Background and Overview
The cases we identified often stem from situations of daily life where ADM is increasingly playing a significant role. For instance, one cluster of cases envisages students and educational institutions. These cases vary from the use of live Facial Recognition technologies to manage access on school premises and recording of attendance, to online proctoring and further to fully automated grading based on the individual profile of a student, but also on the profile of their school district, as a substitute of highschool graduation exams during the COVID-19 pandemic. Another significant cluster of cases has at its core the situation of gig workers and the way they are being distributed shifts, gigs, income and penalties through their respective platforms. A significant number of cases challenge automated credit scoring. The way in which governments distribute social benefits, like unemployment, and manage tax avoidance and potential fraud is increasingly subject to more cases — individual challenges or ex officio investigations. We also encountered cases where the underlying ADM was challenged in situations like the issuing of gun licenses, scraping publicly available sources to build an FR product, or profiling of prospective clients by a bank. Our analysis will show that the GDPR as a whole is relevant for ADM cases and has been effectively applied to protect the rights of individuals in such cases, even in those situations where the ADM at issue does not meet the high threshold established by Article 22 GDPR, and the right not to be subject to solely automated decision-making is not applicable. For instance, without even analyzing whether Article 22 applies in those cases — Courts and DPAs have found that the deployment of live FR applications to manage access to school premises and monitor attendance was unlawful under other provisions of the GDPR because it did not have a lawful ground for processing in place and it did not respect the requirements of necessity and proportionality, thus protecting the rights of students in France and Sweden (see Cases 30 and 31). A comparative reading of relevant cases will also show how complex transparency requirements are considered in practice, being effectively translated into a right of individuals to receive a high level explanation about the parameters that led to an individual automated decision concerning them or about how profiling applied to them. The principles of lawfulness and fairness are applied separately in ADM related cases, with the principle of fairness gaining momentum in enforcement. For instance, in one of the most recent cases enshrined in the Report, the Dutch DPA found that the algorithmic system used by the government to automatically detect fraud in social benefits requests breached the principle of fairness, since the processing was considered “discriminatory” for having taken into account the dual nationality of the people requesting childcare benefits. Another important point that surfaced from our research is that when enforcers are assessing the threshold of applicability for Article 22 (“solely” automated, and “legal or similarly significant effect” of ADM on individuals), the criteria used are increasingly sophisticated as the body of case-law grows. For example, Courts and DPAs are looking at the entire organizational environment where an ADM is taking place, from the organization structure, to reporting lines and the effective training of staff, in order to decide whether a decision was “solely” automated or had meaningful human involvement. Similarly, when assessing the second criterion for the applicability of Article 22, enforcers are looking whether the input data for an automated decision includes inferences about the behavior of individuals, and whether the decision affects the conduct and choices of the persons targeted, among other multi-layered criteria.
AUTOMATED DECISION-MAKING UNDER THE GDPR: PRACTICAL CASES FROM COURTS AND DPAS
3