I
2. ASSESSING THE THRESHOLD THAT TRIGGERS ARTICLE 22: CASE-LAW
n order for Article 22 GDPR to be applicable, two conditions must be met at the same time: first, the ADM at stake must involve “solely automated” processing of personal data; and second, the ADM must either produce “legal effects” concerning the data subject, or “similarly significantly” affecting the data subject. If at least one of the two conditions is not met, then the processing does not fall under Article 22 GDPR and its specific requirements. Courts and DPAs apply an increasingly sophisticated set of criteria when making these assessments. In order for a decision to be considered “solely” automated, enforcers are looking at the entire organizational environment where the processing takes place: organizational structure, reporting lines and chain of approval; effective training of staff; internal policies and procedures. Formal human involvement in making decisions is not considered sufficient, with enforcers paying attention to the quality of human involvement, how it relates to individual and actual decisions (as opposed to setting parameters at the outset for the whole ADM process), and at what time in the decision-making process it occurs. When assessing if ADM has legal or similarly significant effects, the criteria used are even more complex, layered and considered in relation to one-another. Enforcers pay attention to everything from the categories of personal data on the basis of which the automated decisions are produced and whether they include data points and/or inferences about the behavior of data subjects, to the capacity of a decision resulting from ADM to affect the “conduct and choices” of the persons targeted, and to the more easily quantifiable financial loss or loss of income opportunity. Our research shows that even in those cases where Courts and DPAs decided that the ADM at issue does not fall under Article 22 GDPR since it does not meet the required criteria, they have still enforced other relevant provisions of the GDPR, such as the principles of transparency, fairness, data minimization, purpose limitation, and other provisions.
2.1 “Solely automated processing” can sometimes include human involvement The interpretation of the meaning of the “solely automated processing” element of Article 22(1) GDPR is one of the most contentious issues in cases before EU Member-States’ courts and one of the biggest focuses of DPA decisions relating to ADM. According to guidance from the EDPB/ WP29, not all forms of human involvement in a decision-making process rule out the application of such provision, as mere token gestures taken by humans are not enough to set aside the ADM prohibition.103 The condition that the decision-making must be “solely automated” in order for the prohibition and special conditions in Article 22 to apply has already been assessed in several cases, both by national Courts and DPAs. In the cases we analyzed, the Courts have found that the decision-making is not solely automated primarily when:
28
FUTURE OF PRIVACY FORUM