Law 25: the Issue of Automated Decisions

Does your organization make decisions based exclusively on automated information processing? Law 25 provides advice and guidelines regarding these practices.

Law 25 provides vital clarification regarding the protection of personal information and decision-making based on automated information processing in particular. You must fully understand the rights and obligations regarding the use of personal information in order to comply with the law.

• What is a decision based on automated information processing?
• Was the decision based exclusively on automated information processing?
• As a public organization or as a company, what are your obligations?

What is a decision based on automated information processing?

Decision-making based exclusively on automated information processing can be defined as the use of technology to make decisions without any human involvement. This decision-making process can be conducted using one of the following systems:

• A simple system that applies predefined rules;
• A more complex artificial intelligence (AI) system that is capable of learning and adapting.

Therefore, automated decision-making does not always involve the use of AI. A system can be automated without the use of machine learning techniques and based instead on predefined criteria.

For example, a CV processing system could be configured to automatically exclude the CVs of candidates who do not meet specific predetermined needs such as a minimum number of years of experience in a particular sector.

However, Law 25 does not distinguish between these two types of automation. It applies to all automated decision-making systems, regardless of whether they use AI.

Was the decision based exclusively on automated information processing?

Once a person intervenes in a significant manner in the decision-making process, the specific obligations of Law 25 no longer apply.

This human intervention must be significant in order to exclude the application of Law 25. Technical intervention or automatic validation that do not involve real decision-making powers are not sufficient.

Decision-making involves taking action in the context of a specific situation. The process must allow your organization or business to make a decision regarding an individual and ensure that the decision affects them (legal consequences, granting or denying a service, classification, etc.).

As a public organization or as a company, what are your obligations?

Where an automated decision was made by a public body or company that uses personal information, the person concerned must be informed and may request an explanation.

• Information: the public body or company must inform the individual concerned not later than at the time it informs them of the automated decision.
• Explanations: the individual concerned may request a list of the personal information used to render the decision and the reasons and principal factors that led to the decision.
• Correction: if the information is incorrect, the individual concerned may request that it be corrected.
• Review by a person: the individual concerned has the right to submit their observations and request a review of the decision by a person.

The advances in AI and its growing use in automated decision-making have created additional challenges regarding the protection of personal information.

Law 25 provides guidance on these practices by giving individuals additional rights with regard to transparency, explanations and contesting automated decisions that concern them.

Don't hesitate to reach out to a specialist when implementing your required policies, methodology and procedures to ensure that your company complies with the law and avoids costly penalties.

This article was written in collaboration with Sabrina Roy, Senior Consultant, Information Governance, at Raymond Chabot Grant Thornton.