Harm Mechanism

Profiling

The automated processing of personal data to evaluate, categorise, or predict individual characteristics and behaviour, enabling targeted decisions that may affect rights and opportunities.

Definition

Profiling is the automated analysis of personal data to construct a detailed picture of an individual’s characteristics, preferences, behaviours, or likely future actions. AI systems aggregate data from diverse sources — browsing history, purchase records, location data, social media activity, and biometric signals — to generate profiles used for targeted advertising, credit scoring, insurance pricing, employment screening, and law enforcement. Under the EU General Data Protection Regulation, profiling is specifically defined as any automated processing of personal data that evaluates personal aspects, and individuals hold rights to contest decisions made solely on this basis.

How It Relates to AI Threats

Profiling is a foundational mechanism within the Privacy and Surveillance Threats domain. In the sensitive-attribute-inference sub-category, AI systems derive protected characteristics such as ethnicity, health status, or political orientation from seemingly neutral data points. In the behavioral-profiling-without-consent sub-category, individuals are tracked and categorised without meaningful awareness or choice. The scale and granularity of AI-driven profiling far exceed what was possible through traditional methods, enabling micro-targeted manipulation, discriminatory treatment, and pervasive surveillance. The opacity of profiling algorithms makes it difficult for individuals to understand or challenge the conclusions drawn about them.

Why It Occurs

  • Vast quantities of personal data are continuously generated through digital interactions and connected devices
  • Machine learning models excel at identifying patterns across high-dimensional datasets to predict behaviour
  • Economic incentives drive organisations to maximise the commercial value of user data
  • Individuals lack practical tools to understand what inferences are being drawn from their data
  • Regulatory enforcement has not kept pace with the speed and sophistication of automated profiling techniques

Real-World Context

Profiling underpins many of the harms documented across the TopAIThreats taxonomy. Law enforcement agencies have deployed predictive profiling systems that disproportionately target minority communities. Social media platforms use behavioural profiles to optimise engagement, contributing to information integrity threats. The GDPR, the EU AI Act, and emerging regulations in other jurisdictions have established specific requirements around profiling transparency and the right to human review, though enforcement remains inconsistent across sectors and regions.

Last updated: 2026-02-14