Closed Consultations

Article 29 WP draft on Automated Processing

The Article 29 Working Party have conducted a brief consultation on draft guidance on Automated Processing that, surprisingly, reverses all previous legal interpretations I’ve found. GDPR Article 22 is one of several that begin “The data subject shall have the right”, in this case:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This had been widely understood (including by the Working Party when they proposed this wording in 2014!) as meaning that individuals could request that any such decisions be reviewed by a human, in line with all the other Articles creating rights. The Information Commissioner says that “You must ensure that individuals are able to obtain human intervention“. However the Working Party is now stating, without explanation, that the Article actually bans such decisions being made in the first place.

Our response (PDF) points out how this will make many decision-making processes – including in network security, personalisation and prioritisation – both slower and more privacy-invasive. We hope this persuades them to revert to their earlier interpretation.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *