DISCLAIMER: SEE AT THE END OF THIS BLOG.... As Big Data, Artificial Intelligence (AI) and the Internet of Things (IoT) grow, so do the areas in which our data is collected and used to make decisions for us. Autonomous cars are very thought-provoking and exciting, and there is a certain thrill in the very real dangers and risks which we allow a computer to manage for us, and instead of us, in an autonomous vehicle. Jurists and ethicists now debate the decision-making processes that autonomous cars will have to go when, say, facing a crash and needing to choose in which direction to crash. Will cars prefer to crash into another vehicle? Pedestrians? A bridge? And so on. These classic 'trolley problems' take on new significance and it's all very interesting.
But there are many more mundane and less visible areas of profiling and automated decision making which still have very significant implications for our lives. For example, in banking AI us used to make decisions on applications for mortgages and other forms of credit, fraud prevention, and even identification of the best clients to approach for follow-on equity offerings.
GDPR article 21 gives data subjects the right to object to being profiled, and article 22 gives the right to object to fully automated decision making, and profiling, which significantly affects them. What is the threshold for 'significant'? Recital 71 gives as examples: e-recruiting and credit decisions. The WP29 opinion on Automated individual decision-making under GDPR gives another example: where a credit card customer's credit is limited based not on the customer's repayment history, but on an analysis of other customers in the same neighborhood.
Though the language of article 21 is not clear on this, the WP29 reading of article 22(1) is that it is a general prohibition on automated decision making. The best way to work around the prohibition is explicit consent from the data subject, but performance of a contract may also justify it. Either way, the data subject must be informed.
There are many further provisions, but we note that the controller must give the data subject meaningful information as to the logic of the automatic decision making (see articles 13(2)(f) and 14(2)(g)), the WP29 specifically gives the example of motor insurance: the insurer must explain to applicants the significant and logic of analyzing the variables pertaining to the applicants and how that plays into the insurance offered.
In summary, automatic decision making is becoming much more commonplace in many industries, and it needs careful management under GDPR.
DISCLAIMER: THIS IS NOT LEGAL ADVICE, THESE ARE OUR MUSINGS, BASED ON OUR EXPERIENCE WITH OUR CLIENTS AND COLLEAGUES, AND WERE ORIGINALLY SHARED OR WRITTEN IN A VERY SPECIFIC CONTEXT. YOU CAN DRAW INSPIRATION, AND TELL US IF YOU HAVE INTERESTING COMMENTS, BUT WE HAVE NO RESPONSIBILITY FOR THESE OPINIONS VIS-A-VIS OUR READERS.
www.myedpo.com