The unprecedented technological development required the adaptation of the existing legal means. The General Data Protection Regulation (“GDPR”) was one of the first legislative landmarks on the European Union (“EU”), allowing the harmonization in data protection law across all Member States. One of the most controversial provisions, as a result of the legislator’s lack of attention, is related to article 22, which is applicable to automated individual decision-making.
We aim to reflect on the scope and possible existence of a “right to explanation”. The Artificial Intelligence (“AI”) systems are characterized by their opacity, something that makes it more difficult to comprehend the decisions adopted. For the GDPR, and if there is an automated individual decision-making, the data subject will exercise the rights set out in article 22, namely: the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. The provision does not establish, expressly, the right to explanation of the decision. The only mention is made on recital 71 of the GDPR, according to which the data subject must have the possibility to obtain “an explanation of the decision reached after such assessment and to challenge the decision”. This was the main argument presented in legal scholarship by authors such as Bryce Goodman and Seth Flaxman. Therefore, the recognition of the right to explanation would be inserted within the scope of the adequate guarantees’ measures of the data subject.
We know, however, that the recitals do not have binding legal force, constituting an interpretative guide. Recently, the Court of Justice (“CJ”) had the opportunity to analyze this issue on the case CK v. Magistrat der Stadt Wien (C-203/22). A mobile telephone operator refused the data subject the conclusion or extension of a mobile telephone contract, which would have required a monthly payment, on the ground that, according to an automated credit assessment, she did not have sufficient financial creditworthiness. The data subject brought the matter before the Austrian data protection authority, which ordered the disclosure to the data subject meaningful information about the logic involved in the automated decision-making based on personal data concerning her. After an appeal before the Federal Administrative Court of Austria, this question arose, within a preliminary ruling, to the CJ.
To what concerns this question, the court unequivocally recognized that the data subject will not be able to fully exercise the rights under article 22(3) if there is not a comprehension of the motives that lead to a certain decision. Thus, the CJ supports the existence of a “meaningful information about the logic involved”, invoking for that effect recital 71 and article 15(1)(h) of the GDPR. Hence, the duty regarding which the controller is required to respect will not be fulfilled by the mere communication of a complex mathematical formula (such as an algorithm), or by the detailed description of all the steps in automated decision-making, since none of those would constitute a sufficiently concise and intelligible explanation. Considering that most data subjects are not expected to be specialists in AI or mathematics, the explanation given must be intelligible.
In our point of view, this is the most important topic of the decision. For the first time, the CJ leaves it clear that a right to explanation is not a mere formality, as it must be accompanied by a logical, effective and transparent explanation on the criteria applied during the process of automated decision-making, in a way that the data controller can, effectively, understand.
The court advocates that the explanation must be followed by a description of procedure and principles applied in such a way that the data subject can understand which of his or her personal data have been used in what way in the automated decision-making at issue.
Firstly, we think that the arguments presented by the court are very interesting. For many years, the scholars that defended the right to explanation based their position on recital 71, something that was criticized by many authors, precisely for the absence of binding value.
Additionally, the court recognizes that the explanation given to the data subject will have to be effective, as it is not enough for controllers to give abstract information and a mere mathematical formula. Considering that AI is characterized by its opacity, and that is not expected to have the knowledge to fully understand algorithmic systems, which may prompt controllers to reconsider their policies.
This ruling represents a significant advancement in the protection of data subjects. It is relevant to mention that, regardless of the ambiguity attached to the GDPR, the AI Act foresaw on article 86 a right to explanation. Thus, any person affected by a decision adopted by a high-risk AI system and if it considers that the decision had an adverse impact on its health, safety and fundamental rights will have the right to explanation concerning the role of the AI system in the decision-making procedure and the main elements of the decision taken. Nevertheless, the inclusion of this right on the AI Act does not solve all the questions. On one hand, not all automated individual decision-making, for the GDPR’s context, will be adopted by high-risk AI systems. On the other hand, not all the outputs produced by a high-risk AI system will constitute and automated individual decision-making under the GDPR. In both scenarios a legal vacuum may be created, which is not desired.
Although it is not possible to anticipate the end of the doctrinal debate, the CJ made a tremendous step in the construction of the right to explanation. From now on, it will be relevant to assess how the protection of fundamental rights will take place in this digital context. what is clear is that the scholarship that denied, so far, the existence of a right to explanation will not be able to ignore this landmark decision of the court.
© image source: https://www.urmconsulting.com/blog/the-gdpr-5-myths-dispelled
Author: Diana Camões
