Profiling the European Citizen: Cross‐Disciplinary Perspectives

Profiling becomes easier all the time as people scatter digital traces of themselves on the Internet, in their telephone calling records, on their credit card statements and hundreds of other places. It has been estimated that, on average, our details can be found on more than 700 databases (Bradwell and Gallagher, 2007).

Meanwhile, the technology for mining and aggregating these data is becoming increasingly sophisticated and, as costs of storage continue to plunge, cheaper too to construct profiles. In days gone by, it was film stars, politicians and sports figures who had concerns about their visibility. Now, in the digital age, everyone's profile is of interest, especially to government and business.

Law enforcement authorities piece together clues to compose profiles of unknown suspects. Intelligence agencies attempt to do the same with terrorists, e.g. the US Department of Homeland Security gathers passenger name records (PNRs) not only to check passengers against black lists but also to identify prospective terrorists who have yet to show up on a black list.

Industry and enterprise are engaged in profiling in order to better target customers for products and services. Those companies engaged in behavioural marketing (or personalised advertising, as it is known), such as Phorm in the UK, NebuAd and others in the USA, are creating profiles that result in targeted adverts following our travels in cyberspace. Supermarket chains and their “partners” offer loyalty cards not just as a (tiny) reward for our loyalty but as a way of collecting more data about us, what we are buying and what else they might be able to pitch our way based on the profiles they construct of us.

Insurance companies use profiling technologies to assess risks associated with individuals (he smokes) and groups (they are members of a skydiving club). Ditto credit card companies and banks (we will pass on granting a mortgage to those with a history of unemployment).

Profiling and its implications are of interest to social scientists, lawyers, computer scientists, legal philosophers and policy‐makers too. For those who want something more substantial than Big Brother stories in the press, Springer has recently published a comprehensive exegesis of the subject. Entitled Profiling the European Citizen, the 373‐page book brings together leading European experts who examine profiling, what it is and how it works, example applications and the implications of the technologies, especially in terms of the adequacy of the EU's legal regime.

The book has 17 chapters, starting with an introduction and overview of profiling and ending with a set of conclusions, written by the co‐editors. Each of the 15 chapters in between is followed by a commentary or assessment by one or two experts from disciplines different from the authors (hence, the book's subtitle: Cross‐Disciplinary Perspectives).

Co‐editor Mireille Hildebrandt defines profiling as the process of discovering correlations between data that can be used to identify and represent an individual or group and/or the application of those profiles (sets of correlated data). She introduces key distinctions between individual and group profiling, between distributive and non‐distributive group profiling, and direct and indirect profiling.

Profiling an individual's keystroke behaviour, for example, might enable a service provider to “recognise” this person as she goes online, and as she cruises the Internet, more data can be added to her profile.

Group profiling comes from data correlated to establish a category having certain attributes. Or the data of an existing group of people can be collected, aggregated, stored and processed in order to find shared features. Hildebrandt further distinguishes between distributive and non‐distributive profiles. A distributive profile identifies a group in which all members share the same attributes (e.g. blond hair and blue eyes). A non‐distributive profile identifies a group in which not all members share all of the attributes of a group's profile (e.g. psychopaths share some attributes, but not all).

Direct profiling is used to uniquely characterise a person or group within a population while indirect profiling leads to creation of a profile that is applied to another subject. The distinction between direct and indirect profiling is important because data protection legislation protects personal data, but there may be a lacuna if the applied profiles are generated from other people's data.

The book especially focuses on automatically generated profiles which are used to make decisions without human intervention. It also flags group profiling because it often raises ethical issues and could lead to discriminatory practices.

Although profiling is obviously of great benefit to government and industry, the benefits are less obvious or perhaps less unalloyed for citizen‐consumers. Some people do not mind being profiled, because they like the personalised services it offers, but many others do not like their details being hoovered up so that they can be targeted better (who wants to be a target, after all).

Some of the contributors to this book see risks with profiling, e.g. that government and industry accumulate more power at the expense of citizen‐consumers. We do not know what happens to our data and what types of profiles may be applied to us or what the consequences could be. If inaccurate profiles are used to make decisions about us, there is a risk of an unfair judgement. A profile poses the risk that we could be unfairly discriminated against or our behaviour manipulated.

Although powerful algorithms (“the engines of profiling”) have been developed, as discussed in one chapter, data mining is complicated by the existence of too many attributes (which ones to select), missing variables, conflicting data or the incompatibility of different datasets, all of which creates risks for the reliability of the profiles that eventually emerge.

The book considers whether there is a need to regulate profiling and, if so, how? How adequate is existing law?

In principle, the EU's Data Protection Directive (95/46/EC) applies to profiling, as it involves the collection and processing of data about individuals. However, some question whether group profiles can be regarded as personal data when the data are anonymised and abstracted, and when profiles can be applied to individuals without identifying them.

Article 15 of the Directive prohibits taking decisions affecting individuals solely on the basis of automated decision making (=profiling). The Directive also upholds the principle of purpose specification, which provides that processing personal data must meet specified, explicit and legitimate purposes, which restricts the possibility to aggregate and process data from different databases.

In their chapter, Gutwirth and De Hert argue that if the definition of “personal data” (“any information relating to an identified or identifiable natural person”) turns out to be a barrier to the application of data protection rules, maybe it is time to devise a new generation of data protection rules: “If technologies and socio‐economic practices make it possible to control and steer individuals without the need to identify them, the time has probably come to explore the possibility of a shift from personal data protection to data protection tout court.”

In one of the book's commentaries, Bert‐Jaap Koops splashes cold water on notions that “profiling is dangerous”. He asks why we should be concerned about data protection anyway. Data storage devices and data networks are here to stay. Trying to control these activities he likens to banging one's head against a brick wall. Organisations happily continue large‐scale data collection and correlation, with or without the blessing of data protection laws and without any material redress.

He says we need convincing qualitative examples and quantitative data to show that profiling poses significant negative effects. For his part, he does not view profiling as a threat to privacy. “It is not so much privacy that is at stake but fair judgement and equal treatment.” Thus, we should consider profiling more in the context of anti‐discrimination law, which is rooted in Article 14 of the European Convention on Human Rights (“The enjoyment of the rights and freedoms set forth in this Convention shall be secured without any discrimination … ”), which Schreurs et al. examine in their chapter.

There is much to commend this book. It is an extensive, thought‐provoking, informative analysis of the state‐of‐the‐art in profiling and its applications, especially in the European legal context, and gives strong pointers for new policy considerations.