GDPR Automated Decision Making: What Article 22 Requires
This article explains the GDPR's rules on automated decision-making under Article 22, including what counts as a 'significant effect', the requirements for meaningful human involvement, and the three lawful bases for such processing.
Why it matters
Understanding GDPR's rules on automated decision-making is critical as AI-powered scoring, credit decisions, and personalization become ubiquitous across industries.
Key Points
- 1Article 22 of GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects
- 2Significant effects include credit scoring, insurance pricing, job application screening, and benefits determinations, but not necessarily targeted advertising or content personalization
- 3For human involvement to take a decision out of scope, the reviewer must have authority to change the decision and actually review the individual's circumstances
Details
The GDPR's Article 22 places specific requirements on the use of automated decision-making, including profiling, that produces legal effects or similarly significant consequences for individuals. For Article 22 to apply, there must be an actual decision made based solely on automated processing, with no meaningful human involvement. The GDPR does not exhaustively define 'significant effects', but examples include credit decisions, insurance pricing, and job application screening. Targeted advertising and content personalization may not meet the threshold unless they result in exclusion from opportunities. If Article 22 applies, companies must meet one of three lawful bases: explicit consent, necessity for a contract, or substantial public interest. They also have obligations around transparency, the right to human review, and the right to an explanation of the decision. The upcoming EU AI Act will further regulate high-risk AI systems that fall under Article 22.
No comments yet
Be the first to comment