Okay.
Here we don't have too much novelty. The GDPR does not mention artificial intelligence, but there is a provision which is in continuity with the current directive. It provides for this Article 22, which provides for a line of continuity. The data subject will continue having a right not to be subject to a decision based solely on automatic processes, including but not totally providing...when the decision is likely to produce legal effects concerning him or her, or with a view to significantly affecting him or her. There are some exceptions in the case of the necessity relating to a contract between the data subject and the data controller, explicit consent by the data subjects. What is needed is that in case of a derogation, some suitable measures be listed by the legislator to safeguard the data subjects and rights.
We see a line of continuity in having a human evaluation as part of the process. We recognize the ability of the controller to build largely on an automated individual decision-making process. However, the question is on what is at the end, how the decision is placed, and to which extent there is a human contribution. This is a specific right. The wording is “shall”, and therefore now the question is to what extent we may build on safeguards.
Let me say that with regard to artificial intelligence, we have posted on our website an important background document for the last conference of all data protection and privacy and information commissioners from all around the world—a meeting in Marrakech—with a view to going beyond the GDPR being part of the artificial intelligence debate by the data protection people, and a list of questions for a more synchronized approach by DPS. In case you fail to identify the web page, we can provide you with the relevant link.