A much-debated question is the nature of Article 22 GDPR. The Article 29 Working Party,on the one hand, interprets this provision as a general prohibition and mostly justifies its reading based on Recital 71, which makes it clear that processing under Article 22 GDPR is not allowed generally.^[2] On the other hand, Bygrave and other authors argue that this interpretation runs counter the actual wording of Article 22 GDPR, as well as its placement in the structure of the Regulation (namely, Chapter III on data subject’s rights) and its special consideration in Articles 13.2(f), 14.2(g), 15.1(h), and 35.3(a).^[3]Whereas the interpretation of Article 22 GDPR as a prohibition requires the data controller to apply it regardless of the data subject’s action for this purpose, its interpretation as a right involves its exercise following the aforementioned requirements enshrined in Article 12 GDPR that will also be mentioned below.

The automated decision-making is the ability to make decisions by technological means without human involvement. Automated decisions can be based on any type of data, for example, data provided directly by the individuals concerned (such as responses to a questionnaire); data observed about the individuals (such as location data collected via an application); derived or inferred data such as a profile of the individual that has already been created (e.g. a credit score)^[4].

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements (see Article 4 GDPR).

Although the GDPR does not define the ‘legal’ and ‘similar effects’ arising from the automated decision-making, the Article 29 Working Party clarifies that a legal effect requires that the decision, which is based on solely automated processing, affects someone’s legal rights, such as the freedom to associate with others, vote in election or take a legal action. A legal effect may also be something that affects a person’s legal status or their rights under a contract^[5]. Examples of legal effects encompass the termination of a contract, the denial of a social benefit granted by law, the denial of citizenship or resident permits. As regards the similar effects, the Article 29 Working Party considers them as the consequence ofdecisions that must have the potential to significantly affect the circumstances, behaviors or choices of the individual concerned: have prolonged or permanent impact on the data subject or; lead to the exclusion or discrimination of the individual^[6]. This is evident in a e-recruitment practice that favor white men over women or people pertaining to minority or vulnerable groups.

Pursuant to Article 22.4 GDPR, where special categories of personal data are involved, automated decision-making can occur, on the condition that the data subject has explicitly consented to it or where it is necessary for reasons of substantial public interest provided for by EU or EU Member State Law. In this context, the controller must take all the appropriate measures to safeguard the data subject’s rights and freedoms.

As already mentioned, Article 12 GDPR provides the controller’s obligation to inform the data subject about the existence of the automated decision-making. In addition, the information should not be limited to the fact that such decision-making occurs, but it should also explain the logic involved and the potential consequences for the data subject^[7].

Article 22.2 GDPR provides three exceptions from the prohibition of automated decision-making, namely:

• The decision is necessary for entering into, or performance of, a contract between the data subject and a controller;
• The decision is authorized by EU or EU Member State law to which the controller is subject;
• The decision is based on the data subject’s explicit consent.

In cases one of these exceptions applies, the data controller shall implement specific safeguards other than the ones generally provided in Article 12 GDPR. Based on Article 22.3 GDPR, in the cases of derogations for contract and consent, the data subjects will still have the right to demand human review of the fully automated decision, in addition to the general safeguards that the data controller should implement to protect their fundamental rights and freedoms, as well as legitimate interests. Additionally, in order to guarantee a fair and transparent data processing, Recital 71 requires the data controller to use appropriate mathematical or statistical procedures for the profiling, implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimized, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and prevent, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or processing that results in measures having such an effect. For these purposes, the implementation of the principle of data protection by design and by default are of the utmost importance.

Furthermore, Recital 91 clarifies that a data protection impact assessment should be made in the context of automated decision-making processes, whenever thedata processing results indecisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures.The provision continues by saying that [a] data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic- electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.

References

¹L. A. Bygrave, ‘Article 22. Automated individual decision-making, including profiling, in C.Kuner, L. A. Bygrave& C.DockseyThe EU General Data Protection Regulation (GDPR) A Commentary, Oxford: Oxford University Press, 2020, p. 526 ↑

²Article 29 Data Protection Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, 2018, WP251rev.01, pp. 19-20 ↑

³L. A. Bygrave, op. cit., pp. 531-532 ↑

⁴Article 29 Data Protection Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, op. cit., p. 8 ↑

⁵Article 29 Data Protection Working Party, ‘Guidelines on Automated Individuals Decision-Making and Profiling for the Purpose of Regulation no. 2016/679’, op. cit., p. 21 ↑

⁶Ibid. ↑

⁷Fundamental Rights Agency (ed.), op. cit., p. 234 ↑