Article 22 of the GDPR restricts automated individual decision-making and gives data subjects the right to obtain meaningful information about the logic involved. Most AI systems cannot provide this. AI Asset Assurance Shapley attribution generates individual-level causal explanations: "Your application was declined because Variable X contributed 52% and Variable Y contributed 31% of the decision."
Request evaluationEvery requirement maps directly to an AI Asset Assurance capability. One evaluation pipeline covers everything you need.
Data subjects have the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects them.
Controllers must provide data subjects with meaningful information about the logic involved in automated decision-making, as well as the significance and envisaged consequences.
Where automated decisions are permitted, the controller must implement suitable measures to safeguard the data subject's rights, including the right to obtain human intervention and to contest the decision.
A DPIA is required for systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects.
These are the organizations most likely to need compliance evaluation under this regulation.
Automated credit decisions, loan approvals, and account closures affecting EU data subjects. Instant credit assessments are a primary enforcement target.
Automated underwriting, claims processing, and pricing decisions. Algorithmic insurance pricing in the EU is under increasing regulatory attention.
Automated hiring, performance evaluation, and termination decisions. AI-powered ATS systems processing EU candidate data are directly in scope.
Content moderation, account suspension, and advertising targeting decisions that significantly affect EU users. Includes social media platforms and e-commerce marketplaces.
AI-assisted diagnostic, treatment recommendation, and triage systems processing EU patient data. Article 9 special category data protections add additional requirements.
GDPR has extraterritorial reach. If you process EU residents' personal data for automated decisions — regardless of where your servers are — Article 22 applies.
AI Asset Assurance doesn't just find problems — it identifies root causes with Shapley attribution and prescribes exactly how to fix them.
AI Asset Assurance identifies which decisions in your system are "solely automated" under Article 22, which have meaningful human involvement, and which qualify for exemptions. This mapping is the foundation of your compliance posture.
Shapley attribution produces individual-level explanations for each automated decision. Not "the model considered your income and credit history" but "your income contributed 38% to the decision, your credit history contributed 27%, and your employment tenure contributed 19%." Genuinely meaningful.
When a data subject challenges a decision, the decomposed explanation enables substantive human review. The reviewer sees the specific variables and their contributions, can assess whether the decision was appropriate, and can make an informed override. This satisfies Article 22(3).
Governance platforms help you build internal compliance programs — but they sell software to the companies they evaluate. Consulting auditors provide independence — but take weeks per engagement. AI Asset Assurance combines both: genuine structural independence delivered through a streamlined platform, with patent-protected evaluation methods no other provider offers.
| Capability | Generic "explainability" | LIME / SHAP library | Holistic AI | AI Asset Assurance |
|---|---|---|---|---|
| Individual-level explanations | Template statements | ✓ Technical output | Aggregate metrics | ✓ Per-decision causal |
| Meaningful to data subjects | Generic language | Requires expertise | Dashboard metrics | ✓ Plain-language causal |
| Enables contestation | — | Partial | — | ✓ Decomposed for review |
| Independent validation | Self-assessment | Self-implemented | Single platform | ✓ 5 independent validators |
| DPIA-ready documentation | — | — | ✓ Templates | ✓ Technical assessment |
Each scenario reflects documented patterns from DPA enforcement actions, CJEU rulings, and GDPR complaints — applied to automated decision-making covered by Article 22.
GDPR penalty structure: Up to €20 million or 4% of global annual turnover (whichever is higher) for violations of data subject rights including Article 22. DPAs across 30 EEA countries can investigate and enforce independently. Since 2018, GDPR fines have exceeded €4.5 billion cumulatively. Article 22 gives every individual the right not to be subject to automated decisions that produce legal or significant effects — unless the controller can demonstrate safeguards including the right to obtain meaningful information about the logic involved.
A European digital lender uses an AI model for instant credit decisions. A customer in Germany is denied and exercises their Article 22(3) right to obtain "meaningful information about the logic involved." The lender responds with a generic explanation: "the decision was based on creditworthiness factors including income, employment, and credit history." The customer files a complaint with the BfDI (German DPA). The CJEU has ruled (Case C-634/21, SCHUFA) that merely naming categories of data isn't sufficient — the data subject is entitled to understand how the decision was actually reached, including the significance and consequences of the processing.
The lender can't provide more detail because the model is a black box. The BfDI finds an Article 22 violation — the explanation was not "meaningful." The lender must either stop automated lending decisions for EU data subjects or provide genuine explanations. Remediation requires rebuilding the explanation pipeline. During the enforcement period, every automated decision is a potential violation. At €200M revenue, maximum penalty exposure is €8M.
Shapley attribution generates per-decision explanations: "Your application was declined primarily because of a 34% contribution from employment tenure (less than 12 months at current employer), 28% from debt-to-income ratio (above 42%), and 19% from credit utilization rate. The most impactful change would be maintaining current employment for 6 additional months, which would improve your score by an estimated 15 points." That's meaningful. That's what Article 22 requires.
CJEU Case C-634/21 (SCHUFA Holding, Dec 2023) — the Court ruled that credit scoring by automated means constitutes automated decision-making under Article 22, and data subjects are entitled to meaningful explanations of the logic involved.
A social media platform uses AI to automatically remove content and suspend accounts. A user in France has their account suspended for "community guideline violations" based on automated content classification. The user contests the decision under Article 22. The platform can identify which guideline was triggered but cannot explain why the AI classified the specific content as violating that guideline — particularly when similar content from other users was not flagged. The disparity suggests the AI's classification logic may correlate with language patterns associated with certain ethnic or religious communities.
The CNIL investigates after multiple complaints about disproportionate content removal affecting French-speaking North African users. The platform cannot explain why the AI treats linguistically similar content differently. Article 22 violation compounded by potential Article 9 violation (processing revealing racial or ethnic origin). For a platform with €10B annual revenue, 4% penalty exposure is €400M. The DSA may also apply, compounding enforcement.
Cohort analysis reveals the content removal disparity across linguistic and demographic groups. Shapley attribution identifies specific language patterns — dialectal Arabic-French code-switching, certain cultural references — as the features driving disproportionate flagging. The platform adjusts the classification model to distinguish between actual violations and cultural linguistic patterns. Each individual contestation can be answered with specific causal explanation.
Multiple DPAs have investigated social media content moderation as automated decision-making under Article 22. The DSA's transparency requirements for algorithmic systems compound the GDPR exposure.
A European insurer automates health insurance claim processing using AI. Claims under €5,000 are processed entirely by the AI — approved or denied without human involvement. The insurer characterizes this as "human-in-the-loop" because a human designed the rules. But Article 22 requires meaningful human intervention in individual decisions, not just system design. When a policyholder in the Netherlands has a claim denied and requests human review, the "review" consists of a human confirming the AI's output without independent assessment — rubber-stamping, not reviewing.
The AP (Dutch DPA) investigates and finds the insurer's process doesn't meet Article 22(3) — the human review is pro forma, not meaningful. The insurer can't explain to denied policyholders why their specific claim was rejected beyond "it didn't meet the model's criteria." Thousands of claims were processed without valid Article 22 safeguards. The AP has issued fines exceeding €50M for GDPR violations. Every denied claim without meaningful explanation is a potential individual complaint.
Shapley attribution provides per-claim explanations: "This claim was denied because the treatment code (42% contribution) is classified as elective under your policy terms, and the provider's billing code (31% contribution) doesn't match the diagnosis code." The human reviewer receives the causal decomposition and can make a genuinely informed decision. The policyholder receives a meaningful explanation. The insurer demonstrates Article 22(3) compliance with documented, explainable human oversight.
Comparable: UnitedHealth/nH Predict — AI algorithm denied post-acute care claims with 90% reversal rate on appeal, demonstrating that automated claim denial without meaningful human review produces systematic harm.
A European multinational uses AI to score internal employees applying for transfers and promotions across EU offices. The system automatically rejects applications below a threshold score. An employee in Spain, denied a transfer to a senior role, exercises their GDPR right to request information about the automated decision. The HR department can only provide the score — not what drove it. The employee notices that colleagues with similar qualifications but different national backgrounds were approved. The employee files a complaint with the AEPD (Spanish DPA) and simultaneously files a labor discrimination claim.
The employer can't explain the score difference between the complainant and approved colleagues. The AEPD finds an Article 22 violation. The labor court finds the employer cannot demonstrate the decision was non-discriminatory — the burden of proof shifts to the employer under EU anti-discrimination law, and without explanation capability they can't meet that burden. Dual exposure: GDPR penalty plus labor damages, back pay, and potential reinstatement order.
Shapley attribution provides individual-level explanations for every internal transfer decision — showing exactly which variables drove each score and by how much. The employer can explain to the Spanish employee precisely why their score differed from approved colleagues, addressing specific variables. If the explanation reveals a legitimate difference (relevant experience in the target role), the employer has documented evidence. If it reveals a proxy for national origin, the employer can fix the model before more employees are affected.
Article 22 complaints are increasingly combined with anti-discrimination claims, creating dual GDPR + labor law exposure. The CJEU's SCHUFA ruling strengthened the right to explanation for all automated decisions with significant effects.
Article 22's right to explanation requires per-decision causal attribution — exactly what Shapley decomposition provides. Every individual affected by your AI has the right to understand why. AI Asset Assurance makes that explanation possible, accurate, and documented.
Not template language. Not aggregate scores. Individual-level causal attribution that satisfies Article 22 and actually means something to the person affected.
Request evaluation