January 17, 2022

Volume XII, Number 17

Advertisement
Advertisement

January 15, 2022

Subscribe to Latest Legal News and Analysis

January 14, 2022

Subscribe to Latest Legal News and Analysis

Are Profiling and Automated Decision Making the Same Thing?

No.

Modern state privacy statutes in the United States (set to go into effect in 2023) and European privacy regulations adopt a similar definition of “profiling,” which occurs when three elements are met:

  1. An activity must involve “an automated form of processing;”

  2. An activity must be “carried out on personal data;”

  3. The objective of the activity must be “to evaluate personal aspects about a natural person.”1

As indicated above, profiling occurs when an organization is attempting to evaluate personal aspects about a data subject. Profiling does not necessarily indicate, however, that an organization takes action based upon the information it has evaluated.

Automated decision-making refers to making a decision by technological means without human intervention.2 While automated decision-making can rely upon profiling when rendering a decision, it does not necessarily need to do so. For example, if an algorithm is configured to render a decision about an individual’s eligibility to participate in a program open only to individuals over the age of 18 based directly on information an individual provides on a webform (e.g., their date of birth or their age), that activity would constitute “automated decision making,” but it would not necessarily constitute profiling, as the process of making the decision did not evaluate any personal aspects of the person. In contrast, if an algorithm is configured to infer a person’s age by their online behavior and based on the inference render a decision about an individual’s eligibility to participate in a program open only to individuals over the age of 18, that activity would constitute both profiling (i.e., using automated means to evaluate or infer a person’s age) as well as automated decision making (i.e., rendering a decision regarding eligibility based upon the profiling).

FOOTNOTES

See, e.g., WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017. Cf Va. Code 59.1-571 (2021); C.R.S. 6-1-1303(20) (2021).

2 WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, at 7.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 321
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement