A recent decision by the Court of Justice of the European Union will extend the EU General Data Protection Regulation’s automated decision-making restrictions to many present and future use cases of such technologies. While the case at issue concerned the use of automated credit scoring in credit applications, the restrictions may apply to other sectors and organizations using these technologies to generate outputs for a third party’s use in decision-making. In turn, certain EU member states are considering local law amendments to facilitate certain of the data processing activities that may be impacted by the decision.
Since coming into force in May 2018, the EU General Data Protection Regulation (GDPR) and UK GDPR have applied to many automated decision-making processes, artificial intelligence and machine learning (AI/ML), and profiling-related technologies (collectively, ADM). In particular, the EU GDPR and UK GDPR restrict data controllers from making a “decision” that is based “solely” on “automated” processing, including profiling, which produces “legal effects” concerning a data subject or which “significantly” affects them (the ADM restriction).
Until recently, it was understood that the ADM restriction applied to a business that performed a “solely” ADM process and subsequently made a “decision” significantly affecting a data subject. However, a recent important decision of the EU’s highest court, the Court of Justice of the European Union (CJEU), in the Schufa case [1] expands the EU GDPR’s ADM restriction to many current and future use cases of ADM technologies.
Specifically, the EU GDPR’s ADM restrictions are now potentially engaged where an ADM process is performed by a service provider and another entity relies on the output of that ADM process in arriving at a “decision” that significantly affects a data subject. Therefore, because of the Schufa decision, the EU GDPR (including its ADM restrictions) will potentially apply even when the user of an AI/ML output did not create such AI/ML output.
The EU GDPR and UK GDPR both currently contain the ADM restriction. The ADM restriction, if applicable, can potentially impose a high bar for the lawful use of many ADM technologies subject to the EU GDPR or UK GDPR.
The ADM restriction does not apply in three scenarios, namely where the restricted processing (1) is “necessary” for entering or performing a contract; (2) is authorized by EU, EU member state, or UK law to which the controller is subject and which includes suitable safeguard measures; or (3) has been explicitly consented to by the data subject.
Importantly, however, even if ADM restrictions are not applicable, other EU GDPR and UK GDPR requirements may continue to apply, such as controllers being transparent with data subjects about personal data processing.
In Schufa, the CJEU determined that, for the purposes of the EU GDPR, the creation of a credit score relating to a data subject by a credit reference agency (CRA) constituted a “decision” for the purposes of the ADM restriction. Notably, in its consideration of whether the data subject had been significantly affected by the creation of the score, the CJEU had regard for the subsequent use to which the credit score was put by the downstream third-party lender and the fact that it played a determinative role in the lender’s credit decision.
The CJEU’s decision appears to be focused on ensuring that data subjects obtain, in the court’s view, the full protection of the EU GDPR’s ADM restriction. In turn, the court considered that the CRA’s creation of a credit score (by means of an ADM process) relating to a data subject was not merely a preparatory act decoupled from the subsequent credit decision taken, in relation to that data subject, by a retail bank relying heavily on the credit score.
The CJEU’s decision also highlighted that the CRA’s ADM processes are subject to the EU GDPR’s many requirements, not just the ADM restriction. These requirements include controllers being transparent with data subjects about the use of, and consequences arising from, ADM processes.