Automated decision making & the EU-US Privacy Shield

Increasingly, decisions that affect our lives are being automated. Whether getting a job interview, a mortgage or an insurance policy, algorithms and data are at the core of such automated decision-making processes (ADM). TNO and US legal experts conducted a study into commercial uses of automated decision-making based on personal data transferred under the EU-US Privacy Shield Framework. The study was requested by the European Commission.

The researchers found that the differing legal regimes in the EU and US make it difficult to compare protection in the two territories for decisions based solely on automated processing that produces legal or similarly significant effects. Despite these differences, protection does exist in US law in many contexts where automated processing informs decision-making. However, as significant efforts are being made to develop and deploy the commercial application of ADM, close monitoring by the European Commission (EC) is recommended.

Further conclusions

TNO and the US legal partners further concluded in their study that, between 2017 and 2018:
1. Unlike profiling, commercial ADM was still in an emerging phase: most decisioning automation capabilities were more likely to be partially than fully automated.
2. Commercial applications with (partial) ADM capabilities that were already available included those in the categories: financial (e.g. credit scoring, commercial loans, commercial insurance), human resources (applicant tracking, applicant background checks, talent management, hiring), and marketing and advertising. An emerging category is that of health-related ADM applications.
3. Most providers of commercial ADM applications were not customer-facing and would have qualified primarily as data processors.
4. Actual transfers of EU data to the US could not be estimated, although companies were actively offering personal data and profiles of individuals as well as data analytics and decisioning software.
5. Most ADM-based consumer services would have been aimed primarily at US users and therefore not relevant for EU data subjects.
6. Actual use of solely ADM applications that would produce legal or similarly significant effects based on EU data transferred to the US by Privacy Shield self-certified companies is likely to have been very low.

ADM & the Privacy Shield 2017-2018

As part of the second yearly review of the EU-US Privacy Shield, the EC required a study intended to support its assessment of the framework. The EC specifically wished to know to what extent Privacy Shield-certified companies in the US take decisions affecting the individual based on automated processing of personal data transferred from the EU to the US under the Privacy Shield. Furthermore, the EC wanted to know which safeguards for individuals are provided by US federal law for such situations and the conditions under which these safeguards apply.

Background

EU data protection law contains protection for individuals in cases of automated decision-making (ADM). Article 22 of the General Data Protection Regulation (GDPR) provides for the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or has a similarly significant effect on him or her. This principle is subject to exceptions, in which cases the data controller is obliged to implement appropriate safeguards to protect the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
No principle that would provide similar protection to Article 22 of the GDPR is contained in the EU-US Privacy Shield – a voluntary self-certification system by which US companies commit to adhere to a set of privacy principles.

Read about the TNO Privacy Shield study

Download it now via the European Commission’s website

Contact

Drs. Gabriela Bodea

  • Privacy
  • Data protection
  • Cyber security
  • Social impact of ICT