Thinking about Legal Issues Surrounding IT

Attorney Masako Mizumachi's IT and Information Law Blog

Memo on the Risk of Profiling from Personal Data (the EU GDPR)

※ To be updated from time to time.

In an age when vast amounts of personal data already exist on the internet, and still more can be collected continuously from smartphone IC cards, POS terminals, sensors, cameras and the like, the "risk of being profiled" on the basis of personal data collected in this way has been pointed out.

I would like to build up notes on the discussion in each country, but first, starting with the EU GDPR.

Article 4 Definitions
(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Article 22 Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Provisional translation ↓
"Profiling" means automated processing through the use of personal data to evaluate the personal aspects of a specific person (in particular, analysis or prediction concerning a person's performance at work, economic situation, health, tastes and preferences, interests, reliability, behaviour, location or movements).

This definition is said to be narrower than in the original proposal. The difference from tracking was described as follows on the site below.

Top 10 operational impacts of the GDPR: Part 5 - Profiling
This definition implicitly excludes data processing that is not “automated.”

Further elaboration of this definition may be found in the Recitals, where the GDPR establishes its jurisdiction over non-EU controllers provided they are “monitoring the behaviour of [EU] data subjects as far as their behaviour takes places within the European Union.” Processing activity involves data subject “monitoring” when “individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” This definition suggests that profiling is not equivalent to tracking, but instead is something more, involving the intention to take decisions regarding a data subject or predict the subject’s behaviors and preferences.