--- title: Automated Decision-Making (ADM) type: concept tags: [adm, gdpr, profiling, ccpa, legal, regulatory-risk, ai-governance] sources: ["[[sources/gdpr-article-22-text]]", "[[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]]", "[[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]]"] created: 2026-04-27 updated: 2026-04-27 --- # Automated Decision-Making (ADM) A decision-making process — typically affecting an individual — produced *solely or significantly* by automated processing of personal data. Hub concept for the legal-risk cluster. ## Definitions across regimes | Regime | Definition / scope | |---|---| | **GDPR Art. 22** | Decision based *solely* on automated processing (incl. profiling) producing legal or similarly significant effects | | **CCPA proposed § 7001(f)** | "Automated Decision-Making Technology" (ADMT) — tools that *replace human judgment* or are a *key factor* in significant decisions; excludes mere assistive systems | | **EU AI Act** | "AI system" definition (Art. 3) — systems generating output influencing decisions; "high-risk AI systems" subject to Art. 14 oversight obligations | | **Council of Europe (Conv. 108+)** | Right not to be subject to a decision significantly affecting one without one's views taken into consideration | ## ADM is hybrid socio-technical Per [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance|Lazcoz & de Hert 2023]] (citing Spielkamp 2019): ADM systems are *hybrid systems*, involving humans and artificial agents in a particular socio-technological framework. The proliferation of AI is automating decision-making in more and more domains, with increasing reliance on delegation of tasks coupled with an *expectation of trust* in such delegation. ## Three types of ADM decisions (per Art. 22 framing) 1. **No-Art. 22 decisions** — no legal/significant effect → out of scope (e.g. routine product recommendations). 2. **Art. 22(1) decisions** — *solely automated* + legal/significant effect → prohibited unless prior meaningful human intervention. 3. **Art. 22(2) decisions** — meet contractual necessity / explicit consent / law-authorisation exception → allowed, but require Art. 22(3) safeguards. ## Examples in process-automation - **Credit scoring** (CJEU *SCHUFA* C-634/21) — qualifies as Art. 22 ADM even when scoring is performed by a third-party vendor. - **Loan and insurance underwriting** — Art. 22 + likely high-risk AI Act. - **Employment decisions** — recruitment, promotion, dismissal — Art. 22 + AI Act high-risk Annex III. - **Platform deactivation** — Amsterdam *Uber* deactivation case C/13/692003. - **Welfare allocation** — Hague *SyRI* judgment 2020. - **Customer offboarding** — frequently structured as Art. 22(2)(a) contractual necessity, but the safeguard duties apply. ## Profiling vs ADM [[concepts/profiling|Profiling]] (Art. 4(4) GDPR) is one *form* of ADM but not the only one. Not all profiling triggers Art. 22 — only profiling that produces legal/significant effects does. Pure classification for statistical/aggregate purposes (without individual decisioning) is profiling but not Art. 22 ADM. ## Operational risk surface ADM in process-automation contexts is the regulatory pivot point that determines whether: - A DPIA is mandatory (Art. 35(3)(a)). - Human-in-the-loop is required (Art. 22(1)). - Article 9 special-category data restrictions apply. - Cross-border transfer requires Chapter V safeguards. - AI Act Art. 14 oversight obligations stack on top. ## Related [[concepts/gdpr-article-22]] · [[concepts/profiling]] · [[concepts/human-oversight]] · [[concepts/dpia]] · [[concepts/eu-ai-act]] · [[concepts/automation-bias]]