Article 22 of GDPR and Artificial Intelligence Contracts

Europe’s General Data Protection Regulation (“GDPR”) can play a major role in artificial intelligence projects. Article 22 of the GDPR provides that data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces a legal or similar adverse effect. While there are exceptions, Article 22(3) requires the data controller to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at the least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

GDPR’s right of human intervention has widespread implications for AI. It also demonstrates the need for transparency in AI initiatives that involve personal data. In the event of a regulatory investigation, controllers are going to need to be able to provide the relevant facts pertaining to processing to demonstrate compliance with the regulation.

Depending on the nature of the AI solution, many other regulatory regimes may be implicated and therefore need to be addressed in the contract. An indemnity obligation related to the vendor’s failure to comply with applicable laws, together with a limitation of liability carve-out for indemnity claims, are important risk-balancing solutions in artificial intelligence contracts.