Individual Automated Decision-making


Published at  2024-07-04 by  Ana Rodrigues

Article 22 of the GDPR is, in my opinion, one of the most relevant provisions regarding AI. This article provides data subjects the right not to be subject to judgements made solely through automated processing, including profiling, where such decisions have legal effects or have a significant impact on them. Article 4.4 contains the definition of profiling.

However, this provision is subject to the exception listed in Article 22.2, which indicates that this prohibition does not apply if the decision is necessary for contract performance, is authorised by Union or Member State law, or is based on the data subject's explicit consent. In circumstances where exemptions apply, data controllers must take adequate steps to protect data subjects' rights, such as the right to human intervention, the right to express views, and the right to contest the decision (Article 22.3).

Nonetheless, even without exemptions, it is difficult for a data subject to satisfy the prerequisites included in Article 22.1. First and foremost, Article 22 only applies to decisions made solely through automated means. Typically, systems that have a significant impact on persons are utilised for decision support rather than decision making. Furthermore, interpreting 'solely' as requiring automated initial data gathering raises the application threshold even higher.

Furthermore, even if decisions are solely automated, they must adhere to the second element of Article 22.1, which demands a decision producing legal effects or significantly affecting the individual. Two concerns develop here. To begin, there is some debate over whether AI-generated outputs qualify as 'decisions' due to a lack of explicit direction. Second, deciding what constitutes a 'significant' impact is challenging. While WP29's Guidelines provide examples, such as decisions that affect someone’s financial circumstances, they are not binding.

As a result, Article 22 may be considered unclear, given the confusion regarding its actual reach and the ease with which it can be circumvented due to its high threshold and numerous exceptions.

GDPR on AI - a series of posts written by Maria Mot