---
title: "Humans in the GDPR and AIA governance of automated and algorithmic systems. Essential pre-requisites against abdicating responsibilities"
type: source
tags: [gdpr, gdpr-article-22, ai-act, aia, dpia, human-oversight, automated-decision-making, accountability, legal, regulatory-risk]
authors: [Lazcoz Guillermo; de Hert Paul]
year: 2023
venue: "Computer Law & Security Review 50 (2023) 105833 — Elsevier"
kind: paper
raw_path: "raw/Legal/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance.pdf"
doi: "10.1016/j.clsr.2023.105833"
created: 2026-04-27
updated: 2026-04-27
key_claims:
  - Article 22 GDPR contains TWO distinct human-intervention mechanisms — human-in-the-loop as essential component for 22(1) decisions, and human-out-of-the-loop on request as safeguard for 22(2) decisions — with different rationales (contestability vs. accountability).
  - Both mechanisms require *meaningful* human intervention (per WP29 Guidelines, EDPB endorsement, Amsterdam Uber/Ola case-law), not nominal rubber-stamping. Meaningfulness needs authority/competence to change the decision, consideration of all relevant data, and avoidance of automation bias.
  - Article 22 has historically been a *second-class right*, "rarely enforced, poorly understood, easily circumvented", repeating the fate of its 1995 Directive precedent (Art. 15). The way to revive it is to reframe it as a *procedural right* anchored to GDPR's Article 5(2) accountability principle, not as an individual right.
  - Human intervention alone is insufficient; it requires *human governance*. DPIAs (Art. 35 GDPR) are the indispensable tool for continuous evaluation of meaningful intervention and for demonstrating compliance.
  - The proposed AI Act extends GDPR's scope by mandating human oversight for high-risk AI systems already at the *development* phase (Art. 14 AIA, Recital 48), not only at the use phase. Article 29 AIA explicitly requires DPIA referencing, a deliberate bridge between AIA users (= GDPR controllers) and GDPR.
  - The 2020 White Paper distinguishes four governance mechanisms (human-in-the-loop, human-out-of-the-loop, human-on-the-loop, human-back-in-control) that complement Art. 22's two mechanisms.
  - Lack of meaningful human intervention is inescapably linked to abdication of responsibilities and therefore to violation of the accountability principle.
---

# Lazcoz & de Hert 2023 — Humans in the GDPR and AIA governance of automated and algorithmic systems

Peer-reviewed article in *Computer Law & Security Review* (Elsevier, 2023). The most thorough doctrinal analysis to date of how mandatory human intervention works under [[concepts/gdpr-article-22|GDPR Article 22]] and how the AI Act (AIA) extends, complements, and operationalises that requirement. **Anchor source for the legal-risk cluster on AI process automation.**

## Contribution

The paper challenges two prevailing positions: (i) that mandatory human intervention is purely an individual right of the data subject, and (ii) that it is an unenforceable "second-class" provision. The authors reframe Art. 22 as a *procedural* right tied to the GDPR's [[concepts/gdpr-accountability-principle|accountability principle]] (Art. 5(2)), and argue that its rationale is dual:

1. **Contestability at stake** — protecting data subjects against loss of control over decisions affecting them (the individual-rights perspective, common in the literature).
2. **Accountability at stake** — protecting *controllers* against their own abdication of responsibilities to machines (the systemic perspective, neglected in the literature).

This second rationale is the paper's central original contribution and the bridge to the [[concepts/eu-ai-act|AIA]].

## Two intervention mechanisms in Article 22 GDPR

| | **Art. 22(1) GDPR** | **Art. 22(2) GDPR** |
|---|---|---|
| Type of intervention | Human-in-the-loop | Human-out-of-the-loop *on request* |
| Status | **Essential component** of decision-making | **Safeguard** for decisions allowed under 3 exceptions (contract / consent / Union or Member State law) |
| When does it occur | *Prior* to the legal/significant effect | *After* the decision (right to obtain human intervention, express POV, contest decision) |
| Regulatory goal | Avoid automation in decisions producing legal/significant effects | Re-evaluate already-effective automated decisions and ensure contestability |
| Rationale | Accountability (controller-side) | Contestability (subject-side) |

A **decision tree** (Fig. 1 in the paper) classifies decisions into three types:

- **No-Art. 22 decisions** — no legal/significant effect, out of scope.
- **Art. 22(1) decisions** — legal/significant effect, prohibited unless prior human intervention is included → controller adds a human in the loop.
- **Art. 22(2) decisions** — legal/significant effect, allowed via the three exceptions → require human-out-of-the-loop safeguards on request, *plus* the right to express a POV and contest.

## "Solely" and "meaningful" — the key terms

- The **"solely automated"** threshold is escaped only when *meaningful* human intervention occurs prior to the effect. A nominal rubber-stamp or formal sign-off does not lift the prohibition (per WP29 Guidelines 2018, endorsed by EDPB; confirmed in Amsterdam District Court Uber transparency case C/13/687315 §4.37 and Ola case C/13/689705 §4.63; Uber deactivation case C/13/692003 / HA RK 20-302).
- **Meaningful intervention** requires:
  1. Authority and competence to change the decision (not merely apply algorithmic output).
  2. Consideration of all relevant data, not just algorithmic output.
  3. Avoidance of [[concepts/automation-bias|automation bias]] — the routine over-reliance on machine output.
- The Spanish DPA (AEPD 2020) and the UK ICO (GDPR Guide 2020) state the same.

## Why DPIAs are central

DPIAs (Art. 35 GDPR) are positioned as the indispensable governance tool. They provide:

- A **systematic and extensive evaluation** of automated processing producing legal/significant effects (mandatory under Art. 35(3)(a)).
- A **continuous** rather than one-off assessment, to be updated through the system's lifecycle.
- An **institutional check** that goes beyond individual case review and addresses cost-and-incentive structures, automation bias, and societal side-effects.
- A bridge to the AIA: Art. 29(6) AIA obliges users (= GDPR controllers) to use the information from AI providers in their DPIA.

Italian and Spanish DPA fines (Foodinho €2,600,000; Deliveroo €2,500,000 — both 2021) cited in the paper specifically include violation of Art. 35 GDPR (failure to conduct a DPIA) alongside Art. 22 violations, illustrating the practical link.

## The AIA layer

The AIA proposal goes beyond the GDPR by:

- Establishing **human oversight** as a mandatory requirement for high-risk AI systems (Art. 8(1) and 14 AIA).
- Imposing duties at the **development phase** (providers — Art. 16(a) AIA); Recital 48 requires "appropriate human oversight measures" already in design. GDPR Art. 22 only addresses the use phase.
- Defining four oversight measures (Art. 14(4) AIA): (a) understand capacities/limitations; (b) remain aware of automation bias; (c) correctly interpret outputs; (d) decide not to use / override / reverse; (e) intervene via stop button.
- Article 29 AIA explicitly references DPIA duties, a direct interaction with GDPR governance.
- Recital 48 AIA explicitly references "automation bias", bringing the WP29 Guidelines vocabulary into the AIA.

The 2020 White Paper on AI distinguishes four governance manifestations: human-in-the-loop, human-out-of-the-loop, **human-on-the-loop** (real-time monitoring, e.g. driverless car), and **human-back-in-control** (a technical feature returns control). The AIA condenses these into the use-stage oversight requirement.

## Critical findings

- **Cross-border coherence between GDPR and AIA is intentional.** Art. 29(6) AIA's DPIA reference is "a beautiful example of how the AIA tries to interact and boost the accountability duties contained in the GDPR" (p. 9).
- The "Kafkaesque" dimension is explicit: bureaucratic dehumanisation through ADM is the very harm Art. 15 of the 1995 Directive (Art. 22 GDPR's predecessor) was originally designed against. It largely failed; the paper argues Art. 22 + AIA together can revive that protection, but only if intervention is meaningful.
- The authors caution: "Human intervention is not a panacea, but we claim that it should be better understood and integrated into the regulatory ecosystem" (Conclusion).
- Lack of meaningful intervention by data controllers is "inescapably linked to the principle of accountability" (Section 9). Routine application of algorithmic output = abdication of accountability = violation of Art. 5(2).

## Cited and connected case-law / soft law

- **WP29 Guidelines on Automated Individual Decision-Making and Profiling** (2018, endorsed by EDPB) — the central soft-law reference for "meaningful".
- **SCHUFA (CJEU C-634/21, 2023)** — first CJEU ruling addressing 22(1) GDPR (referenced via Häuselmann's report on the oral hearing).
- **Amsterdam District Court Uber/Ola transparency cases (2021)** and **Uber deactivation case (2023)** — explicitly require "betekenisvolle menselijke tussenkomst" (meaningful human intervention).
- **Italian Foodinho / Deliveroo IT cases (2021)** — DPA fines for combined Art. 22 + Art. 35 violations.
- **Hague Court SyRI judgment (2020)** — addresses Art. 8 ECHR but illuminates the human-rights stakes of social-benefit ADM.
- **French Conseil Constitutionnel decision n° 2018-765 DC** (12 June 2018, §71) — declares human intervention a fundamental safeguard in the design and development of AI algorithms.

## Limitations

- DPIAs are themselves "mainly self-assessment governance tools combined with the potential control of Supervisory Authorities" (p. 16), and are therefore vulnerable if SAs are under-resourced.
- "There is no way to know if a human agent is affected by automation bias evaluating a single decision" (p. 16); institutional rather than case-level review is necessary.
- The paper endorses a "trial-and-error" approach (per Baldwin, Cave & Lodge 2011) rather than grand regulatory schemes.

## Connections

**Concepts:** [[concepts/gdpr-article-22]] · [[concepts/automated-decision-making]] · [[concepts/human-oversight]] · [[concepts/dpia]] · [[concepts/eu-ai-act]] · [[concepts/automation-bias]] · [[concepts/gdpr-accountability-principle]] · [[concepts/profiling]]

**Authors:** [[entities/guillermo-lazcoz]] · [[entities/paul-de-hert]]

**Related sources (in this wiki):** [[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai]] (operationalisation of the same governance gap for agentic AI) · [[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]] (US/EU comparison anchored on Art. 22) · [[sources/gdpr-article-22-text]] (primary source)

**Syntheses:** [[syntheses/legal-risk-mapping-ai-process-automation]]

## Open follow-ups

- The SCHUFA judgment (CJEU C-634/21, December 2023) was decided *after* this paper went to press. Its reasoning on whether 22(1) constitutes a general prohibition or a contestation right (the paper anticipates this question on p. 5) is now settled and worth a dedicated source page.
- The AIA was formally adopted in 2024; the paper analyses the 2021 proposal. Numbering and recital text shifted (e.g. former Art. 14 AIA = current Art. 14 AIA in the final text; Recital 48 → Recital 73 in the adopted version). When citing operative AIA text, verify against the final 2024 Regulation.