This chapter considers EU data protection law, most notably Regulation 2016/679, the General Data Protection Regulation (GDPR). The GDPR governs the processing of data that identifies an individual or makes her identifiable. It sets out circumstances when the process is lawful. The most notable of these is that the individual consented to it; processing is necessary to perform a task in the public interest or in the exercise of official authority; or the data is required for the pursuit of a party’s legitimate interests unless the fundamental rights of the individual overrides these interests. Individuals have a number of rights in respect of their personal data. These include the right to information about it and to access it, and to rectify inaccurate or incomplete personal data. Arguably, most contentiously, the individual can have the data erased if she withdraws her consent or the data is no longer necessary for the purposes for which it was processed. This right must be balanced against other interests, most notably the freedom of others to expression and information.

Access has become a keyword of the twenty-first century. However, even in the 1960s, government data collection and growing computational power facilitated new forms of statistical analysis that people thought could become new ‘intelligence’ systems. The legislative response to these threats were new data protection and information privacy regimes that included ‘data subject rights’ – mechanisms by which individuals could obtain access to information about them held by others, and rectify any inaccuracy. This type of transparency gave individuals a way to participate in the profiling regime, by attempting to ensure that the data used by profilers was accurate and relevant. Informed by the German constitutional concept of informational self-determination, limitations to profiling in data protection are premised on the idea that a person’s self-image ought to be the primary determinant of their identity. However, it is argued here that this approach loses traction as the profiling environment becomes more sophisticated.