Safeguards for the right not to be subject to a decision based solely on automated processing (Article 22 GDPR)
WP29 has recently adopted Guidelines on Automated Individual Decision-making and Profiling for the purposes of General Data Protection Regulation 2016/679 (GDPR). Article 22 GDPR bans all decisions that affect the data subject which have been based solely on automated processing. The Article eventually allows automatic processing, conditional on application of suitable safeguards for data subject rights. These safeguards might vary substantially depending on automated processing technologies. This article describes, firstly, the general safeguards to embed legal requirements. Secondly, the article explores solutions for automatic processing based on data analysis. It is argued that, although the data controller can put in place safeguards that respect data subject rights, a parallel empowerment of external authorities will be necessary to reach both: an informed external oversight, and the full application of this right. This article seeks to provide an analysis of Article 22 GDPR in the hope that this will inform the policy debate.
Keywords: Article 22 GDPR; automated processing; data analysis; agreement technologies; multi-agent systems; internal/external oversight