Automated decision-making has been regulated under GDPR Article 22 since 2018. The regulation grants individuals the right not to be subject to decisions based solely on automated processing when those decisions produce legal effects or similarly significant effects. When such processing occurs, individuals must be informed, given the right to request human review, and given the right to contest the decision.
What constitutes a 'significant effect' has been interpreted broadly by EU regulators: it encompasses decisions about credit approval, employment screening, insurance pricing, healthcare recommendations, and targeted advertising that materially affects a person's opportunities or access.
Beyond GDPR, the CCPA and CPRA include rights to opt out of 'profiling in furtherance of decisions that produce legal or similarly significant effects,' and several US states have enacted algorithmic accountability laws. For organizations deploying AI in high-stakes contexts, documenting the role of automated systems in decision processes and ensuring meaningful human oversight is both a legal and risk management necessity.