Last review date: January 2025
Yes
The restrictions or requirements are as follows:
☒ qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them
☒ right to information / transparency requirement
☒ right to request human review of the automated decision making
☒ other
This chapter provides information on the position under European Union law and guidance. For information on implementation in specific jurisdictions, see the relevant individual chapter.
Art. 22 GDPR sets forth a qualified right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning a data subject or similarly significantly affects him or her. In this respect, "decisions producing legal effects" are those which, for example, affect someone's legal rights, such as the freedom to associate with others, to vote in an election or to take legal action, or their legal status or rights under a contract. On the other hand, for data processing to “similarly significantly affect” someone, the effects of the processing must be sufficiently great or important to be worthy of attention (e.g., it has the potential to significantly affect the circumstances, behavior or choices of the individuals concerned, to have a prolonged or permanent impact on the data subject, or to lead to the exclusion or discrimination of individuals).
Arts. 13 and 14 GDPR require data controllers to inform data subjects of the existence of automated decisions that meet the above description, including providing meaningful information about the logic involved, as well as the significance and envisaged consequences of the processing for the data subject.
In certain cases where the data subject right laid down in Art. 22 GDPR does not apply in light of legal exceptions, Art. 22 GDPR requires data controllers to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
There are also other EU data regulations that impose requirements or restrictions in relation to profiling and automated decision making. For example, AI systems used for profiling in the course of the detection, investigation or prosecution of criminal offences for law enforcement purposes are considered high-risk systems under the AI Act.
Last review date: January 2025
Yes
The exceptions are as follows:
For instance, the right not to be subject to a decision based solely on automated processing, including profiling, laid down in Article 22 GDPR, is not applicable if, in particular, the decision (i) is necessary for entering into or performance of a contract between a data subject and a data controller, (ii) is authorized by EU or Member State law to which the data controller is subject (and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests), or (iii) is based on the data subject’s explicit consent.
Last review date: January 2025
Yes
The EDPB has endorsed the Guidelines on Automated individual decision-making and Profiling produced by the Article 29 Working Party in 2018. Additionally, it has published other more specific guidelines such as the Guidelines 8/2020 on the targeting of social media users and Statement 2/2019 on the use of personal data in the course of political campaigns.
Last review date: January 2025
☒ Enforcement activity against AI developer(s)
☒ Enforcement activity against AI user(s)/deployer(s)
☒ Enforcement activity under existing privacy law
☒ Enforcement activity by data or cyber regulator
Last review date: January 2025
☒ Yes, laws in force
This chapter provides information on the position under European Union law and guidance. For information on implementation in specific jurisdictions, see the relevant individual chapter.
The EU AI Act entered into force on 1 August 2024. From 2 February 2025, specified “prohibited systems” will be banned in the EU, and a risk-based framework of obligations for other AI systems will begin to take effect from 2025 onwards. Depending on the nature of the AI system and the way it is being used, those obligations might include a requirement for human oversight and/or transparency requirements. The use of automated decision making or profiling by AI systems may determine their classification from a regulatory perspective and the respective obligations that arise.
The Digital Services Act (Regulation 2022/2065 of 19 October 2022 on a Single Market For Digital Services - “DSA”), which entered into force on 17 February 2024, imposes specific restrictions on certain uses of profiling. In particular, under Art. 26 DSA, providers of online platforms may not present advertisements to recipients of the service based on profiling as defined in Art. 4(4) GDPR using special categories of personal data referred to in Art. 9(1) GDPR. Furthermore, pursuant to Art. 28 DSA, providers of online platforms may not present advertisements on their interface based on profiling (within the meaning of Art. 4(4) GDPR) using personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor. Lastly, according to Art. 38 DSA, providers of very large online platforms and of very large online search engines that use recommender systems must provide at least one option for each of their recommender systems which is not based on profiling (within the meaning of Art. 4(4) GDPR).
In addition, under Art. 15 of the Digital Markets Act (Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector – “DMA”), within 6 months after its designation, a gatekeeper must submit to the Commission an independently audited description of any techniques for profiling of consumers that the gatekeeper applies to or across its core platform services listed in the designation decision. The Commission will transmit that audited description to the European Data Board.