Article 22 GDPR: Difference between revisions
(4 intermediate revisions by 3 users not shown) | |||
Line 207: | Line 207: | ||
Article 22 GDPR has its roots in Articles 12a and 15 of the 95/46/EC Data Protection Directive (DPD). One of the main differences is that the GDPR has a broader scope of application, since it applies to “automated processing, including profiling”. In contrast, the DPD provision was only applicable if a form of profiling was involved.<ref>Article 20 of GDPR proposal, COM(2012) 11 final (available [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF here]).</ref> This difference in scope can be noticed between the initial proposal of the Commission, in which Article 22 was titled “Measures based on profiling" and the final wording of the GDPR, which extends the scope of Article 22 GDPR to include automated decisions which are not based on profiling. In contrast to the DPD, Article 22(4) GDPR also explicitly addresses the use of sensitive data by laying down a qualified prohibition of decisions based on categories of data listed under [[Article 9 GDPR|Article 9(1) GDPR]]. | Article 22 GDPR has its roots in Articles 12a and 15 of the 95/46/EC Data Protection Directive (DPD). One of the main differences is that the GDPR has a broader scope of application, since it applies to “automated processing, including profiling”. In contrast, the DPD provision was only applicable if a form of profiling was involved.<ref>Article 20 of GDPR proposal, COM(2012) 11 final (available [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF here]).</ref> This difference in scope can be noticed between the initial proposal of the Commission, in which Article 22 was titled “Measures based on profiling" and the final wording of the GDPR, which extends the scope of Article 22 GDPR to include automated decisions which are not based on profiling. In contrast to the DPD, Article 22(4) GDPR also explicitly addresses the use of sensitive data by laying down a qualified prohibition of decisions based on categories of data listed under [[Article 9 GDPR|Article 9(1) GDPR]]. | ||
===(1) Prohibition on automated decision-making === | |||
There have been conflicting arguments as to whether Article 22(1) GDPR lays down a right or a general prohibition. On the one hand, if the provision is interpreted as a right, then the data subject would have to actively exercise the right in order to be protected from the types of impactful, automated decisions that Article 22 GDPR deals with. The main argument invoked by proponents of this approach is a strictly literal interpretation of the word "right" in the provision,<ref>''Bygrave'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 531 (Oxford University Press 2020).</ref> alongside with the fact that this provision is included in Chapter III of the GDPR, regulating the "Rights of the data subject". On the other hand, Article 22(1) GDPR can be framed as a general prohibition. This interpretation seems more in line with the purpose of the provision, which seeks to protect data subjects from the general possibility of being subject to decisions covered by Article 22 GDPR. The WP29 Guidelines on Automated individual decision-making and Profiling,<ref>WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]).</ref> seems to take this broader and more comprehensive approach: “''The term 'right' in the provision does not mean that Article 22(1) applies only when actively invoked by the data subject. Article 22(1) establishes a general prohibition for decision-making based solely on automated processing. This prohibition applies whether or not the data subject takes action regarding the processing of their personal data''”.<ref>The WP29 supports this argument by relying on the principles of the GDPR and its aim to give data subjects control over their personal data. Furthermore, the WP29 makes a reference to Recital 71 GDPR, which implies that decisions under Article 22(1) GDPR are generally not allowed, by contrasting these with decisions regulated by Article 22(2) GDPR which should, “''however''”, be allowed. WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 19 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]).</ref> | |||
There have been conflicting arguments as to whether Article 22(1) GDPR lays down a right or a general prohibition. On the one hand, if the provision is interpreted as a right, then the data subject would have to actively exercise the right in order to be protected from the types of impactful, automated decisions that Article 22 GDPR deals with. The main argument invoked by proponents of this approach is a strictly literal interpretation of the word "right" in the provision | |||
====Scope==== | ====Scope==== | ||
The title of Article 22 GDPR mentions automated “individual” decision-making, which might suggest that the scope of the provision does not extend to decisions or processing operations which produce effects for groups of data subjects. Following this reasoning, Article 22 GDPR would not be applicable if decisions affect multiple data subjects or groups of individuals connected by common characteristics, such as age, gender, or postal code. However, considering the realities of machine learning and Big Data, pertinent arguments have also been made supporting the view that Article 22 GDPR should apply to group decision-making.<ref>See ''Veale, Edwards'', Clarity, surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling, in ''Computer Law & Security Review'', 34, (2018), p. 402: “''Consider individuals classified by categories such as "man/woman", "married/single/divorced", or "high/low income". Solely automated decisions could be taken for all "divorced low-income women," supposedly rendering Article 22 GDPR inapplicable, despite their potentially significant effects. In such situations, decisions could be treated as a bundle of individual decisions, which makes it more difficult to circumvent Article 22 GDPR, and thereby better protects the fundamental rights of data subjects. However, in the absence of any CJEU decisions on this matter so far, it is still disputed whether Article 22(1) GDPR should apply to group decisions''”.</ref> | The title of Article 22 GDPR mentions automated “individual” decision-making, which might suggest that the scope of the provision does not extend to decisions or processing operations which produce effects for groups of data subjects. Following this reasoning, Article 22 GDPR would not be applicable if decisions affect multiple data subjects or groups of individuals connected by common characteristics, such as age, gender, or postal code. However, considering the realities of machine learning and Big Data, pertinent arguments have also been made supporting the view that Article 22 GDPR should apply to group decision-making.<ref>See ''Veale, Edwards'', Clarity, surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling, in ''Computer Law & Security Review'', 34, (2018), p. 402: “''Consider individuals classified by categories such as "man/woman", "married/single/divorced", or "high/low income". Solely automated decisions could be taken for all "divorced low-income women," supposedly rendering Article 22 GDPR inapplicable, despite their potentially significant effects. In such situations, decisions could be treated as a bundle of individual decisions, which makes it more difficult to circumvent Article 22 GDPR, and thereby better protects the fundamental rights of data subjects. However, in the absence of any CJEU decisions on this matter so far, it is still disputed whether Article 22(1) GDPR should apply to group decisions''”.</ref> | ||
====Decision | ====Decision based solely on automated processing==== | ||
======Decision====== | ======Decision====== | ||
Line 221: | Line 220: | ||
To begin with, this second element of Article 22(1) GDPR will depend on whether human intervention is even possible from a technical perspective, or whether the decision-making process is constructed in a solely algorithmic way with no room for human involvement. If the process technically allows for human intervention, then an assessment has to be made as to whether the action undertaken by a human is “''meaningful''” or merely a procedural “''token gesture''”.<ref>WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]).</ref> In order to meet the first criterion, the intervention must be “''carried out by someone who has the authority and competence to change the decision''”. Furthermore, the human involved must not only have the power to change the decision, but actually exercise this competence by ”''consider''[ing''] all the relevant data''” and verifying the substance and correctness of the machine-generated decision.<ref>WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]); ''Bygrave'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 533 (Oxford University Press 2020).</ref> | To begin with, this second element of Article 22(1) GDPR will depend on whether human intervention is even possible from a technical perspective, or whether the decision-making process is constructed in a solely algorithmic way with no room for human involvement. If the process technically allows for human intervention, then an assessment has to be made as to whether the action undertaken by a human is “''meaningful''” or merely a procedural “''token gesture''”.<ref>WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]).</ref> In order to meet the first criterion, the intervention must be “''carried out by someone who has the authority and competence to change the decision''”. Furthermore, the human involved must not only have the power to change the decision, but actually exercise this competence by ”''consider''[ing''] all the relevant data''” and verifying the substance and correctness of the machine-generated decision.<ref>WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]); ''Bygrave'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 533 (Oxford University Press 2020).</ref> | ||
======Automated | ======Automated processing====== | ||
The "automated processing" criterion in Article 22(1) GDPR is related to the final stage of the processing, which results in a solely automated decision based on already existing data. By contrast, the methods of collecting the initial data sources must not necessarily be automated, and can be semi-automated or even manual.<ref>''Bygrave'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 533 (Oxford University Press 2020).</ref> Furthermore, the automated decision must not entirely be based on personal data related to the person affected by the decision, and can also include non-personal data, or personal data related to other individuals. | The "automated processing" criterion in Article 22(1) GDPR is related to the final stage of the processing, which results in a solely automated decision based on already existing data. By contrast, the methods of collecting the initial data sources must not necessarily be automated, and can be semi-automated or even manual.<ref>''Bygrave'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 533 (Oxford University Press 2020).</ref> Furthermore, the automated decision must not entirely be based on personal data related to the person affected by the decision, and can also include non-personal data, or personal data related to other individuals. | ||
====Legal or | ====Legal or similarly significant effects==== | ||
======Legal Effects====== | ======Legal Effects====== | ||
A decision has legal effects on a data subject when it is binding and affects the person’s legal rights or interests. Examples can be the cancellation of a contract, the decision of a tax authority on an individual’s tax return, or the denial of a social benefit granted by law.<ref>WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available here); ''Brkan'', Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in ''International Journal of Law and Information Technology'', 27 (2019), p. 102.</ref> | A decision has legal effects on a data subject when it is binding and affects the person’s legal rights or interests. Examples can be the cancellation of a contract, the decision of a tax authority on an individual’s tax return, or the denial of a social benefit granted by law.<ref>WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available here); ''Brkan'', Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in ''International Journal of Law and Information Technology'', 27 (2019), p. 102.</ref> | ||
======Similarly | ======Similarly significant effects====== | ||
In principle, satisfying this criterion means that the impacts of the decision must be considerable despite not changing the legal position of the individual. While it can be difficult to establish this in practice, according to the WP29 some guiding criteria for similarly significant effects include: | In principle, satisfying this criterion means that the impacts of the decision must be considerable despite not changing the legal position of the individual. While it can be difficult to establish this in practice, according to the WP29 some guiding criteria for similarly significant effects include: | ||
Line 258: | Line 257: | ||
Furthermore, an analysis of [[Article 6 GDPR|Articles 6(1)(b)]] and 22(2)(a) GDPR seems to indicate a difference in the scope of the two provisions with regards to the necessity of the processing for entering into a contract. Whereas for [[Article 6 GDPR|Article 6(1)(b) GDPR]] the processing would have to be necessary not only for entering into or the performance of a contract, but also in order to take steps at the request of the data subject prior to entering the contract, Article 22(2)(a) GDPR does not mention this additional aspect. In any case, the application of Article 22(2)(a) GDPR is always subjected to the presence of “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (cf. Article 22(3) GDPR). | Furthermore, an analysis of [[Article 6 GDPR|Articles 6(1)(b)]] and 22(2)(a) GDPR seems to indicate a difference in the scope of the two provisions with regards to the necessity of the processing for entering into a contract. Whereas for [[Article 6 GDPR|Article 6(1)(b) GDPR]] the processing would have to be necessary not only for entering into or the performance of a contract, but also in order to take steps at the request of the data subject prior to entering the contract, Article 22(2)(a) GDPR does not mention this additional aspect. In any case, the application of Article 22(2)(a) GDPR is always subjected to the presence of “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (cf. Article 22(3) GDPR). | ||
====(b) Authorised by | ====(b) Authorised by law==== | ||
The second exemption in Article 22(2) GDPR is also subject to the presence of “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests”. However, it seems that such measures do not necessarily need to be the same as those foreseen by Article 22(3) GDPR. Instead, Members States have discretion in this aspect. | The second exemption in Article 22(2) GDPR is also subject to the presence of “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests”. However, it seems that such measures do not necessarily need to be the same as those foreseen by Article 22(3) GDPR. Instead, Members States have discretion in this aspect. | ||
====(c) Explicit | The EDPB pointed out that Article 6(1)(f) GDPR can not be considered a law authorising automated decision making within the meaning of this provision.<ref>EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 81 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> | ||
====(c) Explicit consent==== | |||
The wording of Article 22(2)(c) GDPR (“explicit consent”) results in the same standard for this requirement as [[Article 9 GDPR|Article 9(2)(a) GDPR]]. Particular attention must be given to consent being freely given in the context of entering into or performance of a contract.<ref>See also [https://gdprhub.eu/Article%204%20GDPR Articles 4(11)] and [https://gdprhub.eu/Article%207%20GDPR 7(4) GDPR], as well as Recital 43 GDPR.</ref> Indeed, discussions on whether consent is freely given, including in line with [[Article 9 GDPR|Articles 9(2)]] and 22(2(c) GDPR, will lead to assessing the “necessity” element. In this context, it must be assessed whether the decision is necessary for the “performance of a contract, including the provision of a service” as mandated by [[Article 7 GDPR|Article 7(4) GDPR]]. However, this provision does not mention entering into a contract, which would seem to exclude examples such as online credit applications where the algorithmic decision occurs in order to enter the contract and not to perform it. Furthermore, issues could arise with decisions based on profiling, where a data subject might have given their consent to the profiling, for example by accepting a cookie, but not to the decision-making process resulting from it. In this context, data subjects might not even be aware of the solely automated decision-making process occurring, in which case the consent to the profiling would not be considered as satisfying the requirements of Article 22(2)(c) GDPR.<ref>''Brkan'', Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in ''International Journal of Law and Information Technology'', 27 (2019), p. 106.</ref> Finally, decisions based on explicit consent are also subjected to the safeguards laid down in Article 22(3) GDPR. | The wording of Article 22(2)(c) GDPR (“explicit consent”) results in the same standard for this requirement as [[Article 9 GDPR|Article 9(2)(a) GDPR]]. Particular attention must be given to consent being freely given in the context of entering into or performance of a contract.<ref>See also [https://gdprhub.eu/Article%204%20GDPR Articles 4(11)] and [https://gdprhub.eu/Article%207%20GDPR 7(4) GDPR], as well as Recital 43 GDPR.</ref> Indeed, discussions on whether consent is freely given, including in line with [[Article 9 GDPR|Articles 9(2)]] and 22(2(c) GDPR, will lead to assessing the “necessity” element. In this context, it must be assessed whether the decision is necessary for the “performance of a contract, including the provision of a service” as mandated by [[Article 7 GDPR|Article 7(4) GDPR]]. However, this provision does not mention entering into a contract, which would seem to exclude examples such as online credit applications where the algorithmic decision occurs in order to enter the contract and not to perform it. Furthermore, issues could arise with decisions based on profiling, where a data subject might have given their consent to the profiling, for example by accepting a cookie, but not to the decision-making process resulting from it. In this context, data subjects might not even be aware of the solely automated decision-making process occurring, in which case the consent to the profiling would not be considered as satisfying the requirements of Article 22(2)(c) GDPR.<ref>''Brkan'', Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in ''International Journal of Law and Information Technology'', 27 (2019), p. 106.</ref> Finally, decisions based on explicit consent are also subjected to the safeguards laid down in Article 22(3) GDPR. | ||
Line 274: | Line 275: | ||
Pursuant to Article 12(1), which expressly refers to Article 22, the controller "''shall take appropriate measures''" to provide the information required "''in a concise, transparent, intelligible and easily accessible form, using clear and plain language''". In the light of the above, the controller is obliged to provide complete information in relation to all elements allowing an informed exercise of the rights provided for in Article 22(3) and, more generally, to all elements of automated decision-making, including profiling. This leaves the door open for additional safeguards, such as the potential "''right to explanation''" regarding the automated decision-making, the profiling and the underlying algorithmic logic that could be inferred from Recital 71 GDPR. | Pursuant to Article 12(1), which expressly refers to Article 22, the controller "''shall take appropriate measures''" to provide the information required "''in a concise, transparent, intelligible and easily accessible form, using clear and plain language''". In the light of the above, the controller is obliged to provide complete information in relation to all elements allowing an informed exercise of the rights provided for in Article 22(3) and, more generally, to all elements of automated decision-making, including profiling. This leaves the door open for additional safeguards, such as the potential "''right to explanation''" regarding the automated decision-making, the profiling and the underlying algorithmic logic that could be inferred from Recital 71 GDPR. | ||
==== Practical issues ==== | |||
However, clarifications will still be needed as to how the safeguards already mentioned by Article 22(3) GDPR can be operationalised and what their outcome will be. On the operational side it would be questionable how some systems would even allow for human intervention in practice, for example when the website or platform does not technically allow this. On the other hand, with regards to the legal consequences of the data subject expressing their point of view or contesting the decision, it is not clear from this provision how or by who contentious issues should be resolved in practice.<ref>''Brkan'', Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in ''International Journal of Law and Information Technology'', 27 (2019), p. 106.</ref> | However, clarifications will still be needed as to how the safeguards already mentioned by Article 22(3) GDPR can be operationalised and what their outcome will be. On the operational side it would be questionable how some systems would even allow for human intervention in practice, for example when the website or platform does not technically allow this. On the other hand, with regards to the legal consequences of the data subject expressing their point of view or contesting the decision, it is not clear from this provision how or by who contentious issues should be resolved in practice.<ref>''Brkan'', Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in ''International Journal of Law and Information Technology'', 27 (2019), p. 106.</ref> | ||
===(4) Qualified | In addition, effective implementation of a right to explanation faces both legal and technical issues. On the one hand, the problem arises of how to balance such a data subject's right with intellectual property rights and industrial secrets of the controller. On the other hand, due to the current level of development of machine learning technologies, it may be difficult for the controller to explain in details the logic behind processes partly beyond human understanding. However, from a legal perspective, the latter argument should lead to the logical conclusion that controller shall not make use of such tools, if they are not able to fully understand their functioning and effects in practice. | ||
===(4) Qualified prohibition of using special categories of data=== | |||
Explicit consent in the context of Article 22(4) GDPR should be interpreted in a similar manner as to Article 22(2)(c) GDPR. With regards to the “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests”, these seem to have the same scope and interpretation as in Article 22(3) GDPR. | Explicit consent in the context of Article 22(4) GDPR should be interpreted in a similar manner as to Article 22(2)(c) GDPR. With regards to the “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests”, these seem to have the same scope and interpretation as in Article 22(3) GDPR. | ||
Latest revision as of 13:39, 24 October 2024
Legal Text
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
Relevant Recitals
The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.
In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.Commentary
Article 22 GDPR has its roots in Articles 12a and 15 of the 95/46/EC Data Protection Directive (DPD). One of the main differences is that the GDPR has a broader scope of application, since it applies to “automated processing, including profiling”. In contrast, the DPD provision was only applicable if a form of profiling was involved.[1] This difference in scope can be noticed between the initial proposal of the Commission, in which Article 22 was titled “Measures based on profiling" and the final wording of the GDPR, which extends the scope of Article 22 GDPR to include automated decisions which are not based on profiling. In contrast to the DPD, Article 22(4) GDPR also explicitly addresses the use of sensitive data by laying down a qualified prohibition of decisions based on categories of data listed under Article 9(1) GDPR.
(1) Prohibition on automated decision-making
There have been conflicting arguments as to whether Article 22(1) GDPR lays down a right or a general prohibition. On the one hand, if the provision is interpreted as a right, then the data subject would have to actively exercise the right in order to be protected from the types of impactful, automated decisions that Article 22 GDPR deals with. The main argument invoked by proponents of this approach is a strictly literal interpretation of the word "right" in the provision,[2] alongside with the fact that this provision is included in Chapter III of the GDPR, regulating the "Rights of the data subject". On the other hand, Article 22(1) GDPR can be framed as a general prohibition. This interpretation seems more in line with the purpose of the provision, which seeks to protect data subjects from the general possibility of being subject to decisions covered by Article 22 GDPR. The WP29 Guidelines on Automated individual decision-making and Profiling,[3] seems to take this broader and more comprehensive approach: “The term 'right' in the provision does not mean that Article 22(1) applies only when actively invoked by the data subject. Article 22(1) establishes a general prohibition for decision-making based solely on automated processing. This prohibition applies whether or not the data subject takes action regarding the processing of their personal data”.[4]
Scope
The title of Article 22 GDPR mentions automated “individual” decision-making, which might suggest that the scope of the provision does not extend to decisions or processing operations which produce effects for groups of data subjects. Following this reasoning, Article 22 GDPR would not be applicable if decisions affect multiple data subjects or groups of individuals connected by common characteristics, such as age, gender, or postal code. However, considering the realities of machine learning and Big Data, pertinent arguments have also been made supporting the view that Article 22 GDPR should apply to group decision-making.[5]
Decision based solely on automated processing
Decision
The first element required to trigger Article 22 GPDR is the presence of a "decision", which can be interpreted in a broad sense.[6] Examples of a decision can be official acts of public authorities such as decisions on tax returns,[7] as well as automatic refusals of online credit applications or similar decisions in the context of e-recruiting practices.[8] In a more general sense, decisions could also be seen as a particular attitude or position taken with regards to a person, if this position is at least likely to be acted upon.[9] Although there does not seem to be a specific requirement for the decision to be formalised in a particular way, it should at least be distinguishable from other stages of the decision-making process.
Solely
To begin with, this second element of Article 22(1) GDPR will depend on whether human intervention is even possible from a technical perspective, or whether the decision-making process is constructed in a solely algorithmic way with no room for human involvement. If the process technically allows for human intervention, then an assessment has to be made as to whether the action undertaken by a human is “meaningful” or merely a procedural “token gesture”.[10] In order to meet the first criterion, the intervention must be “carried out by someone who has the authority and competence to change the decision”. Furthermore, the human involved must not only have the power to change the decision, but actually exercise this competence by ”consider[ing] all the relevant data” and verifying the substance and correctness of the machine-generated decision.[11]
Automated processing
The "automated processing" criterion in Article 22(1) GDPR is related to the final stage of the processing, which results in a solely automated decision based on already existing data. By contrast, the methods of collecting the initial data sources must not necessarily be automated, and can be semi-automated or even manual.[12] Furthermore, the automated decision must not entirely be based on personal data related to the person affected by the decision, and can also include non-personal data, or personal data related to other individuals.
Legal or similarly significant effects
Legal Effects
A decision has legal effects on a data subject when it is binding and affects the person’s legal rights or interests. Examples can be the cancellation of a contract, the decision of a tax authority on an individual’s tax return, or the denial of a social benefit granted by law.[13]
Similarly significant effects
In principle, satisfying this criterion means that the impacts of the decision must be considerable despite not changing the legal position of the individual. While it can be difficult to establish this in practice, according to the WP29 some guiding criteria for similarly significant effects include:
- significantly affects the circumstances, behaviour or choices of the individuals concerned;
- has a prolonged or permanent impact on the data subject; or
- at its most extreme, leads to the exclusion or discrimination of individuals.
The WP29 also gives examples of decisions that can have effects which are similarly significant to legal ones. These include decisions that:
- affect someone’s financial circumstances, such as their eligibility to credit;
- affect someone’s access to health services;
- deny someone an employment opportunity or put them at a serious disadvantage;
- affect someone’s access to education, for example university admissions.
In any case, the decision should have more than just a trivial effect, and impact someone’s position either in relation to other persons, or to access a service or opportunity. For example, Recital 71 GDPR mentions the “automatic refusal of an online credit application or e-recruiting practices without human intervention”.
Decisions resulting in targeted advertisement based on profiling could also significantly affect individuals, for example, when someone is targeted with high interest loans because they are known to be in financial difficulties and are particularly susceptible to accept such offers. In this context, the WP29 lays down a non-exhaustive list of characteristics that can be decisive in the assessment of each case, such as:
- the intrusiveness of the profiling process, including the tracking of individuals across different websites, devices and services;
- the expectations and wishes of the individuals concerned;
- the way the advert is delivered; or
- using knowledge of the vulnerabilities of the data subjects targeted.
(2) Exceptions
(a) Contract
The first exception from the prohibition laid down in Article 22(1) GDPR applies if the decision is necessary for entering into, or performance of, a contract between the data subject and the controller. It is unclear how the "necessity" criterion should be interpreted. A strictly textual interpretation would lead to most examples of solely automated decisions not being considered necessary. For example, while assessing if an individual’s credit risk is necessary for a bank in order to protect its investments, algorithmic credit scoring is not in itself necessary, since an assessment can also be carried by humans. As different arguments could be made for the threshold and meaning of the "necessity" criterion, this aspect will need to be clarified by courts.
Furthermore, an analysis of Articles 6(1)(b) and 22(2)(a) GDPR seems to indicate a difference in the scope of the two provisions with regards to the necessity of the processing for entering into a contract. Whereas for Article 6(1)(b) GDPR the processing would have to be necessary not only for entering into or the performance of a contract, but also in order to take steps at the request of the data subject prior to entering the contract, Article 22(2)(a) GDPR does not mention this additional aspect. In any case, the application of Article 22(2)(a) GDPR is always subjected to the presence of “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (cf. Article 22(3) GDPR).
(b) Authorised by law
The second exemption in Article 22(2) GDPR is also subject to the presence of “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests”. However, it seems that such measures do not necessarily need to be the same as those foreseen by Article 22(3) GDPR. Instead, Members States have discretion in this aspect.
The EDPB pointed out that Article 6(1)(f) GDPR can not be considered a law authorising automated decision making within the meaning of this provision.[14]
(c) Explicit consent
The wording of Article 22(2)(c) GDPR (“explicit consent”) results in the same standard for this requirement as Article 9(2)(a) GDPR. Particular attention must be given to consent being freely given in the context of entering into or performance of a contract.[15] Indeed, discussions on whether consent is freely given, including in line with Articles 9(2) and 22(2(c) GDPR, will lead to assessing the “necessity” element. In this context, it must be assessed whether the decision is necessary for the “performance of a contract, including the provision of a service” as mandated by Article 7(4) GDPR. However, this provision does not mention entering into a contract, which would seem to exclude examples such as online credit applications where the algorithmic decision occurs in order to enter the contract and not to perform it. Furthermore, issues could arise with decisions based on profiling, where a data subject might have given their consent to the profiling, for example by accepting a cookie, but not to the decision-making process resulting from it. In this context, data subjects might not even be aware of the solely automated decision-making process occurring, in which case the consent to the profiling would not be considered as satisfying the requirements of Article 22(2)(c) GDPR.[16] Finally, decisions based on explicit consent are also subjected to the safeguards laid down in Article 22(3) GDPR.
(3) Safeguards
Article 22(3) GDPR lays down a non-exhaustive list of safeguards which should always be available to the data subjects in case of automated decision-making carried out under Article 22(2)(a) and (c) GDPR. The list is not exhaustive and includes the right to obtain human intervention on the part of the controller, to express the data subject’s point of view and to contest the decision.
These rights maintain a unifying element: in order to be exercised, they all require some kind of prior information that only the controller can provide. Take, for example, the right to challenge the decision. In order to do so, it is necessary to know which elements have been taken into account by the algorithm and what its logic is, albeit in summary form. Conversely, it would be logically impossible to challenge the decision. The same applies to the right to obtain human intervention. In order to meaningfully exercise it, it is necessary to know at least what procedure the data subject has to follow and which criteria guide the reviewer’s decision. Otherwise, it would be completely impossible to express one's own point of view.
Pursuant to Article 12(1), which expressly refers to Article 22, the controller "shall take appropriate measures" to provide the information required "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". In the light of the above, the controller is obliged to provide complete information in relation to all elements allowing an informed exercise of the rights provided for in Article 22(3) and, more generally, to all elements of automated decision-making, including profiling. This leaves the door open for additional safeguards, such as the potential "right to explanation" regarding the automated decision-making, the profiling and the underlying algorithmic logic that could be inferred from Recital 71 GDPR.
Practical issues
However, clarifications will still be needed as to how the safeguards already mentioned by Article 22(3) GDPR can be operationalised and what their outcome will be. On the operational side it would be questionable how some systems would even allow for human intervention in practice, for example when the website or platform does not technically allow this. On the other hand, with regards to the legal consequences of the data subject expressing their point of view or contesting the decision, it is not clear from this provision how or by who contentious issues should be resolved in practice.[17]
In addition, effective implementation of a right to explanation faces both legal and technical issues. On the one hand, the problem arises of how to balance such a data subject's right with intellectual property rights and industrial secrets of the controller. On the other hand, due to the current level of development of machine learning technologies, it may be difficult for the controller to explain in details the logic behind processes partly beyond human understanding. However, from a legal perspective, the latter argument should lead to the logical conclusion that controller shall not make use of such tools, if they are not able to fully understand their functioning and effects in practice.
(4) Qualified prohibition of using special categories of data
Explicit consent in the context of Article 22(4) GDPR should be interpreted in a similar manner as to Article 22(2)(c) GDPR. With regards to the “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests”, these seem to have the same scope and interpretation as in Article 22(3) GDPR.
Decisions
→ You can find all related decisions in Category:Article 22 GDPR
References
- ↑ Article 20 of GDPR proposal, COM(2012) 11 final (available here).
- ↑ Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 531 (Oxford University Press 2020).
- ↑ WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, (available here).
- ↑ The WP29 supports this argument by relying on the principles of the GDPR and its aim to give data subjects control over their personal data. Furthermore, the WP29 makes a reference to Recital 71 GDPR, which implies that decisions under Article 22(1) GDPR are generally not allowed, by contrasting these with decisions regulated by Article 22(2) GDPR which should, “however”, be allowed. WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 19 (available here).
- ↑ See Veale, Edwards, Clarity, surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling, in Computer Law & Security Review, 34, (2018), p. 402: “Consider individuals classified by categories such as "man/woman", "married/single/divorced", or "high/low income". Solely automated decisions could be taken for all "divorced low-income women," supposedly rendering Article 22 GDPR inapplicable, despite their potentially significant effects. In such situations, decisions could be treated as a bundle of individual decisions, which makes it more difficult to circumvent Article 22 GDPR, and thereby better protects the fundamental rights of data subjects. However, in the absence of any CJEU decisions on this matter so far, it is still disputed whether Article 22(1) GDPR should apply to group decisions”.
- ↑ Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 532 (Oxford University Press 2020).
- ↑ Brkan, Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in International Journal of Law and Information Technology, 27 (2019), p. 102.
- ↑ Recital 71 GDPR.
- ↑ Mendoza, Bygrave, The Right not to be Subject to Automated Decisions based on Profiling, in University of Oslo Faculty of Law Legal Studies Research Paper Series No. 2017-20 (2017), pp. 10-11.
- ↑ WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available here).
- ↑ WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available here); Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 533 (Oxford University Press 2020).
- ↑ Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 22 GDPR, p. 533 (Oxford University Press 2020).
- ↑ WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 21 (available here); Brkan, Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in International Journal of Law and Information Technology, 27 (2019), p. 102.
- ↑ EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 81 (available here).
- ↑ See also Articles 4(11) and 7(4) GDPR, as well as Recital 43 GDPR.
- ↑ Brkan, Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in International Journal of Law and Information Technology, 27 (2019), p. 106.
- ↑ Brkan, Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond, in International Journal of Law and Information Technology, 27 (2019), p. 106.