Published online by Cambridge University Press: 04 July 2020
Machine-learning algorithms are used to profile individuals and make decisions based on them. The European Union is a pioneer in the regulation of automated decision-making. The regime for solely automated decision-making under Article 22 of the General Data Protection Regulation (GDPR), including the interpretative guidance of the Article 29 Working Party (WP29, replaced by the European Data Protection Board under the GDPR), has become more substantial (i.e., less formalistic) than was the case under Article 15 of the Data Protection Directive. This has been achieved by: endorsing a non-strict concept of ‘solely’ automated decisions; explicitly recognising the enhanced protection required for vulnerable adults and children; linking the data subject’s right to an explanation to the right to challenge automated decisions; and validating the ‘general prohibition’ approach to Article 22(1). These positive developments enhance legal certainty and ensure higher levels of protection for individuals. They represent a step towards the development of a more mature and sophisticated regime for automated decision-making that is committed to helping individuals retain adequate levels of autonomy and control, whilst meeting the technology and innovation demands of the data-driven society.