Know your rights. Empower yourself by understanding your right to avoid automated decision–making that impacts your life

Automated decision-making (ADM) is when computers or algorithms make decisions without human involvement. For example, your bank might use a computer program to deny a loan, a company might reject you based on a negative credit report, or an algorithm could assess your job skills.

ADM uses information from different sources, like survey answers, observations, phone location data, or online profiles you've created. Sometimes, it also involves profiling and creating your digital profile based on data.

In some cases, automated decision-making involves profiling, which means creating a digital profile of you based on data. ADM and profiling are part of our (online) realities today, with benefits and risks.

When important decisions are at stake, it's crucial to know that you have the right to avoid automated decision-making. This empowers you to ensure that decisions about you aren't solely made by computers, AI, or algorithms.

What it is

According to Article 22 of the GDPR, you have the right not to be subjected to decisions based solely on automated processing if these decisions significantly impact you. "Automated processing" means it happens without human involvement, and a "significant effect" refers to legal consequences or major influences on your life, like impacting your right to vote or refusing an online credit application, for example.

Profiling and automated decision-making are common in various sectors, like banking and finance, but while they can be more efficient, they might be less transparent and limit your choices and freedom.

Generally, you may not be the subject of a decision based solely on automated processing, unless permitted by law with proper safeguards. Exceptions include when the decision is necessary for a contract or when you've given explicit consent. In both cases, your rights and freedoms must be protected, and you should be informed about your right to human intervention, allowing you to express your viewpoint and contest the decision.

Example story

John uses an online bank for a loan. He fills in his data, and the bank's algorithm tells him whether the bank will grant him the loan or not and gives the suggested interest rate. John must be informed that he may express his opinion, contest the decision, and demand that the decision made via the algorithm be reviewed by a person.

The difference between ADM and profiling

Automated Decision-Making and profiling are different concepts. Profiling involves analyzing personal data to understand characteristics or behavior patterns, such as performance at work, economic situation, health, personal preferences, interests, reliability, and reactions. It categorizes individuals for further analysis or predicting their actions.

Example of Profiling

You frequently shop online, and the e-commerce platform tracks your purchases, browsing history, and the products you view. The platform uses this data to create a profile of your shopping habits. Based on this profile, the platform might categorize you as a "frequent buyer of tech gadgets." In this case, profiling involves analyzing your personal data to understand your interests and behaviors in shopping.

Profiling doesn't always lead to significant automated decisions about you. In this case, ADM means an algorithm will automatically recommend new gadgets tailored to your preferences.

Benefits and Risks of Automated Decision-Making:

When used correctly, automated decision-making provides benefits. It helps companies interpret data correctly and come up with decisions and solutions that are fair and consistent. For instance, in the medical field, machine learning can be applied to predict patients' health or how well a treatment might work based on a specific group characteristics.

Although these techniques can be useful, there are potential risks:

• Invisible profiling: Sometimes, profiling is happening in the background, and you might not be aware of it
• Surprising use of your info: Your personal info might be used in ways/ for purposes you didn't expect.
• Not easy to understand: It might be hard to understand how these * Negative effects: The decisions made by these systems could impact you.

Bitdefender Digital Identity Protection helps you understand how companies use your data, supporting you in exercising your rights. This tool assists you in discovering where and how your information is being used, giving you more control over how your data is handled.

What to do if you suspect you are subject to automated decision-making

If you suspect you are subject to automated decision-making and are concerned about the potential impact on your rights and interests, here are some steps you can take:

Step 1: Check if your info was used for automated decisions

• Exercise your right to access. Send an access request to find out what the controller is doing with your personal data and confirm whether your personal data has been used for ADM.
• Ask for more details from the controller. Inform the controller that you are seeking details confirming the legal basis for processing, the existence of ADM, and the logic, significance, and consequences of the automated processing.

This step helps you understand if your data played a role in automated decisions and gives you the information you need to decide what to do next.

If you believe you were subjected to unlawful automated decision-making, you can request the controller to stop using ADM. Alternatively, you can file a complaint with a data protection authority.

Step 2: Exercise your right to safeguards in legitimate ADM use

If ADM is being used legally, you have the right to request the restriction of data processing and safeguards in your case.

The European Center for Digital Rights (NOYB) recommends that you ask for confirmation that your data is being used for ADM purposes and request specific safeguards.

An example request could be: "Under EU Regulation 2016/679 Article 22, I am seeking human intervention in relation to the decision, the right to express my point of view, the ability to contest the decision and its grounds, and an explanation regarding the decision.”

Send your request via email and specify your name or another identifier used by the controller (e.g., an account username). Additionally, include information that helps identify your account. Remember to include the date to clarify the controller's information deadline.

What to Expect:

Once the controller receives your request, they have one month to respond. In cases of complexity or multiple requests, this period can be extended once, but only by a maximum of two further months.

The controller may ask for additional information to confirm your identity if there is any doubt. However, such requests should be limited to the necessary information needed for verification.

If the controller rejects your request without a satisfactory explanation, charges you for your request, or doesn't respond after the allowed timeframe (one month or the extended deadline, a maximum of three months in total), you have the right to file a complaint with a data protection authority in your country.

In the US. California's Privacy Protection Agency (CPPA) published a set of draft regulations in November 2023 for the use of people's data in automated decision-making technology (ADMT*). According to these proposed rules, businesses utilizing personal information in automated decision-making systems are required to clearly communicate to consumers how the information is used and inform them about their right to opt out. If the initial notice is insufficient for customers, more information must be made available through a hyperlink explaining why the information is important to the business' systems. The additional information must also include a description of whether the technology has been evaluated for reliability or fairness and the outcome of such information. The formal rulemaking procedure is expected to start in 2024.

Sources: European Commission, noyb.eu, iapp.org