Do algorithms rule the world? Algorithmic decision-making and data protection in the framework of the GDPR and beyond
Research output: Contribution to journal › Article › Academic › peer-review
The purpose of this article is to analyse the rules of the General Data Protection Regulation (GDPR) and the Directive on Data Protection in Criminal Matters on automated decision-making and to explore how to ensure transparency of such decisions, in particular those taken with the help of algorithms. Both legal acts impose limitations on automated individual decision-making, including profiling. While these limitations of automated decisions might come across as a forceful fortress strongly protecting individuals and potentially even hampering the future development of Artificial Intelligence in decision-making, the relevant provisions nevertheless contain numerous exceptions allowing for such decisions. While the Directive on Data Protection in Criminal Matters worryingly does not seem to give the data subject the possibility to familiarize herself with the reasons for such a decision, the GDPR obliges the controller to provide the data subject with 'meaningful information about the logic involved' (Articles 13(2)(f), 14(2)(g) and 15(1)(h)), thus raising the much-debated question whether the data subject should be granted a 'right to explanation' of the automated decision. This article seeks to go beyond the semantic question of whether this right should be designated as the 'right to explanation' and argues that the GDPR obliges the controller to inform the data subject of the reasons why an automated decision was taken. While such a right would in principle fit well within the broader framework of the GDPR's quest for a high level of transparency, it also raises several queries: What exactly needs to be revealed to the data subject? How can an algorithm-based decision be explained? The article aims to explore these questions and to identify challenges for further research regarding explainability of automated decisions.
- Article 11 Directive 2016/680, Article 22 GDPR, General Data Protection Regulation, PERSONAL DATA, algorithmic transparency, automated decision-making, right to explanation