Profiling GDPR

Profiling GDPR, Ireland

It is now widely accepted that Data is the new Oil (2006, Clive Humby, UK mathematician & inventor of the Tesco Clubcard).
Today, there is a new “gang of four,” as Google chairman Eric Schmidt puts it [Profiling GDPR Eric Schmidt Gang of Four ] . They are Google, Apple, Amazon and Facebook [GAAF], and they are behind the consumer revolution on the Internet today. All four companies are “growing at incredible rates”. Schmidt notes that all four are together worth in excess of half a trillion dollars, they are all platforms in their own right, and they are all basically spreading their power where before there was only one company who had such influence: namely, Microsoft

User Profiling

The core businesses of the GAAF have now fundamentally converged into Profiling. Article 4 of the GDPR defines Profiling as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Article 22 goes on to state that a European Citizen has the right not to be subject to a decision based solely on automated processing, [including profiling] which produces legal effects or similarly significantly affects, with certain exemptions to this, Profiling GDPR – Recital-71 – April 2017
Through Profiling of all of its users, the GAAF Corporates know who your best friends are, your preferred holiday destinations and your relationship status. Over-and-above this there is a colossol quantity of other data being compiled about us. Information that can be used to create a profile of our personality and then by advertisers to target us. The data is so extensive that it can accurately assess our ‘intelligence’, political leanings, life satisfaction and even sexuality by just scanning our online activity, Profiling GDPR – Deep penetration at Facebook – BBC .

Very recently, it was reported in the Guardian [Profiling GDPR Google record fine, June 2017 ] the EU has fined Google a record-breaking €2.42bn for misusing its role as monopolist in the search engine sector. Google’s offence was the artificial and illegal promotion its own online shopping service, at the expense of rival price comparison services. European regulators deemed that, Google was found to have denied both its consumers -> real choice and rival firms -> the ability to compete on a level playing field.

Profiling GDPR – in practice post 25th May 2018

This occurrence could well prove to be a preliminary skirmish in the build-up to 25th May 2018, being the implementation date for the EU-GDPR., (not the EU- Google Data Protection Regulation).
Such fines, as in those levied on the Global Banking Sector, are typically disputed & horse-traded, but finally paid over. This is because such monopolistic businesses, by their nature are considered as holding a licence to print money’. In reality they would prefer not to have been caught engaging in money-laundering, mis-selling, false accounting inter alia. Indeed when they are caught they appear to be genuinely contrite.

Profiling GDPR-1
However, ultimately such activities are part & parcel of their lucrative Unique Selling Proposition. They are sufficiently influential to be in a position to invisibly pass-on such fines to their business & personal clients.
The Office of the Irish Data Protection Commissioner is the interface with the European operations of Google, Facebook, Amazon & Apple, in terms of the implementation of the GDPR in May 2018.
This ‘policing role’ will involve the enforcement of certain particular Data Protection Principles that have a specific relevance to Profiling in GDPR .
Over the previous eight years the EU GDPR has been developed & fine-tuned by the Article 29 Data Protection Working Party with the key objective of protecting the Personal Data of all EU Citizens from unauthorised & intrusive exploitation by Data Controlling and/or Processing firms (including the GAAF corporates).

Key Data Protection Principles

within Profiling GDPR

The key Data Protection Principles for GAAF., inter alia are Consent, the Right to be Forgotten & new legal duty of Data Processors to demonstrate Accountability-based Compliance.

GDPR requires  GAAF corporates to obtain a Consent that is ” freely-given, specific, informed and an indication of the data subject’s wishes…. by a statement or by a clear affirmative action…..proper, action-based & unambiguous” .

Like other Businesses , GAAF corporates must obtain such a Consent from European Citizen Users to use their data for a set of clearly defined & explained purposes. within this process  there is likely to be a prolonged sequence of adversarial locking-of-horns with legitimate local & EU Regulators for years to come.

The ePrivacy directive-change proposals seek to bring the 2002 law in line with the new GDPR. They attempt to keep pace with technological developments. They also address the tracking of users for advertising, the collection of metadata and other behavioural data, and the explicit consent required to do so.

  • It was recently reported in the Guardian that an Australian advocacy group Choice highlighted the problem by getting an actor to read Amazon Kindle’s 73,198 word Terms and Conditions. It took 9-hours.
  • Spare a thought for 7,500 online shoppers from 2010, when former games retailer Gamestation claimed to have gained their souls thanks to a clause inserted into its Ts and Cs for April Fool’s Day. If you don’t read the small print, who knows what you are giving away?

In complying with the Regulation these  profiling GDPR corporates will greatly resist any potential requirement to disclose aspects of their internal business algorithms in order to preserve their valuable business models.
The success or failure of the Regulation will be determined by how close it can come to meeting its objective of protecting the Data Protection & Privacy rights of European citizens, while allowing the orderly continuation of Profiling GDPR & other related activities by GAAF.

Profiling GDPR -284 KB

Ronan Coburn is a Forensic Accountant, and a Certified Data Protection Officer,
he engages in Consulting on assignments within these sectors.
More info at