Digital Profiling and the Legal Regime of Derived Personal Data

The paper discusses some aspects of the legal regulation of personal data profiling in various jurisdictions. It focuses on derived personal data, also known as inferences, which are the outputs of digital profiling and automated decision-making. Although the extraction of new knowledge about individuals based on the processing of personal data has become common practice in both the commercial and public sectors, there have been only a few attempts to establish specific legal frameworks for derived personal data. These include the European Union, California (USA), and Singapore. Using a comparative legal approach, the author analyzes the characteristics of derived personal data and how the rights of individuals are protected in relation to derived personal information in these jurisdictions and in Russia as well. After examining the relevant laws and regulations, the author concludes that these attempts to regulate derived personal data are an effort to adapt traditional legal frameworks to the challenges posed by Big data. At the same time, the protection of personal data when using Big data technologies and artificial intelligence requires advanced regulatory approaches. Today, data extraction processes are often hidden from data subjects and not under their control. The author believes that the automated processing of personal information, including digital profiling and the extraction of new personal data, should be made more transparent and allow users to opt out.

1. Adjerid, I. and Kelley, K., (2018). Big data in Psychology: A Framework for Research Advancement. American Psychologist. 73(7), pp. 899–917, doi: 10.1037/amp0000190.

2. Bottis, M. and Bouchagiar, G., (2018). Personal Data v. Big data: Challenges of Commodi¿ cation of Personal Data. Open Journal of Philosophy, 8, pp. 206–215, doi: 10.4236/ojpp.2018.83015.

3. Bouchagiar, G. and Bottis, M., (2018). Personal Data Protection Models: Aspects of Ownership. 16th International Conference e-Society 2018. Available at: https://ssrn.com/abstract=3167011 [Accessed 06.04.2024].

4. Chander, A., (2017). The Racist Algorithm? Michigan Law Review, 115, pp. 1023–1045.

5. Custers, B. and Vrabec, H., (2024). Tell me something new: data subject rights applied to inferred data and pro¿ les. Computer Law & Security Review, 52, 105956, doi: 10.1016/j.clsr.2024.105956.

6. Davis, P. and Schwemer, S.F., (2023). Rethinking Decisions Under Article 22 of the GDPR: Implications for Semi-Automated Legal DecisionMaking. Proceedings of the Third International Workshop on Arti¿ cial Intelligence and Intelligent Assistance for Legal Professionals in the Digital Workplace (LegalAIIA 2023). Available at: https://ssrn.com/abstract=4478107, doi: 10.2139/ssrn.4478107 [Accessed 06.04.2024].

7. Day, P., (2020). Cambridge Analytica and Voter Privacy. Georgetown Law Technology Review, 4.2, pp. 583–607. Fischer, C., (2020). The legal protection against inferences drawn by AI under the GDPR. July 2020. Available at: https://arno.uvt.nl/show.cgi?¿d=151926 [Accessed 06.04.2024].

8. Gonçalves, M.E., (2017). The EU Data Protection Reform and the Challenges of Big data: Remaining Uncertainties and Ways Forward. Information & Communication Technology Law. 26(2), pp. 90–115, doi: 10.1080/13600834.2017.1295838.

9. Malgieri, G. and Comandé, G., (2017). Sensitive-bydistance: quasi-health data in the algorithmic era. Information & Communications Technology Law, 26(3), pp. 229–249, doi: 10.1080/13600834.2017.1335468.

10. Minbaleev, A.V. and Storozhakova, E.E., (2023). Problems of legal protection of personal data in the process of using neural networks. Courier of Kuta¿ n Moscow State Law University (MSAL), 2, pp. 71–79, doi: 10.17803/2311-5998.2023.102.2.071-079. (In Russ.).

11. Naumann, F., (2014). Data Pro¿ ling Revisited. ACM SIGMOD Record, February 2014, doi: 10.1145/2590989.2590995.

12. Niševic, M., (2020). Pro¿ ling Consumers Through Big data Analytics: Strengths and Weaknesses of Article 22 GDPR. Global Privacy Law Review, 1(2), pp. 104–115.

13. Roig, A., (2017). Safeguards for the right not to be subject to a decision based solely on automated processing (Article 22 GDPR). European Journal of Law and Technology, 8(3).

14. Savelyev, A.I., (2015). The Issues of Implementing Legislation on Personal Data in the Era of Big data. Pravo. Zhurnal Vysshey shkoly ekonomiki, 1, pp. 43–66. (In Russ.).

15. Vinogradova, E.V., Polyakova, T.A. and Minbaleev, A.V., (2021). Digital pro¿ le: the concept, regulatory mechanisms and enforcement problems. Law Enforcement Review, 5(4), pp. 5–19, doi: 10.52468/2542-1514.2021.5(4).5-19. (In Russ.).

16. Wachter, S. and Mittelstadt, B., (2019). A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big data and AI. Columbia Business Law Review, 2, pp. 494–620.

17. Westerlund, M., Isabelle, D.A. and Leminen, S., (2021). The Acceptance of Digital Surveillance in an Age of Big data. Technology Innovation Management Review, 11(3), pp. 32–44.

18. Wiedemann, K., (2022). Pro¿ ling and (automated) decision-making under the GDPR: A two-step approach. Computer Law & Security Review, 45, 105662, doi: 10.1016/j.clsr.2022.105662.