The GDPR Article 22 provides rights relating to automated individual decision-making, including profiling. It starts:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

What exactly is "a decision" in this sentence?

Consider the business model:

  • Loan Provider Inc. offers loans to Alice and Bob in a fully automated way over the internet
  • Loan Provider Inc. sends PI to Credit Reference Agency Inc.
  • Credit Reference Agency Inc. decides that Alice has a score of 900 and Bob has a score of 700 in a fully automated way.
  • Credit Reference Agency Inc. returns scores to Loan Provider Inc.
  • Loan Provider Inc. offers Alice a loan because she has a score higher than 800, and this involves a human. Because Bob is lower than 800 he is not offered the loan and no human is involved in the decision.

There are a number of different features one could examine when trying to interpret this:

The process or the instance

One could consider the whole process, as defined by computer code and the SOPs humans follow, as the decision, such that there is one instance for both Alice and Bob. Alternatively one could consider the process as events that occur, such that there are two instances, one for each of Alice and Bob.

Do both data controllers make one decision, or is it "split" by controller?

It could be that the whole process is one decision, and this decision spans two data controllers. It could be that each controller makes a decision, one as to what the appropriate credit score is for this individual, and another as to whether to offer a loan given that credit score. It is possible that the answer to this question depends on whether they are joint controllers or separate data controllers. In this case assume that these are separate data controllers, as I believe would be the case in the real world.

Does making a decision that others use to produce legal effects produce legal effects?

In the case that the process is split by controller, it could be that the fact that only Loan Provider Inc. actually makes a yes/no decision about offering a loan means Credit Reference Agency Inc. is never involved in a decision which produces legal effects. It could be that the logical causality the decision to assign a low or high credit score has over the eventual outcome of the process means that the decision as to the credit score has a legal effect, and both Credit Reference Agency Inc. and Loan Provider Inc. are making a decision which produces legal effects.

Depending on the answer to these questions there are multiple possible legal outcomes, ranging from there being no automated individual decision-making occurring to three instances, two for Bob and one for Alice.

What is the actual situation? How many automated individual decision-making instances occurred in the above scenario?

  • Why would an insurance company be doing a credit check? That seems like an improper practice to start with.
    – Dale M
    Commented Jun 7 at 10:34
  • @DaleM I really do not know the system, but I assumed of all the companies that provide services insurance was the most likely to contact Experian. If you can think of a better example I am happy to change it.
    – User65535
    Commented Jun 7 at 10:36
  • How about someone lending money - that’s an appropriate use for a credit agency.
    – Dale M
    Commented Jun 7 at 10:53
  • @DaleM Loan Provider better?
    – User65535
    Commented Jun 7 at 10:56
  • CJEU has ruled on this very question in the "Schufa" case C‑634/21: "automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person."
    – amon
    Commented Jun 7 at 20:13

1 Answer

What is the actual situation?

It doesn't matter how many decisions there are because Loan Provider Inc.'s loan decisions are exempt under Article 22.2:

  2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

Loan Provider Inc. has terms and conditions that say something along the lines of:

Automated decision making involves processing your personal data without human intervention to evaluate your personal situation such as your economic position ...

When we do automated decision making including profiling activity to assess lending and insurance risks, this will be performed on the basis of it being necessary to perform the contract with you or to take steps to enter into that contract.

  • This does not answer the question at all. The example given was to illustrate the point about how there are different ways to look at a decision making process and get different answers about what is legally required. I have changed the details to be a Loan Provider because it was suggested that is more "appropriate". The details make no difference to the point.
    – User65535
    Commented Jun 7 at 13:54
  • @User65535 In your post there are six sentences ending in question marks and I decided to answer in terms of legal reality.
    – Lag
    Commented Jun 7 at 14:05
  • I agree with OP that this doesn't fully answer the question because OP's scenario involves two data controllers. This answer only explains that one of them (having a direct contract with the data subject) is probably allowed to use automated decision making. It does not address the lawfulness of the scoring agency (for which the CJEU has recently provided interesting rulings, as mentioned in another comment). I'd also caution that the Art 22(2)(a) exception is restricted by Art 22(3) and requires an appeal to human review. "Computer says no" without recourse isn't allowed, regardless of ToS.
    – amon
    Commented Jun 7 at 20:21
  • In the case of Article 7(4), we have case law that requiring consent in order to use something not intrinsically tied to the processing in question ("bundling") does not count as freely given consent. Is there any reason to believe the Article 22(c) consent does fall under Article 7(1)?
    Commented Jul 8 at 12:45
  • If Article 22(c) is within the scope of Article 7(1), then the ToS likely do not count as freely given consent.
    Commented Jul 8 at 12:46