The article begins by demonstrating that the business reality of profiling eludes attempts to answer the five simple questions posed by the GDPR (I.). Then, the three dimensions of profiling are elaborated as well as the difficulties in applying the GDPR provisions on profiling to a particular enterprise (II.). The first prong of the main part suggests that textual analysis of the GDPR reveals profiling to be best understood as a conceptual cluster (III.). The second prong of the main part then offers both analogical and policy arguments to prove that the GDPR definition of profiling also is teleological or outcome-based, rather than goal-based (IV.). As a result, it is sufficient that a form or stage of data processing shares the digital dividends of the profiling ecosystem for it to attract the qualification of profiling under the GDPR. A rigorous application of the GDPR regulates the business practice of profiling whether or not new legal tools including a prohibition of profiling by default are introduced and ahead of the forthcoming ePrivacy Regulation (V.).

The right to data portability (Art. 20 GDPR) is of hybrid nature, both serving the data subject’s protection and enabling the free flow of data and as such being an instrument to enhance competition and develop the digital singular market. The right could be seen as a regulatory tool, which implies preventing market-entry barriers for SMEs on the basis of legal requirements and standardization on technology.

Use of our mobile communication devices tells a good deal about us. It is often the case that what number calls what number, at what times and frequencies and, in the case of mobile phones from and to what geographical locations can be as revealing to law enforcement and national security agencies as the actual contents of messages. Inevitably, though, this may involve the processing of data concerning millions of people who have no inclination to engage in unlawful conduct.Establishment of a legal regime for data retention that balances the claims of law enforcement agencies to prevent and detect criminal and terrorist activities has proved to be a difficult task. A number of legal challenges have been brought before the British and European Courts and this note seeks to consider and place in context the recent litigation involving the legality of the United Kingdom’s Data Retention and Privacy Act 2014.