Under article 22 GDPR, at least as construed by European Data Protection Board’s guidance, there is a general prohibition against making decisions based solely on automated processing, including profiling, when these decisions produce legal effects concerning individuals or similarly affect them. In such cases, controllers must rely on one of the exceptions provided in art. 22.2 GDPR, and its specific regulatory framework (including strengthened transparency duties) applies.
The term “solely on automated processing” refers to the lack of human intervention in the decision-making process, implying the absence of meaningful and active human participation. While this may appear self-evident, the importance of human intervention has blurred over the years.
In this context, the Spanish DPA has published a blog entry providing recommendations and guidance (along with examples) for objectively assessing a person's participation in the decision-making process. The blog entry also refers to the recent Court of Justice of the EU on the SCHUFA decision, which offered a broad interpretation of the article 22 GDPR:
-
Competence: Does the person have the authority or an assigned task allowing them to modify the outcome of the automated decision?
-
Preparation and training. Does the person have the ability / aptitude / knowledge to evaluate the automated decision and its underling factors in the context of the processing and the system used considering its capabilities and limitations?
-
Independence and diligence in the exercise of their powers. Does the person face pressures from the organization or external sources that may coerce them to dispute the automated decision (e.g., this includes automation bias) or refrain from questioning them?
-
Means to be able to exercise the person’s competence and qualifications. The following person’s means and skills must be evaluated:
a. The decision process must allow for the person to apply his/her competences. In other words, the person’s ability to intervene in a timely manner and due form must be foreseen in the decision process (even if the process is digital).
b. The person must have all necessary information in a timely manner to be able to exercise their qualification and make an informed decision, considering consequences, risks of decisions in general, and those made for specific cases; individuals data and context, etc.
c. Person must have the necessary resources to intervene.
d. Person must have the sufficient time to address the automated decision in a feasible and realistic way.
It is worth recalling that, in addiction to the lack of human intervention, for art. 22. GDPR to apply, such decisions must result in legal or similarly significantly effects.
Next steps
In the light of the recent SCHUFA decision and with the imminent adoption of AI regulation, automated decisions seem to be on the radar of supervisory agencies. Controllers should review criteria mentioned above to determine whether the degree of the human intervention in their processing activities is substantial enough to exempt them from the art. 22 GDPR regime, where other elements of art. 22 are present.
