27 February 2018 Mona Naomi Lintvedt

Presentation on: "27 February 2018 Mona Naomi Lintvedt". Transcript of the presentation:

1 27 February 2018 Mona Naomi Lintvedt
The General Data Protection Regulation's regulation of automated individual decisions 27 February 2018 Mona Naomi Lintvedt

2 Personal Data Act (personopplysningsloven) § 22
§ 22 Right to information about automated decisions
If a decision has legal or other significant consequences for the data subject and is based entirely on automated processing of personal data, the data subject to whom the decision is addressed may require the controller to give an account of the rule content of the computer programs on which the decision is based.
§ 25 Right to demand manual processing
Anyone to whom a fully automated decision as mentioned in § 22 is addressed, or whom the matter otherwise directly concerns, may demand that the decision be reviewed by a natural person. The right under the first paragraph does not apply if the data subject's privacy interests are adequately safeguarded and the decision is authorised by law or relates to the performance of a contract.

3 Ot. prp. nr. 92 ( ) on § 22
Since central parts of our administrative legislation already entail a requirement that public bodies must in certain cases be able to account for the «logic» of the computer programs that determine the legal content of administrative decisions (regardless of whether the decisions are automated or not), the provision on access to the logic is primarily of significance for the private sector. As the committee also points out, it must be assumed that today only a very small number of computer systems in the private sector will be covered by the proposed access rule, since most automated services involve a manual review of the decision. The access rule nevertheless expresses a right to demand access and reasons that is important in principle, and that may prove to have greater practical significance in the future.

4 Ot. prp. nr. 92 ( ) on § 25
How much significance the provision will have for privacy will depend, among other things, on how strict the requirements are for the measures to safeguard privacy. Only if these measures are satisfactory can manual assessment not be demanded. The Norwegian Data Protection Authority (Datatilsynet) can decide whether the measures are satisfactory. One cannot rule out a societal development in which the types of fully automated decisions to which the right of refusal applies become more common. It is therefore possible that a Norwegian statutory provision modelled on Article 15 could influence the design of automated processing in a direction that is positive from a privacy perspective.

5 General Data Protection Regulation Art. 22
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

6 Recital 71 - examples
The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.

7 Based solely on automated processing
No human involvement in the processing
The controller cannot avoid the Article 22 provisions by fabricating human involvement. For example, if someone routinely applies automatically generated profiles to individuals without any actual influence on the result, this would still be a decision based solely on automated processing. To qualify as human intervention, the controller must ensure that any oversight of the decision is meaningful, rather than just a token gesture.
But automated processing may be used to produce a recommendation, which is then processed manually before the final decision.

8 Legal or similarly significant effects
Legal effects: entitled to or denied a particular social benefit granted by law, such as child or housing benefit; refused entry at the border; subjected to increased security measures or surveillance by the competent authorities; or automatically disconnected from their mobile phone service for breach of contract because they forgot to pay their bill before going on holiday.
Similarly significantly affects him/her: decisions that affect someone’s financial circumstances, such as their eligibility to credit; decisions that affect someone’s access to health services; decisions that deny someone an employment opportunity or put them at a serious disadvantage; decisions that affect someone’s access to education, for example university admissions.

9 General Data Protection Regulation Art. 22 cont.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(c) is based on the data subject's explicit consent.
3. […] the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
2. (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests
*4. Decisions […] shall not be based on special categories of personal data, unless [consent or substantial public interest on basis of law] and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

10 Hmmm …

11 Recital 71 – Requirement for a legal basis
However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller
Must an automated decision follow expressly from law? Exemption card for health services (helsefrikort)

12 Recital 71 - Requirement of information and the right to be heard
In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision
Are the rules in the Public Administration Act (forvaltningsloven) and similar legislation on the duty to investigate, the right to be heard, the giving of reasons and the right of appeal sufficient? Is the right to appeal sufficient as a suitable safeguard?

13 Transparency Art. 13, 14, 15
Data controllers must inform the data subjects about: the existence of automated decision-making, including profiling […] [and provide data subjects with] meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.
Information about the system in general, but not reasons for the decision?

14 Information about the logic
For instance in the case of credit scoring, they should be entitled to know the logic underpinning the processing of their data and resulting in a ‘yes’ or ‘no’ decision, and not simply information on the decision itself
The controller explains that this process helps them make fair and responsible lending decisions. It provides details of the main characteristics considered in reaching the decision, the source of this information and the relevance. This may include, for example: the information provided by the data subject on the application form; information about previous account conduct, including any payment arrears; and official public records information such as fraud record information and insolvency records.

15 Information about the significance and the consequences
An insurance company uses an automated decision making process to set motor insurance premiums based on monitoring customers’ driving behaviour. To illustrate the significance and envisaged consequences of the processing it explains that dangerous driving may result in higher insurance payments and provides an app comparing fictional drivers, including one with dangerous driving habits such as fast acceleration and last-minute braking. It uses graphics to give tips on how to improve these habits and consequently how to lower insurance premiums.

16 Read more
WP29 Guidelines on automated decision making and profiling
ICO Rights related to automated decision making including profiling
Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation, Wachter, Mittelstadt, Floridi (2017)
The Right Not to be Subject to Automated Decisions Based on Profiling, Mendoza, Bygrave (2017)

