Magazine article AI Magazine

European Union Regulations on Algorithmic Decision Making and a "Right to Explanation"

Article excerpt

We summarize the potential impact that the European Union's new General Data Protection Regulation will have on the routine use of machine-learning algorithms. Slated to take effect as law across the European Union in 2018, it will place restrictions on automated individual decision making (that is, algorithms that make decisions based on user-level predictors) that "significantly affect" users. When put into practice, the law may also effectively create a right to explanation, whereby a user can ask for an explanation of an algorithmic decision that significantly affects them. We argue that while this law may pose large challenges for industry, it highlights opportunities for computer scientists to take the lead in designing algorithms and evaluation frameworks that avoid discrimination and enable explanation.


In April 2016, for the first time in more than two decades, the European Parliament adopted a set of comprehensive regulations for the collection, storage, and use of personal information, the General Data Protection Regulation (GDPR) (1) (European Union, Parliament and Council 2016). The new regulation has been described as a "Copernican Revolution" in data-protection law, "seeking to shift its focus away from paper-based, bureaucratic requirements and towards compliance in practice, harmonization of the law, and individual empowerment" (Kuner 2012). Much in the regulations is clearly aimed at perceived gaps and inconsistencies in the European Union's (EU) current approach to data protection. This includes, for example, the codification of the "right to be forgotten" (Article 17), and regulations for foreign companies collecting data from European citizens (Article 44).

However, while the bulk of the language deals with how data is collected and stored, the regulation contains Article 22: Automated individual decision making, including profiling (see figure 1), potentially prohibiting a wide swath of algorithms currently in use in recommendation systems, credit and insurance risk assessments, computational advertising, and social networks, for example. This prohibition raises important issues that are of particular concern to the machine-learning community. In its current form, the GDPR's requirements could require a complete overhaul of standard and widely used algorithmic techniques. The GDPR's policy on the right of citizens to receive an explanation for algorithmic decisions highlights the pressing importance of human interpretability in algorithm design. If, as expected, the GDPR takes effect in its current form in mid-2018, there will be a pressing need for effective algorithms that can operate within this new legal framework.


The General Data Protection Regulation is slated to go into effect in April 2018 and will replace the EU's 1995 Data Protection Directive (DPD). On the surface, the GDPR merely reaffirms the DPD's right to explanation and restrictions on automated decision making. However, this reading ignores a number of critical differences between the two pieces of legislation (Goodman 2016a, 2016b).

First, it is important to note the difference between a directive and a regulation. While a directive "set[s] out general rules to be transferred into national law by each country as they deem appropriate," a regulation is "similar to a national law with the difference that it is applicable in all EU countries" (European Documentation Centre 2016). In other words, the 1995 directive was subject to national interpretation and was only ever indirectly implemented through subsequent laws passed within individual member states (Fromholz 2000). The GDPR, however, requires no enabling legislation to take effect. It does not direct the law of EU member states, it simply is the law for member states (or will be, when it takes effect). (2)

Figure 1. Excerpt from the General Data Protection Regulation.

(European Union, Parliament and Council 2016)

Article 22. … 