Humans in the GDPR and AIA governance of automated and algorithmic systems. Essential pre-requisites against abdicating responsibilities

Guillermo Lazcoz Moratinos; Paul De Hert

doi:10.1016/j.clsr.2023.105833

Humans in the GDPR and AIA governance of automated and algorithmic systems. Essential pre-requisites against abdicating responsibilities

Guillermo Lazcoz Moratinos, Paul De Hert

Research output: Contribution to journal › Article › peer-review

5 Citations (Scopus)

172 Downloads (Pure)

Abstract

The GDPR mandates humans to intervene in different ways in automated decision-making (ADM). Similar human intervention mechanisms can be found amongst the human oversight requirements in the future regulation of AI in the EU. However, Article 22 GDPR has become an unenforceable second-class right, following the fate of its direct precedent -Article 15 of the 1995 Data Protection Directive. Then, why should European policymakers rely on mandatory human intervention as a governance mechanism for ADM systems? Our approach aims to move away from a view of human intervention as an individual right towards a procedural right that is part of the culture of accountability in the GDPR. The core idea to make humans meaningfully intervene in ADM is to help controllers comply with regulation and to demonstrate compliance. Yet, human intervention alone is not sufficient to achieve appropriate human oversight for these systems. Human intervention will not work without human governance. This is why DPIAs should play a key role before introducing it and throughout the life-cycle of the system. This approach fits better with the governance model proposed in the Artificial Intelligence Act. Human intervention is not a panacea, but we claim that it should be better understood and integrated into the regulatory ecosystem to achieve appropriate oversight over ADM systems.

Original language	English
Article number	105833
Pages (from-to)	20
Journal	Computer Law and Security Review
Volume	50
DOIs	https://doi.org/10.1016/j.clsr.2023.105833
Publication status	Published - Sep 2023

Bibliographical note

Funding Information:
Earlier versions of this work were discussed in the first half of 2021, during Guillermo's stay in Brussels hosted by Paul. Thanks to the LSTS research group from VUB for their kind welcome. I am also grateful to the Ministry of Universities of the Spanish Government (EST19/00674: Ayudas complementarias de movilidad destinadas a beneficiarios del programa de Formación del Profesorado Universitario). We want to thank Juraj Sajfert and Cristina Cocito for their feedback on early drafts of this work, and also to the anonymous reviewers of the journal.

Publisher Copyright:
© 2023 Guillermo Lazcoz and Paul de Hert

Keywords

AI governance
GDPR

Access to Document

10.1016/j.clsr.2023.105833Licence: CC BY-NC

pdh23&glCLSR Humans-in-the-GDPR-and-AIA-governance-of-automated-and-alg_2023_Computer-LawFinal published version, 0.99 MBLicence: CC BY-NC

Cite this

@article{19facf951f5b4d26ad613d7db778fb2f,

title = "Humans in the GDPR and AIA governance of automated and algorithmic systems. Essential pre-requisites against abdicating responsibilities",

abstract = "The GDPR mandates humans to intervene in different ways in automated decision-making (ADM). Similar human intervention mechanisms can be found amongst the human oversight requirements in the future regulation of AI in the EU. However, Article 22 GDPR has become an unenforceable second-class right, following the fate of its direct precedent -Article 15 of the 1995 Data Protection Directive. Then, why should European policymakers rely on mandatory human intervention as a governance mechanism for ADM systems? Our approach aims to move away from a view of human intervention as an individual right towards a procedural right that is part of the culture of accountability in the GDPR. The core idea to make humans meaningfully intervene in ADM is to help controllers comply with regulation and to demonstrate compliance. Yet, human intervention alone is not sufficient to achieve appropriate human oversight for these systems. Human intervention will not work without human governance. This is why DPIAs should play a key role before introducing it and throughout the life-cycle of the system. This approach fits better with the governance model proposed in the Artificial Intelligence Act. Human intervention is not a panacea, but we claim that it should be better understood and integrated into the regulatory ecosystem to achieve appropriate oversight over ADM systems.",

keywords = "AI governance, GDPR",

author = "{Lazcoz Moratinos}, Guillermo and {De Hert}, Paul",

note = "Funding Information: Earlier versions of this work were discussed in the first half of 2021, during Guillermo's stay in Brussels hosted by Paul. Thanks to the LSTS research group from VUB for their kind welcome. I am also grateful to the Ministry of Universities of the Spanish Government (EST19/00674: Ayudas complementarias de movilidad destinadas a beneficiarios del programa de Formaci{\'o}n del Profesorado Universitario). We want to thank Juraj Sajfert and Cristina Cocito for their feedback on early drafts of this work, and also to the anonymous reviewers of the journal. Publisher Copyright: {\textcopyright} 2023 Guillermo Lazcoz and Paul de Hert",

year = "2023",

month = sep,

doi = "10.1016/j.clsr.2023.105833",

language = "English",

volume = "50",

pages = "20",

journal = "Computer Law & Security Review",

issn = "0267-3649",

publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Humans in the GDPR and AIA governance of automated and algorithmic systems. Essential pre-requisites against abdicating responsibilities

AU - Lazcoz Moratinos, Guillermo

AU - De Hert, Paul

N1 - Funding Information: Earlier versions of this work were discussed in the first half of 2021, during Guillermo's stay in Brussels hosted by Paul. Thanks to the LSTS research group from VUB for their kind welcome. I am also grateful to the Ministry of Universities of the Spanish Government (EST19/00674: Ayudas complementarias de movilidad destinadas a beneficiarios del programa de Formación del Profesorado Universitario). We want to thank Juraj Sajfert and Cristina Cocito for their feedback on early drafts of this work, and also to the anonymous reviewers of the journal. Publisher Copyright: © 2023 Guillermo Lazcoz and Paul de Hert

PY - 2023/9

Y1 - 2023/9

N2 - The GDPR mandates humans to intervene in different ways in automated decision-making (ADM). Similar human intervention mechanisms can be found amongst the human oversight requirements in the future regulation of AI in the EU. However, Article 22 GDPR has become an unenforceable second-class right, following the fate of its direct precedent -Article 15 of the 1995 Data Protection Directive. Then, why should European policymakers rely on mandatory human intervention as a governance mechanism for ADM systems? Our approach aims to move away from a view of human intervention as an individual right towards a procedural right that is part of the culture of accountability in the GDPR. The core idea to make humans meaningfully intervene in ADM is to help controllers comply with regulation and to demonstrate compliance. Yet, human intervention alone is not sufficient to achieve appropriate human oversight for these systems. Human intervention will not work without human governance. This is why DPIAs should play a key role before introducing it and throughout the life-cycle of the system. This approach fits better with the governance model proposed in the Artificial Intelligence Act. Human intervention is not a panacea, but we claim that it should be better understood and integrated into the regulatory ecosystem to achieve appropriate oversight over ADM systems.

AB - The GDPR mandates humans to intervene in different ways in automated decision-making (ADM). Similar human intervention mechanisms can be found amongst the human oversight requirements in the future regulation of AI in the EU. However, Article 22 GDPR has become an unenforceable second-class right, following the fate of its direct precedent -Article 15 of the 1995 Data Protection Directive. Then, why should European policymakers rely on mandatory human intervention as a governance mechanism for ADM systems? Our approach aims to move away from a view of human intervention as an individual right towards a procedural right that is part of the culture of accountability in the GDPR. The core idea to make humans meaningfully intervene in ADM is to help controllers comply with regulation and to demonstrate compliance. Yet, human intervention alone is not sufficient to achieve appropriate human oversight for these systems. Human intervention will not work without human governance. This is why DPIAs should play a key role before introducing it and throughout the life-cycle of the system. This approach fits better with the governance model proposed in the Artificial Intelligence Act. Human intervention is not a panacea, but we claim that it should be better understood and integrated into the regulatory ecosystem to achieve appropriate oversight over ADM systems.

KW - AI governance

KW - GDPR

UR - http://www.scopus.com/inward/record.url?scp=85161703243&partnerID=8YFLogxK

U2 - 10.1016/j.clsr.2023.105833

DO - 10.1016/j.clsr.2023.105833

M3 - Article

VL - 50

SP - 20

JO - Computer Law & Security Review

JF - Computer Law & Security Review

SN - 0267-3649

M1 - 105833

ER -

Humans in the GDPR and AIA governance of automated and algorithmic systems. Essential pre-requisites against abdicating responsibilities

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this