GDPR Brief: automated decision-making and profiling

7 Jan 2019

Individual opportunity increasingly depends on automated decisions by companies and (prospective) employers. Any automated decision-making, including profiling, is subject to the usual requirements of the GDPR.

Individual opportunity increasingly depends on automated decisions by companies and (prospective) employers. Any automated decision-making, including profiling, is subject to the usual requirements of the GDPR. Special attention should be paid to (a) selection and use of software, (b) transparency, (c) the qualified prohibition on significant decisions based on solely automated processing.

(a) Selection and use of Software – Data Protection by Design and Default

Software developers should design products that support fulfilment of data protection obligations, including fulfilment of data subject rights. Controllers must implement appropriate and effective technical measures. Before introducing new technologies into automated decision-making operations, especially in case of profiling, a Data Protection Impact Assessment may be required.

(b) Transparency – Right to be informed and obtain information

A data subject must be told of the existence of automated decision-making, including profiling, and “meaningful information” about the algorithmic logic involved, as well as the significance and envisaged consequences, at least where processing relates to decisions based on solely automated processing.

The responsibility is (normally) to provide this information at the time personal data is collected. This suggests information provided will relate to system function rather than specific decisions. A data subject also has a right to obtain this information at any point. If requested after an algorithm has been applied, then it may be possible for a controller to provide information about a specific decision, although the requirement appears still to be future oriented.

(c) Qualified Prohibition on Significant Decision-Making on Solely Automated Processing

Decisions which have legal or similar significant effects (on a data subject) should ordinarily not be based solely on automated processing: human intervention should be present. Exceptions exist if (i) necessary to a contract, (ii) with explicit consent, or (iii) otherwise authorised by law with suitable safeguards. In case of (i) or (ii), the data subject still has the right, at least, to obtain human intervention, to express his or her viewpoint, and to contest the decision. Solely automated decision-making (usually) ought not to concern a child.

Furthermore, special categories of personal data ought not to be used without explicit consent unless for reasons of substantial public interest, on a legal basis that is proportionate to the aim pursued, respects the essence of data protection, and provides appropriate safeguards. Such safeguards may include a right to obtain an explanation of the specific decision reached.

Mark Taylor is Associate Professor in Health Law and Regulation at Melbourne Law School.

Further Reading

• L Edwards and M Veale, “Enslaving the Algorithm: From a ‘Right to an Explanation’ to a ‘Right to Better Decisions’?” IEEE Security & Privacy 2018 16(3)
• S Wachter, B Mittelstadt and L Floridi, “Why a Right to Explanation of Automated Decision Making Does Not Exist in the General Data Protection Regulation” International Data Privacy Law 2017 7(2)
• WP29 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (Adopted on 3 October 2017, as last Revised and Adopted on 6 February 2018)

Relevant GDPR Provisions

• Recital 71 – Profiling
• Recital 78 – Appropriate Technical and Organisational Measures
• Article 4(4) – Definition of Profiling
• Article 12 – Right to be informed
• Article 13 – Right to be informed
• Article 14 – Right to be informed
• Article 15 – Right of access to information
• Article 22 – Automated Decision-Making, including profiling
• Article 23 – Restrictions
• Article 35 – Data Protection Impact Assessment

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.