The preliminary point of Article 22, Article 15 of the 1995 Data Protection Directive (DPO), limited its scope to decisions which had produced an `unfavourable` legal effect or a similar adverse effect32, in accordance with french administrative law on which that provision was based. However, this language has not been included in the DPO or GDPR. In its first draft guidelines, the Article 29 Working Group clarified that material impacts could be positive or negative.33 In a later version, the Working Group deleted all references to its previous statement and did not comment on the matter. However, if we compare the GDPR with its sister instrument for policing, the Law Enforcement Directive, which, unlike the GDPR, explicitly mentions that only “adverse” (legal) effects would apply, as well as the explicit removal of “unfavourable” in the drafting of the Data Protection Directive, they all serve as indicators that the legislator wanted the provision to be applied with significant effects whatever whatever its value. 34 Article 22 of the GDPR contains provisions restricting its use. automated decision-making systems when they are “exclusively automated” and have “significant legal or similar effects”. The specific remedies provided for in paragraph 4 and their usefulness5 are the subject of a debate that is not sought in this document. Instead, we focus exclusively on the scope of Article 22. A similarly worded provision exists in the Enforcement Directive, the GDPR`s sister instrument for police and criminal justice.6 In addition, many other international laws have a similar or almost identical interpretation to Article 22.7 Although our analysis focuses on the GDPR to examine this provision, the issues we raise are relevant in a broader sense. One way to mitigate this problem could be to adopt a two-pronged approach: an interpretive strategy in which “positive” effects are treated as insignificant, combined with an operational strategy that ensures that no negative effects can occur automatically. In the case of the fight against money laundering, this means that the continued operation of the bank account as usual has a “positive” effect and therefore does not fall within the scope and requires a legal basis; In the meantime, simply marking one`s own account as suspicious for human verification is not (yet) a significant effect, since no decision has yet been made. While there may be potential for automated decision-making with a positive effect (business as usual), there is “no” possibility of automated decision-making with a negative effect (accounts are only frozen after a human review that does not fall within the scope of Article 22). In content moderation, this would mean that all tagged content was sent to a human for review, while all unlabeled content was not.
It is puzzling that the “realization” approach and the “potential” approach has some support in the law. Recital 71 of the GDPR provides examples of Article 22 – Qualification Decisions, which specify the “automatic rejection of an online loan application” [emphasis added] and not the automatic assessment. However, the rights to information provided for in Articles 13 to 14 must be exercised “before” the start of processing27, which requires an assessment of whether a decision falls within the definition in Article 22, which must be taken before processing. The forward-looking wording of the articles on information rights, which emphasises the “foreseen” consequences,28 also suggests that this obligation must be fulfilled at least before processing.29 In addition, the remedies provided for in Article 22(3) – human intervention to seek, express a point of view and challenge a decision – are meaningless until a decision has been taken. This is especially true for decisions based on consent: if the refusal of consent would force human intervention (to prevent the decision from being an Article 22 decision), then the guarantee of human intervention is superfluous. We do not want to resolve that tension here. We collect them to highlight the consequences when the focus is on the final step of the decision-making process to determine the state of the entire treatment operation. This can sometimes make sense when it comes to whether human intake is sufficient (regardless of the summary cases mentioned above).
However, the above examples show that the issues at issue on the scope of Article 22 do not relate only to the degree of human involvement or the significance of the effects of the decision. Even in cases where the last step is clearly exclusively automated, it may not be clear how far the scope should extend in a chain of automated steps. Multi-level automated decision-making scenarios therefore raise more fundamental questions about the scope of Article 22, which in themselves require further analysis. While it is clear that initial profiling plays a role in achieving the ultimately significant effect (from further examination), if there is downstream discretion, this may not be enough. In some cases, however, it will likely be a fait accompli; In a system with significant effects and a profiling system, it will be inevitable that at some point, in some cases, a person acts in such a way that he produces the significant effect by confirming the profile. This is an essential means by which even the most basic configurations of decision support systems can pose problems in determining the scope of Article 22. While there don`t seem to be easy answers to this dilemma in case law or regulatory guidelines, the first practical step this implies is that regulators may need to zoom out and look for empirical evidence for a much broader system than they originally thought they were investigating. The first relevant ambiguity to be introduced in this article is the nature of what it means to base a decision “exclusively” on automated processing.
This processing includes “profiling”, which consists of any form of automated processing of personal data in which personal aspects relating to a natural person are assessed, in particular to analyse aspects of work performance, economic situation, health, personal preferences or interests, reliability or behaviour, the location or movements of the person concerned; or when it has a legal effect or significantly affects it in a similar way. These roles may occur in the same system, but we will analyze them in isolation to provide initial clarity. We do not consider the interaction between decisions over time, for example: by recycling or updating a model, which can result in significant feedback effects.12 In such cases (where payments are made automatically), the first automated step alone does not lead to exclusively automated decisions that have legal or similar effects; Such decisions will be taken only at a later stage. Does this remove all automated processing steps upstream of the scope of Article 22? The lack of clarity in this provision makes it difficult for controllers to comply with it. Article 22 of the GDPR is a long provision that contains two prohibitions – each in paragraphs 1 and 4 – and a number of exceptions to both prohibitions in paragraphs 2 and 4. Let`s take a closer look at this complex architecture and start with the first prohibition of purely automated decision-making in Article 22(1) of the GDPR. First, is it a general prohibition on WMD or a right to object to ADM? Its wording resembles a right to object that must be actively exercised, but most of the legal literature sees it as a prohibition, including by the European Data Protection Board (EDPS).