Is “Profiling-per-se” and “Misuse of Profile” be distinguished in Privacy law?

All privacy laws from GDPR to DPA 2021 define “Personal Information” (PI) and a need to “Protect Personal Information”.

In defining PI, the popular definition is that any information “about” a living human constitutes PI and should be subject to some regulation such as valid consent for processing etc.

Additionally, most laws also  define “Creating a Profile” constitutes a “Data Processing activity” that needs consent and the generated “Profile” is also part of the “Personal Information” which the data principal has a right  to control. The right of data portability extends to not only information provided by the data principal to the data fiduciary during the collection process but also to the profile created by the data fiduciary.

The Cambridge Analytica dispute was centred around the use of personal information to create a political profile for the purpose of targeted advertising.  Recently, I came across an article arguing that “We should stop automatic profiling of people”. Though this was in the context of an organized data processing activity, the article triggered some thoughts to indicate that this principle that “Profile” is part of personal information and is protected under privacy laws as an asset of the data principal requires a larger debate.

I am aware that this is a contrarian thought and is presented for the purpose of academic debate. It is not to be construed as an interpretation of the data protection law which by popular interpretation considers “Profile” is part of the personal data and needs to be protected by consent or legitimate interest. It is also subject to the right of portability and right to forget irrespective of the intellectual property rights associated with the creation of the profile, though the principles of anonymisation may be used for profiling of a group of people without violating the principles of privacy.

“Imaging a profile” is a fundamental and natural reaction of the human brain as a stimuli to any observation. This is part of the “Fight or Flight” response triggered in the human system.  The first step in this fight or flight response is to understand  the behaviour of people in a particular situation which  includes “Profiling” whether it is correct or incorrect. If the inference creates a more than threshold danger perception, it would trigger an action potential for fight or flight. Otherwise it is recorded for further processing. When the behaviour gets repeated next time, the brain may interpret that this person habitually of a particular behavioural trait and if it is not considered desirable, the brain triggers a “Mild fight or flight response”.

Thus “Drawing Inference” from any observation is a natural human trait and if it is absent we call a person un-intelligent or even an idiot.

The same tendency when carried out by a software is considered as “Profiling”. In this case the inference may lead to targeted advertising the same way human inference of a person as friendly leads to opening up a conversation.

Considering that this “Inference” is a natural human trait therefore, banning it through the privacy law is an unnatural inhibition on the human tendency and is unlikely to be effective.

On the other hand any misuse of information causing a harm to the individual whether through profiling or not can be considered as a “Civic Wrong” and be subjected to punishment.

We need to therefore debate whether “Profiling per-se” is bad in law or “Misuse of Profile alone is bad in law”.

It is therefore sufficient if privacy laws distinguish “Profiling per-se” and “Use of Profile” and not consider “Profiling per-se” as a “Violation of Privacy Right per-se” while the mis-use of profile can continue to be considered as a punishable act.

Comments are welcome.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.