Unpicking Article 22

Did you read our previous post “In the news: automated decision-making”? Following on from that, we are now going to unpick Article 22.

Few people had heard of Article 22 of the GDPR before this summer’s automated grade-prediction story broke in the media. This lesser-known snippet of the GDPR is highly significant for our everyday lives. So many workflows are automated, making the entitlement to challenge automated decisions one of the most important data subject rights that the GDPR bestows.

Automated decision-making presents a high risk to the rights and freedoms of individuals for a number of reasons. For example, it works at a volume and speed that are beyond human capacity to keep track of… let alone understand.

For a Controller who is accountable for the effects produced by their automated decision-making, familiarity with Article 22 and how it interacts with the rest of the GDPR is essential to managing data protection risk.

So what does it say?

Article 22

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This means that there is a general prohibition on leaving decisions that significantly affect individuals entirely up to computers. In other words, humans must be in the loop at some point.

‘Legal effects’ means ‘having an effect on the data subject’s legal rights’ – the obvious one that might spring to mind is the right not to be unfairly discriminated against, but there are many rights which could be affected. Even if no legal rights are directly affected, if the automated decision produces a significant impact in other ways (on an individual’s behaviour or choices, for example), then the processing is forbidden by default.

However, it’s not always forbidden – there are narrow circumstances in which it can be used…

2. Paragraph 1 shall not apply if the decision:
(a) Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) Is based on the data subject’s explicit consent.

This means that solely-automated processing can only be carried out on the basis of contract, legal duty or consent. Never legitimate interests, public interest or vital interests. When automated processing is employed to negotiate or fulfil the terms of a contract, it must be necessary to do so – not just ‘easier’ or ‘cheaper’.

Any Controller relying on legal obligation must be prepared to cite the specific legal duty that requires automated processing to take place and justify why it is necessary. For example, the use of fraud-monitoring systems to block suspicious financial transactions may be justified by section 18 of the Money Laundering Regulations, on the basis that analysing transaction patterns in real time is beyond the capability of most human beings and therefore automated judgement is appropriate.

Consent, of course, must be:

  • Informed – the logic of the processing must be described, the risks highlighted and the data subject’s rights explained,
  • Freely-given – there must be a genuine choice, and no detriment arising from refusal or withdrawal,
  • Explicit – consent for the automated processing to take place must be presented separately to terms and conditions, cookie consent, marketing consent or any other aspect of the interaction,
  • Unambiguous – a positive and specific response by the data subject to the question of consent for automated processing

… and all of this must be in place before the automated processing begins.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

It’s highly likely that automated processing will have an impact on the rights, freedoms or interests of the data subject – and therefore a DPIA should be carried out (before the processing begins). ‘Suitable measures’ will depend on the nature (scope, context, etc) of the processing, so there’s no definitive checklist that can be applied in all scenarios. As this paragraph makes clear, there must be processes and channels for a data subject to:

a) identify that a decision has been made by automated means

b) challenge that decision

c) have a human being review the decision

although these steps may not be enough on their own to provide ‘suitable’ measures for protecting data subjects.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Automated decision-making presents an even greater threat to individuals’ rights and freedoms when special category personal data is involved, so it is permitted only when it is necessary in the substantial public interest, or with explicit consent.

(Substantial public interest conditions are outlined in Schedule 1, Part 2 of the UK Data Protection Act.) A DPIA is definitely required if the automated processing will involve special category personal data.

Applying Article 22

a) Identify activities which will involve automated decision-making, map the data flows and the logic used in the decision-making process.

If you are looking at a product or service which involves automated decision-making, you will need to engage with the vendor to get this information. The ideal time to do this is before you buy anything.

b) Assess the ‘what-ifs’ – could this processing somehow produce ‘legal effects’, long-term consequences, or disruption to the data subject’s normal life?

If not, you can go ahead with the processing, as long as you ensure that the Principles, data subject’s rights and Controller obligations are met for all of the processing.

c) Make sure the purposes, lawful bases and justifications of necessity are all established for the proposed automated decision-making.

 
