Seite - 43 - in Austrian Law Journal, Band 1/2019

ALJ 2019 Digital Single Market – towards Smart Regulations 43 1. Art. 22 GDPR as an example of an explicit regulation on the use of algorithms By enacting the General Data Protection Regulation (GDPR),34 the EU apparently attempted to restrain algorithmic decisions by means of explicit legal regulation for the first time. In this context, Art. 22 GDPR, which covers automated individual decision-making, should be highlighted in particular.35 While the provisions of the GDPR only apply to the processing of personal data,36 this notion is understood in a broad sense.37 Art. 22 GDPR stipulates that the data subject shall have the right not to be subject to a decision solely based on automated processing (hereinafter referred to as an "automated decision") - including profiling38 - which produces legal effects concerning him or her or similarly significantly affects him or her. Apart from the exceptions to be discussed below, such decisions (that are made completely automated and without human intervention) are in principle prohibited. Since the wording of Art. 22 refers to "decisions", these must be distinguished from automated decision preparations that take place upstream. In this sense, if a person (at best equipped with decision-making authority and a margin of discretion) examines the decision bases prepared by an algorithm and then makes the final decision,39 Art. 22 GDPR shall not be applicable.40 Besides that, it is questionable whether the scope of this clause - in accordance with its wording - includes trivial algorithms (i.e. simple if-then-decisions). A minimum degree of complexity should be required in order to be able to speak of an actual automated decision, even though this assessment might be quite difficult for the individual.41 Art. 22 para. 2 GDPR provides for three exceptions to the general prohibition of exclusively automated individual decision-making. On the one hand, it is permissible if it is necessary for 34 In force since 25 May 2018. 35 For a detailed analyses of Art 22 GDPR cf. Casey, Farhangi and Vogl, Rethinking Explainable Machines: The GDPR's 'Right to Explanation' Debate and the Rise of Algorithmic Audits in Enterprise, 34 BERKELEY TECHNOLOGY LAW JOURNAL 143 (2019), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3143325; Floridi, Soft ethics, the governance of the digital and the General Data Protection Regulation, 376 PHILOSOPHICAL TRANSACTIONS OF THE ROYAL SOCIETY A (2018), https://doi.org/10.1098/rsta.2018.0081; Mittelstadt, Allo, Taddeo, Wachter and Floridi, The ethics of algorithms: Mapping the debate, Big DATA & SOCIETY (2016), available at https://journals.sagepub.com/doi/10.1177/2053951716679679. 36 Cf. Art. 2 No. 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR) [2016] OJ L119/1. 37 According to Art. 4 para 1 GDPR, the term “personal data” comprises any information relating to an identified or identifiable natural person. 38 “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements (Art. 4 para 4 GDPR). 39 A pure nod will probably not be sufficient. Cf. Ernst, Algorithmische Entscheidungsfindung und personenbezogene Daten, 72 JURISTENZEITUNG 1029 (2017); Veale and Edwards, Clarity, surprises, and further questions in Art 29 Working Party draft guidance on automated decision-making and profiling, 34 COMPUTER LAW & SECURITY REVIEW 398 (2018). 40 Consequently, the so-called "scoring" is not covered by Art. 22 GDPR because in this case the decision is only prepared by a machine, but is ultimately made by a human being. 41 Cf. von Lewinski, Art. 22 GDPR, in BECK’SCHER ONLINE-KOMMENTAR DATENSCHUTZRECHT, para 12 seq. (Wolff and Brink ed., 22nd ed. 2017).