Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

Council of Europe: Rules to Protect Automatically Processed Personal Data in the Context of Profiling

(Dec. 23, 2010) The Recommendation notes that “information and communication technologies (ICTs) allow the collection and processing on a large scale of data, including personal data, in both the private and public sectors,” and that “this collection and processing may occur in different situations for different purposes and concerndifferent types of data.” (Council of Europe, Committee of Ministers, Recommendation CM/Rec(2010)13 of the Committee of Ministers to Member States on the Protection of Individuals with Regard to Automatic Processing of Personal Data in the Context of Profiling [hereinafter Recommendation] (adopted Nov. 23, 2010),

The types of data include: traffic data; Internet user queries; consumer buying habits, activities, lifestyle, and behavioral data culled from telecommunication devices, including geo-location data; and in particular data from social networks, video surveillance systems, biometric systems, and radio frequency ID technology that foreshadows a possible future world of “ambient intelligence” and the “Internet of things.” (Id.) Thus, “[t]he Internet of the future will therefore not just connect human beings with one another but will also interlink smart devices (Internet of things),” resulting in objects constantly monitoring and analyzing, “probably without their knowledge, the behaviour of the human beings around them, so as to interact with them in a dynamic way.” (Bureau of the European Committee on Legal Co-Operation (CDCJ-BU), Draft Recommendation on the Protection of Individuals with Regard to Automatic Processing of Personal Data in the Framework of Profiling and Its Draft Explanatory Memorandum (Strasbourg, Aug. 31, 2010),

The Council acknowledged that profiling might be in the legitimate interests of both the profiler and the profiled, e.g., “by leading to better market segmentation, permitting an analysis of risks and fraud, or adapting offers to meet demand by the provision of better services,” but it also expressed a number of concerns. (Recommendation, supra.) For example, the Council worried that computerized stereotyping, brought about by the automatic collection of the abovementioned types of data, might be used to treat people prejudicially, unjustifiably depriving an individual from accessing certain goods or services and thereby violating the principle of non-discrimination. It was also concerned that “the profiling of children may have serious consequences for them throughout their life.” (Id.) In addition, the Council considered that “the use of profiles, even legitimately, without precautions and specific safeguards, could severely damage human dignity, as well as other fundamental rights and freedoms, including economic and social rights.” (Id.)

Therefore, the Council was convinced that it is necessary to regulate profiling to protect individual privacy rights and freedoms and prevent discrimination. The Council recommended to the Member States that they take measures to ensure that their law and practice reflect the principles on profiling set forth in an appendix to the Recommendation. It also recommended that those principles should be broadly disseminated, in particular, by persons, public authorities, and public or private entities that “participate in and use profiling, such as designers and suppliers of software, profile designers, electronic communications service providers and information society service providers,” among others. Third, it encouraged those groups to establish and promote self-regulation mechanisms. (Id.)

The appendix to the Recommendation has nine sections, covering: 1) definitions, 2) general principles, 3) conditions for the collection and processing of personal data in the context of profiling (with subsections on lawfulness, data quality, and sensitive data), 4) information to be provided to the data subjects, 5) rights of data subjects, 6) exceptions and restrictions (to sections 3, 4, and 5), 7) remedies, 8) data security, and 9) supervisory authorities. Among the information that the controller (“the natural or legal person, public authority, agency or any other body which alone, or in collaboration with others, determines the purposes of and means used in the collection and processing of personal data”) must provide to data subjects are: the fact thatthat their data will be used in the context of profiling; the purposes for which the profiling is carried out; the categories of personal data used;the identity of the controller; andthe existence of appropriate safeguards. (Id.)

Rights of data subjects under section 5 include the right to obtain one's personal data,the logic underlying the processing of such data and that was used to attribute a profile; andthe purposes for which the profiling was carried out and the categories of persons to whom or bodies to which the data may be communicated. Data subjects should also be entitled to the “secure correction, deletion or blocking of their personal data, if profiling “is performed contrary to the provisions of domestic law” that enforce the Recommendation's principles, and to object, on “compelling legitimate grounds” to the use of their personal data for profiling, unless the law provides for profiling in the personal data processing context. If there are grounds for restricting a data subject's rights, the decision to do so should generally be communicated to him or her “by any means that allows it to be put on record, with a mention of the legal and factual reasons for such a restriction.” (Id.)