<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="en"><front><journal-meta><journal-id journal-id-type="publisher-id">kulawr</journal-id><journal-title-group><journal-title xml:lang="en">Kutafin Law Review</journal-title><trans-title-group xml:lang="ru"><trans-title>Kutafin Law Review</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">2713-0525</issn><issn pub-type="epub">2713-0533</issn><publisher><publisher-name>MSAL</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.17803/2713-0533.2024.3.29.491-513</article-id><article-id custom-type="elpub" pub-id-type="custom">kulawr-345</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>DIGITAL LAW, ARTIFICIAL INTELLIGENCE AND CYBER SECURITY</subject></subj-group></article-categories><title-group><article-title>Digital Profiling and the Legal Regime of Derived Personal Data</article-title><trans-title-group xml:lang="ru"><trans-title></trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-2502-559X</contrib-id><name-alternatives><name name-style="western" xml:lang="en"><surname>Mochalov</surname><given-names>A. N.</given-names></name></name-alternatives><bio xml:lang="en"><p>Artur N. Mochalov, Cand. Sci. (Law), Associate Professor, Department of Constitutional Law</p><p>Yekaterinburg</p></bio><email xlink:type="simple">artur.mochalov@usla.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff xml:lang="en" id="aff-1"><institution>Ural State Law University named after V.F. Yakovlev</institution><country>Russian Federation</country></aff><pub-date pub-type="collection"><year>2024</year></pub-date><pub-date pub-type="epub"><day>16</day><month>10</month><year>2024</year></pub-date><volume>11</volume><issue>3</issue><fpage>491</fpage><lpage>513</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Mochalov A.N., 2024</copyright-statement><copyright-year>2024</copyright-year><copyright-holder xml:lang="ru">Mochalov A.N.</copyright-holder><copyright-holder xml:lang="en">Mochalov A.N.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://kulawr.msal.ru/jour/article/view/345">https://kulawr.msal.ru/jour/article/view/345</self-uri><abstract><p>The paper discusses some aspects of the legal regulation of personal data profiling in various jurisdictions. It focuses on derived personal data, also known as inferences, which are the outputs of digital profiling and automated decision-making. Although the extraction of new knowledge about individuals based on the processing of personal data has become common practice in both the commercial and public sectors, there have been only a few attempts to establish specific legal frameworks for derived personal data. These include the European Union, California (USA), and Singapore. Using a comparative legal approach, the author analyzes the characteristics of derived personal data and how the rights of individuals are protected in relation to derived personal information in these jurisdictions and in Russia as well. After examining the relevant laws and regulations, the author concludes that these attempts to regulate derived personal data are an effort to adapt traditional legal frameworks to the challenges posed by Big data. At the same time, the protection of personal data when using Big data technologies and artificial intelligence requires advanced regulatory approaches. Today, data extraction processes are often hidden from data subjects and not under their control. The author believes that the automated processing of personal information, including digital profiling and the extraction of new personal data, should be made more transparent and allow users to opt out.</p></abstract><kwd-group xml:lang="en"><kwd>personal data</kwd><kwd>derived personal data</kwd><kwd>inferences</kwd><kwd>profiling</kwd><kwd>data mining</kwd><kwd>privacy</kwd></kwd-group><funding-group><funding-statement xml:lang="en">The reported study was funded by Russian Science Foundation, project number 24-28-01378.</funding-statement></funding-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Adjerid, I. and Kelley, K., (2018). Big data in Psychology: A Framework for Research Advancement. American Psychologist. 73(7), pp. 899–917, doi: 10.1037/amp0000190.</mixed-citation><mixed-citation xml:lang="en">Adjerid, I. and Kelley, K., (2018). Big data in Psychology: A Framework for Research Advancement. American Psychologist. 73(7), pp. 899–917, doi: 10.1037/amp0000190.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Bottis, M. and Bouchagiar, G., (2018). Personal Data v. Big data: Challenges of Commodi¿ cation of Personal Data. Open Journal of Philosophy, 8, pp. 206–215, doi: 10.4236/ojpp.2018.83015.</mixed-citation><mixed-citation xml:lang="en">Bottis, M. and Bouchagiar, G., (2018). Personal Data v. Big data: Challenges of Commodi¿ cation of Personal Data. Open Journal of Philosophy, 8, pp. 206–215, doi: 10.4236/ojpp.2018.83015.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Bouchagiar, G. and Bottis, M., (2018). Personal Data Protection Models: Aspects of Ownership. 16th International Conference e-Society 2018. Available at: https://ssrn.com/abstract=3167011 [Accessed 06.04.2024].</mixed-citation><mixed-citation xml:lang="en">Bouchagiar, G. and Bottis, M., (2018). Personal Data Protection Models: Aspects of Ownership. 16th International Conference e-Society 2018. Available at: https://ssrn.com/abstract=3167011 [Accessed 06.04.2024].</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Chander, A., (2017). The Racist Algorithm? Michigan Law Review, 115, pp. 1023–1045.</mixed-citation><mixed-citation xml:lang="en">Chander, A., (2017). The Racist Algorithm? Michigan Law Review, 115, pp. 1023–1045.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Custers, B. and Vrabec, H., (2024). Tell me something new: data subject rights applied to inferred data and pro¿ les. Computer Law &amp; Security Review, 52, 105956, doi: 10.1016/j.clsr.2024.105956.</mixed-citation><mixed-citation xml:lang="en">Custers, B. and Vrabec, H., (2024). Tell me something new: data subject rights applied to inferred data and pro¿ les. Computer Law &amp; Security Review, 52, 105956, doi: 10.1016/j.clsr.2024.105956.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Davis, P. and Schwemer, S.F., (2023). Rethinking Decisions Under Article 22 of the GDPR: Implications for Semi-Automated Legal DecisionMaking. Proceedings of the Third International Workshop on Arti¿ cial Intelligence and Intelligent Assistance for Legal Professionals in the Digital Workplace (LegalAIIA 2023). Available at: https://ssrn.com/abstract=4478107, doi: 10.2139/ssrn.4478107 [Accessed 06.04.2024].</mixed-citation><mixed-citation xml:lang="en">Davis, P. and Schwemer, S.F., (2023). Rethinking Decisions Under Article 22 of the GDPR: Implications for Semi-Automated Legal DecisionMaking. Proceedings of the Third International Workshop on Arti¿ cial Intelligence and Intelligent Assistance for Legal Professionals in the Digital Workplace (LegalAIIA 2023). Available at: https://ssrn.com/abstract=4478107, doi: 10.2139/ssrn.4478107 [Accessed 06.04.2024].</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Day, P., (2020). Cambridge Analytica and Voter Privacy. Georgetown Law Technology Review, 4.2, pp. 583–607. Fischer, C., (2020). The legal protection against inferences drawn by AI under the GDPR. July 2020. Available at: https://arno.uvt.nl/show.cgi?¿d=151926 [Accessed 06.04.2024].</mixed-citation><mixed-citation xml:lang="en">Day, P., (2020). Cambridge Analytica and Voter Privacy. Georgetown Law Technology Review, 4.2, pp. 583–607. Fischer, C., (2020). The legal protection against inferences drawn by AI under the GDPR. July 2020. Available at: https://arno.uvt.nl/show.cgi?¿d=151926 [Accessed 06.04.2024].</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Gonçalves, M.E., (2017). The EU Data Protection Reform and the Challenges of Big data: Remaining Uncertainties and Ways Forward. Information &amp; Communication Technology Law. 26(2), pp. 90–115, doi: 10.1080/13600834.2017.1295838.</mixed-citation><mixed-citation xml:lang="en">Gonçalves, M.E., (2017). The EU Data Protection Reform and the Challenges of Big data: Remaining Uncertainties and Ways Forward. Information &amp; Communication Technology Law. 26(2), pp. 90–115, doi: 10.1080/13600834.2017.1295838.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Malgieri, G. and Comandé, G., (2017). Sensitive-bydistance: quasi-health data in the algorithmic era. Information &amp; Communications Technology Law, 26(3), pp. 229–249, doi: 10.1080/13600834.2017.1335468.</mixed-citation><mixed-citation xml:lang="en">Malgieri, G. and Comandé, G., (2017). Sensitive-bydistance: quasi-health data in the algorithmic era. Information &amp; Communications Technology Law, 26(3), pp. 229–249, doi: 10.1080/13600834.2017.1335468.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Minbaleev, A.V. and Storozhakova, E.E., (2023). Problems of legal protection of personal data in the process of using neural networks. Courier of Kuta¿ n Moscow State Law University (MSAL), 2, pp. 71–79, doi: 10.17803/2311-5998.2023.102.2.071-079. (In Russ.).</mixed-citation><mixed-citation xml:lang="en">Minbaleev, A.V. and Storozhakova, E.E., (2023). Problems of legal protection of personal data in the process of using neural networks. Courier of Kuta¿ n Moscow State Law University (MSAL), 2, pp. 71–79, doi: 10.17803/2311-5998.2023.102.2.071-079. (In Russ.).</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Naumann, F., (2014). Data Pro¿ ling Revisited. ACM SIGMOD Record, February 2014, doi: 10.1145/2590989.2590995.</mixed-citation><mixed-citation xml:lang="en">Naumann, F., (2014). Data Pro¿ ling Revisited. ACM SIGMOD Record, February 2014, doi: 10.1145/2590989.2590995.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Niševic, M., (2020). Pro¿ ling Consumers Through Big data Analytics: Strengths and Weaknesses of Article 22 GDPR. Global Privacy Law Review, 1(2), pp. 104–115.</mixed-citation><mixed-citation xml:lang="en">Niševic, M., (2020). Pro¿ ling Consumers Through Big data Analytics: Strengths and Weaknesses of Article 22 GDPR. Global Privacy Law Review, 1(2), pp. 104–115.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Roig, A., (2017). Safeguards for the right not to be subject to a decision based solely on automated processing (Article 22 GDPR). European Journal of Law and Technology, 8(3).</mixed-citation><mixed-citation xml:lang="en">Roig, A., (2017). Safeguards for the right not to be subject to a decision based solely on automated processing (Article 22 GDPR). European Journal of Law and Technology, 8(3).</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Savelyev, A.I., (2015). The Issues of Implementing Legislation on Personal Data in the Era of Big data. Pravo. Zhurnal Vysshey shkoly ekonomiki, 1, pp. 43–66. (In Russ.).</mixed-citation><mixed-citation xml:lang="en">Savelyev, A.I., (2015). The Issues of Implementing Legislation on Personal Data in the Era of Big data. Pravo. Zhurnal Vysshey shkoly ekonomiki, 1, pp. 43–66. (In Russ.).</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Vinogradova, E.V., Polyakova, T.A. and Minbaleev, A.V., (2021). Digital pro¿ le: the concept, regulatory mechanisms and enforcement problems. Law Enforcement Review, 5(4), pp. 5–19, doi: 10.52468/2542-1514.2021.5(4).5-19. (In Russ.).</mixed-citation><mixed-citation xml:lang="en">Vinogradova, E.V., Polyakova, T.A. and Minbaleev, A.V., (2021). Digital pro¿ le: the concept, regulatory mechanisms and enforcement problems. Law Enforcement Review, 5(4), pp. 5–19, doi: 10.52468/2542-1514.2021.5(4).5-19. (In Russ.).</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Wachter, S. and Mittelstadt, B., (2019). A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big data and AI. Columbia Business Law Review, 2, pp. 494–620.</mixed-citation><mixed-citation xml:lang="en">Wachter, S. and Mittelstadt, B., (2019). A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big data and AI. Columbia Business Law Review, 2, pp. 494–620.</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Westerlund, M., Isabelle, D.A. and Leminen, S., (2021). The Acceptance of Digital Surveillance in an Age of Big data. Technology Innovation Management Review, 11(3), pp. 32–44.</mixed-citation><mixed-citation xml:lang="en">Westerlund, M., Isabelle, D.A. and Leminen, S., (2021). The Acceptance of Digital Surveillance in an Age of Big data. Technology Innovation Management Review, 11(3), pp. 32–44.</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Wiedemann, K., (2022). Pro¿ ling and (automated) decision-making under the GDPR: A two-step approach. Computer Law &amp; Security Review, 45, 105662, doi: 10.1016/j.clsr.2022.105662.</mixed-citation><mixed-citation xml:lang="en">Wiedemann, K., (2022). Pro¿ ling and (automated) decision-making under the GDPR: A two-step approach. Computer Law &amp; Security Review, 45, 105662, doi: 10.1016/j.clsr.2022.105662.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
