The Normative Potential of the European Rule on Automated Decisions: A New Reading for Art. 22 GDPR
This article looks into the normative potential of the rule on automated decisions in the European Union’s (EU’s) General Data Protection Regulation (GDPR). It explains the regulative approach taken in Art. 22 GDPR and reveals its nature as a law by design obligation. To comply with Art. 22 GDPR, it is not enough to abide by a strict set of rules. The technological and socio-technical design of each automated decision-making system (ADMS) has to be performed in a way that is in accordance with the data subject’s rights and freedoms and legitimate interests. Art. 22 GDPR, therefore, requires a full assessment of the positive and negative impacts of the ADMS and the measures to mitigate them. The article also looks into the legislative history of Art. 22 GDPR and shows how emerging technologies were addressed over the years and what the state of the art is in Member States of Convention 108. Finally, it inquires into current trends of the regulation of ADMS in the context of European Union law.