Against the Dehumanisation of Decision-Making – Algorithmic Decisions at the Crossroads of Intellectual Property, Data Protection, and Freedom of Information

  1. Guido Noto La Diega


This work presents ten arguments against algorithmic decision-making. These re-volve around the concepts of ubiquitous discretionary interpretation, holistic intu-ition, algorithmic bias, the three black boxes, psychology of conformity, power of sanctions, civilising force of hypocrisy, pluralism, empathy, and technocracy. Nowadays algorithms can decide if one can get a loan, is allowed to cross a bor-der, or must go to prison. Artificial intelligence techniques (natural language pro-cessing and machine learning in the first place) enable private and public deci-sion-makers to analyse big data in order to build profiles, which are used to make decisions in an automated way. The lack of transparency of the algorithmic deci-sion-making process does not stem merely from the characteristics of the relevant techniques used, which can make it impossible to access the rationale of the deci-sion. It depends also on the abuse of and overlap between intellectual property rights (the “legal black box”). In the US, nearly half a million patented inventions concern algorithms; more than 67% of the algorithm-related patents were issued over the last ten years and the trend is increasing. To counter the increased mo-nopolisation of algorithms by means of intellectual property rights (with trade se-crets leading the way), this paper presents three legal routes that enable citizens to ‘open’ the algorithms. First, copyright and patent exceptions, as well as trade se-crets are discussed. Second, the EU General Data Protection Regulation is critical-ly assessed. In principle, data controllers are not allowed to use algorithms to take decisions that have legal effects on the data subject’s life or similarly significantly affect them. However, when they are allowed to do so, the data subject still has the right to obtain human intervention, to express their point of view, as well as to contest the decision. Additionally, the data controller shall provide meaningful in-formation about the logic involved in the algorithmic decision. Third, this paper critically analyses the first known case of a court using the access right under the freedom of information regime to grant an injunction to release the source code of the computer program that implements an algorithm. Only an integrated ap-proach – which takes into account intellectual property, data protection, and free-dom of information – may provide the citizen affected by an algorithmic decision of an effective remedy as required by the Charter of Fundamental Rights of the EU and the European Convention on Human Rights.


1. Context and scope of the research*


This work argues that algorithms cannot and should not replace human beings in decision-making, but it takes account of the increase of algorithmic decisions and, accordingly, it presents three European legal routes available to those affected by such decisions.


Algorithms have been used in the legal domain for decades, for instance in order to analyse legislation.  [1] These processes or sets of rules followed in calculations or other problem-solving operations raised limited concerns when they merely made our lives easier by ensuring that search engines showed us only relevant results.  [2] However, nowadays algorithms can decide if one can get a loan,  [3] is hired,  [4] is allowed to cross a border,  [5] or must go to prison.  [6] Particularly striking is the episode concerning a young man sentenced in Wisconsin to a six-year imprisonment for merely attempting to flee a traffic officer and operating a vehicle without its owner’s consent. The reason for such a harsh sanction was that Compas, an algorithmic risk assessment system, concluded that he was a threat to the community. The proprietary nature of the algorithm did not allow the defendant to challenge the Compas report. The Supreme Court found no violation of the right to due process.  [7]


Artificial intelligence techniques (natural language processing, machine learning, etc.) and predictive analytics enable private and public decision-makers to extract value from big data  [8] and to build profiles, which are used to make decisions in an automated way. The accuracy of the profiles is further enhanced by the linking capabilities of the Internet of Things.  [9] These decisions may profoundly affect people’s lives in terms of, for instance, discrimination, de-individualisation, information asymmetries, and social segregation.  [10]


In light of the confusion as to the actual role of algorithms, it is worrying that in “the models of game theory, decision theory, artificial intelligence, and military strategy, the algorithmic rules of rationality replaced the self-critical judgments of reason.”  [11]


One paper  [12] concluded by asking whether and how algorithms should be regulated. This work aims to constitute an attempt to answer those questions with a focus on the existing rules on intellectual property, data protection, and freedom of information. In particular, it will be critically assessed whether “the tools currently available to policymakers, legislators, and courts (which) were developed to oversee human decision-makers (…) fail when applied to computers instead.”  [13]


First, the paper presents ten arguments why algorithms cannot and should not replace human decision-makers. After this, three legal routes are presented.  [14] The General Data Protection Regulation (GDPR)  [15] bans solely automated decisions having legal effects on the data subject’s life “or similarly significantly affects him or her.”  [16] However, when such decisions are allowed, the data controller shall ensure the transparency of the decision, and give the data subject the rights to obtain human intervention, to express their point of view, as well as to contest the decision. Data protection is the most studied perspective but invoking it by itself is a strategy that “is no longer viable.”  [17] Therefore, this paper approaches this issue by integrating data protection, intellectual property, and freedom of information.


As to the intellectual property route, some copyright and patent exceptions may allow the access to a computer program implementing an algorithm, notwithstanding its proprietary nature.


In turn, when it comes to the freedom of information, an Italian court stated that an algorithm is a digital administrative act and therefore, under the freedom of information regime, the citizens have the right to access it.  [18]


In terms of method, the main focus is a desk-based research of EU laws, and of the UK and Italian implementations. The paper is both positive and normative. Whilst advocating against algorithmic decision-making, this research adopts a pragmatic approach whereby one should take into account that the replacement of human decision-makers with algorithms is already happening. Therefore, it is important to understand how to solve the relevant legal issues using existing laws. If algorithms are becoming “weapons of math destruction,”  [19] it is crucial that awareness is raised regarding the pervasivity of algorithmic decision-making and that light is shed on the existing legal tools, in anticipation of better regulations and more responsible modelers. Without clarity on the nature of the phenomenon and the relevant legal tools, it is unlikely that citizens will trust algorithms.

2. Positive and normative arguments against algorithms as a replacement for human decision-makers


The first part of this section is dedicated to presenting the main reasons why algorithms cannot replace human decision-makers. The second part discusses the reasons why such a replacement is not desirable. The analysis is carried out with the judge as the model of a decision-maker.

2.1. The unfeasibility of the replacement


The untenability of the replacement is mainly related to the role and characteristics of legal interpretation. Algorithms could replace human decision-makers if interpretation were a straightforward mechanical operation of textual analysis; where the meaning is easily found by putting together the facts and the norms. The said model of interpretation, which seems flawed, is accompanied by the conviction that there is a clear distinction, on the one hand, between interpretation and application and, on the other hand, between easy cases and hard cases. However, legal interpretation seems to have the opposite characteristics. Indeed, it is ubiquitous  [20] and its extreme complexity relates to several factors,  [21] such as the psychological (and not merely cognitive) nature of the process.  [22] This highlights why it is currently impossible to develop an algorithm capable of interpreting the law as a human judge would do.  [23] The high degree of discretion of the relevant process seems to be the main reason for the impossibility of the replacement. Dworkin’s view whereby there is only one right answer to legal questions  [24] has very few defenders indeed.  [25] Hart  [26] clearly proved his doctrine of strong discretion in judicial interpretation, as “a necessary byproduct of the inherent indeterminacy of social guidance.”  [27] A factor that increases the hermeneutical discretion is that interpreting and applying the law requires value judgements and choices, which are very hard to formalise and compute because of their indeterminacy.  [28] One may object that AI may replace humans at least in the legal interpretation of easy cases (for instance, because there is a robust body of case law on the exact issue at hand). However, it has been shown that it is impossible to determine ex ante whether a case is easy or difficult: the complexity of the legal experience tells us that the factual and normative circumstances make a case easy or difficult. The similar suggestion to limit the use of algorithms to the application of the law is based, finally, on the wrong assumption that there is an interpretation-application dichotomy and that there is no room for interpretation when one applies the law. Conversely, application seems the last (and most important) phase of the interpretive process.  [29]


Even leaving the philosophy of law aside, the actual development of statutory interpretation shows the increasing discretion of this activity. Indeed, it seems clear that nowadays the literal rule of interpretation plays a small and often rhetoric role, whereas a purposive approach to statutory interpretation has become commonplace,  [30] in part as a consequence of the EU’s influence. It has been noted that, whatever the philosophical view one adopts, the discretional power of courts is never expressed in a pure mechanical operation.  [31] A good example of the new face of legal interpretation is provided by the case of the Psychoactive Substances Act 2016.  [32] The parliamentary debate  [33] clearly shows that the intention of the legislator was to ban the so-called poppers (of the class ‘alkyl nitrites’), a recreational drug used traditionally by men who have sex with men due to its effects on the relaxation of muscles (including the sphincter). The broad definition of psychoactive substance seemed to allow the interpretation whereby poppers were banned  [34] and some law enforcement agencies applied it consistently.  [35] However, the final result is that poppers are not banned, because the UK Advisory Council on the Misuse of Drugs explained that since poppers have a merely indirect effect on the nervous system, they do not technically qualify as psychoactive substances and, therefore, fall outside the scope of the Act.  [36] Finally, sectoral empirical studies  [37] are showing that algorithms cannot cope with legal interpretation in a satisfactory way. For instance, it has been shown  [38] that algorithms often reflect a wrong interpretation of the law they enforce,  [39] in particular with regards to the fair use analysis in online infringement cases.  [40] These are just a couple of examples of how interpretation is discretionary, ubiquitous, complex, and unpredictable.  [41] Therefore, it seems that it is currently impossible to design an interpretive algorithm.


This study itself confirms this view, in as much as from an apparently simple provision, such as Article 22 of the GDPR, stem a number of complicated interpretative problems for which there is no easy answer. The relevant difficulties will be explained in section 4 below. Here suffice to say that there is a meta-problem. Even if algorithms could perfectly replace human decision-makers, arguably it would not be fair to let them interpret a provision – Article 22 – which has the aim of protecting citizens from algorithmic decisions.


The above considerations regard the current progress in algorithms-related technologies. However, AI’s growth is exponential, therefore the considerations above may prove to be wrong soon, especially in fields where the issues arising are often similar and there is a lot of precedent. Less so where there is no established case law, and/or the field is fast evolving.  [42] For example, predicting the outcome of succession cases involving only land may prove easier than cyber law cases with cross-border elements. That said, alongside the technologies, the scholarship is evolving. Recently, the first systematic study on predicting the outcome of cases tried by the European Court of Human Rights based solely on textual content was presented.  [43] The model is quite accurate, being able to predict the outcome in 79% of cases. However, there are some considerations to be made. Especially in matters as important as human rights, reaching a wrong decision in 21% of the cases would be utterly unacceptable. Secondly, the reasons for this margin of error should be better analysed; they might stem from the fact that interpretation is not a mere mechanical operation of text analysis. Thirdly, the authors themselves point out that the model would not be a substitute for the human decision-maker, because its role would rather be an “assisting tool”  [44] to identify cases and extract patterns. Lastly, the study did not predict the outcome using the documents filed by the applicants, but only analysing the published rulings. This means that a human judge had already selected the materials and interpreted them, which affects the results of the study.  [45] More generally, it still holds true that “[j]ustification, persuasion and discretion are the main limits of the Artificial Intelligence application in Law.”  [46]


Second, human learning is much more complex than machine learning. According to the seminal Mind over Machine,  [47] the characteristics of human learning would explain why prophecies about real machine intelligence have all been proven wrong,  [48] and why small scale successful experiments conducted in laboratories were not as successful once extended to larger systems and the real world. In particular, machines will not be able to replace human beings when cognitive tasks require intuition and holistic thinking.  [49] By presenting a five-stage model of acquisition of expertise (novice, advanced beginner, competent, proficient, and expert), these authors show that there is more to human intelligence than the computer’s calculative rationality. Only the human brain, at least currently, is capable to properly learn and understand through holistic intuition a world that is – unlike the laboratory – incomplete, imprecise, and unreliable. It seems, indeed, unlikely that training a machine with millions of legal provisions and case law can lead to the same results to the learning of a judge, who is immersed in the real world and learns in ways, which cannot be coded.

2.2. Eight arguments against the desirability of algorithms replacing human decision-makers


Let us assume that the thesis of this paper is wrong. Let us say, for the sake of argument, that either interpretation is not ubiquitous, or it is not discretionary (or that algorithms can cope well with strongly discretionary processes). Let us posit, then, that algorithms can learn in the same way as the humans. Nonetheless, there are at least eight reasons why they should not replace human decision-makers. Two reasons refer to why one should not trust algorithms. Six arguments are, in turn, presented to show why we should trust humans.

2.2.1. The replacement is undesirable because there are good reasons not to trust the algorithms


Let us start with what is not to like in algorithms. One of the strong arguments in favour of the algorithms is that they are more reliable than human beings are. However, there is evidence that algorithms can make mistakes and, when they do so, the effects are on a larger scale than an error made by a human judge in a ruling.  [50] More importantly, algorithms are not more reliable than human beings, because of the emerging problem of algorithmic (or machine) bias.  [51] The founder of the Algorithmic Justice League, for instance, stated that a facial recognition machine could not see her because she is black and, probably, the machine learning algorithm was trained only using white faces.  [52] Contrary to popular belief, algorithms do not eliminate bias, because the relevant models are opaque, unregulated, and incontestable.  [53] Even those who believe that AI should be used (in combination with law and self-regulation) for the governance of the Internet, admit that the “[l]ack of transparency on how algorithms operate is a real issue, as well as the problem that artificial intelligence tends to share the biases of the humans it learns from.”  [54]


In the context of the UK inquiry on algorithms in decision-making,  [55] six reasons why algorithmic systems can produce biased outcomes have been presented.  [56] First, design choices make the decision-making process or the factors it considers too opaque; these choices may also limit the control of the designer.  [57] Second, the output of the system may be affected by the biases in data collection.  [58] Third, unlike human beings, algorithms cannot balance biases in interpretation of data by a conscious attention to the redress of the bias.  [59] Fourth, there are biases in the ways that learning algorithms are tuned based on the testing users’ behaviour.  [60] Fifth, algorithms may be designed for a purpose, but then inserted into systems designed for other purposes.  [61] Lastly, as already said with regard to the Algorithmic Justice League, another factor is the biases in the data used to train the decision-making systems.  [62]


Algorithmic bias is the main problem regarding automated decision-making with legal effects.  [63] It has been submitted that “while persistent inequities stem from a complex set of factors, digitally automated systems may be adding to these problems in new ways.”  [64] It is arguable that even if the automated decision (e.g. a ruling) is biased, the move to algorithms “may at least have the salutary effect of making bias more evident.”  [65] Algorithmic bias is dealt with in a recital of the GDPR,  [66] in a way which is not entirely satisfactory. Indeed, the GDPR calls on the data controller to “use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects”  [67] on the basis of sensitive data. Now, it would seem that the GDPR’s focus is misplaced. The point with discrimination is not only that the data are inaccurate or that they are not secure. The main problem is that these data should never be used to discriminate in the first place,  [68] regardless of their being accurate or not, or that independency constraints should be put in place.  [69]


The second argument revolves around transparency. Indeed, making bias evident would mean ensuring transparency, which seems a chimera for a number of reasons, including the fact that the more accurate an algorithm is, the less transparent.  [70] The trade-off accuracy vs. transparency is easily explained. On the one hand, modelers tend to develop more accurate models “with increasingly complex, data-mining-based black-box models.”  [71] On the other hand, model users tend to favour “transparent, interpretable models not only for predictive decision-making but also for after-the-fact auditing and forensic purposes.”  [72] Against the dominant idea that transparency will solve all the problems, some scholars point out that “[d]isclosure of source code is often neither necessary (because of alternative techniques from computer science) nor sufficient (because of the issues analysing code) to demonstrate the fairness of a process.”  [73] Arguably, however, such disclosure would be necessary to comply with the right to an effective remedy and to a fair trial under the EU Charter of Fundamental Rights and the European Convention on Human Rights.


The lack of transparency is related to the so-called black box (better said, black boxes). Arguably, three different black boxes may be distinguished: the organisational; the technical; and the legal one. The organisational black box will not be the subject of specific analysis. Suffice to say that algorithms are mostly implemented by “private, profit-maximising entities, operating under minimal transparency obligations.”  [74] As to the technical black box, artificial intelligence makes the rationale of decisions intrinsically difficult to access. This is particularly evident with the so-called neural networks that, being modelled on the brain, are at least as opaque. One need only imagine a deep-learning neural network which is trained using old mammograms that have been labelled according to which women went on to develop breast cancer.  [75] It could help us to make predictions on which breasts are likely to develop cancer, but without knowing the risk factors (the rationale), it is unlikely that the patient would undergo therapy and, more generally, the development of cancer research would not be substantive. The legal black box relates to intellectual property and will be presented in the following section.


The lack of transparency has obvious repercussions on the accountability issue. For instance, ensuring fair, lawful, and transparent processing may be difficult “due to the way in which machine learning works and / or the way machine learning is integrated into a broader workflow that might involve the use of data of different origins and reliability, specific interventions by human operators, and the deployment of machine learning products and services.”  [76] Some technical tools to ensure accountability in algorithmic scenarios have been presented,  [77] but they do not seem sufficient to offset the inherent problems in algorithmic decision-making.

2.2.2. The replacement is undesirable because there are good reasons to trust the human beings


This subsection is dedicated to the reasons why one should trust humans over algorithms and, more generally, over non-human agents.


First, human beings tend to emulate the behaviour of the majority of fellow human beings. This should ensure consistency and predictability in societal behaviours. This phenomenon was observed with particular clarity by Solomon Asch, who developed the so-called psychology of conformity.  [78] Needless to say that non-human agents do not have a consciousness  [79] and, therefore, psychology does not apply to them. One could object, however, that conforming to the majority does not equal pursuing the common good, because it could lead to the oppression of the minorities. However, humans have some built-in safeguards.


The argument can be put forward that, despite the different characteristics of human beings, humans tend to act consistently towards the common good. This may be explained with the power of sanctions.  [80] Human beings comply with the law not for a natural disposition, but because they do not wish to be sanctioned. However, it is hardly arguable that non-human agents share this fear. Indeed, neither can they be imprisoned (criminal sanctions), nor do they own assets that can be used to execute civil and administrative sanctions.


The third argument refers, like the previous one, to the effects of group pressure, but in a different setting. It can be summed up by saying that hypocrisy has a civilising force.  [81] Indeed, with regards to the relationship between deliberation and publicity, it has been observed that “the effect of an audience is to replace the language of interest by the language of reason and to replace impartial motives by passionate ones.”  [82] These considerations, rooted in human psychology, do not apply to non-human agents. Therefore, hypocrisy cannot civilise algorithmic decision-makers.


Let us say that it is possible for an algorithm to learn and decide like a human judge. At this point, one may argue, it would be sufficient to find the best judge in the world and create a large number of non-human clones that will gradually replace all human judges. However, this scenario raises some issues. Pluralism seems to be the main one.  [83] Indeed, if pluralism is rooted in the respect for the minorities and in the belief that a multiplicity of viewpoints enriches the understanding of the world, then erasing this by cloning the perfect judge would at least be problematic. Even before that, how does one find the perfect judge to clone? What does it mean to be the best judge? Is it possible to entirely eliminate human bias?  [84]


A fifth reason why this paper takes a humanist stance is empathy, which is the “cognitive ability to understand a situation from the perspective of other people, combined with the emotional capacity to comprehend and feel those people’s emotions in that situation.”  [85] This could come as a surprise, since usually empathy is seen as a bias  [86] and, therefore, as an argument in favour of non-human agents. Conversely, empathy is “a requirement of judicial neutrality.”  [87] It has been shown that arguments in favour of judicial empathy are rooted, perhaps unexpectedly, in “a firm commitment to the rule of law and a deep-seated appreciation of—rather than rejection of— legal doctrine.”  [88] A recent study shed light on the shortcomings of the anti-empathic consensus; indeed, it descends of XIX century formalism, but it has “drifted from its source such that it would almost certainly be condemned by the very formalist scholars from whom it is descended.”  [89] Not only is empathy not a defect in human decision-making, it serves a positive function. This is required by the paramount function of concepts such as reasonableness and balancing tests.  [90] More generally, it can be argued that empathy is the way justice (as opposed to law) enters the decision. When Cicero wrote “summum ius summa iniuria”  [91] he meant that the mechanical application of the law leads to unjust results. Empathy tempers legalistic excesses and algorithms are not capable of it.


Lastly, one needs to choose between democracy and technocracy. In a democratic context, laws are the product of a debate between politicians. This debate is public, and the politicians are democratically elected and accountable both politically and legally. Human judges are either democratically elected or receive specific legal training. Conversely, algorithmic law (as in Lessig’s “code is law”  [92] ) is more problematic. Indeed, “software development, even open source, is opaque, and concentrated in a small programming community, many of whom are employed by few oligopolistic corporations directly accountable to no external party.”  [93] Algorithms could be suitable to apply algorithmic laws, but given the said characteristics, it is hoped that their role and scope remains limited.


For the reasons above, the replacement of algorithms to human beings seems both unfeasible and undesirable.

3. Intellectual property rights: more a problem, than a solution


Even though there are good reasons to believe that algorithms cannot and should not replace human decision-makers, it is becoming obvious that the replacement is already taking place, regardless of the relevant pitfalls. Therefore, a lawyer should be able to provide a sufficiently clear answer to a client subject to an algorithmic decision.


There are at least three routes that can be taken, should the relevant requirements be met. In this section, the focus will be on intellectual property and the relevant exceptions that may enable access to a computer program implementing an algorithm, or the relevant invention, notwithstanding its proprietary nature. The features of the analysed exceptions made scholars talk of “the advent of a more active approach to copyright exceptions,”  [94] which creates quasi-rights, “legal hybrids between exceptions and rights.”  [95] This must be taken into account when interpreting the relevant provisions and striking a balance with the restricted acts. Equally, defences to patent infringement will be dealt with, although there is not enough evidence to claim their nature as quasi-rights.


A major issue is understanding the rationale of algorithmic decisions. This is made difficult by the so-called black boxes. The organisational black box and the technical one have been presented above. The legal black box remains to be analysed. This depends primarily on the (ab)use of intellectual property rights (trade secrets, database rights, etc.) and the kindred rights that companies are collecting on the users’ data, that do not fit easily in the traditional intellectual property categories and are leading to the datafication of the digital economy. Along the same lines, it has been noted that “data, originating from users, from devices, sent through the 4G and 5G networks to the client servers and the Cloud are heavily boxed in by intellectual property rights.”  [96]


Even though there are many open-source machine learning frameworks (e.g. Apache Singa, Shogun, and TensorFlow), most AI algorithms are proprietary (Google search and Facebook news feed are the classical examples) i.e. covered primarily by trade secrets,  [97] which is the “most common form of protection used by business.”  [98] Under the new Trade Secrets Directive,  [99] algorithms can be covered by trade secrets because they are not generally known or easily accessible and they have commercial value.  [100] This is true as long as the person who has control of the algorithm takes steps to keep it secret.  [101] The general rule is that the unauthorised acquisition, use, or disclosure of algorithms covered by trade secrets is unlawful.  [102] However, the acquisition shall be lawful in a limited number of circumstances, the most relevant of which seems to be the “observation, study, disassembly or testing of a product or object that has been made available to the public or that is lawfully in the possession of the acquirer of the information who is free from any legally valid duty to limit the acquisition of the trade secret.”  [103] This appears to be a reference to one of the permitted uses of computer programs under the Software Directive.  [104] There is a potential contrast between the two regimes. To say that the acquisition is legal only if “free from any legally valid duty to limit [it],”  [105] may be construed as meaning that if the owner of the algorithm contractually restricts the said exception, then no observation, study, disassembling, or testing of the algorithm would be allowed. However, under the Software Directive, there is a right to “observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program.”  [106] This Directive goes on pointing out that any contractual provisions contrary to said exception “shall be null and void.”  [107] In the UK, the Copyright, Designs and Patents Act 1988 is clear where it provides that “it is irrelevant whether or not there exists any term or condition in an agreement which purports to prohibit or restrict the act (such terms being […] void).”  [108] The leading case on the matter is SAS Institute v World Programming, where it was found that copyright owners cannot restrict the purposes for which the analysed permitted acts are carried out. Additionally, even though only lawful users can avail themselves of the defence, these are not limited to those who click through the licence.  [109]


Moreover, the Trade Secrets Directive itself recognises the legality of the acquisition, use or disclosure of trade secrets for purposes of freedom of expression and information.  [110] Arguably, there is not an actual conflict here. As an example, let us imagine one buys an Amazon Echo. Under one of the several contracts that one has to accept, one agrees that “all Confidential Information will remain [Amazon’s] exclusive property”  [111] and one may not “reverse engineer, decompile, or disassemble”  [112]  the Alexa  [113] Service or the Alexa Materials.  [114] Under the Trade Secrets Directive this section would be enforceable; however, since the Software Directive, being a lex specialis, will prevail, the section would be unenforceable.  [115] Indeed, the conflict is merely ostensible.


In the event that trade secrets were deemed to prevail over the exceptions provided by the Software Directive, it may be worth it to take account of the relevant defences. The most relevant and flexible defence seems the public interest one. It has been stated that “the right of confidentiality, whether or not founded in contract, is not absolute. That right must give way where it is in the public interest that the confidential information shall be made public.”  [116] It is noteworthy that the disclosure may be seen as in the public interest if there has been non-compliance with a legal obligation.  [117] One may argue that the circumvention of the Software Directive consisting in secreting an algorithm in an absolute way falls within this scenario. However, the defendant in the relevant infringement proceedings would need to prove that the disclosure be in the public interest and not merely interesting to the public, which may be difficult.  [118] Unfortunately, the Trade Secrets Directive does not leave much room for the public interest or other defences. However, it recognises that the Directive shall not affect “the application of [EU] or national rules requiring trade secret holders to disclose, for reasons of public interest, information, including trade secrets, to the public or to administrative or judicial authorities for the performance of the duties of those authorities.”  [119] The European provision regarding the exceptions does not introduce a stand-alone public interest defence. Indeed, a defence is available if the acquisition, use, or disclosure was “for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest”.  [120] Unlike the EU, in the UK the public interest is a defence in its own right.  [121] Since the transposition deadline is in June 2018, one needs to wait and see how this provision will be interpreted.  [122]


Additionally, one should remember that copyright protection covers both source code and object code  [123] of the computer program implementing the algorithm. However, it leaves out some aspects, such as functionalities, data file formats, programming language, and graphic user interface. They are treated as “ideas” and therefore not copyrightable due to the idea-expression dichotomy.  [124] The dichotomy is also one of the alleged reasons of the patentability of computer-implemented inventions. It has been noted, indeed, “copyright is not a sufficient form of protection where it is the  idea  behind the program which is its commercially valuable element.”  [125] Computer-related inventions are growing significantly also in connection to the Internet of Things,  [126] despite the fact that the relevant patents can stifle innovation.  [127] In the US,  [128] in September 2017, there were 481,608 patent specifications referring to algorithms.  [129] More than 67% of the algorithm-related patents (325,805) were issued over the last ten years with a growing trend reflecting the general increase in patents as shown by Table 1 and Graph 1.  [130] Nearly 13% of all patents granted over the last 12 months concern algorithms (ten years ago only 9% of patents were algorithm-related).


Table 1. Software and algorithm patent trends in the US (2007-2017).


All patents granted

Software patents

Algorithm patents









































* The period analysed is from 9 September 2016 to 9 September 2017. The same applies to the following rows.


In theory, in the countries that signed the European Patent Convention (and in the others which adopted a hybrid system,  [131] such as India), computer programs are not patentable “as such”.  [132] Features of the computer program,  [133] as well as the presence of a device defined in the claim  [134] may lend technical character. Moreover, a computer program by itself can be patented if it brings about a further technical effect going beyond the normal physical interactions between the said program and the computer.  [135] In the UK, after Symbian v Comptroller-General of Patents,  [136] the focus is not on the question whether the contribution falls within the excluded subject matter,  [137] but on whether the invention makes a technical contribution to the known art, even if the computer program does not bring any novel effect outside of a computer.  [138]


Even though some courts or examiners may consider algorithms as computer programs, they should probably be more precisely seen as mathematical methods. The European Patent Office’s Board of Appeals stated that algorithms are mathematical methods, as such deemed to be non-inventions; therefore, a technical character of the algorithm can be recognised only if it serves a technical purpose.  [139] The fact that a computer-implemented invention includes an algorithm can make the latter patentable. Indeed, it has been recognised that mathematical algorithms may contribute to the technical character of an invention, inasmuch as they serve a technical purpose.  [140] For example, text classification does not qualify as technical purpose.  [141] A technical effect may arise either from the provision of data about a technical process, or from the provision of data that is applied directly in a technical process.  [142] However, the inclusion of an algorithm in a patent application for a computer-implemented invention does not, in itself, ensure patentability. Indeed, not all efficiency aspects of an algorithm are by definition without relevance for the question of whether the algorithm provides a technical contribution. However, such technical considerations must go beyond merely finding a computer algorithm to carry out some procedure.  [143] In the US, legal scholars  [144] have focused on how to evidence an improvement in algorithmic technique. It has been suggested to run the algorithm on test problems with known solutions and compare the results with those of algorithms in the prior art, with particular regards to speed, performance, memory usage, and ease of implementation.  [145]


Unlike copyright, most uses of a computer-implemented invention are prohibited if not authorised and maybe that is why scholars tend to overlook patent exceptions.  [146] However, in proceedings for infringement, defendants may avail themselves of the private non-commercial use  [147] and experimental use  [148] defences. One can qualify for the first immunity even when the resulting information has a commercial benefit, or the subjective intention was not commercial.  [149] This is particularly interesting because in the UK there is no private copy exception to copyright.  [150] As to the second defence, activities to discover something unknown, to test a hypothesis or to assess whether an invention works are considered as experiments and non-infringing.  [151] However, this defence may be of limited use in the context of accessing algorithms, because it cannot be invoked to show that a product works in the way claimed by the maker.  [152] Yet, arguably, when accessing the algorithm, the affected individual would have an interest to show that the algorithm-related invention does not work in the way claimed by the maker. Thus, this defence could be usefully invoked when an algorithm-related invention is used to take decisions whose rationale one wants to contest.


Intellectual property seems to create more problems than solutions to the issue at hand. The route above is weak for at least four reasons. First, the overlap between, if not abuse of, intellectual property rights  [153] create a legal black box which is very difficult to open. Second, the application of the study and observation exception presupposes the lawful use of a copy of the software,  [154] which is rarely the case in the event of algorithmic decisions. Third, even though the analysed copyright exceptions have been qualified as quasi-rights, there is no precedent interpreting said exceptions to open the algorithmic black box. Lastly, it requires considerable skills to open an algorithm by observing and studying the software that implements it. In most cases, there would be the need to ask an expert third party to carry out such activities on behalf of the lawful user of the software. However, applying SAS Institute,  [155] it is unclear whether said third parties would qualify as lawful users. In the negative, this exception would be of little use in the majority of cases.


To add to the complexity, intellectual property will always be balanced with competing interests, such as data protection. As correctly pointed out, for instance, “trade secrecy (…) may make it difficult for data controllers to comply with their obligation of transparent processing.”  [156] Let us have a look, therefore, at the relevant data protection regime.

4. Algorithmic decision-making and EU data protection


The use of algorithms is under the lens of the data protection authorities, especially with regards to profiling. The European Data Protection Supervisor  [157] has pointed out that the problem is not profiling as such, but “the lack of meaningful information about the algorithmic logic which develops these profiles and has an effect on the data subject.  [158]


Under the Data Protection Directive,  [159] there is a right not to be subject to a decision which produces legal effects or significantly affects the data subjects, if the decision is based solely on automated processing of data aimed at evaluating certain personal aspects concerning them (e.g. creditworthiness). Moreover, there is a right to know the logic involved in any automated processing of data.  [160] Nonetheless, one may be subject to an algorithmic decision in two scenarios.  [161] Firstly, in the course of the entering into a contract (or of the performance thereof), provided the request for the entering into the contract (or the performance thereof), lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests (e.g. the data subject could express their viewpoint). For instance, some law firms  [162] are using AI-enabled computer programs to assess the merits of personal injury cases and decide, therefore, whether to accept the case or to draft contingency fee agreements. Secondly, and more generally, algorithmic decision-making may be authorised by a law, if there are measures to safeguard the data subject's legitimate interests.  [163] Fraud and tax evasion prevention are the typical examples.  [164]


The rules on algorithmic decision-making have been amended by the GDPR,  [165] which is set to come into effect on 25 May 2018, also in the UK, regardless of Brexit.  [166] The general principle is that data subjects should not be subject to algorithmic decisions. However, when non-human agents take a decision that has legal effects on the data subject’s life “or similarly significantly affects him or her,”  [167] the data subject has the rights to obtain human intervention, to express their point of view, as well as to contest the decision.  [168] Correspondingly, the data controller shall provide “meaningful information about the logic involved”  [169] in the algorithmic decision. It is likely that the national implementing measures of the Data Protection Directive will be amended or replaced to recognise a stronger protection to data subjects against algorithmic decisions.  [170]

4.1. The general prohibition on solely automated decisions with a significant effect


Let us start with the provisions directly dealing with algorithmic decision-making;  [171] it is open to debate whether they constitute a considerable step forward. The main right available to the data subject is the right not to be subject to a solely automated decision with legal effects or similarly significantly affecting them.  [172] This can be interpreted as a general prohibition to make algorithmic decisions using personal data, or as a mere right to be oppose (after being informed about) the algorithmic decision.  [173] In the UK, data subjects can require that no solely algorithmic decision be taken against them. However, if no such notice has effect and the decision is taken, the data controller has 21 days to give a written notice explaining the steps that they will take to comply with the data subject request.  [174] Positively, in issuing some guidelines on algorithmic decision-making, the Article 29 Working Party  [175] recommends treating this right as a general prohibition.  [176] Regrettably, however, the only amendment introduced by the Data Protection Bill with regards to algorithmic decisions concerns the safeguarding measures that controllers should take when availing themselves of the consent-based exception.  [177] Arguably, by refusing the “general prohibition” approach, the UK will not comply with the GDPR, with practical consequences for instance in terms of the legality of the EU-UK data transfers. If this provision expresses a core data protection principle,  [178] a partial compliance may cause the EU to deem the UK protection of personal data inadequate, hence hindering cross-border data flows.  [179]


Looking at the core of art 22, there are two main differences between the Data Protection Directive and the GDPR.


First, in the new provision there is an express reference to profiling as an example of automated processing. This brings clarity in a field currently perceived as particularly relevant, but it risks narrowing the interpretation of the provision thus excluding forms of algorithmic decision-making which do not include profiling. Therefore, it is positive that the Article 29 Working Party has observed that “(a)utomated decisions can be made with or without profiling; profiling can take place without making automated decisions.”  [180]


Second, and most importantly, one has the said right only if the decision produces legal effects concerning one “or similarly significantly affects him or her.”  [181] This addition goes in the opposite direction to the one taken when the draft GDPR was first published and it had been suggested that art 22 should cover not only decisions producing legal effects or which significantly affect data subjects, but also the “collection of data for the purpose of profiling and the creation of profiles as such.”  [182]


Now, “legal effect” is quite straightforward, including all the scenarios where a decision affects a person’s rights based on laws or contracts.  [183] In turn, “similarly” may narrow the scope of the provision, if compared with the previous wording, where no reference to this adverb was made. Indeed, it may be seen as meaning that one does not have the right to object to algorithmic decision-making if the effect is not similar to a legal effect  [184] (e.g. significant distress or missed professional opportunities as a consequence of being permanently banned from a popular social network).  [185] If this interpretation were followed, broader national implementations may need to be reviewed accordingly. For instance, the UK refers to decisions take for “the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct”  [186] . The Information Commissioner’s Office accepts that it is hard to explain what “significant effect” means, but it suggests that it refers to “some consequence that is more than trivial and potentially has an unfavourable outcome.”  [187] Businesses have been asking for more detailed guidance  [188] and this has partly arrived with the Article 29 Working Party’s guidelines that indicated that “similarly” means that “the threshold for significance must be similar.”  [189] Therefore, in order for a decision to fall within the scope of art 22, it must not necessarily be a quasi-legal effect in terms of content, being sufficient a decision which profoundly affects the individual as much as a decision affecting her or his rights would. Adding details to the UK attempt of definition, the EU advisory body point out that a similarly significant effect must be “more than trivial and must be sufficiently great or important to be worthy of attention.”  [190] The concept is broad enough to encompass a vast number of scenarios, from e-recruiting to online behavioural advertising, especially if intrusive and targeted to vulnerable groups,  [191] as well as consumer manipulation.  [192]


Even before understanding what ‘legal’ means, one should clarify what a ‘decision’ is. It has been suggested that this could include “an interim or individual step taken during the automated processing.”  [193] It would seem, however, that only rarely interim measures and individual steps will qualify for the application of art 22 of the GDPR, because the provision requires a decision with legal effect or “similarly significant.”


Some aspects of this regime are not clear yet. For instance, it is open to debate what solely automated means. In the past, it was relatively easy to understand what ‘solely’ meant. There was a limited number of organisations taking significant algorithmic decisions and the technologies used were quite rudimental; therefore, reviewing the machine-generated data was relatively straightforward and once a human being reviewed the data, the decision was no longer solely automated.  [194] In light of increasingly complex (and accordingly opaque) algorithmic techniques and of the ubiquitous nature of the phenomenon of algorithmic decisions, that approach should be abandoned. To what extent is the human intervention meaningful vis-á-vis black-box decisions?


The UK Information Commissioner’s Office recently requested feedback on some points of the GDPR,  [195] and they have suggested that ‘solely’ should “cover those automated decision-making processes where a human exercises no real influence on the outcome of the decision, for example where the result of the profiling or process is not assessed by a person before being formalised as a decision.”  [196] The risk of this interpretation is that it is not always easy - especially from the data subject’s perspective - which role the human being played in the decision (was the human being a passive operator? Which discretion did they have while assessing the result?). Moreover, “it may not be feasible for a human to conduct a meaningful review of a process that may have involved third-party data and algorithms (which may contain trade secrets), prelearned models, or inherently opaque machine learning technique.”  [197] Therefore, it would seem more appropriate to recognise the right not to be subject to an algorithmic decision every time that there is not a human being clearly taking the final decision.  [198] It would seem that the Article 29 Working Party hold similar views when they state that a decision is not wholly automated when alongside an automated profile, there is “additional meaningful intervention carried out by humans before any decision is applied to an individual.”  [199] However, there is still a lack of clarity. Indeed, in order to clarify when art 22 GDPR applies or not, the Article 29 Working Party makes the following examples. If a human decides whether to agree the loan based on a profile produced by purely automated means, then art 22 will not apply. In turn, if an algorithm decides whether the loan is agreed and the decision is automatically delivered to the individual, without any meaningful human input, then art 22 will apply. The point is that there is a substantial grey area here. For instance, it is unclear whether art 22 applies when the algorithmic system takes the decision, but a human being reviews it. Arguably, the human review could qualify as “meaningful human input”, but this will have to be assessed on a case-by-case basis.


Even more importantly, controllers should refrain from “fabricating human involvement”  [200] with the purpose of sidestepping art 22; this provision will apply every time that there is not meaningful and genuine human intervention, for instance in the form of actual oversight by a person with “authority and competence to change the decision.”  [201] It is important to stress that the GDPR applies to every automated profiling carried out on personal data to evaluate a natural person’s personal aspects, not only to the ‘solely’ automated one, which means that the general GDPR rules and standards will apply to profiling even when a human being plays a substantial role in the creation of the relevant profile.  [202]

4.2. Three exceptions: contract, consent, law


Even though “as a rule, there is a prohibition on fully automated individual decision-making (…) that has a legal or similarly significant effect,”  [203] this rule has some exceptions. The GDPR has innovated the systems of the exceptions not only by adding a consent-based exception, but also by clarifying the scope of the pre-existing ones. It is unfortunate that the UK Data Protection Bill  [204] is missing out on this opportunity. Indeed, the only innovation that it is being introduced regards algorithmic decisions authorised by law. The UK will keep allowing such decisions in circumstances prescribed by the Secretary of State, in relation to a contract, when authorised or required by or under any enactment, effect of the decision is to grant a request of the data subject, or when steps have been taken to safeguard the legitimate interests of the data subject. No consent-based exception is provided. Unlike the interpretation of the right not to be subject to an algorithmic decision as a general prohibition, the lack of implementation of the consent-based exception is unlikely to endanger the cross-border data transfers with the EU. Indeed, a lack thereof might ensure a stronger protection of personal data. In turn, the broad wording of the contractual exception may be more problematic.  [205]


Art 22 brings clarity to the scenario regarding the entering and performance of the contract by simplifying the language and restricting the contractual exception to the instances when the algorithmic decision-making is necessary to enter into a contract or for its performance.  [206] One may argue, going back to the example of the contingency fee agreements, that in that scenario the algorithmic decision would not be necessary and, thus, it would not fall within the scope of this exception. Following the European Data Protection Supervisor’s approach, if a less privacy-intrusive method is available, then the algorithmic decision is not necessary and, therefore, it is not allowed.  [207]


In turn, the new exception based on the data subject’s explicit consent  [208] is problematic. Consent is explicit when there is “an express statement rather than some other affirmative action.”  [209] Indeed, given the imbalance of bargaining power that characterises many transactions, one should not be surprised if, for instance, a bank could force a potential client requesting a loan to consent to a decision taken by an algorithm. The exception based a law authorising the decision while laying down measures to safeguard the data subject’s legitimate interest  [210] now includes a reference to the data subject’s rights and freedoms and to both EU and national law. These changes are nugatory. Firstly, based on an a minore ad maius argument, it is obvious that if the decision shall respect the legitimate interests of the data subject, it shall do so also with regards to the more relevant rights and freedoms. Secondly, while the reference to national laws is a truism, the one to EU law cannot be interpreted as a power to legislate beyond what already provided by the treaties. However, the growth of artificial intelligence (AI) may have an impact on the analysed regime. Not only because, generally, AI does not always make it feasible to access the rationale of algorithmic decisions. With specific regards to the consent-based exception, it is fair to wonder, “how can informed consent be obtained in relation to a process that may be inherently non-transparent (a ‘black box’).”  [211]


The third exception regards national and EU laws authorising algorithmic decisions.  [212] Regrettably, the Article 29 Working Party do not provide any guidance on the matter. Whereas recital 71 refers only to fraud, tax evasion, and reliability of the service, it would seem that EU and national authorities may allow algorithmic decisions for a potentially infinite number of purposes. Indeed, recital 73 provides that EU and national laws can impose restrictions concerning “decisions based on profiling” inter alia in order to prevent or react to breaches of ethics for regulated professions or for the keeping of public registers kept for reasons of public interest. Therefore, for instance, a Member State could allow algorithmic decisions to disbar a barrister who behaved unethically. Nor are there limits to which kind of public registers a state may keep, for instance for surveillance purposes.  [213] One should not think, however, that if a law authorises the algorithmic-decision making in a specific field, say fraud, data protection legislation can be eluded altogether. Alongside the rights to access, the information rights and right to a human judge, data controllers will still have to comply with all the other data protection principles, including accountability.  [214] The Data Protection Directive required the laws authorising algorithmic decisions to safeguard only the data subjects’ legitimate interests and not also their rights and freedoms. Moreover, it did not specify which laws could authorise algorithmic decisions. The GDPR, in turn, now includes a reference to the data subject’s rights and freedoms and it clarifies that both EU and national laws can authorise algorithmic decisions. Arguably, these changes are nugatory. Firstly, based on an a minore ad maius argument, it is obvious that if the decision should respect the legitimate interests, all the more it should do so with rights and freedoms. Secondly, the clarification that national law can be a legal basis is a truism. So is the one about EU law, which should not be interpreted as a power to legislate beyond what already provided by the treaties.


The UK Data Protection Bill  [215] provides more detail as to the procedure to follow when an algorithmic decision falls under the third exception. Indeed, the controller must, as soon as reasonably practicable, notify the data subject in writing that a decision has been taken based solely on automated processing. Correspondingly, the data subject may, before the end of the period of 21 days, beginning with receipt of the notification, request the controller to reconsider the decision, or take a new decision that is not based solely on automated processing. The provision goes on to point out what the controller must do if such request is made. The procedure is the same that the Data Protection Act currently provides for non-exempt decisions, but interestingly the new regime is more protective of the data subject if compared to the previous one. Indeed, currently the data controller’s notice must only indicate the steps the controller intends to take to comply with the request. This information must be notified before the end of the period of 21 days beginning with receipt of the request. On top of this, the Data Protection Bill provides that when the law authorises an algorithmic decision, the data controller shall consider the request, comply with it, and inform the data subject of the steps taken to comply, and of the outcome of complying with the request. The wording suggests that data controllers have some discretion in complying. However, the discretion regards how to comply, not whether to comply. The only reason why a denial could be allowed would be if the algorithmic decision was not taken solely on the basis of automated processing, if the decision does not significantly affect the data subject, or if it is impossible to identify the data subject.  [216] If the data controller violated the limits of its discretion, the data subject may appeal the decision judicially.


Interpreters will need to avoid a visible inconsistency in the new UK regime on algorithmic decision-making. Namely, it is not rational to give the data subject a weaker protection when a non-exempt decision is at issue, if compared to a decision authorised by the law.


One may observe a departure of UK data protection law from the GDPR. In the UK, there is a three-layered system. As a rule, data subjects must be informed of non-exempt algorithmic decisions and can request that no such decision be taken. If no request has effect, they still have a right to be informed and to request a reconsideration or a human decision. Reconsideration and the right to a human judge, after the Data Protection Bill is enacted, will apply also to the algorithmic decisions authorised by law. Obviously, no right to pre-empt such a decision would apply. Thirdly, data subjects have no rights regarding the other exempt decisions.  [217] This may raise concerns in terms of adequacy of the protection of personal data in the UK in the context of cross-border data transfer with the EU. Since consent is not one of the exceptions, the rights of the first layer will apply. In the EU, in turn, there is a clearer and stronger model. The rule is the general prohibition to take solely algorithmic decisions. There are only three justifications that can be used to make some decisions, but all of them are accompanied by strong safeguards for the data subject.


Lastly, it is not entirely clear if the list of exceptions (contract, consent, law) is exhaustive. A recital  [218] refers to algorithmic decision-making for the purpose of ensuring the security and reliability of a service provided by the controller. However, this should not be interpreted as a fourth exception or as proof of the non-exhaustive character of the list of exceptions. It is plausible, indeed, that this is only an example of a purpose for which national and EU laws can authorise the said decision-making.  [219]

4.3. Measures to safeguard the data subjects’ rights, freedoms, and legitimate interests


The main commendable innovation in the GDPR regards the measures to safeguard the data subject’s rights, freedoms , and legitimate interests affected by an algorithmic decision.  [220]


First, now these measures refer also to the contractual and consent-based exceptions. Second, they are no longer limited to the right to express one’s viewpoint. The provision shall be interpreted as the right to obtain human intervention on the part of the controller and the right to contest the decision. Therefore, if there is a law authorising algorithmic decision making,  [221] if this is necessary for a contract, or if there is the data subject’s explicit consent, a data controller may use algorithms to take decisions having legal effects or similarly affecting the data subject. However, data controllers shall put in place a procedure to appeal the decision with meaningful oversight by a human being that shall ensure an effective right of defence to the data subject.  [222]


This is a major victory for those who think that human decision-making is still better than the automated one.  [223] However, it is unclear which steps the data controller should take once the data subjects avail themselves of the analysed remedy. The Article 29 Working Party further clarify that the review must be carried out by a human being with appropriate authority and capability to change the decision and who shall thoroughly assess “all the relevant data, including any additional information provided by the data subject.”  [224]

4.4. Transparency obligations: a right to explanation?


Moving onto the transparency obligations, these are nearly entirely new,  [225] given that under the Data Protection Directive there was only the right to access, which included the logic involved in the algorithmic decision.  [226] Innovatively, the processing is not deemed fair and transparent, if the controller does not - at the time when personal data is obtained from the data subject - provide specific information on three matters.  [227] First, controllers must disclose the existence of algorithmic decision-making. Second, they need to inform the data subject about the logic involved. Third, the algorithm must be opened in order to provide “meaningful information about […] the significance and the envisaged consequences of such processing for the data subject.”  [228] The same right applies when the data was not obtained from the data subject, who has the right to be informed within a reasonable timeframe  [229] (at the latest within one month),  [230] at the time of the first communication with the data subject,  [231] or when the data is fist disclosed to a third party.  [232] Data controllers who merely make the information available, without actively bringing it to the data subject’s attention, do not meet their transparency obligations. On top of the obligation to inform, there is the right of access, which again regards the existence of the algorithmic decision-making itself and meaningful information about the logic, the significance, and the consequences.  [233]


One should welcome positively the obligation to provide (and the right to access) meaningful information and the reference to the envisaged consequences and significance of the decision. While “envisaged” suggests that information must be provided “about intended or future processing,”  [234] it would seem that “significance” requires real, tangible examples of how the decision may affect the data subject.  [235]


Generally speaking, such meaningful information is what the data subject, who normally will not be a computer scientist, is likely to be interested in. Therefore, for instance, a technical document which includes the algorithm used and the mere explanation of the logic in mathematical terms will not in itself meet the legal requirement. Arguably, this should be interpreted as the disclosure of the algorithm with an explanation in non-technical terms of the rationale of the decision and criteria relied upon.  [236] Regrettably, the Article 29 Working Party  [237] do not consider the disclosure of the algorithm as necessary under the said transparency obligations. However, in order to have a full picture, the data subject has a legitimate interest in asking an expert to analyse the algorithm in order to better challenge the decision. A different interpretation would not comply with right to an effective remedy  [238] and to a fair trial  [239] under the Charter of Fundamental Rights of the EU and the European Convention of Human Rights.


Obviously, it may be the case that, due to the characteristics of artificial intelligence alone, it could be impossible to explain an algorithmic process “in a way that is intelligible to a data subject.”  [240] However, the data controller should make any reasonable effort to adequately inform the data subject.


Scholars have recently criticised the provision because it would entail a right to be informed, but no right to explanation.  [241] Others,  [242] conversely, have pointed out that Articles 15 and 22 should have a wide interpretation that might prove adequate to cope with the transparency challenge; they propose a legibility stress test for the data controller.


To overcome this issue, those who exclude that a right to explanation is provided by the GDPR make a number of recommendations to improve transparency and accountability of algorithmic decision-making, including a trusted third-party regulatory or supervisory body that can investigate algorithmic decisions if one feels that they have been discriminated against. Whereas the idea of an ‘AI watchdog’ can be a positive one, this paper argues that the information rights provided with regards to algorithmic decision-making – which include a reference to the significance and consequences of the decision – can be interpreted as meaning a right to explanation.  [243] Denying it would mean playing down the great potential of legal interpretation. A counterargument could be that the wording ‘right to obtain information’ can be found in recital 71, but not in art 22; this placement in a non-binding part of the Regulation (a recital) has been seen as “a purposeful change deliberated in trilogue.”  [244] However, the pivotal role of recitals in interpreting the provisions of an EU act has been expressly recognised by the Commission.  [245] The reference to the right of explanation in the recital shall be, therefore, used to properly construe art 22 to reflect the context of the provision and the overall purpose of the GDPR, that is increasing the protection of the data subjects’ rights. Hence, even though applying the literal rule, art 22 would not contain a right to explanation, a purposive approach and a correct valorisation of the role of recitals make it clear that data subjects are entitled to such a right. In addition, the data controller is expressly required to provide “concise, transparent, intelligible and easily accessible form, using clear and plain language.”  [246]


Lastly and commendably, the GDPR details the timescale and procedure to provide information.  [247] In particular, the information should be provided without undue delay and in any event  [248] within one month of receipt of the request. The information must be in electronic form to reflect the form of the request, unless the data subject requests otherwise.


Obviously, the problems with the black boxes remain, no matter how broad the interpretation given to the transparency obligations is. Therefore, the transparency obligations may not be fully effective “in cases where a machine learning process involves multiple data sources, dynamic development, and elements that are opaque, whether for technological or proprietary reasons.”  [249]

4.5. Algorithmic decisions with sensitive personal data


Another positive new provision regards sensitive personal data (e.g. data on health or sexuality). Artificial intelligence increasingly relies on this kind of data. One need only think that deep neural networks have been recently used to infer the sexual orientation of people from their faces.  [250] Indeed, in principle, algorithmic decisions shall not be based on sensitive personal data.  [251] For instance, an employer may not let an algorithm decide whether to fire an employee using health data. However, this data may be used with the data subject’s explicit consent or in the interest of public health, provided that mea sures to safeguard the data subject's rights, freedoms, and legitimate interests are in place. Even though ideally it would have been preferable not to have another consent-based exception, unlike the homologous exception regarding non-sensitive personal data, here it is provided that EU or national laws can decide that the prohibition to process sensitive data “may not be lifted by the data subject.”  [252]

4.6. Data Protection Impact Assessments for algorithmic decisions


Lastly, one of the main innovations of the GDPR is the data protection impact assessment (DPIA).  [253] These impact assessments are tools for organisations to manage data protection hazards, a form of a form of ‘meta-regulation’ whereby “state efforts to make corporations responsible and accountable for their own efforts to self-regulate.”  [254] In this field, DPIAs are “a way of showing that suitable measures have been put in place to address those risks (associated to algorithmic decision-making) and demonstrate compliance with the GDPR.”  [255] It is commendable that DPIAs are mandatory when a systematic and extensive evaluation of personal aspects is based on automated processing, and on which decisions are based that produce legal effects or similarly significantly affect a natural person.  [256] Commendably, DPIAs are required both when the decision is wholly automated and when there is human intervention, not only when it is solely based on automated processing.  [257]

4.7. Can children be subject to algorithmic decisions?


An example of poor drafting regards the algorithmic decision-making concerning children. Hidden in a long recital, one finds the obscure sentence “[s]uch measure should not concern a child.”  [258]


Naturally, one would think that children cannot be subject to algorithmic decisions. However, the sentence follows the one that regards the measures to safeguard the data subject’s rights, freedoms, and legitimate interests. Therefore, it may be interpreted as meaning that these safeguarding measures do not apply to children, who could nonetheless be subject to algorithmic decisions. This is obviously against the purpose of the GDPR, which provides an advanced protection to children. The doctrine of noscitur a sociis would lead to absurd consequences; therefore, a purposive approach should prevail. Thus, children should never be subject to algorithmic decision-making.


Regrettably, the Article 29 Working Party does not see this provision as an absolute prohibition, since the wording of the recital is not reflected in art 22. However, they recommend that “wherever possible, controllers should not rely upon the exceptions in art 22(2) to justify”  [259] algorithmic decision-making affecting children. Nonetheless, such decisions may be necessary for instance to protect the children’s welfare, in which case data controllers may resort to the exceptions. Positively, in turn, it is suggested that ‘legal effect’ and ‘similarly significant effect’ be interpreted broadly, because “solely automated decision making which influences a child’s choices and behaviour could potentially have a legal or similarly significant effect on them, depending upon the nature of the choices and behaviours in question.”  [260] Similarly, organisations must put in place safeguards tailored to the specific needs and features of the child.  [261]

4.8. Collective algorithmic decisions


It is unclear, then, what happens to collective algorithmic decisions (e.g. to charge a higher rate of car insurance to the citizens associated to a particular postcode). Indeed, it has been questioned “whether data subjects are protected against decisions that have significant effects on them but are based on group profiling.”  [262] In general, the stress on the shift from individual to collective privacy should be welcomed.  [263] With regards to collective algorithmic decisions, it would seem that art 22 “does not limit ‘profiling’ as such to individual profiling but only requires that the decision based on such profiling is addressed to an individual, in a way that has legal or significant effects for him/her as an individual.”  [264] Therefore, collective profiling is covered by the GDPR when used for individual decisions.

4.9. Data portability, accountability, and data minimisation


Although the focus is on the provisions specifically dedicated to algorithmic decision-making, other rules and principles may affect it. One need only mention data portability, accountability, and data minimisation.


The right to data portability could be used to obtain not only information about the logic, significance, and consequences of the algorithmic decision, but also all “the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.”  [265] One could use this right to export the profiles used for the algorithmic decision.


The principle of accountability, then, may play a positive role. Indeed, in order “to mitigate the risks of automated profiling we must look towards mechanisms that increase the accountability (both through ex ante screening of data mining applications for possible risks and ex post checking of results) and transparency of automated profiling.”  [266] In particular when relying on the consent-based exception, data controllers will have to document it carefully to prove that consent was explicit.


Certain rules should be interpreted broadly, taking into account the characteristics of the phenomenon at hand. For instance, data minimisation and data exclusion, if interpreted narrowly, “may reduce the accuracy of data mining and may deny us the data necessary to detect discrimination in automated profiling.”  [267] However, the principle of data minimisation means that data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.  [268] Arguably, this does not mean that data controllers shall always collect as little data as possible. It means that the quantity must be related to the purpose, provided that the data are adequate. Arguably, the application of artificial intelligence to take decisions that have legal effects can justify the processing of large amounts of data, for at least two interwoven reasons. First, the more data are used to train the algorithm, the more accurate the output may be (big data are ‘necessary’ for the functioning of artificial intelligence). Second, the processing of a low quantity of data, leading to an inaccurate output, would be ‘inadequate’ if one has to take a decision with legal consequences (or which similarly significantly affects the individual).

4.10. Algorithmic decisions taken by EU institutions and bodies


A brief note, finally, on the algorithmic decision-making carried out by the EU and its institutions and bodies (e.g. e-procurement and e-recruiting). The current rules  [269] are more or less the same as the ones laid out in the Data Protection Directive, with the right to be informed about the logic involved in the decision, the right not to be subject to it, and the data controller’s obligation to put in place measures to protect the data subject’s legitimate interests. The only exception recognised is the express authorisation by national law, EU law, or the European Data Protection Supervisor. In January 2017, the Commission adopted a proposal for a new regulation on the processing of personal data by the EU institutions, bodies, offices, and agencies.  [270] The draft provides the same rules as the GDPR as to the information rights (existence, logic, significance, consequences),  [271] right to access,  [272] right to not to be subject,  [273] and mandatory data protection impact assessment.  [274]

4.11. An overall assessment of the new data protection rules on algorithmic decisions


In conclusion, overall the GDPR strengthens the rules on algorithmic decision-making timidly and with some significant flaws, though some positive elements have to be acknowledged. It may well be the case that, as it has been suggested, this regime will act as “legal incentives for technology producers to build accountability mechanisms into the technology.”  [275] It still holds true that even if Article 15 of the Data Protection Directive and Article 22 of the GDPR show that the promise in terms of providing a counterweight to algorithmic decision-making is tarnished by complexities and ambiguities, they nonetheless shall be regarded as expression of a core data protection principle to be embodied in all data protection instruments.  [276]


Now, before moving on to the third legal route, one needs to take account of the relation between intellectual property and data protection. It has been shown above that the Software Directive can prevail on the Trade Secrets Directive. It remains to be assessed what happens if there is a clash between trade secrets (and, more generally, intellectual property rights) and the data subject’s rights. Under the GDPR, the right of access cannot ‘adversely affect the rights and freedoms of others,’  [277] which include ‘trade secrets or intellectual property and in particular the copyright protecting the software.’  [278] However, this provision has been interpreted narrowly by the Article 29 Working Party that observe that intellectual property rights cannot be invoked to deny access or refuse to provide information to the data subject.  [279] In allowing the disclosure of an algorithm covered by a trade secret, however, courts shall dictate measures that safeguard the commercial value of the trade secret, for instance by preventing its further disclosure. It is important to note that intellectual property must be balanced with data protection only when it comes to the right of access. Conversely, it is submitted that, in principle, when it comes to the other data subject’s rights and data controller’s obligations, intellectual property will not be a valid legal basis for exceptions or limitations.


Another regime to take into account – and whose interplay with intellectual property and data protection remains partly unsolved – is freedom of information.

5. Freedom of information and access to the algorithm. The Italian panorama


In 2015, the French Commission d’accès aux documents administratifs obliged the Direction générale des finances publiques to release the source code of the computer program used to estimate the income tax of natural persons.  [280] More recently, the TAR Lazio,  [281] administrative court  [282] in Italy, stated that an algorithm is a digital administrative act and therefore, under the freedom of information regime, the citizens have the right to access it. This section critically analyses this ruling as a prism to understand the application of the freedom-of-information regime to algorithmic decision-making.


Under the Italian Administrative Procedure Act,  [283] citizens have the right to view administrative documents and extract a copy thereof, if they have a “direct, specific, and actual interest, corresponding to a legally-protected situation and linked to the document one intends to access.”  [284] The typical example would be an individual unhappy with the outcome of a public competition (e.g. to become notary public) and, therefore, demands to access the documents relevant to the competition. An important limitation of freedom of information regimes is that they can be actioned only against the State or other public bodies and with regards to administrative documents.  [285] The Government and the public bodies can lay out which documents cannot be accessed for a number of purposes listed in the Administrative Procedure Act, including privacy.  [286] However, there is case law clarifying that in principle, if the right to access and privacy clash, the former shall prevail, at least in the sense that an access request will not be denied for privacy reasons, but the document may be anonymised.  [287] More recently and generally, it has been stressed that freedom of information is a fundamental right and, therefore, the denial to access requests are allowed only in exceptional instances.  [288] This approach can also be found in the Privacy Code  [289] , in which there is a right to access administrative documents even though they contain personal or even sensitive data, because the freedom of information regime “is deemed to be of relevant public interest.”  [290] The balance is struck slightly differently when it comes to data on health or sexual life. Indeed, the access request will only be accepted if the interest underlying the request is a personality right  [291] or other fundamental right or freedom.  [292] One may infer that normally the right to access prevails over opposite interests and rights, even in the event the opposite rights were fundamental, unless the computer program implementing the algorithm processes health data or data about the sexual life of the individual. Thus, it is submitted that also the potential clash between freedom of information and intellectual property should normally be resolved in favour of the former. The GDPR will not affect the balance between privacy and freedom of information, since the recently presented draft implementing decree clarified that access to administrative documents and civic access fall outside the scope of the GDPR, at least in the context of its Italian implementation.  [293]


Only individuals who have a specific, direct, and actual interest in the access to the administrative document can exercise the right of access under the Administrative Procedure Act. However, in 2016, Italy introduced a more general freedom of information regime. Under the Citizen Access Act,  [294] the individual has two rights. First, the right to access all documents, information, and data (not only administrative documents), if there were an obligation to publish them and the relevant public body infringed it by not publishing.  [295] This right (so-called citizen simple access) is absolute and an access request under this provision cannot be denied.  [296] Second, a right to access documents that the State or other public bodies are not obliged to publish, justified with the purpose to “favor a generalised control over the pursuit of the institutional functions and over the use of public resources, as well as to promote the participation to the public debate.”  [297] This citizen generalised access is a limited right.  [298] Indeed, the relevant request can be denied for a number of reasons,  [299] including data protection  [300] and intellectual property.  [301]


There is another regime that may be used to access algorithms used by the State and other public bodies, even though its scope is very narrow. As of 14 September 2016, under the Public Administration Code,  [302] legal and physical persons have the right to reuse computer programs and other “solutions” in order to “adapt them to their needs”.  [303] Therefore, the State or other requested public body have an obligation to make the relevant source code publicly available “alongside the documentation”  [304] under a free and open-source license. However, the requested body can deny access in three scenarios if the computer program or the solution owned by the State or public body were not developed “based on the specific indications by the public customer.”  [305] The denial may be justified also by ordre public, national security, defence, and elections.  [306]


Let us focus on the recent case that applied the Administrative Procedure Act in order to recognise the right to access the source code of the computer program implementing the algorithm used by the Ministry of Education, University and Research with regards to the mobility of the teaching staff; the algorithm had been commissioned to a private company (HPE Services s.r.l.). The teachers’ trade union claimed that they could not defend their members’ right with regards to the mobility procedures if they were not allowed to access the algorithm. The computer program was used to manage the transfer of the teaching staff between provinces and the outcome of the procedure was solely determined by the algorithm. This means that, should the requirements be met (personal data, decision with legal effect, etc.), the applicant may exercise the rights recognised by the GDPR with regards to algorithmic-decision making.  [307]


In the case at hand, the applicant sought to exercise the right to access under the freedom of information regime. However, this was denied by the Ministry of Education for a number of reasons. Firstly, the source code was not an administrative document (and the right to access under freedom of information can be exercised only with administrative documents).  [308] Secondly, the computer program was covered by copyright. The court, however, dismissed both arguments.


Given that, with the current development of AI and kindred technologies, public bodies can increasingly replace human procedures with algorithmic ones, the court held that the use of the algorithm cannot act as justification for restricting the scope of application of the freedom of information regime. Let us imagine what would happen if all procedures were handled by algorithms and the freedom-of-information requests were not applicable to algorithmic documents: the said regime would still exist in the books, but no longer in practice.


The conceptual first step is recognising the existence of the concept of a digital administrative document. In a digital administrative document, an algorithm replaces a human agent acting on behalf of a public body; this is allowed only with regards to the non-discretionary administrative activities.  [309] Indeed, non-discretionary power is compatible with the way computer programs work, because the latter can translate facts and legal data into code, thus bringing to an immutable conclusion through formalised reasoning.  [310] This passage of the ruling reinforces this paper’s argument that algorithms cannot replace human judges (and other decision-makers) because interpretation is ubiquitous and it is an intrinsically discretionary process.


This said, the court needed to qualify the computer program itself as a digital administrative document, otherwise no access to the source code could be granted (at least under this regime). The computer program qualifies as a digital administrative document because it materialises the ultimate will of the public body in a way that is able to create, modify, or extinguish the individual’s legal positions. Consistently with the technology neutrality principle, the relevant statutory provision describes the ‘administrative document’ in a very broad way by encompassing also the electromagnetic representation of a document and any other form of representation.  [311] Therefore, there is no problem in considering a computer program implementing an algorithm as an administrative document (if the other legal requirements are also met).  [312] It may be conceded that, strictly speaking, a computer program is not a document in itself. However, recognising the right to access only to the final document resulting from the algorithmic procedure would equal denying the access request, because without the source code it may prove hard to understand the rationale of the final decision. The right to access often serve the purpose of lodging a complaint against a public body if the final decision affected the individual’s rights or legitimate interests. However, it is unlikely that such a claim would be successful, if the individual does not have access to the rationale of the final decision (which means also accessing the source code, if the decision is algorithmic). Indeed, it is believed that a narrow interpretation of an ‘administrative document’ would not comply with the right to an effective remedy and to a fair trial as enshrined in the Charter of Fundamental Rights of the EU  [313] and in the European Convention of Human Rights.  [314]


One may object that granting the access in this case would be tantamount to granting access to the source code of the computer program (e.g. Microsoft Word) used to write an administrative document. Such an argument would be based on a wrong understanding of what is a digital administrative document. Indeed, the court distinguishes between documents drafted with the aid of a computer and electronically programmed documents, where the software finds and links data and norms. The latter is a digital administrative document (the source code of which is accessible) because it constitutes the final decision; it is not a mere aid to draft it.  [315] This paper joins those who underline that “the electronic processing is the document, it represents it, it makes it known externally, it becomes the form of the document, thus being legally relevant in its electronic form, regardless of its paper transcription.”  [316] The very broad definition of administrative document is seen by the court and by legal scholars as a shift from a focus on the pedigree of the document, to its function:  [317] if the function is administrative (as in concerning the public interest), then it is immaterial how the document was formed and access shall be granted in any event, if the general requirements are met. This said, it is important to stress that the court stated that electronically programmed documents are not allowed when it comes to the exercise of discretionary power,  [318] due to the difficulty “which is scientific as opposed to legal, to map the reasoning underlying the document,”  [319] if this is the outcome of an algorithmic procedure (and not simply drafted by a human being with the aid of a word processor). Again, there is no place for algorithmic decisions where the relevant process is discretionary.  [320]


After recognizing the right to access the computer program, the court went on to state that providing the applicant with the mere description of the algorithm and of its functioning is not a sufficient response.  [321] Only the access to the source code is. Indeed, the Ministry of Education had responded to the access request by describing the algorithmic procedure (collection of input data, appointment to a certain school, distribution of the results), as well as reporting some case studies. The court, however, states, “the assessment of the functionality of the algorithm or of programming errors can be carried out exclusively in light of the knowledge”  [322] of the source code. This should be accompanied by a thorough explanation of the rationale and of the consequences of the decisions, especially if personal data is involved.


Finally, as to the clash with the copyright on the computer program, the steps to follow are: i. Assessment of copyright subsistence; ii. Authorship and ownership; iii. Infringement; iv. Exceptions.


The subsistence, authorship, and ownership of the copyright do not seem to be problematic.  [323] Even though there is no evidence on the point, the court assumes that the Ministry of Education owns the program under a license with HPE Services s.r.l., which retains authorship and the moral rights.  [324]


The court goes on to observe that the purpose of the access does not conflict with the economic interest protected by copyright.  [325] On this point, the court is not clear as to whether it is dealing with the assessment of infringement or with the exceptions. In the latter event, this would be a peculiar ruling, because it would take a flexible “fair use”  [326] -like approach to copyright exceptions, usually interpreted by applying the so-called three-step test, revolving around an exhaustive list of permitted uses.  [327] There is currently no copyright exception for non-commercial use or for purposes of freedom of information. The access to the source code for this purpose may not conflict with the normal exploitation of the work and may not prejudice the interests of the author. However, the third step requires that the exception be expressly provided by the law, which currently does include a general exception for non-commercial acts. Conversely, the point should be better construed as meaning that there can be no infringement because the restricted act is not the distribution of the copyright work, but its distribution for commercial purposes. Indeed, the heading of the chapter of the Copyright Act on the restricted acts is “Protection of the economic use of the work”  [328] and the first relevant provision recognises the “exclusive right to economically use the work within the limits of the Act.”  [329] From this perspective, the clash between freedom of information and copyright is merely ostensible, because the right to access administrative documents does not interfere with the uses of computer programs that are restricted by the law. Additionally, a different conclusion would have led to an unacceptable difference of treatment depending on the technological solution adopted. It is obvious that, in principle, public bodies own copyright on the documents they produce. However, it would be absurd to claim that a freedom of information request can be denied because the public body owns the relevant copyright. This would equal sterilising the right to access. Accordingly, the discretional adoption of a more modern technology cannot justify different considerations. Therefore, just like copyright could never be the basis of an access denial under the analysed regime, it will never justify the access denial with regards to computer programs.


An argument of the Ministry of Education was, then, that the so-called citizen generalised access request can be denied if necessary to avoid an actual prejudice to intellectual property.  [330] However, the right to access under the Administrative Procedure Act (which is the one relevant here) and the citizen access are entirely different things. Their purposes are discrete. The former does not encompass a right to a generalised control over the public bodies:  [331] it serves the purpose to enable the individuals to defend their rights and interests which may be affected by an administrative document. This generalised control, conversely, is the purpose of the citizen access rights under the Citizen Access Act. The requirements of the right to access administrative documents and the citizen access rights (both simple and generalised) are different; therefore, all the remedies can operate in parallel. The balance will have to be struck differently. On the one hand, the former requires access to more detailed information, because it serves the purpose of preparing a claim. On the other hand, under a citizen access regime, even less granular information will be sufficient (e.g., the description of the algorithm may suffice under this regime). The court states that, therefore, it may be that whereas a citizen access is denied, it may be accepted with regards to the same document if the same individual exercises the right to access administrative documents.


It is submitted that the court may have brought into play three more considerations. First and foremost, ubi lex voluit dixit, ubi noluit tacuit. The lawmaker expressly accepts that an access request can be denied for intellectual property purposes under the citizen access regime. However, the fact that the legislator does not provide a similar exception with regards to the right to access administrative documents constitutes evidence of the untenability of an intellectual property exception to the said right. Second, intellectual property is mentioned in the citizen access regime as an example of “economic and commercial interests.”  [332] Therefore, since it has already been proven that the access to the source code would not conflict with the use of the program for commercial purposes, even if the exception were extended to the right to access administrative documents, it would not apply in the case at hand. Third, the exceptions to the citizen access are allowed only if “necessary to avoid an actual prejudice” to the listed interests (including intellectual property). Arguably, denying access to the source code may not always be necessary to avoid such prejudice (for instance, if the applicant agrees to make a non-commercial use of it). Given that there is no intellectual property exception to the right to access administrative documents, one should bear in mind that also trade secrets and patents might not be used to prevent the said access. This is particularly important from our perspective, given the pivotal role of trade secrets in keeping algorithms opaque.


As a consequence of the lack of the elements of infringement, of the inexistence of an intellectual property exception to the right to access administrative documents, as well as of the general assertion whereby “the nature of copyright work does not represent a justification for access denial,”  [333] the court recognises the right to access the source code, provided that the applicant uses the information exclusively for the purposes that legitimised the claim (the right of the teachers’ trade union to defend its members’ rights).


For all the reasons analysed above, the court found in favour of the teachers’ trade union and, therefore, annulled the access denial and ordered the Ministry of Education the release of a copy of the source code of the computer program implementing the algorithm used by the Ministry in handling the teachers’ mobility.


The right to access administrative documents may be seen as a weak tool when it comes to the transparency of the algorithmic decisions taken by the State and other public bodies. Indeed, especially in AI / black box contexts, accessing the source code of the computer program implementing an algorithm does not provide the applicant with valuable and / or intelligible information.  [334] However, denying such access would conflict with the fundamental right to an effective remedy, because an individual could hardly be successful in a claim against a public body, if they cannot access the rationale of an algorithmic decision affecting their rights and legitimate interests.


Some scholars suggest that, in the future, artificial intelligence will be used to adopt algorithmic administrative documents even when it comes to discretionary activity, with the possibility of leaving room for the human intervention in the most difficult cases.  [335] They maintain that this is only a prediction but given the current developments of natural language processing and machine learning, arguably the relevant tools are already available. Even though it cannot be said that artificial intelligence should be banned altogether when it comes to discretionary power, it is believed that some room for ex-ante human intervention should always be left for a number of reasons, including the fact that all administrative activities (like all interpretive operations) are to some extent discretionary. This does not mean, however, that citizens cannot exercise the right to access under the freedom of information regime if the relevant administrative activity is non-discretionary. It means that public bodies are not allowed to use AI when they are exercising a discretionary power.


The question remains as to what citizens can do if public bodies start taking decisions against them even in the discretionary realm. The remedy described in this section operates ex post, once the decision has already been taken. Similarly, the copyright and patent exceptions may constitute a useful ex-post tool, but their scope is quite limited. From an ex-ante perspective, however, it may be argued that a potentially affected individual could obtain an injunction to prevent a public body from taking an algorithmic decision by using the data protection tool under Article 22 of the GDPR. Therefore, an integrated approach to the remedies against algorithmic decisions should be taken.

6. Conclusions


This study presented ten arguments against algorithmic decision-making, as well as three routes available to those affected by algorithms. As pointed out by some scholars,  [336] the most important thing is providing individuals with the means to challenge adverse algorithmic decisions. To do so, intellectual property, data protection, and freedom of information provide adequate protections, particularly if one takes an integrated approach. National implementations of the GDPR should be a precious opportunity to detail the procedures to challenge algorithmic decisions, even though it does not seem that this is the direction that is being taken.


Intellectual property enables the legitimate user of a software implementing an algorithm or of an algorithm-related patent to carry out certain acts (study, observation, etc.) without the intellectual property owner’s consent. Whilst these quasi-rights allow the user to try and understand the algorithm by themselves, they do not give them a positive right to demand the intellectual property owner’s cooperation.


Conversely, a freedom of information request allows all citizens to impose upon public bodies, under certain circumstances, an obligation to release the source code of computer programs that implement algorithms, while explaining the logic involved in the relevant decision. The main shortcoming of this regime is the limitation to public defendants. Much will depend on how courts will strike a balance between freedom of information and intellectual property. In Italy, the former prevails. In turn, arguably, the UK tend to favour the interests of the intellectual property owners.


The only ad-hoc regime against algorithmic decisions is provided by art 22 of the GDPR. One may criticise some aspects of this provision. For instance, it applies only to decisions “solely based on automated processing” means. This paper’s suggestion is to recognise the right not to be subject to an algorithmic decision every time that there is not a human being taking the final decision substantially, as opposed to formally. In spite of its shortcomings, art 22 is clear and detailed in laying out the general principle that businesses, governments, judges, and other data controllers should not make decisions based solely on algorithmic processes. Under certain circumstances (e.g. explicit consent), such decisions can be made, but informing the data subject and allowing him or her to access to the logic involved in the decision, its significance, and the envisaged consequences. Much will depend on the national implementing measures. The UK Data Protection Bill risks not ensuring compliance with the GDPR, thus exposing the UK to the possibility of being considered as ‘inadequate’ in the context of cross-border EU-UK data transfers.


It is submitted that only a document which includes both the algorithm used and an explanation of the logic and consequences in non-technical terms would comply with the GDPR as interpreted in light of the Charter of Fundamental Rights of the EU and the European Convention on Human Rights. Then, the right to a human judge is paramount, because the right to access and to be informed may prove useless. Indeed, when artificial intelligence is used, it is sometimes unfeasible to access the relevant rationale. To the legal black box created by intellectual property rights, one needs to add the technical black box and the organisational one.


Practically, if the algorithmic decision is based on personal data, this latter route is preferable. If not and the decision-maker is a public body, one should opt for a freedom of information request. If a private decision-maker (e.g. a bank) makes an algorithmic decision based on non-personal data, then the route will be that of intellectual property exceptions. The freedom-of-information remedies operate ex post, once the decision has already been taken. In turn, the copyright and patent exceptions may be used before any decision is made, but only to access the algorithm, not to prevent the decision-maker from proceeding algorithmically. The only regime that prevents algorithmic decisions is the one provided by the GDPR.


The trust in artificial intelligence and algorithms derives from the belief that non-human agents are unbiased, and their decisions are not affected by passions and ideologies. In fact, algorithms are as biased as the people who trained them, but in a less transparent and accountable way. The more important algorithms will become, the more we will want them to embed our values (and, therefore, our ideologies and biases).  [337] Further research should be carried out by diverse (also in terms of gender, ethnicity, etc.) multidisciplinary teams in order to find solutions to open the technical, organisation, and legal black boxes and to ensure fair algorithmic decision-making. Indeed, only a strong humanist stance will be able to reduce algorithmic bias.


This paper is a humanist manifesto. It is, indeed, permeated with the belief that we should trust our fellow human beings over the algorithms, despite developments in artificial intelligence allowing the deployment of increasingly refined legal applications. This does not mean that we should reject the use of algorithms altogether. For instance, judges shall use them to improve the quality and consistency of their decisions. However, they shall not let algorithms decide in their stead. In order to better understand how to make the human-algorithm cooperation work best, it has become crucial to shift the focus from the definition of algorithms, artificial intelligence etc. to the understanding of what makes us human.  [338]

* Lecturer in Law (Northumbria University); Director (Ital-IoT Centre for Multidisciplinary Research on the Internet of Things); Fellow (Nexa Center for Internet & Society).


The author is grateful to Sue Farran, Paul Dargue, and Tony Ward for comments on previous drafts of this article. This work has greatly benefited also from the feedback received at the «XXVIII World Congress of Philosophy of Law and Social Philosophy» (Lisbon, 17 July 2017), at the «Café & Chat: Quem Governa os Algoritmos?» (IRIS - Instituto de Referência em Internet e Sociedade and GNET – UFMG, Faculdade de Direito da Universidade Federal de Minas Gerais, Belo Horizonte, 18 August 2017), at the research seminar organised by NINSO The Northumbria Internet & Society Research Interest Group (Newcastle upon Tyne, 8 December 2017), and at a guest lecture given at the Schmalkalden University of Applied Sciences (Schmalkalden, 21 December 2017). Thanks to Katie Atkinson and Giulia Caffarelli for the insight into the AI debate. The author’s appreciation goes to the anonymous referees for the helpful comments and to Philipp Schmechel for the patient editing. Views and errors are solely the author’s responsibility.

Any party may pass on this Work by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing License. The text of the license may be accessed and retrieved at

