Article 22 and Automated Decision-Making
Article 22 is a general prohibition with three exceptions, never an outright ban: automated decision-making is allowed only when necessary for a Contract, authorised by Law, or based on Explicit Consent (C·L·EC). Explicit consent means freely given, specific, informed and unambiguous.
A general prohibition, but not an outright ban. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where it produces legal effects or similarly significant impacts.
Automated decision-making is allowed only if → necessary for a Contract · authorised by Law · based on Explicit Consent.
- Contract → necessary for fulfilment of a contract, e.g. an online bank's algorithms approving loans as part of its service.
- Law → authorised by law, e.g. tax fraud detection systems mandated by national legislation.
- Explicit consent → freely given and informed, with a means to opt out.
| Explicit → clear, direct, unmistakable | Implied → inferred from actions or context |
|---|---|
| Checking a box → "I consent to processing for marketing purposes" | Continuing to use a service to "accept" terms |
| Signing a healthcare form explicitly describing research use | Entering a store with surveillance cameras |
| Verbally agreeing to a specific promotional use after being informed | Posting personal information in a public forum |
| An app requesting location access with a clear explanation | Accepting cookies by simply browsing without opting out |
Implementation realities: broad readings of fairness, lawfulness and transparency mean people must know they are talking to a chatbot before they keep sharing. Rights to accuracy, correction and erasure exist, but there is currently no way to remove data from a trained model and keep it as-is - models don't update inferences without formal retraining. People need a route to complain and request reviews of automated decisions; reviewers must be competent with AI, and the algorithm's logic must be documented and understandable to honour the right.
Two anchors → Article 22 is a general prohibition with three exceptions, never an outright ban. And explicit consent under the GDPR means freely given, specific, informed and unambiguous. Bonus link → automated recruitment is high-risk under the EU AI Act and requires human oversight.