Automated Decision-Making
Jules Polonetsky
CEO @ Future of Privacy Forum | Advancing Responsible Data Practices
Today, the Future of Privacy Forum launched a comprehensive?Report ?analyzing case-law under the General Data Protection Regulation (GDPR) applied to real-life cases involving Automated Decision Making (ADM). The Report is informed by extensive research covering more than 70 Court judgments, decisions from Data Protection Authorities (DPAs), specific Guidance and other policy documents issued by regulators. Congratulations to FPF lead authors Sebastio Barros Vale and Gabriela Zanfor-Fortuna for this valuable contribution.
The GDPR has a particular provision applicable to decisions based solely on automated processing of personal data, including profiling, which produces legal effects concerning an individual or similarly affects that individual: Article 22. This provision enshrines one of the “rights of the data subject”, particularly the right not to be subject to decisions of that nature (i.e., ‘qualifying ADM’), which has been interpreted by DPAs as a prohibition rather than a prerogative that individuals can exercise.
However,?the GDPR’s protections for individuals against forms of automated decision-making (ADM) and profiling go significantly beyond Article 22. In this respect, there are several safeguards that apply to such data processing activities, notably the ones stemming from the general data processing principles in Article 5, the legal grounds for processing in Article 6, the rules on processing special categories of data (such as biometric data) under Article 9, specific transparency and access requirements regarding ADM under Articles 13 to 15, and the duty to carry out data protection impact assessments in certain cases under Article 35.
This new FPF Report outlines how national courts and DPAs in the European Union (EU)/European Economic Area (EEA) and the UK have interpreted and applied the relevant EU data protection law provisions on ADM so far – before and after the GDPR became applicable -, as well as the notable trends and outliers in this respect. To compile the Report,?we have looked into publicly available judicial and administrative decisions and regulatory guidelines across EU/EEA jurisdictions and the UK. It draws from more than 70 cases – 19 court rulings and more than 50 enforcement decisions, individual opinions, or general guidance issued by DPAs, – from a span of 18 EEA Member-States, the UK, and the European Data Protection Supervisor (EDPS). To complement the facts of the cases discussed, we have also looked into press releases, DPAs’ annual reports, and media stories.
Some examples of ADM and profiling activities assessed by EU courts and DPAs and analyzed in the Report include:
领英推荐
Our analysis shows that the GDPR as a whole is relevant for ADM cases and has been effectively applied to protect the rights of individuals in such cases, even in situations where the ADM at issue did not meet the high threshold established by Article 22 GDPR. Among those, we found?detailed transparency obligations about the parameters that led to an individual automated decision, a broad reading of the fairness principle to avoid situations of discrimination, and?strict conditions for valid consent?in cases of profiling and ADM.
Moreover, we found that when enforcers are assessing the threshold of applicability for Article 22 (“solely” automated, and “legal or similarly significant effects”), the criteria they use are increasingly sophisticated. This means that:
A recent preliminary ruling request sent by an Austrian court in February 2022 to the Court of Justice of the European Union (CJEU) may soon help clarify these concepts, as well as other related to the information which controllers need to give data subjects about ADM’s underlying logic, significance and envisaged consequences for the individual.
The findings of this Report may also serve to inform the discussions about pending legislative initiatives in the EU that regulate technologies or business practices that foster, rely on,?or relate to ADM and profiling, such as the AI Act, the Consumer Credits Directive, and the Platform Workers Directive.
Award Winning Global Privacy Expert, Speaker & Media Commentator | Bestselling Author, Podcast Host & Career Coach | I Help Mid Career Professionals Become Confident, Capable & Credible World-Class Privacy Experts
2 年I look forward to reading this congratulation to Dr. Gabriela Zanfir-Fortuna and the team for producing this!
Growth & Product Marketer | 15 Yrs Cutting-Edge Technology | Natural Collaborator | Data & AI-Centric | 35+ Launch Campaigns | 3 X Founding Marketer | Founder of AI Nonprofit | Lead author of National Data Standard
2 年Jeff Jockisch Collaboration potential?
Partner - Privacy at Helios. Founder, Salinger Privacy. Senior Fellow, Future of Privacy Forum. IAPP Global Vanguard Award (2022, Oceania region), for ‘exceptional leadership, knowledge and creativity in privacy’.
2 年Looking forward to reading this - congrats Dr. Gabriela Zanfir-Fortuna and team for putting this together!
AI Ethics, Data Privacy & Cybersecurity | General Counsel | Corporate Secretary & Board Advisor | Government Relations | Identifying & mitigating risk for multinational technology companies
2 年Very thoughtful and comprehensive publication from FPF, but we've come to expect that from you!
Data Expert in Law and Technology: Helping Businesses Grow while using all their data lawfully and ethically – Data, Data Protection and IT law, Information Security, and AI Expertise
2 年This is a very thorough piece of work to put together every decision.