Article 22. GDPR. Automated individual decision-making, including profiling

Author: Olivia Tambou

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

A. Preliminary remarks

Art. 22 grants data subjects the right not to be subject to a decision based solely on automated processing. This provision reflects the desire of the legislator that data processing operations “should be designed to serve mankind”; this further demonstrates a concern to “uphold human dignity in the face of machine determinism” especially “by enabling humans (rather than their ‘data shadows’) to maintain the lead role in ‘constituting’ themselves”. Art. 22 is aimed at tackling the possible negative impact of automated processing (including profiling) on the ability of the data subject to control decision-making that significantly affects him or her. In this context, inaccuracies and bias of fully automated processing could have a detrimental impact, such as undue discrimination. This highlights the need “to ensure (…) that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised”, as well as to “secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents (…) discriminatory effects on natural persons on the basis of” sensitive personal data (Art. 9 GDPR) and that prevents processing resulting “in measures having such an effect”. These concerns, particularly acute in the era of Big Data, reveal that the legislator has taken into due consideration the social demand for an enhanced right to informational self-determination.

Art. 22 is an adaptation of Art. 15 DPD, which addressed purely machine-based decision-making. Probably inspired by Art. 2 of the French Loi n° 78–17, prohibiting automated court decisions, Art. 15 DPD reflected the will of the EU legislator to anticipate (then) future algorithmic implementations that people seem to experience today. However, this provision had never been invoked before the CJEU. It could then be argued that Art. 15 DPD provided for a rather “theoretical” right, in an era when decision-making had not yet become fully automated. Indeed, this was the case with credit-scoring systems, where the German Federal Court of Justice found that decisions on credit were ultimately taken by human actors and thus fell outside the scope of national law transposing Art. 15 DPD. On the other hand, SAs have dealt with decision-making conducted solely by algorithms. For example, in 2017, CNIL stressed the fully automated nature of the processing involved in the selection of candidates in educational contexts. In light of current and future technological developments, it would be fair to argue that Art. 22 GDPR will have more concrete applications.

Art. 22 follows the structure of Art. 15 DPD: it starts with the rule, namely a qualified prohibition on fully automated processing (or a qualified right of the data subject not to be subjected to a decision based solely on automated processing); and it then provides for exceptions.

There are four key novelties. Firstly, Art. 22 explicitly refers to profiling as a specific type of automated processing, which should be subject to rigorous regulation. Art. 4(4) harmonises the concept of profiling by defining it as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (→ mn. 3–8). Secondly, Art. 22 para. 2 lit. c stipulates that explicit consent of the data subject can legitimise a decision based solely on automated processing. Thirdly, it imposes new obligations on the controller who must “implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (Art. 22 para. 3). Fourthly, automated decision-making based on special categories of data is, in principle, prohibited, unless certain requirements are met (Art. 22 para. 4).

Although it is clear that, as mentioned in recital 7 GDPR, the European legislator aims to strengthen control of the data subject over his or her data, as well as establish and enhance practical and legal certainty for relevant stakeholders, it may be too early to fully assess the future impact and effectiveness of Art. 22 GDPR. More concretely, it may be hard to examine whether and how this right could be directly exercised by the data subject, contrary to other traditional rights, such as the right to object, the right to access, the right to erasure, or the new right to portability or the right to be forgotten. However, it would be fair to claim that Art. 22 could enhance protection of the data subject, through the obligations imposed on controllers.

[…]
