Best prices Special offers for members of the PWE book club The cheapest delivery
DOI: 10.33226/0137-5490.2022.5.5
JEL: K23, K24

The criteria for the admissibility of automated decisions in light of Art. 22(1) GDPR

The purpose of this article is to explore the rules of the General Data Protection Regulation (GDPR) on the admissibility of automated decision-making included in its art. 22(1). While this provision might come across as clear and unequivocal, a close investigation shows that it contains numerous ambiguities. In particular, it is not clear whether the right not to be subject to a decision based solely on automated processing should be interpreted as a general prohibition or a right to be actively exercised by the data subject, and when a decision is actually solely based on automated processing. The conducted analysis shows that art. 22(1) GDPR lacks precise language, and therefore raises questions over its adequacy for achieving the purposes of the GDPR and the protection actually afforded to data subjects.

Download article
Keywords: GDPR; automated decision-making; Art. 22(1) GDPR

References

 

Bibliografia/References

Brkan, M. (2019). Do algorithms rule the world? Algorithmic decision-making and data protection in the framework of the GDPR and beyond. International Journal of Law and Information Technology, 27(2), 91–121. https://doi.org/10.1093/ijlit/eay017

Citron, D. K. (2008). Technological due process. Washington University Law Review, 85(6), 1249–1313.

Edwards, L., & Veale, M. (2018). Slave to the algorithm? Why a right to explanation is probably not the remedy you are looking for. Duke Law & Technology Review, 16(1), 18–81. https://doi.org/10.31228/osf.io/97upg

European Parliament. Directorate General for Parliamentary Research Services. (2019). Understanding algorithmic decision-making: Opportunities and challenges. Publications Office of the EU.

European Data Protection Board. (2018). Endorsement 1/2018. https://bit.ly/3DoFyBg.

European Data Protection Supervisor. (2021). Opinion 11/2021on the Proposal for a Directive on consumer credits. https://bit.ly/3JU6zyY.

Finck, M. (2019). Smart contracts as a form of solely automated processing under the GDPR. International Data Privacy Law, 9(2), 78–94. https://doi.org/10.1093/idpl/ipz004

Geburczyk, F. (2020). Prawa osób fizycznych w kontekście przetwarzania danych osobowych w procesach zautomatyzowanego podejmowania decyzji. Monitor Prawniczy, 581–587.

Grupa Robocza Art. 29. (2018). Wytyczne w sprawie zautomatyzowanego podejmowania decyzji w indywidualnych przypadkach i profilowania do celów rozporządzenia 2016/679/UE z 6 lutego 2018 r., 17/PL WP251rev. 01.

Hänold, S. (2018). Profiling and automated decision-making: Legal implications and shortcomings. W: M. Corrales, M. Fenwick, & N. Forgó (red.), Robotics, AI and the future of law (123–153). Springer Singapore. https://doi.org/10.1093/idpl/ipz004

Hoffmann-Riem, W. (2020). Artificial intelligence as a challenge for law and regulation. W: T. Wischmeyer & T. Rademacher (red.), Regulating artificial intelligence (1–29). Springer International Publishing. https://doi.org/10.1007/978-3-030-32361-5_1

Hustinx, P. (2017). EU data protection law: The review of Directive 95/46/EC and the General Data Protection Regulation. W: M. Cremona (red.), New technologies and EU law. Vol. 1. Oxford University Press. https://doi.org/10.1093/acprof:oso/9780198807216.003.0005

Kaminski, M. E. (2019a). Binary governance: Lessons from the GDPR's approach to algorithmic accountability. Southern California Law Review, 92(6), 1529–1616.

Kaminski, M. E. (2019b). The right to explanation, explained. Berkeley Technology Law Journal, 34(1), 189–219.

Litwiński, P. (2018). Komentarz do art. 22. W: Rozporządzenie UE w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takich danych. Komentarz. Legalis.

Maciejewski, M., & Sibiga, G. (2015). Automatyzacja w nakładaniu administracyjnych kar pieniężnych. W: M. Błachucki (red.), Administracyjne kary pieniężne w demokratycznym państwie prawa (72–82). Biuro Rzecznika Praw Obywatelskich.

Malgieri, G. (2019). Automated decision-making in the EU Member States: The right to explanation and other „suitable safeguards” in the national legislations. Computer Law & Security Review, 35(5). https://doi.org/10.1016/j.clsr.2019.05.002

Mendoza, I., & Bygrave, L. A. (2017). The right not to be subject to automated decisions based on profiling. W: T.-E. Synodinou, P. Jougleux, C. Markou, & T. Prastitou (red.), EU internet law (77–98). Springer International Publishing. https://doi.org/10.1007/978-3-319-64955-9_4

Moeller, C. (2017). Are we prepared for the 4th industrial revolution? Data protection and data security challenges of Industry 4.0 in the EU context. W: R. Leenes, R. van Brakel, S. Gutwirth & P. de Hert (red.), Data protection and privacy: The age of intelligent machines (143–164). Hart Publishing. https://doi.org/10.5040/9781509919376.ch-006

Sakowska-Baryła, M. (2018). Komentarz do art. 22. W: Ogólne rozporządzenie o ochronie danych osobowych. Komentarz. Legalis.

Sancho, D. (2020). Automated decision-making under Article 22 GDPR: Towards a more substantial regime for solely automated decisionmaking. W: M. Ebers & S. Navas (red.), Algorithms and law (136–156). Cambridge University Press. https://doi.org/10.1017/9781108347846.005

Selbst, A. D., & Powles, J. (2017). Meaningful information and the right to explanation. International Data Privacy Law, 7(4), 233–242. https://doi.org/10.1093/idpl/ipx022

Tosoni, L. (2021). The right to object to automated individual decisions: Resolving the ambiguity of Article 22(1) of the General Data Protection Regulation. International Data Privacy Law, 11(2), 145–162, https://doi.org/10.1093/idpl/ipaa024

Urząd Komisji Nadzoru Finansowego. (2020). Komunikat Urzędu Komisji Nadzoru Finansowego w sprawie realizacji przez banki i inne instytucje ustawowo upoważnione do udzielania kredytów prawa wnioskującego o kredyt do uzyskania wyjaśnień na temat dokonanej oceny zdolności kredytowej. https://www.knf.gov.pl/knf/pl/komponenty/img/Komunikat_UKNF_ws_prawa_do_uzyskania_wyjasnien_nt_oceny_zdolnosci_kredytowej_wersja_szczegolowa_70332.pdf

Veale, M. & Edwards, L., (2018). Clarity, surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling. Computer Law & Security Review, 34(2), 398–404. https://doi.org/10.1016/j.clsr.2017.12.002

Voigt, P., & von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR). Springer International Publishing. https://doi.org/10.1007/978-3-319-57959-7

Wachter, S., Mittelstadt, B., & Floridi, L. (2017). Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation. International Data Privacy Law, 7(2), 76–99. https://doi.org/10.1093/idpl/ipx005

Yeung, K. (2019). Why worry about decision-making by machine? W: K. Yeung & M. Lodge (red.), Algorithmic regulation (21–48). Oxford University Press. https://doi.org/10.1093/oso/9780198838494.003.0002

Zalnieriute, M., Moses, L. B., & Williams, G. (2019). The rule of law and automation of government decision-making. The Modern Law Review, 82(3), 425–455. https://doi.org/10.1111/1468-2230.12412

Article price
4.00
Price of the magazine number
15.00
Subscription
195.00 €
156.00
Lowest price in last 30 days: 156.00
get subscription