The march of the machines is irresistible, with technology providing a range of opportunities for businesses to reduce the need for human input. There is a legal limit to such progress, but how many people know about it?
Section 6B of the Data Protection Acts 1988 and 2003 provides:
a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct
There are, as ever, exceptions to the ban, the most straightforward being consent. I have yet to see a set of terms and conditions containing such consent.
The widest exception concerns decisions made for the purposes of considering whether to contract with the data subject or in the course of performing such a contract. A further exception may arise where automatic decision making is required or authorised by law.
The contractual exception appears to strip the ban of much of its force. However, any exception to the ban on automated decision making only applies if the request for the entering into or the performance of the contract is granted or if there are suitable measures to safeguard the subject’s legitimate interests. Therefore, if the result of an automated decision is to not grant what the data subject requested, that decision will have to be reviewed by a human being.
A glaring question remains: what happens when section 6B is breached? As is often the case with data protection law in Ireland, the answer is unknown but it is likely that some enforcement proceeding might be engaged in by the Data Protection Commissioner.
- Section 6B, which implements into Irish law Article 15 of the EU Data Protection Directive, appears to be ambiguously drafted (due to poor formatting), arguably making the contractual exemption wider than intended. I have, however, gone with the intention of the Directive on this point.
- The real Rage Against the Machine.
2 thoughts on “Rage against the machine”
Great post. Sums up a somewhat tricky area quite well. Have cross posted on the Irish Computer Society’s Data Protection blog (http://blogs.ics.ie/dp) so you might get eyeballs from that side.
Comments are closed.