The GDPR Article 22 provides rights relating to automated individual decision-making, including profiling. It starts:
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
What exactly is "a decision" in this sentence?
Consider the business model:
- Loan Provider Inc. offers loans to Alice and Bob in a fully automated way over the internet
- Loan Provider Inc. sends PI to Credit Reference Agency Inc.
- Credit Reference Agency Inc. decides that Alice has a score of 900 and Bob has a score of 700 in a fully automated way.
- Credit Reference Agency Inc. returns scores to Loan Provider Inc.
- Loan Provider Inc. offers Alice a loan because she has a score higher than 800, and this involves a human. Because Bob is lower than 800 he is not offered the loan, and no human is involved in the decision.
There are a number of different features one could examine when trying to interpret this:
The process or the instance
One could consider the whole process, as defined by computer code and the SOPs humans follow, as the decision, such that there is one instance for both Alice and Bob. Alternatively one could consider the process as events that occur, such that there are two instances, one for each of Alice and Bob.
Do both data controllers make one decision, or is it "split" by controller?
It could be that the whole process is one decision, and this decision spans two data controllers. It could be that each controller makes a decision, one as to what the appropriate credit score is for this individual, and another as to whether to offer a loan given that credit score. It is possible that the answer to this question depends on whether they are joint controllers or separate data controllers. In this case assume that these are separate data controllers, as I believe would be the case in the real world.
Does making a decision that others use to produce legal effects itself produce legal effects?
In the case that the process is split by controller, it could be that the fact that only Loan Provider Inc. actually makes a yes/no decision about offering a loan means Credit Reference Agency Inc. is never involved in a decision which produces legal effects. Alternatively, it could be that the logical causality which the decision to assign a low or high credit score has over the eventual outcome of the process means that the decision as to the credit score has a legal effect, and both Credit Reference Agency Inc. and Loan Provider Inc. are making a decision which produces legal effects.
Depending on the answers to these questions there are multiple possible legal outcomes, ranging from no automated individual decision-making occurring at all to three instances, two for Bob and one for Alice.
What is the actual situation? How many automated individual decision-making instances occurred in the above scenario?