¹ See eg Citron, D Keats and Pasquale, FA ‘The scored society: due process for automated predictions’ (2014) 89 Washington Law ReviewGoogle Scholar; Binns, R ‘Data protection impact assessments: a meta-regulatory approach’ (2017) 7 International Data Privacy Law 1CrossRefGoogle Scholar; F Doshi-Velez et al ‘Accountability of AI under the law: the role of explanation’ (2017) Harvard Public Law Working Paper No 18-07, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3064761 (last accessed 17 June 2019).

² Coglianese, C and Lehr, D ‘Regulating by robot: administrative decision making in the machine-learning era’ (2017) 105 Georgetown Law Journal 1147Google Scholar.

³ Sueur, A Le ‘Robot government: automated decision-making and its implications for parliament’ in Horne, A and Sueur, A Le (eds) Parliament: Legislation and Accountability (Oxford: Hart Publishing, 2016) p 183Google Scholar.

⁴ Oswald, M ‘Algorithm-assisted decision-making in the public sector: framing the issues using administrative law rules governing discretionary power’ (2018) 376 Philosophical Transactions of the Royal Society 2128CrossRefGoogle ScholarPubMed.

⁵ Throughout, this paper uses the term ‘public body’, or ‘public bodies’, to refer to ministers, public authorities, local authorities, health authorities, chief constables, reviewable tribunals, regulators, and any other decision-maker which is subject to judicial review when acting in a public law capacity. Note that the Data Protection Act 2018 (DPA 2018) uses its own definition of ‘public body’ for the purposes of GDPR (DPA 2018, s 7).

⁶ L Dencik et al ‘Data scores as governance: investigating uses of citizen scoring in public services’ (2018) p 3, available at https://datajusticelab.org/data-scores-as-governance (last accessed 17 June 2019).

⁷ Dencik et al, above n 6.

⁸ For more in-depth but legally accessible discussion of how machine learning systems operate see Lehr, D and Ohm, P ‘Playing with the data: what legal scholars should learn about machine learning’ (2017) 51 UC Davis Law Review 653Google Scholar; for a deeper dive into machine learning research, see Domingas, P ‘A few useful things to know about machine learning’ (2012) 55 Communications of the ACM 10Google Scholar.

⁹ Barocas, S and Selbst, AD ‘Big data's disparate impact’ (2016) 104 California Law Review 671Google Scholar; Boyd, D and Crawford, K ‘Critical questions for big data: provocations for a cultural, technological, and scholarly phenomenon’ (2012) 15 Information, Communication and Society 5CrossRefGoogle Scholar; Eubanks, V Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor (Macmillan, 2018)Google Scholar.

¹⁰ Burrell, J ‘How the machine “thinks”: understanding opacity in machine learning algorithms’ (2016) 3(1) Big Data & SocietyCrossRefGoogle Scholar; Kroll, JA et al. ‘Accountable algorithms’ (2017) 165 University of Pennsylvania Law Review 633Google Scholar; Pasquale, F The Black Box Society: The Secret Algorithms That Control Money and Information (Cambridge, Mass: Harvard University Press, 2015)CrossRefGoogle Scholar.

¹¹ van den Hoven van Genderen, R ‘Privacy and data protection in the age of pervasive technologies in AI and robotics’ (2017) 3 European Data Protection Law 3Google Scholar; Council of Europe ‘Algorithms and Human Rights: Study on the human rights dimensions of automated data processing techniques and possible regulatory implications’ (2017) Council of Europe study DGI(2017)12, available at https://edoc.coe.int/en/internet/7589-algorithms-and-human-rights-study-on-the-human-rights-dimensions-of-automated-data-processing-techniques-and-possible-regulatory-implications.html (last accessed 17 June 2019).

¹² Primarily in the ‘FAT-ML’ – Fairness, Accountability, and Transparency in Machine Learning – research community; see https://www.fatml.org/.

¹³ Burrell, above n 10.

¹⁴ R Guidotti et al ‘A survey of methods for explaining black box models’, available at https://arxiv.org/abs/1802.01933 (last accessed 17 June 2019).

¹⁵ The benefits of transparency have their limits: see Ananny, M and Crawford, K ‘Seeing without knowing: limitations of the transparency ideal and its application to algorithmic accountability’ (2016) 20(3) New Media & Society 973CrossRefGoogle Scholar; Edwards, L and Veale, M ‘Enslaving the algorithm: from a “right to an explanation” to a “right to better decisions?”’ (2018) 16 IEEE Security & Privacy 3CrossRefGoogle Scholar.

¹⁶ F Poursabzi-Sangdeh et al ‘Manipulating and measuring model interpretability’ (2018), available at https://arxiv.org/abs/1802.07810 (last accessed 17 June 2019).

¹⁷ The need for useful tools for those involved in operating or assessing ADM systems has been recognised elsewhere: see M Veale et al ‘Fairness and accountability design needs for algorithmic support in high-stakes public sector decision-making’ (2018) Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI'18), available at https://arxiv.org/abs/1802.01029 (last accessed 17 June 2019).

¹⁸ In another common law jurisdiction, the Australian Government's best practice principles for ADM emphasise that decisions made by or with the assistance of ADM must comply with administrative law (Australian Government Automated Assistance in Administrative Decision-Making: Better Practice Guide (2007) p ix, available at https://www.oaic.gov.au/images/documents/migrated/migrated/betterpracticeguide.pdf (last accessed 17 June 2019)).

¹⁹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

²⁰ As well as providing for clarifications, qualifications, and exemptions from GDPR where permitted, DPA 2018 also extends GDPR to many circumstances where automated-decision making by public bodies is not otherwise covered by GDPR because their activities lie outside the scope of EU law (see DPA 2018, Pt 2 Ch 3; Pt 3; Pt 4).

²¹ That is, any information relating to an identified or identifiable natural person (GDPR, Art 4(1)).

²² The natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purposes and means of processing (GDPR, Art 4(8)). Where the purposes and means of processing are determined by an enactment, the data controller will be the person on whom the obligation to process the data is imposed by that enactment (DPA 2018, s 6(2)) – this will most likely be the public body in question.

²³ GDPR, Art 4(8).

²⁴ GDPR, Art 5; see also Recital 39.

²⁵ GDPR, Art 5(2).

²⁶ Processing means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ (GDPR, Art 4(2)).

²⁷ GDPR, Arts 13–14.

²⁸ The existence, extent, and usefulness of this right is much debated. See eg B Goodman and S Flaxman ‘European union regulations on algorithmic decision-making and a “right to an explanation”’ (2016) 2016 ICML Workshop on Human Interpretability in Machine Learning (WHI 2016), available at https://arxiv.org/abs/1606.08813 (last accessed 17 June 2019); Wachter, S et al. ‘Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation’ (2017) 7 International Data Privacy Law 2CrossRefGoogle Scholar; Selbst, AD and Powles, J ‘Meaningful information and the right to explanation’ (2017) 7 International Data Privacy Law 4CrossRefGoogle Scholar; Malgieri, G and Comandé, G ‘Why a right to legibility of automated decision-making exists in the General Data Protection Regulation’ (2017) 7 International Data Privacy Law 4CrossRefGoogle Scholar; Edwards, L and Veale, M ‘Slave to the algorithm? Why a “right to an explanation” is probably not the remedy you are looking for’ (2017) 17 Duke Law & Technology Review 18Google Scholar.

²⁹ See eg Cane, P ‘Understanding judicial review and its impact’ in Hertogh, M and Halliday, S (eds) Judicial Review and Bureaucratic Impact (Cambridge: Cambridge University Press, 2008)Google Scholar; Elliott, M and Thomas, T ‘Tribunal justice and proportionate dispute resolution’ (2012) 71 Cambridge Law Journal 2CrossRefGoogle Scholar.

³⁰ J Singh et al ‘Responsibility & machine learning: part of a process’ (2016), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2860048 (last accessed 17 June 2019).

³¹ Skitka, LJ et al. ‘Does automation bias decision-making?’ (1999) 51 International Journal of Human-Computer Studies 5CrossRefGoogle Scholar.

³² Council of Civil Service Unions v Minister for the Civil Service [1984] 3 All ER 935Google Scholar; see also Associated Provincial Picture Houses v Wednesbury Corporation [1947] 2 All ER 680Google Scholar.

³³ See eg R v Lord Chancellor, ex p Witham [1997] 2 All ER 779Google Scholar.

³⁴ Note that DPA 2018 makes specific provision for law enforcement (Pt 3), intelligence services (Pt 4), and other processing which would normally be outside the scope of GDPR (Pt 2 Ch 3).

³⁵ A natural person who can be identified, directly or indirectly, from personal data (GDPR, Art 4(1)).

³⁶ GDPR, Art 22; Recital 71; see also Article 29 Data Protection Working Party ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’ (2018a) 17/EN WP251rev.01, p 19, available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053 (last accessed 17 June 2019).

³⁷ Article 29 Data Protection Working Party, above n 36, p 20.

³⁸ The Article 29 Data Protection Working Party was an EU advisory body which consisted of representatives of the Data Protection Authorities of each Member State, the European Data Protection Supervisor, and the European Commission. It provided official guidance on the interpretation and application of EU data protection law. It was replaced by the European Data Protection Board (which adopted the work published by the Article 29 Data Protection Working Party) in May 2018.

³⁹ Article 29 Data Protection Working Party, above n 36, p 21.

⁴⁰ GDPR, Art 35; Recitals 84, 91–94; Article 29 Data Protection Working Party, above n 36, p 21. Data controllers (including public bodies where ADM involves personal data) are required to undertake a DPIA in advance of any processing which is likely to pose a high risk to individuals, and particularly that which involves automated processing which produces legal or similarly significant effects (although note that DPA 2018 does not require necessity and proportionality assessments in DPIAs for processing undertaken for law enforcement purposes (s 64)).

⁴¹ GDPR, Art 22(1).

⁴² Article 29 Data Protection Working Party, above n 36, p 21.

⁴³ Article 29 Data Protection Working Party, above n 36, p 21.

⁴⁴ GDPR, Recital 71.

⁴⁵ Article 29 Data Protection Working Party, above n 36, p 21.

⁴⁶ GDPR, Art 22(2)(a); while public bodies are unlikely to enter into contracts with individuals who are using their services, they may do so in the context of employment decisions, for example.

⁴⁷ GDPR, Art 22(2)(b).

⁴⁸ GDPR, Art 22(2)(c).

⁴⁹ DPA 2018, s 14.

⁵⁰ ‘Special category data’ is personal data revealing racial or ethnic origin, political opinions, religious philosophical beliefs, or trade union membership, or the processing of genetic data, biometric data for the purposes of uniquely identifying an individual, data concerning health, or data concerning an individual's sex life or sexual orientation (GDPR, Art 9(1)).

⁵¹ GDPR, Art 22(4).

⁵² GDPR, Art 9(2)(a).

⁵³ GDPR, Art 9(2)(g); see DPA 2018, s 10, including, in particular, s 10(3) – processing under GDPR, Art 9(2)(g) will be lawful only where it meets a condition set out in DPA 2018, Sch 1 Pt 2. Note also that DPA 2018, s 14 places certain requirements on data controllers which rely on Art 9(2)(g) in making a solely automated decision which produces legal or similarly significant effects.

⁵⁴ GDPR, Art 4(11); see also Recital 32; Article 29 Data Protection Working Party ‘Guidelines on consent under Regulation 2016/679’ (2018b) 17/EN WP259 rev.01, available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051 (last accessed 17 June 2019); Information Commissioner's Office Lawful Basis for Processing: Consent (2018), available at https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent-1-0.pdf (last accessed 17 June 2019).

⁵⁵ GDPR, Art 7(4); Recital 43.

⁵⁶ GDPR, Recital 43.

⁵⁷ GDPR, Art 22(3)–(4); see also Recital 47.

⁵⁸ GDPR, Art 9(2)(g).

⁵⁹ Arising from the fact that these grounds only permit processing where it is necessary.

⁶⁰ See Article 29 Data Protection Working Party, above n 36, p 23.

⁶¹ Article 29 Data Protection Working Party, above n 36, p 23; see also European Data Protection Supervisor Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit (2017), available at https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf (last accessed 17 June 2019).

⁶² GDPR, Art 5(1)(a).

⁶³ GDPR, Art 21.

⁶⁴ DPA 2018, s 15.

⁶⁵ GDPR, Art 6(1); note that public bodies may not rely on the ‘legitimate interest’ grounds set out in in Art 6(1)(f).

⁶⁶ GDPR, Art 6(1)(a).

⁶⁷ GDPR, Art 6(1)(b).

⁶⁸ GDPR, Art 6(3); see DPA 2018, s 8; this ground can only be relied upon if the processing is undertaken pursuant to EU or domestic law which meets an objective in the public interest and is proportionate to the aim pursued.

⁶⁹ GDPR, Art 9(2)(h); see also Recital 53; DPA 2018, ss 10–11; depending on the circumstances, public bodies may able to process special category data where it is necessary for a variety of healthcare purposes.

⁷⁰ See eg Noon v Matthews [2014] EWHC 4330 (Admin); R v London Borough of Tower Hamlets, ex p Khalique [1994] 26 HLR 517Google Scholar.

⁷¹ Carltona Ltd v Commissioners of Works [1943] 2 All ER 560 (CA)Google Scholar.

⁷² H Lavender & Son v Minister of Housing and Local Government [1970] 1 WLR 1231Google Scholar.

⁷³ Ellis v Dubowski [1921] 3 KB 621.

⁷⁴ Mills v London County Council [1925] 1 KB 213Google Scholar.

⁷⁵ Le Sueur, above n 3, pp 188–189; see Social Security Act 1998, s 2.

⁷⁶ Article 29 Data Protection Working Party, above n 36, p 21.

⁷⁷ This should be reflected in the public body's DPIA if the decision involves personal data or concerns a natural person.

⁷⁸ See eg Padfield v Minister of Agriculture, Fisheries and Food [1968] 1 All ER 694Google Scholar; British Oxygen Co Ltd v Minister for Technology [1971] AC 610; R v Warwickshire County Council, ex p Collymore [1995] ELR 217; R (Gujra) v Crown Prosecution Service [2012] UKSC 52.

⁷⁹ See eg R (BBC) v Secretary of State for Justice [2012] 2012 EWHC (Admin); R (GC) v Commissioner of Police for the Metropolis [2011] UKSC 21.

⁸⁰ Australian Government, above n 18, p viii, p 37; see also Le Sueur, above n 3, pp 196–197.

⁸¹ See eg R (Lumba) v Secretary of State for the Home Department [2011] UKSC 12; Nzolameso v City of Westminster [2015] UKSC 22.

⁸² Le Sueur, above n 3, p 198.

⁸³ R (Gallaher Group Ltd) v The Competition and Markets Authority [2018] UKSC 25 at [24]–[30].

⁸⁴ See eg R v Minister for Agriculture, Fisheries and Food, ex p Padfield [1968] 1 All ER 694Google Scholar; R v Secretary of State for Foreign and Commonwealth Affairs, ex p World Development Movement [1994] EWHC 1 (Admin); and Porter v Magill [2001] UKHL 67.

⁸⁵ GDPR, Art 5(1)(b); see also Recital 50.

⁸⁶ GDPR, Art 5(2).

⁸⁷ R v Secretary of State for the Home Department, ex p Doody [1993] 3 WLR 154.

⁸⁸ R v Civil Service Appeal Board, ex p Cunningham [1991] 4 All ER 310.

⁸⁹ Ibid.

⁹⁰ Stefan v General Medical Council [1999] UKPC 10, [2002] All ER (D) 96.

⁹¹ R v Secretary of State for the Home Department, ex p Fayed [1996] EWCA Civ 946, [1998] 1 WLR 763.

⁹² R v Higher Education Funding Council, ex p Institute of Dental Surgery [1994] 1 All ER 651Google Scholar.

⁹³ See the requirements for reasons set out in South Buckinghamshire District Council v Porter (No 2) [2004] 1 WLR 1953 at [36].

⁹⁴ Guidotti et al, above n 14.

⁹⁵ See eg R (Nash) v Chelsea College of Art and Design [2001] EWHC (Admin) 538 at [34]; see also Re Brewster's Application [2017] UKSC 8 at [50]–[52] (although this was heard on reference from Northern Ireland).

⁹⁶ R v Higher Education Funding Council, ex p Institute of Dental Surgery [1994] 1 All ER 651 at [665]–[666].

⁹⁷ As they would be entitled to conclude if the decision was made by a human: see R v Minister of Agriculture Fisheries and Food, ex p Padfield [1968] 1 All ER 694Google Scholar at [1053]–[1054]; R v Secretary of State for Trade and Industry and another, ex p Lonrho plc [1989] 2 All ER 609 at [620]Google Scholar.

⁹⁸ For example, as permitted by Deregulation and Contracting Out Act 1994, Pt II or by secondary legislation made under that Act.

⁹⁹ For which the public body would act as a data controller.

¹⁰⁰ GDPR, Arts 24–36; see also Recitals 81–83; Information Commissioner's Office ICO GDPR guidance: Contracts and liabilities between controllers and processors (2017) draft, available at https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf (last accessed 17 June 2019).

¹⁰¹ R Clayton ‘Accountability, judicial scrutiny and contracting out’ (2015) UK Constitutional Law Blog, available at https://ukconstitutionallaw.org/2015/11/30/richard-clayton-qc-accountability-judicial-scrutiny-and-contracting-out [accessed 17/07/2018].

¹⁰² GDPR, Art 5(2); Art 24.

¹⁰³ See eg R v Servite Houses and Wandsworth LBC, ex p Goldsmith [2001] LGR 55 (QBD).

¹⁰⁴ GDPR, Art 28; Recital 81; this is a new requirement which did not exist in previous legislation.

¹⁰⁵ Clayton, above n 101.

¹⁰⁶ Arguments for other approaches in relation to other forms of outsourced public decision-making have also been proposed: see eg Scott, C ‘Accountability in the regulatory state’ (2000) 27 Journal of Law and Society 1CrossRefGoogle Scholar.

¹⁰⁷ See R v Panel on Take-overs and Mergers, ex p Datafin [1987] 1 All ER 564Google Scholar.

¹⁰⁸ See eg Anisminic Ltd v Foreign Compensation Commission [1968] 2 WLR 163Google Scholar.

¹⁰⁹ See eg Associated Provincial Picture Houses v Wednesbury Corpn [1947] 2 All ER 680Google Scholar; R v Somerset County Council, ex p Fewings [1995] 1 WLR 1037Google Scholar; R (Venables) v Secretary of State for the Home Department [1998] AC 407.

¹¹⁰ GDPR, Art 5(1)(d).

¹¹¹ GDPR, Art 5(2).

¹¹² See eg Brodley, CE and Friedl, MA ‘Identifying mislabeled training data’ (1999) 11 Journal of Artificial Intelligence Research 131CrossRefGoogle Scholar.

¹¹³ GDPR, Art 5(1)(c).

¹¹⁴ D Colquhoun ‘An investigation of the false discovery rate and the misinterpretation of p-values’ (2014) Royal Society Open Science, available at https://royalsocietypublishing.org/doi/full/10.1098/rsos.140216 (last accessed 17 June 2019).

¹¹⁵ GDPR, Art 5(1)(d).

¹¹⁶ GDPR, Art 5(1)(c).

¹¹⁷ R (Gallaher Group Ltd) v The Competition and Markets Authority [2018] UKSC 25 at [24]–[41].

¹¹⁸ Equality Act 2010, Pt 2 Ch 2.

¹¹⁹ The protected characteristics are age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation (Equality Act 2010, ss 4–12).

¹²⁰ Equality Act 2010, s 13.

¹²¹ Equality Act 2010, s 19.

¹²² See eg Veale, M and Binns, R ‘Fairer machine learning in the real world: Mitigating discrimination without collecting sensitive data’ (2017) 4(2) Big Data & SocietyCrossRefGoogle Scholar.

¹²³ Association Belge des Consommateurs Test-Achats and Others v Conseil des Ministers (C-236/09) ECLI:EU:C:2011:100, [2012] 1 WLR 1933.

¹²⁴ See eg Friedman, B and Nissenbaum, H ‘Bias in computer systems’ (1996) 14 ACM Transactions on Information Systems 3CrossRefGoogle Scholar, available at http://www.nyu.edu/projects/nissenbaum/papers/biasincomputers.pdf (last accessed 17 June 2019); Barocas and Selbst, above n 9; Eubanks, above n 9.

¹²⁵ Where a protected characteristic is involved, this could potentially also constitute unlawful discrimination.

¹²⁶ Davidson v Scottish Ministers [2004] UKHL 34 at [6]; although note that his was a case heard on appeal from Scotland.

¹²⁷ See eg R Courtland ‘Bias detectives: the researchers striving to make algorithms fair’ (2018) 558 Nature, available at https://www.nature.com/articles/d41586-018-05469-3 (last accessed 17 June 2019).

¹²⁸ Courtland, above n 127.

¹²⁹ See eg J Kleinberg et al ‘Inherent trade-offs in the fair determination of risk scores’ (2016), available at https://arxiv.org/abs/1609.05807 (last accessed 17 June 2019); R Berk et al ‘Fairness in criminal justice risk assessments: the state of the trt’ (2017), available at https://arxiv.org/abs/1703.09207 (last accessed 17 June 2019); S Corbett-Davies et al ‘Algorithmic decision making and the cost of fairness’ (2017), available at https://arxiv.org/abs/1701.08230 (last accessed 17 June 2019).

¹³⁰ R v Secretary of State for the Environment, ex p Kirkstall Valley Campaign [1996].

¹³¹ Re Medicaments and Related Classes of Goods (No 2) [2001]; see also Lawal v Northern Spirit [2004].

¹³² R v Local Commissioner for Administration in North and North East England, ex p Liverpool City Council [1999] All ER (D) 155.