Automated decision-making (ADM) under the General Data Protection Regulation (GDPR) is defined as any decision made without human intervention through technological means such as algorithms or artificial intelligence. Examples include automated product recommendations and algorithmic fraud detection in banking. As specified in Article 22 of the GDPR, individuals (“data subjects”) possess the right not to be subject to a decision based solely on automated processing, including profiling, especially if such decisions produce legal effects or significantly affect them.
Three principal grounds under which ADM is permissible:
- Performance of a contract: ADM is necessary for entering into, or performance of, a contract between the data subject and a business.
- Legal authorization: ADM is authorized by Union or Member State law, such as for monitoring tax evasion.
- Explicit consent: The data subject has given explicit consent to the processing.
Legal and practical implications were observed:
- Businesses deploying ADM must ensure safeguards such as meaningful human intervention, the opportunity for individuals to express their views, and the ability to contest decisions.
- The scope of “significant effect” is interpreted broadly and may include impacts on creditworthiness, employment opportunities, or access to public services.
- ADM systems have triggered regulatory scrutiny over transparency, algorithmic bias, and the adequacy of user consent mechanisms.
- Recent empirical research indicates that many organizations lack adequate processes to comply fully with Article 22, particularly regarding the provision of explanations and effective contestation procedures.
In summary, GDPR restricts ADM that produces significant effects unless strict legal conditions are met and explicit safeguards are in place. The literature emphasizes ongoing challenges in operationalizing these safeguards and ensuring meaningful human oversight.
