[IUCC-GDPR] Art29 final on profiling and automated decision making

Hank Nussbacher Hank at mail.iucc.ac.il
Tue Feb 20 20:51:16 IST 2018


And here is his blog posting on the matter:
https://community.jisc.ac.uk/blogs/regulatory-developments/article/automated-processing-network-and-information-security

-Hank

-----Original Message-----
From: Hank Nussbacher 
Sent: 20 February 2018 20:50
To: GDPR <gdpr at iucc.ac.il>
Subject: Art29 final on profiling and automated decision making

Forwarding from JISC (UK NREN).  Especially note the exclusion of " automated network defence and learning analytics now fall safely below the Art.22 threshold":
------------------------------
They've just published their final version of this guidance, at
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053

They do seem to have read our consultation response (or, at least, others with the same messages):

a) although they still believe there's a "general prohibition" on automated decision-making with legal or similar effect, they do now try to justify that claim based on the wording of the Regulation (p19).

Much more importantly

b) they are *much* clearer on "legal or similar effect" - "only serious impactful effects will be covered by Article 22" (p21). So they're now looking for things at the level of cancellation of a contract, entitlement or denial of a social benefit, refusal of entry to a country.

Then they have a wriggle to try to explain why targeted advertising could be of that seriousness (p22)!

But it seems that, of the problem areas we highlighted in our response, automated network defence and learning analytics now fall safely below the
Art.22 threshold. Fraud detection is given as an example of something that may be permitted as a legal obligation (which seems a bit narrow to me).
Then, weirdly, they say on p 22 that "decisions that deny someone an employment opportunity" may not be fully automated; but on p23 use short-listing of a large pool of job applicants as an example that is allowed (because "not practically possible" to do it manually)!

So although it's a lot clearer than the original, still lots of inconsistencies and loopholes for those who don't care about data protection to exploit. But at least our constituents who *do* care about data protection, should find comfort here for most of the things they legitimately need to do.

If others spot anything else interesting in the document, please let me know. I may do a blog post on the network defence stuff, when I've a spare hour.

Cheers
Andrew

--
Andrew Cormack
Chief Regulatory Adviser

T 01235 822302
Skype ancormack
Twitter @JanetLegReg
Blog https://community.jisc.ac.uk/blogs/regulatory-developments
Orcid.org/0000-0002-8448-2881

Lumen House, Library Avenue, Harwell Oxford, Didcot OX11 0SG

Jisc.ac.uk



More information about the GDPR mailing list