Automated Processing

Definition under EU GDPR

Solely automated decision-making is the ability to make decisions by technological means without human involvement

 

Definition under EU GDPR

  • data provided directly by the individuals concerned (such as responses to a questionnaire);
  • data observed about the individuals (such as location data collected via an application);
  • derived or inferred data such as a profile of the individual that has already been created (e.g. a credit score).

 

Protections attached to automated processing

  • Right to be informed (Art. 13 and 14)
  • Right of access, rectification, erasure
  • Right to object
  • Right not to be subject to automated individual decision-making

 

Protections attached to automated processing

  • Right to be informed (Art. 13 and 14)
  • Right not to be subject to automated individual decision-making

 

Right to be informed

Article 13 (f) and 14 (2) (g)

"meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject"

Right to be informed

Article 13 (f) and 14 (2) (g)

"meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject"

Right to opt-out (Art.22)

  • Right not to be subject to a decision based solely on automated processing, including profiling
  • The decision must produce legal effects concerning him or her or similarly significantly affects him or her.

Right to opt-out - Exceptions

  • If the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller
  • If the decision is authorised by laws and also lays down suitable measures to safeguard the data subject’s rights
  • If the decision is based on explicit consent of data subject

Both too broad and too narrow

Why too narrow?

  • Broadly worded exceptions

Performance of a contract

  • "Controllers may wish to use solely automated decision-making processes for contractual purposes because they believe it is the most appropriate way to achieve the objective."
  • All arrangements of data collection leading to automated processing can be structured as a contract (or pre-contractual obligations), to circumvent this right

Authorised by law

  • All forms of automated processing sanctioned by law for governmental or other purposes is bereft of this right.
  • This would apply to all state collection of data (directly or indirectly), which has a basis in law
  • This could also apply to private sector processing of data where the law sanctions use of certain kinds of processes

Solely automated processing only

  • For any decision that involves a human in any way, this right is not available
  • Decisions that are not solely automated might also include profiling. For example, before granting a
    mortgage, a bank may consider the credit score of the borrower, with additional meaningful
    intervention carried out by humans before any decision is applied to an individual.
  • It is easy to automate a process, and merely show a human in the workflow, to avoid this provision

Why too broad?

  • The approach of the regulation is to address an overly broad category of action, rather than issues around it

Why too broad?

  • The approach of the regulation is to address an overly broad category of action, rather than issues around it

Attempts to qualify automated processing

Requirement of the decision to have

  • Legal effect, or
  • Similarly significant impact

Attempts to qualify automated processing

Legal effect

 

  • Impact on legal rights
  • Impact on legal status
  • Impact on contractual rights

Attempts to qualify automated processing

Similarly significant impact

 

  • even if impact is not on legal rights, its produces an effect which is similarly significant

Right to explanation (Art 13 and 14)

  • Applies to all automated decision-making (the qualifications of Art 22 are not applicable)
  • "meaningful information about the logic involved"
  • "significance and the envisaged consequences of such processing"

"meaningful information"

  • System functionality: logic, significance, and general functionality of an automated decision-making system, eg. the system’s requirements specification, decision trees, pre-defined models, criteria, and classification structures

"meaningful information"

  • The language used suggests that data subjects must be provided with information about how an automated decision-making system works in general, for which purposes, and with what predicted impact, before automated decisions are made. Notably this cannot include any information about how a specific decision was made or reached, but rather addresses how the system itself functions, eg its decision tree or rules, or predictions about how inputs will be processed