This document discusses the use of artificial intelligence in administrative procedures in light of GDPR Article 22. It outlines some key characteristics of AI systems and different types of automated decision-making. It examines scenarios where AI could be used, such as automated positive decisions for income tax or family allowance. It also discusses the requirements for fully automated administrative acts under German law, and implications for other legal systems. Specifically, it notes the need to ensure the right to obtain human intervention, express views, and contest decisions when AI is used for profiling or automated decisions under GDPR Article 22.

1. Automating decisions in the
context of public
administration in the light of
Art 22 GDPR
Mag. Bettina Höchtl
Danube University Krems

2. 2
● Why AI in administrative procedure?
○ Impact orientation, limited budget, data in registers, efficiency
● Characteristics of AI
○ Fundamentally different systems: rule-based – autonomous
● Leeway for decision-making
○ Different types of decisions: bound – discretionary
● Application scenarios
○ Partly or fully automated decision-making
1. Context

3. 2. Art 22 GDPR: Prohibition with
exceptions
1. Solely automated processing
2. Decision
3
Profiling
3. Legal effects 3. Similarly
significant
effects
4. Exceptions: Explicit Consent, Legislative
Provision
5. Purpose

4. Profiling
○ Collection of data about
individuals
○ Evaluating their characteristics or
behaviour patterns
○ Categorise the individuals, in
particular to analyse and/or
predict
■ Ability to perform a task
■ Interests
■ Behaviour
(WP251.rev.01, 2018, 7)
4
Art 22 GDPR - Prohibited?
Prevailing opinion:
Profile creation must have an effect on the
individual through a decision or a measure
(e.g. Veil, Art 22 Rz 4; Art 29 WP 260 rev.01, 27)

5. 5
● Automated positive decisions
○ Income tax – administrative procedure without the need to file a
request
○ Family allowance
● Automated preparation of the decision
basis
○ Section Control: Evaluation in case of violation (§ 100 Abs 5b StVO – Re-
identification of indirect personal data by comparison with data on licence holders)
○ Financial Administration “Conspicuousness test”
Exception - Authorization by Union or Member State Law:
No decision making according to Art 22 GDPR in Austria

6. 6
● Appropriate measures, at least
○ Right to obtain the intervention of a person on the part of the controller
○ Right to express one's point of view
○ Right to contest the decision
● Meaningful information about the logic involved, as well
as the significance and the envisaged consequences of
such processing for the data subject
○ Meaningful --> useful/significant [aussagekräftig] (Malgieri/Comandé 2017)
○ Logic involved: Prevailing opinion - No publication of the algorithm - different
regarding self-programming systems? (Hoeren/Niehoff 2018)
○ My opinion: Understandability for the adressee (cf. “aussagekräftig und verständlich” - Art
29 Datenschutzgruppe, Leitlinien zu automatisierten Entscheidungen, 28f)
Art 22 GDPR – Legal Consequences:
Information- and audit obligations

7. 7
• s 35a VwVfG: Requirements for
admissibility
• Legislative provision
• Decision without discretion,
leeway
• Factual information of the party which
is significant for the individual case and
which would not be determined in the
automatic procedure (s 24 VwVfG)
Fully automated administrative
acts in Germany

8. 8
● No comparable provision e.g. in Austrian General Adm. Procedure
Act
● Authority‘s will?
○ Issuance of a decision assigned to a specific person (Hengstschläger/Leeb, §
18 AVG, mn 8)
○ Approval of the program + precisely defined input without leeway for
personnel (VfGH vom 18.6.1980, B122/79; VwGH 14.12.2006, 2005/14/0014)
○ Transferability (with legislative provision) to other areas unclear
● Courts‘ interpretation or need for legal provision similar to s 35a
VwVfG?
§ 35a VwVfG – Implications for other legal orders

9. 9
4. Conclusions: Admissability of automated decisions in the
context of administrative procedure in the light of Art 22 GDPR

10. 10
Filing a request Internal processing Decision
delivery
● Chatbot (implied
consent)
● No request needed +
positive decision
● Proposed
decision:
discretion +
autonomous
system
● Precisely defined
decision + rule-
based system
● Precisely defined decision + rule-
based systems
● Discretion + autonomous system?
(.Barth/Arnold 1999)
Technical Challenges
Administrative discretionary control? (AT
administrative courts)
 Logic involved?

11. THANK YOU FOR YOUR
ATTENTION!
Questions?
bettina.hoechtl@donau-uni.ac.at
Mag. Bettina Höchtl
Department for E-Governance in Business and Administration
Danube University Krems
Dr. Karl-Dorrek-Str. 30
3500 Krems
Austria
11