Part 5Data protection and privacy

Chapter 1Data protection

Automated decision-making

80Automated decision-making

(1)

For Article 22 of the UK GDPR (automated individual decision-making, including profiling) substitute—

“Section 4AAutomated individual decision-making

Article 22AAutomated processing and significant decisions

1.

For the purposes of Articles 22B and 22C—

(a)

a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and

(b)

a decision is a significant decision, in relation to a data subject, if—

(i)

it produces a legal effect for the data subject, or

(ii)

it has a similarly significant effect for the data subject.

2.

When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

Article 22BRestrictions on automated decision-making

1.

A significant decision based entirely or partly on processing described in Article 9(1) (processing of special categories of personal data) may not be taken based solely on automated processing, unless one of the following conditions is met.

2.

The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.

3.

The second condition is that—

(a)

the decision is—

(i)

necessary for entering into, or performing, a contract between the data subject and a controller, or

(ii)

required or authorised by law, and

(b)

point (g) of Article 9(2) applies.

4.

A significant decision may not be taken based solely on automated processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea).

Article 22CSafeguards for automated decision-making

1.

Where a significant decision taken by or on behalf of a controller in relation to a data subject is—

(a)

based entirely or partly on personal data, and

(b)

based solely on automated processing,

the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and any regulations under Article 22D(3).

2.

The safeguards must consist of or include measures which—

(a)

provide the data subject with information about decisions described in paragraph 1 taken in relation to the data subject;

(b)

enable the data subject to make representations about such decisions;

(c)

enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;

(d)

enable the data subject to contest such decisions.

Article 22DFurther provision about automated decision-making

1.

The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(a), there is, or is not, to be taken to be meaningful human involvement in the taking of a decision in cases described in the regulations.

2.

The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant effect for the data subject.

3.

The Secretary of State may by regulations make the following types of provision about the safeguards required under Article 22C(1)—

(a)

provision requiring the safeguards to include measures in addition to those described in Article 22C(2),

(b)

provision imposing requirements which supplement what Article 22C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in Article 22C(2) must be done or be capable of being done), and

(c)

provision about measures which are not to be taken to satisfy one or more of points (a) to (d) of Article 22C(2).

4.

Regulations under paragraph 3 may not amend Article 22C.

5.

Regulations under this Article are subject to the affirmative resolution procedure.”

(2)

The 2018 Act is amended in accordance with subsections (3) to (5).

(3)

For sections 49 and 50 (law enforcement processing: automated individual decision-making) substitute—

“50AAutomated processing and significant decisions

(1)

For the purposes of sections 50B and 50C—

(a)

a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and

(b)

a decision is a significant decision, in relation to a data subject, if—

(i)

it produces an adverse legal effect for the data subject, or

(ii)

it has a similarly significant adverse effect for the data subject.

(2)

When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

50BRestrictions on automated decision-making based on sensitive processing

(1)

A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met.

(2)

The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.

(3)

The second condition is that the decision is required or authorised by law.

50CSafeguards for automated decision-making

(1)

Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is—

(a)

based entirely or partly on personal data, and

(b)

based solely on automated processing,

the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).

(2)

The safeguards must consist of or include measures which—

(a)

provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject;

(b)

enable the data subject to make representations about such decisions;

(c)

enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;

(d)

enable the data subject to contest such decisions.

(3)

Subsections (1) and (2) do not apply in relation to a significant decision if—

(a)

exemption from those provisions is required for a reason listed in subsection (4),

(b)

the controller reconsiders the decision as soon as reasonably practicable, and

(c)

there is meaningful human involvement in the reconsideration of the decision.

(4)

Those reasons are—

(a)

to avoid obstructing an official or legal inquiry, investigation or procedure;

(b)

to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

to protect public security;

(d)

to safeguard national security;

(e)

to protect the rights and freedoms of others.

(5)

When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.

50DFurther provision about automated decision-making

(1)

The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.

(2)

The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.

(3)

Regulations under subsection (1) or (2) may amend section 50A.

(4)

The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)—

(a)

provision requiring the safeguards to include measures in addition to those described in section 50C(2),

(b)

provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and

(c)

provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to (d) of section 50C(2).

(5)

Regulations under this section are subject to the affirmative resolution procedure.”

(4)

In section 96 (intelligence services processing: right not to be subject to automated decision-making)—

(a)

in subsection (1), for “solely on” substitute “on entirely”,

(b)

in subsection (3), after “section” insert “and section 97”, and

(c)

at the end insert—

“(4)

For the purposes of this section and section 97, a decision is based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision.”

(5)

In section 97 (intelligence services processing: right to intervene in automated decision-making)—

(a)

in subsection (1)(a), for “solely on” substitute “on entirely”,

(b)

in subsection (4)(b), for “solely on” substitute “on entirely”, and

(c)

omit subsection (6).

(6)

Schedule 6 to this Act contains minor and consequential amendments.