“Just” Algorithms: Justification (Beyond Explanation) of Automated Decisions Under the General Data Protection Regulation

The regulation of automated decision-making (ADM) in the General Data Protection Regulation (GDPR) is a topic of vivid discussion. If the first commentators focused mostly on the existence of a right to an explanation in the body of the Regulation, the following discussion has focused more on how to reach a good level of explainability or, even better, a good level of algorithmic accountability and fairness.

This paper argues that if we want a sustainable environment of desirable ADM systems, we should aim not only at transparent, explainable, fair, lawful, and accountable algorithms, but we also should seek for “just” algorithms, that is, automated systems that include all the above-mentioned qualities (transparency, explainability, fairness, lawfulness, and accountability). This is possible through a practical “justification” statement and process through which the data controller proves, in practical ways, the legality of an algorithm with respect to all data protection principles (fairness, lawfulness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability). Indeed, as this article shows, all these principles are necessary components of a broader concept of just algorithmic decision-making.

This justificatory approach might be not only comprehensive of many other fragmentary approaches proposed thus far in the legal or computer science literature, but also might solve many existing problems in the artificial intelligence (AI) explanation debate, for example, the difficulty in “opening” black boxes, the transparency fallacy, and the legal difficulties in enforcing a right to receive individual explanations.

Section 2 mentions the general rules about profiling and ADM in the GDPR, while Section 2.1 refers to the debate about the interpretation of those rules. Then, Section 3 addresses the definition and limits of the concept of “explanation,” and Section 4 tries to propose some preliminary, tentative solutions to those limits—adopting a systemic accountability approach. Developing upon these first elements, Section 5 introduces the concept of Algorithm Justification, while Section 6 contextualises this concept in the legal field and Section 7 in the GDPR field, explaining on which bases a “justificatory” approach is not only useful but also necessary under the GDPR. Further developing this challenge, Section 8 addresses how an ADM justification should be conducted, considering in particular the data protection principles in Article 5. Finally, Section 9 proposes a practical “justification test” that could serve as a first basis for data controllers who want to justify ADM data processing under the GDPR rules.

The GDPR has tried to provide a solution to risks of automated decision-making through different tools: a right to receive/access meaningful information about logics, significance, and envisaged effects of automated decision-making processes (Articles 13(2), lett. f; 14(2), lett. g; and 15(1), lett. h) and the right not to be subject to automated decision-making (Article 22) with several safeguards and restrains for the limited cases in which automated decision-making is permitted.

Article 22(1) states as follows: “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” This right shall apply almost always in case of sensitive data

For sensitive data we refer to “special categories of personal data” according to Article 9(1). This exemption does not apply in case of point (a) or (g) of Article 9(2) (i.e., sensitive data given with explicit consent of data subject or processing necessary for reason of substantial public interest) when “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.”

In cases (a) and (c) from the above list “the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (Art. 22(4)). In addition, recital 73 explains that such suitable safeguards “should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.”

In sum, in case of a “decision based solely on automated processing, including profiling, which produces legal effects concerning [data subjects] or similarly significantly affects [them],” individuals have two different safeguards:

The right to know the existence of that processing and meaningful information about its logic, significance, and consequences.

Most of these proposed solutions are based on transparency, explainability, and interpretability of artificial intelligence.

See e.g., in general, Andrew D. Selbst and Solon Barocas, “The Intuitive Appeal of Explainable Machines,” 87 Fordham Law Review 1085 (2018).

In the field of Computer Science, explanation of AI has been referred to as making it possible for a human being (designer, user, affected person, etc.) to understand a result or the whole system.

Clément Henin and Daniel Le Métayer, ‘A Framework to Contest and Justify Algorithmic Decisions’ [2021] AI and Ethics <https://doi.org/10.1007/s43681-021-00054-3>.

The GDPR (and, in particular, the provisions in Article 22 and recital 71) are often interpreted as referring to only “one” kind of explanation. Actually, there is no unique explanation in practice;

Miller, (n 14); Selbst and Barocas, (n 13).

These last considerations may lead to an insurmountable dichotomy: either we prohibit more technologically advanced and inscrutable decision-making systems because they cannot comply with the GDPR explainability requirements; or we tolerate AI-based decision-making systems that do not formally respect the transparency duties in the GDPR.

In addition, explanations are not only sometimes problematic, but also not sufficient to make AI socially and legally “desirable.” In particular, several scholars reflected upon the “transparency fallacy” of algorithmic explanation,

Edwards and Veale, (n 3); Lilian Edwards and Michael Veale, “Enslaving the Algorithm: From a ‘Right to an Explanation’ to a ‘Right to Better Decisions’?” 16 IEEE Security & Privacy 46 (2018).

To overcome the above-mentioned limits of AI explanation, a possible solution might be to look at the broader picture of the GDPR. Article 22(3) and recital 71, when mentioning the possible measures to make automated decisions more accountable, do not address only the right to an individual explanation, but several other complementary tools (e.g., the right to contest and the right to human involvement and algorithmic auditing). In particular, there are several principles and concepts that might influence the interpretation of accountability duties also in case of algorithmic decision-making: the fairness principle (Article 5(1)(a)), the lawfulness principle (Article 5(1)(a)), the accuracy principle (Article 5(1)(d)), the risk-based approach (Articles 24, 25, 35), and the data protection impact assessment model (Article 35).

Also looking at these last provisions, a justification of automated decisions taken is not only more feasible but also more useful and desirable than an explanation of the algorithm.

Sandra Wachter and Brent Mittelstadt, “A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI,” Columbia Business Law Review 2 (2019) available at https://papers.ssrn.com/abstract=3248829; Margot Kaminski, Binary Governance: Lessons from the GDPR's Approach to Algorithmic Accountability, 92 S. Cal. L. Rev. 1529 (2019):12–17, available at https://scholar.law.colorado.edu/articles/1265.

This justification process will be addressed in the next section. However, at this moment we can already affirm that justification and explanation are not necessarily in conflict with each other. When explanations are not satisfactory or feasible, the data controller should implement some complimentary accountability tools.

Edwards and Veale, “Enslaving the Algorithm,” (n 24).

Before describing the practicalities of a possible justification model and before exploring the advantages of this approach, it is useful to understand what justification means in general as well as in the legal field, particularly with regard to data protection. In general terms, a justification is an action to prove or show something (a person, an action, opinion, etc.) to be just, right, desirable, or reasonable.

Lexico, “Justification,” https://www.lexico.com/definition/justification (accessed on 25 November 2020).

While the explanation, as mentioned above, aims to make humans understand why a decision was taken, a justification aims at convincing that that decision is “just” or “right” (following the different benchmarks of rightness in different fields).

Or Biran and Courtenay V. Cotton, “Explanation and Justification in Machine Learning: A Survey,” /paper/Explanation-and-Justification-in-Machine-Learning-%3A-Biran-Cotton/02e2e79a77d8aabc1af1900ac80ceebac20abde4, accessed 26 November 2020.

The proof can follow logical reasoning standards, while the “norm” depends on the specific context at issue. As shown above, the norm can be based on theological, philosophical (utilitarian, deontological, etc.), scientific (scientific method) and, of course, legal grounds. Indeed, in legal terms, justification means proving that a certain action or act respects the current law and, more generally, the legality principle.

Aarnio, (n 19) 8; Mireille Hildebrandt, Law for Computer Scientists and Other Folk (Oxford University Press 2020), 267.

Actually, as Loi and colleagues argue,

Michele Loi, Andrea Ferrario, and Eleonora Viganò, “Transparency as Design Publicity: Explaining and Justifying Inscrutable Algorithms” in Ethics and Information Technology, https://doi.org/10.1007/s10676-020-09564-w, accessed 30 November 2020.

Returning to the notion of legal justification, scholars proposed different approaches to it,

See, in general, Aarnio, (n 19); Arno R. Lodder, Dialaw: On Legal Justification and Dialogical Models of Argumentation (1999° edizione, Kluwer Academic Publishers, 1999).

In sum, while an explanation tends to clarify only why a decision was taken (on which “primary goals,” and on which practical interests and needs it was taken),

See also Kiel Brennan-Marquez, “ ‘Plausible Cause’: Explanatory Standards in the Age of Powerful Machines,” 70 Vanderbilt Law Review 70, no. 53 (2017)<<Au: Pls supply date>>: 1288; Kaminski, (n 26) 1545.

Both these approaches appear incomplete to our purposes (justification of algorithmic decisions). A desirable justification should not merely show the compliance with the “law,” but with the core or essence of the legal principles, that is, with the legality principle.

On the link between legality and justification, see Hildebrandt, (n 35) 267.

In the GDPR we observe several references to justification of data processing in general, and of automated decision-making in particular. In different parts of the GDPR, when there is a prohibition (e.g., the prohibition to repurpose the data processing, as stated in Article 5(1)(b); the prohibition to process sensitive data, as stated in Article 9(1); the prohibition to conduct automated decision-making, as stated in Article 22(1); the prohibition of transferring data outside the European Union, as mentioned in Article 44, etc.), there is always a list of exceptions, often accompanied by some safeguards to protect fundamental rights and freedoms of the data subject. This combination of exceptions and safeguards is the basis of what we can consider a justification. In addition, in these cases the GDPR often refers to the “principles of data processing” as the overarching norm or goal with which the data controller needs to comply in order to justify the legality of some nominally illegal acts (see, e.g., recital 72 about profiling or recital 108 about data transfer).

We might observe another strong example of justification in the GDPR: it is the case of high-risk data processing (Article 35). Under the Data Protection Impact Assessment (DPIA) model, data controllers must prove the legal proportionality and necessity of the data processing, and thus the legal necessity and proportionality of eventual automated decisions taken (Article 35(7)(d)). This may constitute a form of justification of data processing on the basis of legality and legitimacy, aiming at the “essence” of data protection.

Dariusz Kloza et al., “Data Protection Impact Assessment in the European Union: Developing a Template for a Report from the Assessment Process,” (LawArXiv 2020) DPiaLab Policy Brief 29 available at https://osf.io/7qrfp, accessed 1 December 2020.

In addition, the Article 29 Working Party Guidelines on profiling recommend that data controllers (in order to comply with Articles 13–15) explain the pertinence of categories of data used and the relevance of the profiling mechanism.

See Article 29 Working Party, Opinion on Automated Individual Decision-Making, Annex, p. 30.

Interestingly, empirical research revealed that justification of algorithms (defined as showing the fairness of goals and rationales behind each step in the decision) is the most effective type of explanation in changing users’ attitudes toward the system.

Biran and Cotton (n 33); Kaminski (n 26) 1548; Tom R. Tyler, “Procedural Justice, Legitimacy, and the Effective Rule of Law,” Crime and Justice 30, no. 283, (2003): 317–18, according to whom a justification based on a fair process is more likely to make people accept a decision.

While some scholars have already addressed the need for justification of automated decision-making (rather than a mere need for explanation), very few authors have tried to clarify what this ADM justification should be and how it should be conducted under the GDPR rules. This article argues that, considering the meaning of “legal justification,” as mentioned in the previous sections, justifying an algorithmic decision should prove the legality of that decision. For “legality,” we mean not just lawfulness, but also accountability, fairness, transparency, accuracy, integrity, and necessity.

In recent years, scholars have called for fair algorithms,

Future of Privacy Forum, “Unfairness by Algorithm: Distilling the Harms of Automated Decision-Making,” (2017) available at https://fpf.org/2017/12/11/unfairness-by-algorithm-distilling-the-harms-of-automated-decision-making/, accessed 8 February 2020; Sainyam Galhotra, Yuriy Brun, and Alexandra Meliou, “Fairness Testing: Testing Software for Discrimination,” Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering—ESEC/FSE 2017, (ACM, 2017) http://dl.acm.org/citation.cfm?doid=3106237.3106277, accessed 31 May 2019; Andrew D. Selbst et al., “Fairness and Abstraction in Sociotechnical Systems,” Proceedings of the Conference on Fairness, Accountability, and Transparency (ACM, 2019) http://doi.acm.org/10.1145/3287560.3287598, accessed 16 September 2019.

Interestingly, the principles of data protection seem to lead to the desirable characteristics of automated decision-making, as mentioned above. We will now analyse them one by one, contextualising them to the case of algorithmic decision-making.

Article 5(1)(a) refers to lawfulness, transparency, and fairness. As regards to lawfulness, automated decision-making should be lawful, that is, it should have a legal ground and respect fundamental rights and freedoms. Such a legal basis can be found not only in Article 6(1) (or in Article 9(2) in case of special categories of personal data), but also in Article 22. Since Article 22(1) is interpreted as a prohibition of automated decision-making,

WP29, Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679, 23: “Article 22(1) sets out a general prohibition on solely automated individual decision-making with legal or similarly significant effects, as described above. This means that the controller should not undertake the processing described in Article 22(1) unless one of the following Article 22(2) exceptions applies (. . .).” See Michael Veale and Lilian Edwards, “Clarity, Surprises, and Further Questions in the Article 29 Working Party Draft Guidance on Automated Decision-Making and Profiling,” Computer Law & Security Review 34 (2018): 398.

As regards to fairness justification, the data controller should prove that the decision-making processing is fair, that is, it is nondiscriminatory, unbiased, nonmanipulative, and that, in general, it does not exploit a significant imbalance between the controller and the subject in particular contexts (vulnerable individuals).

Damian Clifford and Jef Ausloos, “Data Protection and the Role of Fairness,” Yearbook of European Law 37 (2018): 130; Gianclaudio Malgieri, “The Concept of Fairness in the GDPR: A Linguistic and Contextual Interpretation,” Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency (Association for Computing Machinery 2020) available at https://doi.org/10.1145/3351095.3372868, accessed 29 January 2020.

As regards to transparency justification, the data controller should prove that the algorithmic processing is legible

Malgieri and Comandé (n 9).

Article 5(1)(b) refers, then, to purpose limitation. According to this principle, the justification should also prove that the ADM system is based only on data collected for the specific (licit and declared) purpose of obtaining an automated decision affecting the data subject. Under a broader perspective, the purpose limitation justification also should clarify that the algorithm was not originally developed for other purposes (military, commercial, etc.) and then eventually repurposed for the processing at stake.

See the importance of purposes in the legibility test proposed in Malgieri and Comandé (n 9) 259–60.

Article 5(1)(c) mentions the principle of data minimisation. Under this principle, the justification of the data controller should prove that the ADM is based on the processing of only data that are adequate, relevant, and limited to what is necessary for the purpose of taking that automated decision. To present an example, if the controller is an employer who needs to hire a new employee and she declares that the automated decision-making processing has the purpose of selecting the worthiest candidate, any information about, for example, the sexual orientation, ethnic origin, religion, or the possibility of taking maternity leave (fertility, marital status, etc.), are unnecessary and should not be collected. This might be a way also to prevent intentional discrimination

Pauline T. Kim, “Data-Driven Discrimination at Work,” 58 Wm. & Mary L. Rev. (2017), 857: 884.<<Au: Pls verify citation: 857 is the first page, 884 is the page I want to refer to>>

Article 5(1)(d) refers to data accuracy. When justifying ADM, accuracy is also fundamental. The data controller should prove that the algorithmic decision is correct and accurate. Recital 71 (addressing ADM) requires data controllers to make sure “that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised.”

Italics added.

Article 5(1)(e) mentions the principle of storage limitation. Although in the field of ADM this principle seems not so pertinent, its function is important. This principle requires that data should be stored for no longer than necessary for the purpose of the processing: This time limitation also should apply to algorithmic decision-making. In other words, ADM should not be based on data that are no longer necessary (e.g., outdated data) for the purpose and the context of the decision. At the same time, controllers should not use algorithms that are no longer necessary for the declared purposes.

Article 5(1)(f) mentions the principle of integrity and confidentiality. In the context of ADM, it is central that algorithmic decisions are integrous and do not lead to cybersecurity risks that could adversely affect the safety (or any other fundamental right or freedom) of the data subject. Recital 71 also indirectly refers to these “risks” when mentioning automated decisions. However, cybersecurity, safety, and integrity are central elements to consider when justifying algorithms. A “just” algorithm is based on and produces integrous data, and does not endanger the (digital or physical) safety of the data subject.

European Parliament resolution of 20 October 2020 with recommendations to the Commission on a framework of ethical aspects of artificial intelligence, robotics, and related technologies (2020/2012(INL)), § 26: “Stresses that the protection of networks of interconnected AI and robotics is important and strong measures must be taken to prevent security breaches, data leaks, data poisoning, cyber-attacks and the misuse of personal data, (. . .); calls on the Commission and Member States to ensure that Union values and respect for fundamental rights are observed at all times when developing and deploying AI technology in order to ensure the security and resilience of the Union's digital infrastructure.”

The last principle in Article 5 is accountability (Article 5(2)). Accountability of ADM is an overarching goal that is considered the final objective of legally desirable AI, in particular in the data protection framework.

See, e.g., Bryce Goodman, “A Step Towards Accountable Algorithms?: Algorithmic Discrimination and the European Union General Data Protection” (2016); Dillon Reisman et al., “Algorithm Impact Assessment: A Practical Framework for Public Agency Accountability,” (AI Now Institute: 2018); Sonia K. Katyal, “Private Accountability in the Age of Artificial Intelligence,” UCLA Law Review 66 (2019): 88; Kroll et al., (n 50); Kaminski (n 26); Lepri et al., (n 51).

On the other hand, the methodological perspective of accountability indicates how the justification should be conducted, that is, how the justificatory auditing should be carried out (see below) and what the legal approach to justification should be. In particular, the accountability principle—as Article 5(2) indicates—put the burden of proving data processing compliance on the data controller.

Information Commissioner's Officer, “Accountability and Governance,” (1 October 2020) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-tothe-general-data-protection-regulation-gdpr/accountability-and-governance/, accessed 29 November 2020.

After having explained what the ADM should be, in terms of content and approach, this section is going to present a possible practical example of a justification test (and the related justification statement for data subjects and Data Protection Authorities). In a previous paper, the author and a co-author proposed a “legibility test” for automated decisions under the GDPR.

Malgieri and Comandé (n 9) 264.

Such a justification test might act as an initial framework for conducting Algorithmic Auditing under a legal (and not merely technical) perspective. This test also might be the basis for conducting DPIA on automated decision-making, in particular for what concerns the vague reference to the “assessment of the necessity and proportionality of the processing operations in relation to the purposes” (Article 35(7)(b)). The WP29 Guidelines on DPIA have proposed some criteria for an acceptable DPIA. These guidelines explain that the “assessment of the necessity and proportionality of the processing operations” also implies a good and comprehensive implementation of —inter alia—data protection principles in Article 5 (namely the lawfulness, purpose limitation, data minimisation, and storage limitation principles).

Article 29 Working Party, Guidelines on DPIA, Annex II, 21.

Following the structure of Article 5 and the framework discussed in the previous section, a possible ADM Justification test might be as follows:

ADM lawfulness justification:

Does the ADM data processing have a lawful basis under Article 6(1)?

In recent years, legal scholars and computer scientists have discussed widely how to reach a good level of AI explainability, algorithmic accountability, and fairness. This paper argues that, in the field of data protection, the GDPR already proposes a sustainable environment of desirable ADM systems, which is broader than any ambition to have “transparent,” “explainable,” “fair,” “lawful,” or “accountable” ADM: We should aspire to just algorithms, that is, justifiable automated systems that include all the above-mentioned qualities (fairness, lawfulness, transparency, accountability, etc.).

This might be possible through a practical “justification” process and statement through which the data controller proves, in practical ways, the legality of an algorithm with respect to all data protection principles (fairness, lawfulness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability). This justificatory approach might also be a solution to many existing problems in the AI explanation debate, for example, the difficulty of “opening” black boxes, the transparency fallacy, and the legal difficulties in enforcing a right to receive individual explanations.

After an overview of the GDPR rules (Section 2) and of the definition and limits of AI explanations (Section 3), this article has proposed a wider systemic approach to algorithmic accountability (Section 4). In order to do that, the concept of justification is introduced and analysed both in general (Section 5), and in the legal and data protection fields (Sections 6 and 7). This article argues that the justificatory approach is already required by the GDPR rules. Accordingly, Sections 8 and 9 explain why and how the data protection principles could be a meaningful basis to justify ADM systems.