The researchers found that the differing legal regimes in the EU and US make it difficult to compare protection in the two territories for decisions based solely on automated processing that produces legal or similarly significant effects. Despite these differences, protection does exist in US law in many contexts where automated processing informs decision-making. However, as significant efforts are being made to develop and deploy the commercial application of ADM, close monitoring by the European Commission (EC) is recommended.
TNO and the US legal partners further concluded in their study that between 2017-2018:
1. Unlike profiling, commercial ADM was still in an emerging phase: most decisioning automation capabilities were more likely to be partially than fully automated.
2. Commercial applications with (partial) ADM capabilities that were already available included those in the categories: financial (e.g. credit scoring, commercial loans, commercial insurance), human resources (applicant tracking, applicant background checks, talent management, hiring), and marketing and advertising. An emerging category is that of health-related ADM applications.
3. Most providers of commercial ADM applications were not customer-facing and would have qualified primarily as data processors.
4. Actual transfers of EU data to the US could not be estimated, although companies were actively offering personal data and profiles of individuals as well as data analytics and decisioning software.
5. Most ADM-based consumer services would have been aimed primarily at US users and therefore not relevant for EU data subjects.
6. Actual use of solely ADM applications that would produce legal or similarly significant effects based on EU data transferred to the US by Privacy Shield self-certified companies is likely to have been very low.
As part of the second yearly review of the EU-US Privacy Shield, the EC required a study intended to support its assessment of the framework. The EC specifically wished to know to what extent Privacy Shield-certified companies in the US take decisions affecting the individual based on automated processing of personal data transferred from the EU to the US under the Privacy Shield. Furthermore, the EC wanted to know which safeguards for individuals are provided by US federal law for such situations and the conditions under which these safeguards apply.
EU data protection law contains protection for individuals in cases of automated decision-making (ADM). Article 22 of the General Data Protection Regulation (GDPR) provides for the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or has a similarly significant effect on him or her. This principle is subject to exceptions, in which cases the data controller is obliged to implement appropriate safeguards to protect the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
No principle that would provide similar protection to Article 22 of the GDPR is contained in the EU-US Privacy Shield – a voluntary self-certification system by which US companies commit to adhere to a set of privacy principles.
Download it now via the European Commission’s website