IP, Technology & Data

According to online reports, internet retailer Amazon has just been granted a new US patent for a system aimed at “mining of user event data to identify users with common interests”. The system analyses user behaviour to profile users into different categories.

Amongst the things monitored are the purchasing of gifts and “the gift wrap used by such other users when purchasing gifts for this user, such as when the gift wrap evidences the user’s religion (in the case of Christmas or Hanukkah gift wrap, for example)”.

So if someone orders me a gift from Amazon, has it gift wrapped and sent to me at some point in December, Amazon will apparently assume that I am of Christian belief.

That’s quite a leap of faith (pun intended), given that a substantial proportion of people who give Christmas presents are likely to class themselves as atheist or ambivalent in their religious beliefs.

The preamble to the patent states that:

A computer-implemented matching service matches users to other users, and/or to user communities, based at least in part on a computer analysis of event data reflective of user behaviors. The event data may, for example, evidence user affinities for particular items represented in an electronic catalog, such as book titles, music titles, movie titles, and/or other types of items that tend to reflect the traits of users. Event data reflective of other types of user actions, such as item-detail-page viewing events, browse node visits, search query submissions, and/or web browsing patterns may additionally or alternatively be considered. By taking such event data into consideration, the matching service reduces the burden on users to explicitly supply personal profile information, and reduces poor results caused by exaggerations and other inaccuracies in such profile information. [emphasis added]

What about data protection rules?

This raises some interesting data protection questions.

In the EU, religious beliefs are one of the categories of personal information that are classified as “sensitive personal data”, and therefore subject to a stronger set of rules. In particular, a data controller may only process sensitive personal data if it can satisfy one of the specific conditions set out in Schedule 3 of the Data Protection Act. The majority of these grounds relate to things like processing that is required by law, processing that is necessary to protect the vital interests of the data subject or processing for the administration of justice.

None of these are applicable to Amazon.

Which means the only condition it could rely upon is the “explicit consent” of the data subject.

It’s difficult to reconcile this need for explicit (not implied) consent with the last sentence of the preamble, which states that the system will “reduce the burden on users to explicitly supply personal profile information” – in other words, it will allow Amazon to guess the things that users don’t tell it.

European data protection rules make it clear that Amazon cannot activate this system in respect of a user unless he has expressly given his informed consent. So if a user decided that he would like Amazon to profile him based on his religious beliefs, would that user rather tick a box saying “would you like Amazon to guess which (if any) religious beliefs you hold?” or simply complete the details in his personal profile?

And how does this guessing system square with the fourth data protection principle, which states that personal data shall be “accurate and, where necessary, kept up to date”? Will Amazon periodically ask you to confirm its assumptions to check that they are up to date?

Organisations such as Amazon often apply to patent new ideas without necessarily ever putting them into practice. In Europe at least, I suspect that this may be one such idea.

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.