The Council of Europe announced, on 3 November 2021, that it had adopted a Recommendation CM/Rec (2021)8 (“Recommendation”) of the Committee of Ministers to member States on the protection of individuals concerning the automatic processing of personal data in the context of profiling. The Council specifically stated that the recommendation updates its previous recommendation on the same topic adopted in 2010 under the Protocol amending the Convention for the Protection of Individuals concerning Automatic Processing of Personal Data (“Convention 108+”) and aims to respond to the radical changes in profiling techniques over the last decade and the resulting need for additional safeguards to protect personal data and private lives of individuals.
Profiling is defined in the Recommendation as any form of automated processing of personal data, including the use of machine learning systems, that involves the use of data to evaluate certain personal aspects relating to an individual, specifically to analyze or predict aspects concerning that person's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
According to the general principles set out in the Recommendation, among other things, respect for fundamental rights and freedoms, particularly the rights to human dignity and privacy, but also freedom of expression, as well as the principle of non-discrimination and the imperatives of social justice, cultural diversity, and democracy, should be ensured during the profiling operations covered by this recommendation, in both the public and private sectors.
The Recommendation states that profiling should contribute to, or at least not adversely affect, both the well-being of individuals and the development of an inclusive, democratic, and sustainable society and that it should also not discriminate against individuals, groups, or communities. In addition, it was explained that the use of automated decision-making systems should not damage the dignity and democracy of the people and that the autonomy of human intervention in the decision-making process should be preserved. Further, it is evaluated that the Member States should promote the design and implementation of procedures and systems in accordance with privacy and data protection, currently in the planning stage and throughout the entire data processing period, in particular through the use of privacy-enhancing technologies.
Also, the use of automated decision-making systems based on artificial intelligence technologies poses additional risks due to potential errors and biases, as well as the difficulty of providing justification and transparency for the decisions made, preventing data subjects from fully exercising their rights. The design, development, and implementation of AI-based automated decision-making systems necessitates a special and ongoing focus on the risks posed, as well as their assessment by diverse, independent teams.
The general conditions for processing personal data within the framework of lawfulness, which is the first condition indicated in the Recommendation, are listed, as are the conditions for processing personal data in the context of profiling. There are additional exceptions to personal data processing in the context of profiling.
Another condition indicated in the Recommendation is that the quality of data and algorithms. It is indicated that controllers and, when possible, processors should take suitable efforts to correct data inaccuracy factors and limit the risks of inaccuracy and bias inherent in profiling. Furthermore, controllers and, where appropriate, processors shall examine the quality of the data and the statistical inferences made, as well as the impact of profiling on the data subject's rights, on a regular and reasonable basis. Finally, when getting data or algorithms from a third party, controllers or processors must receive the relevant documentation from the third party to verify the quality of the data and algorithms and their relevance for processing.
The last condition indicated in the Recommendation is about the special categories of data. Accordingly, the processing of sensitive data in the context of profiling, as described in Article 6 of the 108+ Convention, should be permitted only where effective protections are established by law and the data is required for lawful and explicit processing purposes. Furthermore, processing for the purpose of detecting or predicting race or ethnicity, political views, union membership, religious or other beliefs, health or sexual life should be prohibited and only permitted if appropriate safeguards are included in the law and the data is absolutely necessary for the legal and private purposes of the processing. Lastly, where consent is required, it should be made clear that the processing involves such data.
The Recommendation further specifies which information the controller must disclose to the data subject at the latest when the data is obtained when personal data related to a data subject are collected from the data subject in the context of profiling and some other provisions relating to information.
Finally, the Recommendation that includes the rights of data subjects, general provisions on data security, and special provisions for profiling based on artificial intelligence systems using machine learning processes, further advises governments to encourage and legally bind the use of the "privacy by design" approach throughout the whole processing time, particularly using privacy-enhancing technology. It also advises them to take sufficient precautions against the creation and use of technologies that are designed to circumvent privacy-protecting technological measures wholly or partially.
Esra Temur, Simge Kılıç