Hostname: page-component-77f85d65b8-grvzd Total loading time: 0 Render date: 2026-03-29T12:37:58.846Z Has data issue: false hasContentIssue false
  • English
  • Français

The courts have spoken: examining judicial responses across the EU to algorithmic bias in automated decision-making through the lens of non-discrimination law

Published online by Cambridge University Press:  27 March 2026

Konstantinos Lamprinoudis Open the ORCID record for Konstantinos Lamprinoudis [Opens in a new window]
Konstantinos Lamprinoudis*
Affiliation:
Europa Institute, Leiden University, the Netherlands
*
Email: k.lamprinoudis@law.leidenuniv.nl
Rights & Permissions [Opens in a new window]

Abstract

For as vivid the academic debate around issues of algorithmic bias, discrimination and unfairness has been in the context of EU law, little attention has been paid thus far to the way in which such instances have been dealt with by courts. This article examines from a non-discrimination law perspective how domestic courts of Member States as well as the European Court of Justice have approached cases of algorithmic bias in automated decision-making, by focusing on the judges’ engagement with discrimination-related considerations. For the purposes of my analysis, I propose a taxonomy of judgments dealing with cases of algorithmic bias and analyse a number of examples accordingly to showcase the distinct features of each category. In this regard, a first distinction is drawn between judgments relating to cases of ‘algorithmic discrimination’ and those concerning cases of ‘unfair algorithmic differentiation’. Depending on the extent to which courts take into account any risks of discrimination in the cases falling under the second category, I further distinguish between judgments of ‘discrimination reflection’, those of ‘discrimination awareness’, and those of ‘discrimination silence’. On the basis of this classification, I then attempt to shed more light on how non-discrimination and data protection law may interact with each other in practice in cases of algorithmic bias. Finally, the article concludes with some reflections on the prevailing tendency to address equality concerns through recourse to data protection rules.

Keywords

algorithmic biasnon-discriminationdata protectioncourtsEU law

Information

Type
Core analysis
Information
European Law Open , First View , pp. 1 - 27
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2026. Published by Cambridge University Press

1. Introduction

During the last decades, the rise of digitalisation and automation has undoubtedly become the ‘talk of the town’, disrupting the way in which various tasks and activities have been carried out so far. This has been the case also in the field of decision-making, where sophisticated technologies, including algorithmic and artificial intelligence (hereafter ‘AI’) tools, are increasingly deployed by public authorities and private operators alike to support or even fully automate the way decisions are taken about individuals (what is known as ‘automated decision-making’, hereafter ‘ADM’).Footnote 1 From border control management, taxation and social security, to online advertising, financial services and insurance, to name just a few examples, automated assessments are applied in a wide array of sectors within the European Union (hereafter ‘EU’), enhancing the efficiency, speed and precision of the decision-making process.Footnote 2 The outputs delivered through these assessments may take a myriad of forms, ranging from ratings, rankings and recommendations, to more adverse decisions relating, for instance, to the closure of bank accounts, the dismissal of employees or the refusal to grant credit.Footnote 3

The functioning of ADM systems usually consists in data mining and profiling techniques employing algorithms.Footnote 4 By discovering correlations and patterns in data, algorithms divide individuals into different groups based on common traits, with the aim of making predictions about them pursuant to their belonging to a specific ‘cluster’ and thus driving decision-making accordingly.Footnote 5 Yet, such algorithmic classifications and the decisions taken on the basis of them may entail far-reaching consequences for the rights and interests of the natural persons concerned, who may be selected, scored, rejected, disqualified or otherwise affected by the decisions in question.Footnote 6 Acknowledging this potentially serious impact of automated decisions on individuals, the EU General Data Protection Regulation (hereafter ‘the GDPR’) has laid down in its Article 22 a general prohibition of decision-making practices based solely on automated processing of personal data which produce legal effects on the persons concerned or similarly significantly affect them, save in exceptional circumstances and subject to strict safeguards.Footnote 7

In particular, the use of algorithms in decision-making practices has been found prone to generate potentially discriminatory outcomes, resulting in perpetuating existing stereotypes and exacerbating structural inequalities.Footnote 8 Such an inherent risk of algorithmic and especially AI-driven decisions to discriminate against particular individuals or societal groups has not gone unnoticed by the EU legislature which has integrated equality and non-discrimination concerns into its digital policy machinery,Footnote 9 such as in the GDPRFootnote 10 and the Artificial Intelligence Act (hereafter ‘the AI Act’).Footnote 11 Against this background, the legal challenges surrounding the notion of so-called ‘algorithmic discrimination’, sometimes also referred to as ‘digital’Footnote 12 or ‘emergent’ discrimination,Footnote 13 in EU law have already been the object of substantial scholarly discussions during the last years. These have predominantly focused on the limits of EU non-discrimination legislation, which comprises most notably a number of Equality DirectivesFootnote 14 and Article 21(1) of the Charter of Fundamental Rights (hereafter ‘the Charter’),Footnote 15 as well as on the potential relevance of the data protection rules contained in the GDPR for providing effective enforcement tools to the individuals affected by discriminatory algorithmic decisions.Footnote 16

It seems, however, that the term ‘discrimination’ is sometimes used interchangeably with ‘bias’ to describe instances of unfair differentiation between people caused by ADM, as if the two notions were synonymous. Some clarifications are thus warranted at this point. In general, even though the concept of ‘bias’ has a neutral meaning indicating a sort of a slant or deviation from a standard, it is commonly used with a rather negative moral connotation.Footnote 17 Accordingly, in the technical context of algorithms, whereas ‘bias’ generally refers to skewed or incorrect results of algorithmic systems,Footnote 18 it is mostly deployed as encompassing any kind of disadvantage against an individual or a group that could be deemed as ethically wrong.Footnote 19 As such, the term algorithmic ‘bias’ is much broader than the legal notion of algorithmic ‘discrimination’, which solely covers cases of unjustified disadvantageous treatment of certain population categories protected by law because of their specific attributes (eg, gender, race, sexual orientation, etc) and exclusively in certain social contexts (eg, employment).Footnote 20 Hence, legally speaking, these concepts may overlap only in part, in the sense that not all cases of biased algorithmic decisions fall within the scope of non-discrimination law.Footnote 21 As regards those instances of algorithmic bias that do not qualify as discriminatory, I consider the term ‘unfair algorithmic differentiation’ more appropriate.Footnote 22

For as vivid the academic debate around these issues of algorithmic bias, discrimination and unfairness has been in the context of EU law, little attention has been paid thus far to the way in which such instances have been dealt with in practice by courts across the EU. Although most of the judicial decisions delivered in this regard have been already spotlighted by scholars because of their far-reaching implications in terms of data protection and privacy law, their relevance from a non-discrimination perspective has been barely explored, if at all.Footnote 23 In view of this gap in existing literature, this article examines how domestic courts of EU Member States as well as the Court of Justice of the EU (hereafter ‘the CJEU’) have approached cases of algorithmic bias in ADM through recourse to discrimination-related considerations. For the purposes of my analysis, I propose the following taxonomy of judgments dealing with cases of algorithmic bias: given the legally crucial difference between the notions of discrimination and bias/unfairness as explained before, a first distinction can be drawn between judgments relating to cases of algorithmic discrimination and those concerning cases of unfair algorithmic differentiation. Depending on the extent to which courts take into account any risks of discrimination in cases falling under the second category, I further distinguish in descending order of relevance between judgments of ‘discrimination reflection’, those of ‘discrimination awareness’, and those of ‘discrimination silence’. Based on this classification, I then attempt to shed more light on how non-discrimination and data protection considerations may interact in court cases of algorithmic bias.

The reason for conducting such a comparative case law analysis lies in the particular architecture of the EU judicial system, which entrusts the full application of EU law in all Member States as well as the protection of the rights that individuals derive therefrom to both national courts and the CJEU.Footnote 24 In this context, the uniform interpretation and consistency of EU non-discrimination and data protection law is guaranteed through a dialogue between the domestic courts of Member States and the CJEU established by the preliminary reference procedure under Article 267 of the Treaty on the Functioning of the EU (hereafter ‘TFEU’).Footnote 25 It is precisely because of this judicial dialogue that I focus on jurisprudence, having a merely cursory look at the significant administrative practice of the Member States’ competent sectoral authorities, namely national equality bodies and data protection authorities (hereafter ‘DPAs’), to complement my case law findings where necessary.Footnote 26

The article is structured as follows: Section 2 examines the judgments rendered on cases of algorithmic discrimination, while Section 3 looks into the judgments on cases of unfair algorithmic differentiation, further distinguishing between those of discrimination reflection, those of discrimination awareness, and those of discrimination silence (Sections 3A, 3B and 3C). In the aforementioned sections, the article delves indicatively into certain judicial decisions, which merely serve as examples showcasing the particularities of each category of my proposed case law taxonomy, without purporting though to form an exhaustive or representative list of all the judgments that could potentially fall under the respective categories. Then, in Section 4, after setting the theoretical framework that explains the interrelation between non-discrimination and data protection law in general (Section 4A), the article moves on to explore how considerations relating to these two legal regimes may interact in practice in cases of algorithmic bias, by highlighting the degree of such interplay in judicial reasoning (Section 4B), as well as its framing by different courts across the EU (Section 4C). Finally, the article concludes in Section 5 with some reflections on the prevailing tendency to address equality concerns through recourse to data protection rules.

2. Judgments on cases of algorithmic discrimination

The judgments comprising this category deal with cases covered by the protective scope of EU non-discrimination law, in the sense that they relate to the discriminatory effects of algorithmic systems against individuals or groups with legally protected traits in certain areas of life. As such, these cases resemble the ones concerning instances of ‘traditional’, non-algorithmic discrimination that are already familiar to non-discrimination scholars, encompassing instances of both direct and indirect discrimination. More specifically, when membership in a protected group is inputted as a negatively weighted variable in an algorithmic model, the ensuing outcome of the decision-making process may fall within the ambit of direct (algorithmic) discrimination.Footnote 27 Indirect discrimination, for its part, may capture a large spectrum of situations where the algorithmic output itself or the relevant factors used for its generation are apparently neutral but could put a protected group at a specific disadvantage: this is the case, for example, with biased training data leading to under- or over- representation of certain groups, or proxy variables which correlate with a protected ground.Footnote 28

The main distinguishing feature of algorithmic discrimination cases in relation to ‘traditional’ instances of discrimination seems to be the use of some sort of algorithm- or AI-driven tool to differentiate between individuals in a certain decision-making process. Given its technology neutral character, though, EU non-discrimination law is not prevented from applying to automated assessments in areas that fall under its material scope.Footnote 29 Yet, algorithmic discrimination sits uneasily with the well-established dichotomy between direct and indirect discrimination.Footnote 30 In fact, the dividing line between these two concepts in the context of complex algorithmic decisions may prove to be fine,Footnote 31 especially in the case of proxies, which, depending on the degree of their link with a protected ground, can amount to either direct or indirect discrimination.Footnote 32

To date, there are only a handful of judicial decisions dealing with cases of algorithmic discrimination based on legally protected characteristics. Two notable examples, in this regard, are the judgments delivered by the Finnish Non-Discrimination and Equality Tribunal and the Bologna District Court in the Svea Ekonomi and Deliveroo cases, respectively.

A. Svea Ekonomi (Finnish Non-Discrimination and Equality Tribunal)

Following a request from Finland’s Non-Discrimination Ombudsman, the Finnish Non-Discrimination and Equality Tribunal (Yhdenvertaisuus- ja tasa-arvolautakunta) was called upon to adjudicate on a discrimination claim brought against the financial company Svea Ekonomi in the field of credit scoring.Footnote 33 The Finnish tribunal ruled that, by refusing on the basis of a scoring algorithm to grant credit to a client for online purchases, Svea Ekonomi directly discriminated against him on several grounds.Footnote 34

In particular, the score deployed by Svea Ekonomi was not established by conducting an individual assessment of the loan applicant’s financial situation but, instead, by using abstract statistical data obtained by an external service provider on the basis of various factors, including the applicant’s sex, language, place of residence and age.Footnote 35 According to the method deployed for the score calculation, men scored fewer points than women, native Finnish speakers scored less than native Swedish speakers, people living in remote rural areas scored less than those living in residential areas, and age had a similar impact on the number of points scored. For these reasons, the Finnish tribunal concluded that Svea Ekonomi’s scoring practice amounted to multiple discrimination against the client concerned.Footnote 36

B. Deliveroo (Bologna District Court)

In December 2020, the Labour division of the Bologna District Court (Tribunale Ordinario di Bologna, Italy) found that the reputational ranking algorithm deployed by Deliveroo’s platform to give its riders access to a booking system for working sessions was indirectly discriminatory on grounds related to the riders’ trade union activity.Footnote 37 The said system ranked each rider for the purpose of prioritising bookings for the attribution of services on the basis of statistics determined by two parameters: the rider’s reliability, in the sense of her actual participation in the booked working session, and her availability during peak hours for food deliveries. Accordingly, riders who did not participate in the booked session or cancelled it beyond the time limits prescribed by Deliveroo’s contractual regulation would see their ‘scores’ decreasing, thereby getting eventually marginalised from the priority order and having less opportunities to access work in the future.

However, as noted by the Italian court, the way that Deliveroo’s system would ‘penalise’ riders by affecting their statistics did not take into account the reasons behind the riders’ absence from work, such as their participation in a strike. By deeming irrelevant the reasons for the non-participation in the booked session or the late cancellation thereof, the algorithm in question was found to treat in the same way the riders who do not participate for trivial reasons and those who do so because of exercising their right to strike or for other legitimate reasons (eg, illness, disability, needs related to the care of a disabled person or minor children, etc). Under these circumstances, the Bologna Court concluded that Deliveroo’s seemingly neutral cancellation policy applied through its algorithm-driven booking system resulted in placing riders, who adhere to collective actions or otherwise lawfully abstain from work, at a particular disadvantage, thus indirectly discriminating against them.Footnote 38

3. Judgments on cases of unfair algorithmic differentiation

Contrary to the judgments featuring under the previous category, the ones classified hereunder do not deal with cases of discrimination as understood from a legal point of view. Rather, the differentiated treatment of people resulting from the algorithmic decision-making practices at issue in these cases is not based on any legally protected grounds or proxies thereof, or at least it is not proved to be so. Such a situation may arise due to the algorithms’ ability to identify complicated patterns and statistical correlations by relying on granular forms of data, for the purpose of making predictions about people and categorising them accordingly into new, non-traditional groups.Footnote 39 These algorithmically created groups may be based on seemingly irrelevant characteristics (eg, being a dog owner or a video gamer), or parameters that are even incomprehensible to humans (eg, browsing behaviour and various electronic signals),Footnote 40 or other attributes that are currently not recognised by law as worthy of protection (eg, socioeconomic status, education, income, etc) or a combination thereof.Footnote 41 As such, classifications resulting from data-driven forms of profiling might often be ephemeral, arbitrary or random,Footnote 42 and might not necessarily correspond to any real-life social groups,Footnote 43 thereby falling between the cracks of non-discrimination law.

That said, it has been correctly argued that these ‘new’ types of algorithmic differentiation may still be unfair or at least ethically controversial depending on the circumstances of each specific case, even if they do not harm people with protected traits.Footnote 44 Unfairness could emerge, in particular, when such differentiation reinforces structural inequalities in society to the detriment of already vulnerable groups (eg, higher prices charged to low-income consumers), or is based on seemingly innocuous criteria (eg, denial of credit on the basis of a consumer’s postal code or type of car), or leads to incorrect predictions about individuals (eg, a large deposit requested from a consumer who is wrongly predicted to default on her payments).Footnote 45 Thus, despite the inapplicability of non-discrimination legislation to these instances of unfair algorithmic differentiation regardless of legally protected identities, discrimination-related concerns may still be of some relevance depending on the context of each case.

This is not to say, though, that any instance of unfair algorithmic differentiation is necessarily relevant from a non-discrimination law perspective. It is only where a certain ADM practice at issue raises a sufficiently plausible risk or suspicion of discriminatory effects that judges may touch upon the underlying discrimination matters, and still to a varying degree of explicitness and detail, as the case may be, if at all. Accordingly, in relation to this kind of unfair algorithmic decision, my classification of relevant judgments is based on whether the courts concretely reflect on the discrimination risks of those automated decisions (‘judgments of discrimination reflection’); whether they appear merely aware of the discriminatory potential of ADM in general (‘judgments of discrimination awareness’); or whether they remain completely silent on these matters (‘judgments of discrimination silence’).

A. Judgments of discrimination reflection

In the rulings classified under this category, the judges examine in concreto the potentially discriminatory nature or effects of the algorithmic systems at issue, duly considering the ensuing harms for the persons affected under the specific circumstances of each particular case. Hence, discrimination-related considerations form an integral part of the courts’ reasoning and weight with their final conclusion. To better illustrate this judicial approach, I will indicatively refer to the SyRI judgment of the District Court of the Hague, the GALOP II judgment of the Dutch Administrative High Court, the CJEU’s ruling in Ligue des droits humains, as well as to the German Federal Constitutional Court’s judgment on the envisaged use of certain policing systems in Hessen and Hamburg.

SyRI (District Court of the Hague)

In a seminal ruling delivered in February 2020, the District Court of the Hague (Rechtbank Den Haag) pronounced itself on the legality of the ‘SyRI’ algorithm (Systeem Risico Indicatie, System Risk Indication), a digital welfare fraud detection system developed by the Dutch government, through which data from various sources were linked and analysed, generating risk reports about persons worthy of investigation.Footnote 46 Despite the critiques voiced against this tool mainly due to the disproportionately extensive types of personal data collected and processed,Footnote 47 the relevant legislation allowing for the deployment of SyRI was eventually adopted and the system was applied in four Dutch municipalities, thus prompting a challenge on behalf of a coalition of civil society organisations and two citizens.

In its verdict, the Court of the Hague found that the SyRI legislation violated the right to private life under Article 8 of the European Convention of Human Rights (hereafter ‘ECHR’), as interpreted in light of the data protection principles deriving from the EU Charter and the GDPR, by failing to provide sufficient safeguards to comply with the criterion of being ‘necessary in a democratic society’ under Article 8(2) ECHR.Footnote 48 Interestingly, though, the Dutch court inferred from the ECHR’s right to a private life ‘the right to equal treatment in equal cases and the right to protection against discrimination, stereotyping and stigmatisation’.Footnote 49 In this regard, the Court of the Hague noted that the SyRI system had been applied only to neighbourhoods with higher concentrations of poorer and vulnerable groups of people (the so-called ‘problem districts’), as also highlighted by the claimants and the United Nations Special Rapporteur on extreme poverty and human rights acting as an amicus curiae in the case.Footnote 50 Given the large amounts of data processed by the system, there was, in the court’s view, ‘a risk that SyRI inadvertently creates links based on bias, such as a lower socio-economic status or an immigration background’.Footnote 51 Nevertheless, the opacity surrounding the system’s risk indicators and the functioning of its risk model prevented the court from assessing whether or not such a discrimination risk was sufficiently neutralised.Footnote 52

GALOP II (Dutch Administrative High Court)

In the aftermath of the SyRI judgment, another algorithmic risk model, which was used in the context of the ‘GALOP II’ project in the Netherlands for the purposes of identifying addresses in certain areas worthy of further investigation into potentially fraudulent entitlement to social assistance, came under judicial scrutiny before the Dutch Administrative High Court (Centrale Raad van Beroep).Footnote 53 The case was initiated by an individual who was flagged and subjected to home visits based on that risk model, claiming that he was selected for an investigation on discriminatory grounds.Footnote 54

Against this background, the Dutch court emphasised that, when applying risk profiles for investigation purposes, public authorities must comply with the prohibition of discrimination under Article 14 ECHR and Article 1 of Protocol 12 to the ECHR, and refrain from unjustifiably infringing the right to privacy under Article 8(2) ECHR, while also respecting other principles such as transparency, the prohibition of arbitrariness, and legal certainty.Footnote 55 However, by explicitly relying on the findings of the District Court of the Hague in SyRI, the High Court admitted that the lack of transparency regarding the method used by the system in question to select addresses for targeted checks made it impossible to assess whether the aforementioned principles were respected in the case at issue.Footnote 56 Accordingly, the court concluded that the claimant’s suspicion of discriminatory treatment could not be refuted and thus the home visits carried out as part of the project were unlawful.Footnote 57

Ligue des droits humains (CJEU)

In the context of a preliminary reference procedure initiated by the Belgian Constitutional Court (Cour constitutionnelle/Grondwettelijk Hof) in Ligue des droits humains,Footnote 58 the CJEU was asked to review the validity of Directive 2016/681 which regulates the collection of Passenger Name Record (‘PNR’) data by air carriers and the transfer of such data to the Member States’ law enforcement authorities (hereinafter, ‘the PNR Directive’).Footnote 59 In its lengthy Grand Chamber ruling, the Court interpreted the Directive in light of Articles 7, 8, 21(1) of the Charter, laying down a number of obligations and safeguards that Member States need to comply with when implementing the Directive to ensure its consistency with the fundamental rights to privacy, data protection and non-discrimination enshrined in those Charter provisions, respectively.Footnote 60

Interestingly, even though the Belgian court’s request for a preliminary ruling did not originally include any reference to Article 21(1) of the Charter, the CJEU decided by its own motion to extend the scope of its interpretation of the PNR Directive, by also addressing issues of discrimination through the lens of that provision.Footnote 61 More specifically, the CJEU ruled that any processing of PNR data by automated means cannot be based on pre-determined criteria or databases that include factors relating to a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation, the use of which may result in discrimination.Footnote 62 In this regard, the Court pointed out that the prohibition of discrimination based on such characteristics covers both direct and indirect discrimination, so that any pre-determined criteria must be defined in such a way that, even if formulated in a neutral fashion, their application does not place persons bearing any of the those characteristics at a particular disadvantage.Footnote 63 Accordingly, national authorities shall not generally rely on such protected personal traits to target individuals, but must instead take into account special features in the factual conduct of persons giving rise to reasonable suspicions.Footnote 64 Lastly, the Court emphasised that the national authorities in charge of collecting PNR data need to review individually through non-automated means any positive matches resulting from the automatically performed comparison against databases or pre-determined criteria in order to exclude any discriminatory outcomes generated by automated operations.Footnote 65

Policing systems in Hessen and Hamburg (German Federal Constitutional Court)

Faced with actions challenging two pieces of legislation adopted by the German Länder of Hesse and Hamburg, which authorised the police to process stored personal data for law enforcement purposes through the use of automated data analysis (Hesse Act) or automated data interpretation (Hamburg Act) respectively, the German Federal Constitutional Court (Bundesverfassungsgericht) declared the relevant provisions unconstitutional. By carrying out a detailed proportionality analysis, the German court considered that the two Acts breached the general right of personality enshrined in the German Basic Law in its manifestation as the right to informational self-determination due to the broad powers conferred to police authorities.Footnote 66

In the court’s view, the interference with these rights becomes even greater when the automated investigation methods increase the risk of objectively innocent persons being targeted for further investigations, thereby amplifying discrimination in the context of police activity.Footnote 67 The German court acknowledged that although the greater automation of police work has the potential to prevent discrimination, it also harbours specific risks of amplifying discrimination.Footnote 68 The court noted, in this respect, that the severity of the interference with the personality rights of the persons affected may be influenced by the permissible methods of data analysis or interpretation, depending on factors such as the margin of error, the likelihood of discrimination and the difficulty of scrutinising the algorithms involved.Footnote 69 In case an automated investigation method allows the processing of large amounts of data with the aim to detect statistical correlations, then sufficient safeguards are to be provided to prevent any inappropriately distorting or discriminatory effects.Footnote 70 Most prominently, the German Constitutional Court highlighted the adverse consequences stemming from the use of AI self-learning systems by police authorities, noting that a specific challenge is posed by the need to prevent the emergence of algorithmic discrimination.Footnote 71

B. Judgments of discrimination awareness

This category comprises judgments where the risk of algorithmic discrimination is identified in abstracto and only briefly mentioned in the courts’ reasoning in passing, without eventually having particular influence on the outcome of the respective cases. In other words, although courts appear to generally acknowledge the discriminatory potential of ADM as well as the importance of appropriate safeguards to prevent the materialisation of such a risk, they refrain from drawing any concrete conclusion therefrom. This was, for instance, the approach adopted by the CJEU in SCHUFA and by the Italian Council of State in the Buona Scuola line of judgments that are examined below.

SCHUFA (CJEU)

In a case that arose before the Administrative Court of Wiesbaden (Verwaltungsgericht Wiesbaden) concerning an individual who was denied a loan by a financial institution due to a negative credit score established by the German credit reporting agency SCHUFA, the CJEU was asked to render a preliminary ruling on the question whether such credit scoring practice constitutes ‘automated individual decision-making’ within the meaning of Article 22(1) GDPR.Footnote 72 In the Court’s view, the automated establishment, by a credit information agency, of a probability value in the form of a credit score falls in itself under the scope of Article 22 GDPR, where a third party draws strongly on that value to establish, implement or terminate a contractual relationship with the person concerned.Footnote 73

To reach this conclusion, the Court corroborated its interpretation of Article 22(1) GDPR by pointing to the purpose pursued by this provision with regard to the protection of individuals against the particular risks of automated data processing, including any potential discriminatory effects arising therefrom on the basis of protected characteristics, as per recital 71 GDPR.Footnote 74 In this regard, the Court also stressed the need for automated decisions to be accompanied by appropriate measures safeguarding the rights of the persons concerned in a way that prevents, among others, the emergence of discriminatory effects.Footnote 75 Nevertheless, such risks of discrimination have been recognised by the CJEU by simply repeating the text of recital 71 verbatim and without reference to any concrete risks posed by the algorithmically generated credit score at issue for the individual affected.Footnote 76

Buona Scuola (Italian Council of State)

In a series of cases brought against the Italian Ministry of Education, the Italian Council of State (Consiglio di Stato) pronounced itself on the legitimacy of an algorithm-based mobility mechanism which formed part of the so-called ‘Buona Scuola’ educational reform, leading to the misplacement of thousands of school teachers across Italy.Footnote 77 In particular, the Italian court inferred from EU law three principles that must be taken into consideration when using automated tools in decision-making: firstly, the principle of knowability (principio di conoscibilità) which requires that individuals are aware of the existence of an ADM process and can receive meaningful information about the logic involved therein; secondly, the principle of non-exclusivity of an algorithmic decision (principio di non esclusività), pursuant to which individuals have the right not to be subjected to ADM based solely on automated means; and thirdly, the principle of algorithmic non-discrimination (principio di non discriminazione algoritmica).Footnote 78 However, the Council of State concluded that the placement algorithm used by the Ministry did not seem to comply with these principles, especially since it was impossible to understand the reason why the legitimate expectations of the teachers affected were confuted and the way in which the available posts were allocated.Footnote 79

Most notably, algorithmic discrimination was explicitly recognised by the Italian court as a fundamental principle (principio fondamentale) that derives from and is defined by recital 71 GDPR: data controllers must use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure that factors resulting in inaccuracies of personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the individuals concerned and that prevents discriminatory effects on natural persons on the basis of prohibited grounds (eg, race or ethnic origin, political opinions, religion, etc) or that result in measures having such an effect.Footnote 80 In this context, the Council of State further noted that, even if an algorithm does not constitute the sole ground of a decision, it must not assume a discriminatory character, as in such a scenario it would be incumbent to rectify the input data in order to prevent any discriminatory effects in the decision’s output.Footnote 81

C. Judgments of discrimination silence

Contrary to the two previous categories of judgments, in the rulings classified hereunder the courts completely refrain from dealing with the discriminatory potential of unfair algorithmic classifications. As such, judgments of this kind may at first sight look like a mismatch with a taxonomy related to non-discrimination considerations. However, it is the existence of a sufficiently plausible risk or suspicion of discrimination resulting from the use of the ADM in the cases at issue that explains the relevance of these rulings for the purposes of my taxonomy, even though any relevant non-discrimination concerns are eventually overlooked by judges.Footnote 82 As indicative examples of the judicial approach described above, I will examine the judgments delivered by the French Council of State and the French Constitutional Council with regard to the Parcoursup student admission platform, and the judgment rendered by the District Court of the Hague in a case concerning Bunq’s de-risking practices in banking transactions.

Parcoursup (French Council of State and Constitutional Council)

In 2018, a national platform for admission to university studies was established in France under the name ‘Parcoursup’, enabling secondary school students to pre-register, submit their course preferences and respond to admission offers from various higher education institutions.Footnote 83 Following Parcoursup’s implementation, the French Defender of Rights received several complaints alleging lack of transparency as well as potential discrimination in the selection process due to the ranking of applications on the basis of the candidates’ high-school of origin (lycée d’origine), which could be to the detriment of applicants coming from schools with a lower reputation that are mostly located in disadvantaged areas.Footnote 84 In response to these allegations, the Defender of Rights addressed recommendations to the Ministry of Education, emphasising, in particular, that the use of the school of origin as a criterion for the selection of candidates may give rise to discrimination if it results in exclusionary outcomes, by favouring certain candidates or disfavouring others on the basis of their school’s geographical location.Footnote 85

Against this background, the National Student Union of France requested three French Universities, namely the University of Antilles, Reunion and Corsica, to disclose the algorithms and source codes used in the context of reviewing applications via the Parcoursup platform. After its requests were rejected, the union challenged the rejection decisions in court. In the case against the University of Antilles, the French Council of State (Conseil d’État) ruled that the access to documents relating to the algorithmic processes deployed by higher education institutions is restricted to individual candidates, only after the decision concerning them has been made, and concerns only the relevant criteria and methods used for examining their own application.Footnote 86 As regards the cases against the Universities of Reunion and Corsica, albeit reaching the same conclusion, the Council of State decided to refer the issue to the French Constitutional Council (Conseil constitutionnel),Footnote 87 which eventually found that these limitations on the right of access to information did not infringe upon the right of access to administrative documents nor upon the right to effective legal protection.Footnote 88 Nevertheless, despite the explicit warning of the Defender of Rights about the discriminatory potential of the algorithmic admission procedure, neither the Council of State nor the French Constitutional Council raised any concern in this regard.

Bunq’s de-risking practices (District Court of the Hague)

In a case concerning an individual whose accounts had been blocked by a bank called ‘Bunq’ following an automated due diligence investigation, the District Court of the Hague (Rechtbank Den Haag) was asked to rule on that person’s right under the GDPR to obtain information about the assignment of his risk profile, the reasons behind the monitoring and subsequent blocking of his accounts, as well as the underlying logic of the bank’s transaction screening system.Footnote 89 Automated tools are increasingly used by financial or other institutions to monitor financial transactions and identify ‘suspicious’ transfers for the detection of underlying criminal activities in compliance with EU and national rules on anti-money laundering and countering financing of terrorism.Footnote 90 Yet, such tools have been found likely to exclude perfectly innocent customers, particularly those belonging to certain nationalities, ethnic or religious groups, from access to the regular banking system.Footnote 91

In the case at issue, however, no discrimination concerns were raised either by the claimant or by the Dutch court. The Court of the Hague confined itself in rejecting the claimant’s access request, considering that there was no automated decision involved in Bunq’s due diligence process within the meaning of Article 22(1) GDPR: whereas the identification of an allegedly suspicious payment transaction giving rise to further investigation was automatically performed by the bank’s algorithmic monitoring system, all subsequent measures taken, including the blocking of the claimant’s accounts, required the intervention of Bunq’s employees.Footnote 92

4. Deciphering the case law: the interplay between non-discrimination and data protection law

It follows from my proposed case law taxonomy as developed above that the judicial decisions delivered in the field of algorithmic bias can be highly diverse.Footnote 93 The diversity concerns not only the subject matter at issue but also the legal argumentation deployed. What is most remarkable is how differently the judges in each case engage simultaneously with non-discrimination and data protection considerations. The lack of a coherent and uniform body of case law in this regard should not come as a surprise though; it rather reflects the intricate interplay between non-discrimination and data protection law underlying the reasoning of the relevant judgments, which may be often articulated in a different way by various courts across the EU.

Before examining how these two areas of law may interact in judgments relating to concrete instances of algorithmic bias, it is necessary first to delineate the theoretical framework that explains their interrelationship in general. I will then move on by exploring to what degree non-discrimination and data protection considerations may intertwine with each other in judicial reasoning, and on which terms such interplay may be framed by different courts across the EU.

A. The theoretical framework of the interplay

The parallels and close relation between EU non-discrimination and data protection law have been already noted by scholars.Footnote 94 It has been argued, in particular, that both non-discrimination and data protection law encompass elements of fairness.Footnote 95 This is also acknowledged by recital 71 GDPR which entails that fair processing of personal data requires the implementation of measures that prevent any discriminatory effects on natural persons.Footnote 96 Accordingly, apart from being potentially captured by EU non-discrimination rules, data-driven or algorithmic discrimination will further amount to unfair data processing contrary to Article 5(1)(a) GDPR.Footnote 97 Similarly, in case the discriminatory outcomes in question derive from biased or otherwise incorrect data, the principle of accuracy under Article 5(1)(d) GDPR will also be violated.Footnote 98 At the same time, since the fairness of data processing is inextricably linked to its lawfulness as indicated by the wording of Article 5(1)(a) GDPR,Footnote 99 it follows that the non-discriminatory character of data processing also constitutes a precondition for its lawfulness.

The interaction between non-discrimination and data protection law is perhaps more evident when looking at Article 9 GDPR, which in principle prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, subject to certain derogations and safeguards.Footnote 100 By a simple reading of the text of Article 9(1) GDPR, one cannot help but notice that the categories of data considered as ‘sensitive’ largely correspond to the prohibited grounds of discrimination under the EU Equality Directives and Article 21 of the Charter, even though they do not fully overlap with those.Footnote 101 These data are afforded greater protection under data protection legislation due to their inherent risks for the fundamental rights and freedoms of individuals, notably due to their increased potential of giving rise to discrimination in case of misuse.Footnote 102 Sometimes, however, using such data as variables in ADM models may be necessary to prevent discrimination.Footnote 103 Be that as it may, Article 9 GDPR clearly illustrates that certain personal traits are recognised by both non-discrimination and data protection regimes as deserving special legal guarantees. It has even been suggested, in this respect, that the GDPR and a broad understanding of the notion of ‘sensitive data’ could indirectly contribute to expanding the limited scope of the Equality Directives.Footnote 104

Yet, it is in the context of ADM processes where the convergence of non-discrimination and data protection considerations becomes mostly prevalent. Since structural inequalities, biases and stereotyping patterns are often reflected in the data used by algorithmic or AI systems as training material, the outputs generated therefrom may further reproduce or magnify existing discrimination against persons belonging to certain vulnerable social groups.Footnote 105 Given the particularities of algorithmic decision-making, any discriminatory or otherwise unfair outcomes produced by ADM systems can spread at a wider scale and at a much quicker pace in comparison to human decisions, thereby exacerbating their ramifications for a greater number of people.Footnote 106 Because of these risks, Article 22 GDPR confers on individuals the right not to be subject to automated data processing, unless certain conditions are met and provided the data controller – responsible for determining the means and purposes of the processing – implements appropriate measures to safeguard the rights and freedoms of the individuals concerned.Footnote 107 As per recital 71 GDPR, these measures are intended, among others, to prevent inaccuracies, errors, and discriminatory effects of automated decisions. Such an explicit connection between non-discrimination and data-related considerations is further made, albeit beyond the field of data protection, by Article 10 AI Act which requires that the datasets used for training, validation and testing of high-risk AI systems are ‘relevant, sufficiently representative, and to the best extent possible, free of errors and complete’ and become subject to data governance and management practices that involve the examination for possible biases likely to have a negative impact on fundamental rights or lead to discrimination, and provide for appropriate measures to detect, prevent and mitigate any biases identified. Nevertheless, an analysis of these requirements goes beyond the scope and purpose of the present article.

In the context of automated decisions, whether algorithmically generated or AI-based ones, the interrelation between non-discrimination and data protection considerations usually revolves around the concepts of ‘transparency’, ‘explainability’ or ‘interpretability’ of the ADM systems concerned.Footnote 108 Due to their complex internal functioning, commonly described as ‘black box’, algorithms and particularly advanced AI machine-learning models are typically not only unknown but also incomprehensible to laypersons, so that the understanding of how a particular algorithmic output has derived from specific data inputs and whether it is discriminatory often proves to be challenging.Footnote 109 Such opacity of algorithmic tools significantly impedes victims of discriminatory or otherwise unfair outcomes from detecting and proving algorithmic bias within a given automated decision, especially for the purposes of establishing a prima facie case of discrimination.Footnote 110 As a matter of fact, the persons affected by ADM systems may sometimes not even be aware of the occurrence of a discriminatory practice against them.Footnote 111 Thus, absent sufficient knowledge or understanding of the functionality of automated systems, the affected persons cannot successfully contest the relevant decisions concerning them, while the judges will be unable to properly assess the facts of the case brought before them.Footnote 112 Accordingly, transparency plays an instrumental role in ensuring non-discrimination in ADM processes, not only by facilitating the prevention and detection of biases but also by enabling the persons affected by biased decisions to contest them.Footnote 113 As such, it proves to be crucial for safeguarding the individuals’ right to have recourse to effective judicial redress against automated decisions of discriminatory or otherwise unfair character.Footnote 114

In view of the crucial function of transparency in ADM processes, Article 15(1)(h) GDPR enshrines the right of individuals to be informed about the existence of automated data processing and have access to ‘meaningful information about the logic involved as well as the significance and the envisaged consequences’ of such processing for them.Footnote 115 Following the CJEU’s ruling in Dun & Bradstreet Austria, this right has explicitly been deemed tantamount to ‘a genuine right to an explanation’ about the functioning of the mechanism involved in the ADM process and the result of that decision.Footnote 116 Accordingly, the persons affected by algorithmic outcomes will be entitled to receive an explanation of the procedure, principles and input data that were actually used to obtain the specific result concerning them in a concise, transparent, intelligible and easily accessible form, without general information about complex mathematical formulas, such as algorithms, being sufficient.Footnote 117 The disclosure of the most important features of an automated individual decision does not only enable the individuals concerned to effectively exercise the rights conferred on them by the GDPR;Footnote 118 it also contributes to the detection of discrimination, by enabling affected persons to determine to what extent a given ADM process might have been driven by variables overlapping or correlated with prohibited grounds of discrimination.Footnote 119 It is precisely for this reason that the so-called ‘judgments of discrimination silence’ become relevant from the standpoint of non-discrimination law: insofar as these rulings reflect the attempt of individuals to gain insight into the way in which unfair algorithmic outputs are produced, they pave the way for those persons to take follow-on actions, by exercising their rights granted under non-discrimination legislation, including the right to file a discrimination claim within a national equality body and the right to request compensation or reparation for the loss and damage sustained.Footnote 120

Against this background, it has been convincingly advocated in academic literature that data protection rules, notably the GDPR, and EU non-discrimination law could complement each other for the purpose of addressing any biased or discriminatory effects that may arise from ADM operations.Footnote 121 The potential synergies between the two areas of law concern not only the substance but also, and primarily, enforcement, with the GDPR providing the appropriate mechanisms that may contribute both to the ex ante control and prevention of unfair biases or discrimination, and to their correction ex post where applicable.Footnote 122 By way of illustration, the obligation imposed on data controllers under Article 35 GDPR to carry out a Data Protection Impact Assessment whenever the processing of personal data concerned is likely to result in a high risk to the individuals’ rights and freedoms, including their right to non-discrimination, ensures that controllers assess the likelihood and severity of risks of errors, biases or discrimination before the processing takes place, and take any measures necessary to mitigate such risks accordingly.Footnote 123 In addition, the right to receive information/explanations pursuant to Article 15(1)(h) GDPR, as further clarified by the CJEU in Dun & Bradstreet Austria, constitutes a promising tool which enables the individuals affected by discriminatory or otherwise unfair algorithmic results to be granted a certain degree of transparency about the ADM operations concerning them and thus to establish, as the case may be, a prima facie case of discrimination. Finally, apart from private enforcement through individual rights, the GDPR further provides for collective redress mechanisms and grants substantial public enforcement powers to DPAs, such as the conduct of audits and investigations and the imposition of hefty fines, thus compensating for the existing shortcomings of EU non-discrimination law in this regard.Footnote 124 This is why, besides, a close collaboration between national equality bodies and DPAs is deemed essential in the field of algorithmic bias.Footnote 125

B. The degree of the interplay in judicial reasoning

Having set the theoretical framework about how non-discrimination and data protection considerations may conceptually and legally converge, I will now examine how this interplay may be practically reflected in court cases of algorithmic bias. It is submitted from the outset that the two areas of law do not necessarily interact in a fixed and balanced manner in judicial reasoning. Instead, as my suggested taxonomy of judgments indicates, the degree of their interplay will usually be dynamic and sometimes even totally asymmetrical.

On the one hand, the courts’ reasoning in cases of algorithmic discrimination seems to predominantly revolve around arguments and concepts of non-discrimination law, whether of EU or national origin or both, leaving aside any data protection concerns. For instance, in Svea Ekonomi, the Finnish Non-Discrimination and Equality Tribunal reached its conclusion about the discriminatory nature of the credit scoring system in question on the basis of the personal characteristics protected under the Constitution of Finland, the Finnish Non-Discrimination Act and the Act on Equality between Women and Men, while also referring to Directive 2004/113/EC and its interpretation by the CJEU’s in Test-Achats.Footnote 126 In a similar vein, the District Court of Bologna in Deliveroo interpreted the Italian Legislative Decree transposing Directive 2000/78/EC in light of the CJEU’s case law to establish that the discrimination on grounds of trade union activity that Deliveroo’s riders suffered through the platform’s scoring system is covered by the protected ground of personal beliefs; to uphold the legal standing of associations or organisations in cases of discrimination against an unspecified group of workers; and to confirm that discrimination can be found even in the absence of an identifiable complainant.Footnote 127 In both cases mentioned above, the national courts seised of the disputes at issue approached them solely from the perspective of non-discrimination rules without considering the potential relevance of Article 22 GDPR and the consequences arising therefrom.Footnote 128 Given that the source of discrimination in such instances lies precisely in the use or omission of data relating to certain protected personal characteristics, any relevant data protection considerations will most likely be completely ‘absorbed’ by a non-discrimination law analysis and thus eventually become ‘invisible’ in the judicial reasoning.

As concerns judgments pertaining to cases of unfair algorithmic differentiation, on the other hand, the interplay between non-discrimination and data protection norms is far more complex and nuanced. Given that, in the absence of any (proven) correlation with legally protected attributes, instances of algorithmic bias are not captured by non-discrimination legislation, courts across the EU will be mainly called upon to address questions about specific data protection aspects of the ADM processes deployed in the cases concerned, notably regarding the (lack of) transparency of the algorithmic systems used.Footnote 129 Thus, recourse to data protection rules seems to be the only option of legal redress available under EU law for the individuals affected by this kind of biased decisions. Nevertheless, a certain degree of interaction with non-discrimination considerations still exists in some of these cases, depending on the context and the distinction drawn between judgments of discrimination reflection, those of discrimination awareness, and those of discrimination silence.

In judgments of discrimination reflection, the courts tend to expressly engage with the equality concerns raised in relation to the specific ADM processes in the cases at hand, only to ultimately subsume them within the broader framework of data protection law. One can think, for example, of the ruling in SyRI where the District Court of the Hague, albeit expressly acknowledging the risk of discrimination emerging from the use of the algorithmic system at issue, addressed that risk through the lens of its principal data protection/privacy line of argumentation.Footnote 130 As regards judgments of discrimination awareness, non-discrimination assumes a merely marginal role, by corroborating the data protection framework only at the level of abstract principles. This is exactly what happened, for instance, in SCHUFA where the CJEU briefly referred to the discriminatory effects that automated decisions may entail in general to support its interpretation of Article 22 GDPR.Footnote 131 As for the category of judgments of discrimination silence, courts across the EU will focus solely on data protection issues, such as transparency concerns, while completely disregarding any potential discrimination risks arising therefrom, as was the case in the ruling delivered by the District Court of the Hague in Bunq.Footnote 132

C. The framing of the interplay by courts

A closer look at the judicial decisions listed in this paper enables one to observe that the interplay between non-discrimination and data protection considerations in the context of algorithmic bias in ADM processes is framed in various ways by different courts across the EU. Yet, certain recurrent themes seem to exist: the interplay between the two legal regimes is mostly anchored in the principles of lawfulness/fairness of data processing and in the notion of transparency often combined with the right to effective judicial protection.

As a first point, it is noted that the interrelation between non-discrimination considerations and the lawfulness/fairness of data processing is explicitly acknowledged by the CJEU in Ligue des droits humains, where the Court stated that the Member States’ competent authorities must ensure the lawfulness of the automated processing of PNR data, in particular its non-discriminatory nature.Footnote 133 Similarly, such a link underlies the reasoning of the District Court of the Hague in SyRI, where the concerns about the discriminatory potential of the SyRI algorithm were raised in the context of assessing whether the conditions of Article 8(2) ECHR, which reflect the principle of lawful processing, were fulfilled.Footnote 134

Accordingly, given the overlaps between non-discrimination and data protection principles, the finding of algorithmic discrimination by a court or a national equality body does not preclude the simultaneous or subsequent finding of data protection violations by a DPA, or vice versa. Albeit not in a judicial context, this was the case, for instance, of the use of a categorical upper age limit in Svea Ekonomi’s credit assessment system, which was not only deemed discriminatory by the Finnish Non-Discrimination Tribunal but was also found unlawful by Finland’s Data Protection Ombudsman. The latter took the view that the mere age of clients ‘does not describe their solvency, willingness to pay or ability to deal with their commitments’ and ordered Svea Ekonomi to change its data processing practices.Footnote 135 Another notable example in this regard is offered by the decision of the Dutch DPA on the so-called ‘childcare benefits scandal’ in the Netherlands which concerned the deployment of a self-learning algorithm by the Dutch Tax Administration to assess childcare benefit applications and combat fraud. The DPA concluded that the way in which the Tax Administration processed the nationality data of childcare benefit applicants for years, amounted to a serious breach of the GDPR and was also discriminatory by introducing an unjustified distinction on the basis of nationality, thus infringing the principle of fairness under Article 5(1)(a) GDPR.Footnote 136 Dealing with the follow-up discrimination claims brought by the victims of the benefits case, the Dutch Institute of Human Rights also concluded that the selection criteria used by the Tax Administration for the discontinuation and recovery of childcare benefit from the complainants indirectly discriminated against them on the basis of their foreign origin.Footnote 137

Turning to transparency-related concerns, these constitute the point of convergence between non-discrimination and data protection that appears perhaps most prominently as a leitmotif in the courts’ rulings examined in this paper. For instance, the District Court of Bologna pointed out in Deliveroo that the failure of the delivery company to clarify the concrete mechanism of its algorithm and the specific calculation criteria it deployed precluded a more in-depth judicial examination of the system’s prejudicial effects on the riders concerned. Yet, this remark related only to the defendant company’s failure to discharge its burden of proof by challenging the prima facie case of discrimination brought against it and thus did not prevent the Italian court from upholding the existence of algorithmic discrimination in that case.Footnote 138 On the contrary, though, courts across the EU have declared on several occasions that they were unable to properly assess the discriminatory potential of certain ADM systems due to their lack of sufficient transparency. This was the case, most notably, in SyRI,Footnote 139 GALOP II,Footnote 140 as well as in the Buona Scuola line of judgments.Footnote 141

Regarding, in particular, the tripartite relation between transparency, effective judicial protection and discrimination-related concerns as explained before, a clear illustration thereof is provided in the CJEU’s reasoning in Ligue des droits humains. The Court emphasised there that the individuals concerned must be able to understand how algorithmic programs and the criteria used therein work, so that they can decide with full knowledge of the relevant facts whether or not to exercise their right to judicial redress, in order to call into question, as the case may be, the discriminatory nature of the said criteria.Footnote 142 In the CJEU’s view, this is particularly so with regard to AI-driven self-learning tools, the opacity of which renders it impossible to understand the way decisions are taken and is thus likely to compromise the right of the persons concerned to an effective judicial remedy under Article 47 of the Charter, especially when it comes to challenging the discriminatory nature of the results obtained.Footnote 143 Similarly, in the case of the Policing systems in Hessen and Hamburg, the German Constitutional Court recognised the difficulties in scrutinising complex algorithmic tools, as well as the far-reaching consequences arising therefrom in relation to both the legal protection of the individuals suffered from erroneous assessments and the administrative oversight by state authorities.Footnote 144 Such connection between the inability to understand how a certain automated decision has been reached by a given ADM system and the right of individuals to defend themselves against that decision was also drawn by the District Court of the Hague in SyRI.Footnote 145 Interestingly enough, although the plaintiffs in that case had also argued for a violation of their right to a fair trial under Art 6 ECHR, the Dutch court, having already established a violation of Art 8 ECHR, did not address this claim.Footnote 146

5. Concluding remarks

Reading the existing case law concerning instances of algorithmic bias in ADM operations through the lens of non-discrimination law, the EU judicial landscape appears highly fragmented. The great diversity that permeates the interplay between non-discrimination and data protection considerations can be primarily attributed to the specific claims brought forward by the parties in the course of legal proceedings, which largely determine if and to what extent courts will look more into one legal regime or the other or even both at the same time.Footnote 147 Taking a step back, though, the plaintiffs’ choice as to the exact articulation of their legal argumentation inevitably depends on their ability to successfully discharge the relevant burden of proof required by each set of rules. As regards non-discrimination law, this burden proves to be disproportionately high, given that, apart from the existing barriers to discrimination-related litigation in general,Footnote 148 the granularity and opacity of ADM processes make it particularly hard to identify and prove the discriminatory potential of the decisions concerned.

Such obstacles, along with the inapplicability of non-discrimination law to instances of unfair algorithmic differentiation beyond legally protected attributes, may explain why victims of algorithmic bias tend to frame the harm they suffered mostly in data protection terms when seeking justice before courts, while only reserving a secondary role for non-discrimination considerations, if at all.Footnote 149 That said, as long as that the latter are organically integrated into data protection norms, such as those relating to fair and lawful data processing or transparency, this approach should be welcomed, since it respects the particularities of both non-discrimination and data protection law, while at the same time reflecting their complementarities. Conversely, though, where equality concerns are completely overshadowed by data protection law and ‘reduced’ to rather technical data-related issues, the social functions performed by non-discrimination law remain unaddressed, thereby disregarding the objectives of substantive equality that the latter is meant to accomplish.Footnote 150

In other words, data protection considerations alone fail to properly acknowledge and condemn the social stigma and the disadvantage suffered by victims of algorithmic discrimination.Footnote 151 To quote Hakkarainen, by framing discrimination in purely data-centric terms, the GDPR and data protection law more broadly treat it as a merely ‘mechanical question about abusive data processing’ and, consequently, tend to ‘lose sight of the human behind the data’.Footnote 152 Therefore, leaving aside any clear-cut cases of algorithmic discrimination, it seems to me that the hybrid paradigm represented by the so-called ‘judgments of discrimination reflection’, which organically combine aspects of both non-discrimination and data protection law, could serve as the appropriate benchmark guiding the interplay between the two sets of rules in future cases of algorithmic bias that may reach the courtrooms.

Acknowledgements

An earlier draft of this article was presented at the Third Max Planck European Law Group Conference ‘Equality in an Unequal Europe? Assessing Anti-Discrimination Law in Context’ held in Berlin in October 2024, and at the ELU-S Annual Conference ‘European Law Unbound: What Kind of Europe Can We Reach For?’ that took place in Prague in September 2025. I extend my gratitude to the organisers and participants of these conferences for giving me the opportunity to discuss my ideas and receive feedback. I would also like to particularly thank Professor Christa Tobler for her insightful suggestions during the drafting stage of this article as well as the two anonymous reviewers for their valuable comments. The usual disclaimer applies.

Funding statement

None.

Competing interests

The author has no conflicts of interest to declare.

References

1 According to the definition proposed by T Rodríguez de las Heras Ballell, Guiding Principles for Automated Decision-Making in the EU (European Law Institute 2022) 8–9, ADM is ‘a (computational) process, including AI techniques and approaches, that, fed by inputs and data received or collected from the environment, can generate, given a set of pre-defined objectives, outputs in a wide variety of forms’. As such, ‘the concept of ADM includes algorithmic decision-making as well as AI-driven decision-making’. In the absence of uniform terminology to describe the variety of such processes, I will be referring to ‘ADM’ as an umbrella term under the said definition.

2 For an overview of the current usage and policy debates around ADM across the EU, see AlgorithmWatch and Bertelsmann Stiftung, ‘Automating Society | Taking Stock of Automated Decision Making in the EU’ (January 2019). For an elaborate analysis of the potential risks stemming from the spread of ADM practices across EU policy sectors, see H Hofmann and F Pflücke (eds), Governance of Automated Decision-Making and EU Law (Oxford University Press 2024).

3 For the variety of decision types captured by ADM and the different categories of this concept, see M Brkan, ‘Do Algorithms Rule the World? Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond’ 27 (2) (2019) International Journal of Law and Information Technology 91–121, 94–5.

4 Data mining refers to the ‘nontrivial process of identifying valid, novel, potentially useful and ultimately understandable patterns in data’. See U Fayyad et al, ‘From Data Mining to Knowledge Discovery in Databases’ 17 (3) (1996) AI Magazine 37–54, 40–1. Profiling, for its part, is defined according to Art 4(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 1995 L 119/1, as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’.

5 See T Zarsky, ‘“Mine Your Own Business!”’: Making the Case for the Implications of the Data Mining or Personal Information in the Forum of Public Opinion’ 5 (1) (2002–2003) Yale Journal of Law and Technology 17–47, 9ff; B Goodman and S Flaxman, ‘European Union Regulations on Algorithmic Decision Making and a “Right to Explanation”’ 38 (3) (2017) AI Magazine 50–7, 53, noting that the use of algorithmic profiling is in a certain sense ‘inherently discriminatory’. See also in this regard B Mitellstadt, ‘From Individual to Group Privacy in Big Data Analytics’ 30 (2017) Philosophy and Technology 475–94, 477, arguing that ‘grouping of individuals is a core and unavoidable technique in algorithmic classification’.

6 See T Rodríguez de las Heras Ballell (n 1) 9. With regard to the discrimination and privacy issues related to data mining and profiling practices, see B Custers et al (eds), Discrimination and Privacy in the Information Society: Data Mining and Profiling in Large Databases (Springer 2013).

7 For detailed analysis of Art 22 GDPR, see Art 29 Data Protection Working Party (‘Art 29 Working Party’, the predecessor of the current European Data Protection Board), ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’ (WP251rev.01, 3 October 2017, as last revised and adopted on 6 February 2018).

8 For a detailed overview of the various ways in which algorithms may lead to discrimination, see most prominently S Barocas and A Selbst, ‘Big Data’s Disparate Impact’ 104 (3) (2016) California Law Review 671–732.

9 See, eg, European Commission, Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, ‘Fostering a European approach to Artificial Intelligence’, COM(2021) 205 final, 21.04.2021. For the so-called ‘mainstreaming’ of equality in EU law more generally, see A Timmer, ‘Editorial: Mainstreaming Equality in EU Law and Beyond’ 19 (3) 2023 Utrecht Law Review 1–7; E Muir et al, ‘The Horizontal Equality Clauses (Arts 8 & 10 TFEU) and Their Contribution to the Course of EU Equality Law: Still an Empty Vessel?’ 7 (3) 2022 European Papers 1381–403.

10 See, in particular, recital 71 and Art 9(1), discussed in greater detail below in Section 4A.

11 Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act), OJ L 2024/1689. See, in particular, Art 10 and recitals 27–8, 31, 44–5, 48, 54–8, 67, 70 thereof.

12 See, eg, N Criado and J Such, ‘Digital Discrimination’ in K Yeung and M Lodge (eds), Algorithmic Regulation (Oxford University Press 2019) 82–97.

13 See, eg, M Mann and T Matzner, ‘Challenging Algorithmic Profiling: The Limits of Data Protection and Non-Discrimination in Responding to Emergent Discrimination’ 6 (2019) Big Data and Society 1–11.

14 Council Directive 79/7/EEC of 19 December 1978 on the progressive implementation of the principle of equal treatment for men and women in matters of social security, OJ L 6/24; Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin, OJ L 180/22; Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation, OJ L 303/16; Council Directive 2004/113/EC of 13 December 2004 implementing the principle of equal treatment between men and women in the access to and supply of goods and services, OJ L 373/37; Directive 2006/54/EC of the European Parliament and of the Council of 5 July 2006 on the implementation of the principle of equal opportunities and equal treatment of men and women in matters of employment and occupation (recast), OJ L 204/23; Directive 2010/41/EU of the European Parliament and of the Council of 7 July 2010 on the application of the principle of equal treatment between men and women engaged in an activity in a self-employed capacity and repealing Council Directive 86/613/EEC, OJ L 180/1.

15 Charter of Fundamental Rights of the European Union, OJ 2016 C 202/389.

16 See, among others, A Cîrciumaru, ‘Discrimination in the Age of Algorithms - Is EU Law Ready?’ in C van Oirsouw et al (eds), European Yearbook of Constitutional Law 2023Constitutional Law in the Digital Era (T.M.C. Asser Press 2024) 111–35; R Xenidis, ‘When Computers Say No: Towards a Legal Response to Algorithmic Discrimination in Europe’ in B Brożek et al (eds), Research Handbook on Law and Technology (Edward Elgar Publishing 2023) 222–34; J Gerards and F Zuiderveen Borgesius, ‘Protected Grounds and the System of Non-Discrimination Law in the Context of Algorithmic Decision-Making and Artificial Intelligence’ 20 (1) (2022) Colorado Technology Law Journal 1–56; D Morondo Taramundi, ‘Discrimination by Machine-Based Decisions: Inputs and Limits of Non-Discrimination Law’ in B Custers and E Fosch Villaronga (eds), Law and Artificial Intelligence: Regulating AI and Applying AI in Legal Practice (T.M.C. Asser Press 2022) 73–85; R Xenidis and L Senden, ‘EU Non-Discrimination Law in the Era of Artificial Intelligence: Mapping the Challenges of Algorithmic Discrimination’ in U Bernitz et al (eds), General Principles of EU law and the EU Digital Order (Kluwer Law International 2020) 151–80; R Xenidis, ‘Tuning EU Equality Law to Algorithmic Discrimination: Three Pathways to Resilience’ 27 (6) (2020) Maastricht Journal of European and Comparative Law 736–58; F Zuiderveen Borgesius, ‘Strengthening Legal Protection Against Discrimination by Algorithms and Artificial Intelligence’, 24 (10) (2020) International Journal of Human Rights 1572–93; P Hacker, ‘Teaching Fairness to Artificial Intelligence: Existing and Novel Strategies Against Algorithmic Decision-Making Under EU Law’ 55 (2018) Common Market Law Review 1143–86; F Zuiderveen Borgesius, Discrimination, Artificial Intelligence, and Algorithmic Decision-Making (Council of Europe 2018).

17 See B Friedman and H Nissenbaum, ‘Bias in Computer Systems’ 14 (3) (1996) ACM Transactions on Information Systems 330–47, 332, drawing a distinction between preexisting, technical, and emergent bias in computer systems (pp 333–6); D Danks and AJ London, ‘Algorithmic Bias in Autonomous Systems’ (Twenty-Sixth International Joint Conference on Artificial Intelligence, Melbourne, August 2017) 4691–7, 4692, also pointing out that whereas some forms of algorithmic bias may be problematic, others may be even socially or ethically desirable (pp 4694–5). See also Criado and Such (n 12) 85, arguing that algorithms actually need some degree of bias.

18 See M Rovatsos et al, ‘Landscape Summary: Bias in Algorithmic Decision-Making’ (Centre for Data Ethics and Innovation 2019) 11.

19 See J Gerards and R Xenidis, Algorithmic Discrimination in Europe: Challenges and Opportunities for Gender Equality and Non-Discrimination Law (European Commission, Publications Office of the European Union 2021) section 1.5.1, 47–8. See also in this regard High-Level Expert Group on Artificial Intelligence set up by the European Commission, ‘Assessment List for Trustworthy AI’ (2020) 23, defining algorithmic bias as ‘systematic and repeatable errors in a computer system that create unfair outcomes, such as favouring one arbitrary group of users over others’.

20 Gerards and Xenidis (n 19) 47, clarifying the difference between the terms ‘bias’ and ‘fairness’ deployed mostly in computer science, statistics and ethics, on the one hand, and the legal notions of ‘discrimination’ and ‘equality’, on the other hand. See also Xenidis, ‘When Computers Say No’ (n 16) Section 2B, noting that ‘non-discrimination law does not address bias itself, but rather some of the harms which it creates for legally protected groups’; Criado and Such (n 12) 85.

21 The distinction between the notions of ‘bias’ and ‘discrimination’ in the context of AI systems seems to be also implicitly recognised by the AI Act, see, eg, recital 27 referring to ‘discriminatory impacts and unfair biases that are prohibited by Union or national law’, recitals 32 and 52 using the terms ‘biased results’ and ‘discriminatory effects’, as well as recital 70 referring to ‘discrimination that might result from the bias in AI systems’.

22 See Gerards and Zuiderveen Borgesius (n 16) 7, suggesting a distinction between instances of differentiation based on protected grounds that fall under the scope of non-discrimination law and other types of unfair differentiation in the context of AI technologies. See also Zuiderveen Borgesius (n 16) 7–8 and 66–7; M van Bekkum et al, ‘AI, Insurance, Discrimination and Unfair Differentiation: An Overview and Research Agenda’ (2024) arXiv:2401.11892 [cs.CY] <https://arxiv.org/abs/2401.11892> accessed 9 June 2025. This distinction seems to also underly the AI Act, see eg recital 59, according to which AI systems ‘may single out people in a discriminatory or otherwise incorrect or unjust manner’.

23 See, eg, S Barros Vale and G Zanfir Fortuna, Automated Decision-Making Under the GDPR: Practical Cases from Courts and Data Protection Authorities (Future of Privacy Forum, May 2022); SE Biber, ‘Between Humans and Machines: Judicial Interpretation of the Automated Decision-Making Practices in the EU’ in H Hofmann and F Pflücke (eds), Governance of Automated Decision-Making and EU Law (Oxford University Press 2024) 187–212. See also L Metikoš and J Ausloos, ‘The Right to an Explanation in Practice: Insights from Case Law for the GDPR and the AI Act’ (2025) Law, Innovation and Technology 1–36. The only exception so far is the work of Gerards and Xenidis (n 19) section 3.4.2.1, 113–15, who briefly refer to various cases of algorithmic discrimination decided upon by national courts or equality bodies in different Member States.

24 See, eg, CJEU, Opinion 1/09 Agreement on the Creation of a Unified Patent Litigation System ECLI:EU:C:2011:123, para 68.

25 Consolidated Version of the Treaty on the Functioning of the European Union, OJ 2016 C 202/47. The preliminary reference procedure is considered to be the keystone of the EU judicial system, as ruled by the CJEU in its Opinion 2/13 Accession of the Union to the European Convention of Human Rights EU:C:2014:2454, para 176. For a detailed overview of the preliminary reference mechanism in general, see M Broberg and N Fenger, Broberg and Fenger on Preliminary References to the European Court of Justice (3rd edn, Oxford University Press 2021). For an elaborate analysis of the dialogue between national courts and the CJEU in this context, see, eg, T Tridimas, ‘The CJEU and the National Courts: Dialogue, Cooperation, and Instability’ in D Chalmers and A Arnull (eds), The Oxford Handbook of European Union Law (Oxford University Press 2015) 403–30.

26 According to the wording of Art 267 TFEU, the preliminary reference procedure before the CJEU is only available to ‘any court or tribunal’. This is not the case for national equality bodies and DPAs exercising administrative functions, whose decisions are not of a judicial nature. In relation to equality bodies, this has been explicitly confirmed in Case C-394/11 Belov ECLI:EU:C:2013:48.

27 See, eg, Hacker (n 16) 1151–2, who further argues that instances of direct discrimination will be rare in the context of algorithms. On the diminishing relevance of this notion in the field of algorithmic discrimination, see also Gerards and Xenidis (n 17) 69. For the opposite view, see J Adams Prassl et al, ‘Directly Discriminatory Algorithms’, 86 (1) (2023) Modern Law Review 144–75.

28 See, eg, Hacker (n 16) 1153. Because of its broader reach, the concept of indirect discrimination is considered more apt compared with its direct counterpart to address the challenges of algorithmic discrimination, see, eg, Gerards and Xenidis (n 19) section 2.3.2, 70–3.

29 See Xenidis, ‘When Computers Say No’ (n 16) 232.

30 For a detailed analysis of the advantages and drawbacks of these concepts in the context of algorithms, see Gerards and Xenidis (n 19) section 2.3, 67–73.

31 See Xenidis and Senden (n 16) section III.2. For the difficulties as well as the importance of qualifying algorithmic harms as direct or indirect discrimination, see Xenidis, ‘When Computers Say No’ (n 16) section 4.

32 See in this regard, eg, Xenidis, ‘Tuning EU Equality Law to Algorithmic Discrimination’ (n 16) 746–7; H Weerts et al, ‘Unlawful Proxy Discrimination: A Framework for Challenging Inherently Discriminatory Algorithms’ (2024) arXiv:2404.14050 [cs.AI] <https://arxiv.org/abs/2404.14050> accessed 9 June 2025. On the use of affinity or interest groups as proxies for protected traits, see S Wachter, ‘Affinity Profiling and Discrimination by Association in Online Behavioural Advertising’ 35 (7) (2020) Berkeley Technology Law Journal.

33 ‘Credit scoring’ refers to the automated establishment of probability values known as ‘credit scores’ with the aim of predicting the creditworthiness of consumers on the basis of statistical correlations. For more details about these systems, see, eg, N Capon, ‘Credit Scoring Systems: A Critical Analysis’ 46 (2) (1982) Journal of Marketing 82–91. The discriminatory potential of algorithmic credit scoring has been repeatedly highlighted by scholars, who have warned of the risks these practices pose in terms of exacerbating the social exclusion of minorities and other marginalised groups, see, among others, M Hurley and J Adebayo, ‘Credit Scoring in the Era of Big Data’ 18 (2016) Yale Journal of Law and Technology 148–216; K Langenbucher, ‘Consumer Credit in The Age of AI – Beyond Non-Discrimination Law’ (European Corporate Governance Institute, Law Working Paper No. 663/2022, LawFin Working Paper No. 42, 2022). Such risks are also explicitly recognised by recital 58 AI Act, according to which AI systems used to evaluate the credit score or creditworthiness of natural persons are classified as ‘high-risk’, since they determine those persons’ access to financial resources or essential services and may perpetuate historical patterns of discrimination, or create new forms of discriminatory impacts.

34 Yhdenvertaisuus- ja tasa-arvolautakunta, register no. 216/2017, 21 March 2018. An English version of the judgment is available on the court’s website <https://tinyurl.com/2t2fxepz> accessed 9 June 2025. See also press release of the Finnish Non-Discrimination Ombudsman, ‘Assessing credit rating on the basis of statistical data alone is discrimination – credit institutions must revise their practices’ (25 April 2018) <https://tinyurl.com/4ncuck7d> accessed 9 June 2025.

35 Given the proliferation of big data and machine learning technologies, inferences about an individual’s likelihood of future default can be drawn from a vast amount of data collected from numerous sources and not necessarily connected to the individual’s financial standing, see N Aggarwal, ‘The Norms of Algorithmic Credit Scoring’ 80 (1) (2021) Cambridge Law Journal 42–73; N Collado Rogriguez and U Kohl, ‘All Data Is Credit Data’: Personalised Consumer Credit Score and Non-Discrimination Law’ in U Kohl and J Eisler (eds), Data-Driven Personalisation in Markets, Politics and Law (Cambridge University Press 2021) 124–41.

36 For the conceptualisation and legal challenges of the notion of ‘multiple discrimination’ in general, see, eg, G Moon, ‘Multiple Discrimination – Problems Compounded or Solutions Found?’ (2006) Justice Journal 86–102; H Bielefeldt, ‘Tackling Multiple Discrimination – Practices, Policies and Laws’ (European Commission, Office for Official Publications of the European Communities 2007).

37 Tribunale Ordinario di Bologna, Sezione Lavoro, ordinanza nella causa iscritta al n. r.g. 2949/2019, 31 December 2020 (‘Deliveroo’). For a more detailed analysis of the discrimination-related aspects of the case, see V Pietrogiovanni, ‘Deliveroo and Riders’ Strikes: Discriminations in the Age of Algorithms’ 7 (3) (2021) International Labor Rights Case Law 317–21; R Santagata De Castro, ‘Non-Discrimination Law in the Italian Courts: The New Frontiers of the Topic in the Age of Algorithms’ (Centre for the Study of European Labour Law ‘Massimo d’Antona’ 440/2021); A Perulli, ‘La Discriminazione Algoritmica: Brevi Note Introduttive a Margine dell’Ordinanza del Tribunale di Bologna’ (2021) Lavoro Diritti Europa.

38 This was the more so, as it was Deliveroo’s deliberate choice to render its system ‘blind’ with regard to the reasons behind the riders’ abstention from work, thereby treating all abstention reasons indistinctly regardless of whether or not they are protected by law, see Tribunale Ordinario di Bologna, Deliveroo (n 37) para 4.

39 See Gerards and Zuiderveen Borgesius (n 16) 11.

40 See S Wachter, ‘The Theory of Artificial Immutability: Protecting Algorithmic Groups Under Non-Discrimination Law’ 97 (2) (2022) Tulane Law Review, 9–10, arguing for the need to include these algorithmic groups into the protective scope of non-discrimination law as the harms facing these groups are normatively and morally the same as those facing protected groups, the only difference being how these harms are experienced. See also Mann and Matzner (n 13) 1–11.

41 Gerards and Xenidis (n 19) section 1.4.5, 46.

42 Wachter, ‘The Theory of Artificial Immutability’ (n 40) 13. For the dynamic nature of these algorithmic categories that may evolve over time, see Gerards and Xenidis (n 19) section 2.2.6, 66.

43 M Leese, ‘The New Profiling: Algorithms, Black Boxes, and the Failure of Non-Discriminatory Safeguards in the European Union’ 45 (5) (2014) Security Dialogue 494–511, 502, 504, also noting that individuals are likely to not even become aware of their classification in a specific algorithmic category.

44 Gerards and Zuiderveen Borgesius (n 16) 11–2; Zuiderveen Borgesius (14) 67, 69. For the main definitions and measures of algorithmic fairness, see among many others D Pessach and E Shmueli, ‘Algorithmic Fairness’ (2020) arXiv:2001.09784 [cs.CY] <https://arxiv.org/abs/2001.09784> accessed 9 June 2025. For the notion of ‘algorithmic unfairness’ under non-discrimination law, see H Weerts et al, ‘Algorithmic Unfairness Through the Lens of EU Non-Discrimination Law: Or Why the Law Is Not a Decision Tree’ (Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency, Chicago, June 2023) 805–16 also available at arXiv:2305.13938 [cs.CY] <https://arxiv.org/abs/2305.13938> accessed 9 June 2025. For an assessment of fairness metrics under EU non-discrimination law, see S Wachter et al, ‘Bias Preservation in Machine Learning: The Legality of Fairness Metrics Under EU Non-Discrimination Law’ 123 (3) (2021) West Virginia Law Review. See also S Wachter et al, ‘Why Fairness Cannot Be Automated: Bridging the Gap Between EU Non-Discrimination Law and AI’ 41 (2021) Computer Law and Security Review 105567.

45 Gerards and Zuiderveen Borgesius (n 16) 12–5. See also T Zarsky, ‘The Trouble with Algorithmic Decisions: An Analytic Road Map to Examine Efficiency and Fairness in Automated and Opaque Decision Making’ 41 (1) (2016) Science, Technology and Human Values 118–32, 127–8, arguing that ‘[a]s a result of the algorithmic process, individuals might be treated differently than their peers – people similar to them in every relevant aspect – on the basis of irrelevant differences […] For some individuals […] the factors are irrelevant or incorrect. Thus, the process proves to be efficient overall, but in some instances, and for some people, unfair’.

46 Rechtbank Den Haag, zaaknummer C-09-550982-HA ZA 18–388, 5 February 2020 ECLI:NL:RBDHA:2020:1878 (‘SyRI’). A detailed overview of SyRI’s functioning and the relevant legislation regulating its specificities (the so-called ‘SUWI Act’ and ‘SUWI Decree’) is provided by the Court of the Hague in paras 4.1–4.33 of its judgment.

47 See Dutch DPA (College Bescherming Persoonsgegevens), ‘Advies conceptbesluit SyRI’ (z2013-00969, 18 February 2014), and ‘Advies inzake effectiever gebruik van gegevens’, z2012-00237 (4 June 2012). See also Dutch Council of State (Raad van State), ‘Ontwerpbesluit houdende regels voor fraudeaanpak door gegevensuitwisselingen en het effectief gebruik van binnen de overheid bekend zijnde gegevens (Besluit SyRI), met nota van toelichting’ (W12.14.0102/III, 15 May 2014).

48 For a detailed analysis of the judgment, see M van Bekkum and F Zuiderveen Borgesius, ‘Digital Welfare Fraud Detection and the Dutch SyRI Judgement’ 23 (4) (2021) European Journal of Social Security 323–40; S Bekker, ‘Fundamental Rights in Digital Welfare States: The Case of SyRI in the Netherlands’ in O Spijkers et al (eds), Netherlands Yearbook of International Law 2019 (50 Netherlands Yearbook of International Law, T.M.C. Asser Press, Springer 2021) 289–307; A Meuwese, ‘Regulating Algorithmic Decision-making: One Case at the Time: A Note on the Dutch “SyRI” Judgement’ 1 (1–2) (2020) European Review of Digital Administration and Law 209–11.

49 Rechtbank Den Haag, SyRI (n 46) para 6.24. See also van Bekkum and Zuiderveen Borgesius ‘Digital Welfare Fraud Detection’ (n 48) footnote 31, 329.

50 Rechtbank Den Haag, SyRI (n 46) para 6.93. See also Brief submitted by the United Nations Special Rapporteur on extreme poverty and human rights as Amicus Curiae in this case before the District Court of the Hague available at <https://tinyurl.com/4rzdw287> accessed 9 June 2025, paras 8–9 and 16.

51 Rechtbank Den Haag, SyRI (n 46) para 6.93.

52 Ibid., para 6.94.

53 Centrale Raad van Beroep, 19/3942 PW, 8 December 2020 ECLI:NL:CRVB:2020:3294 (‘GALOP II’). Interestingly, although the SyRI system was also supposed to be deployed in the context of the GALOP II project, this did not happen in the case at issue due to certain implementation problems, see para 4.5 of the judgment.

54 Ibid., para 4.1.

55 Ibid., para 4.4.

56 Ibid., paras 4.6–4.7.

57 Ibid., para 4.7.

58 See judgment no. 135/2019 of the Belgian Constitutional Court of 12 October 2023 and the relevant press release 12.3.2-20191017 available at <https://tinyurl.com/3cxwt247> accessed 9 June 2025.

59 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ 2016 L 119/132. The so-called ‘PNR data’ contain a wide array of information provided by passengers at the time they book a flight (eg, contact details, travel itineraries, flight number, etc), see the Glossary of the European Data Protection Supervisor (EDPS) <https://tinyurl.com/4kvaheye> accessed 9 June 2025. A list of these data that are collected by air carriers can be also found in Annex I of the PNR Directive.

60 CJEU, Case C-817/19 Ligue des droits humains ECLI:EU:C:2022:491. For a detailed analysis of the judgment, see, eg, E Brouwer, ‘Ligue Des Droits Humains and the Validity of the PNR Directive: Balancing Individual Rights and State Powers in Times of New Technologies’ 60 (3) (2023) Common Market Law Review 839–62; EM Kuşkonmaz, ‘The Grand Gala of PNR Litigations: Case C-817/19, Ligue Des Droits Humains v Conseil Des Ministers’ 19 (2) (2023) European Constitutional Law Review 294–319. For the judgment of the Belgian Constitutional Court following the CJEU’s preliminary ruling on the case, see Cour constitutionnelle/ Grondwettelijk Hof, arrêt/ arrest no. 131/2023 ECLI:BE:GHCC:2023:ARR.131, as well as the relevant press release (12 October 2023) <https://tinyurl.com/2vatf4tc> accessed 9 June 2025.

61 See, eg, CJEU, Ligue des droits humains (n 60) paras 62, 85.

62 Ibid., paras 189–90 (for databases) and 196–7 (for pre-determined criteria). See also Art 6(4) PNR Directive. As suggested by AG Pitruzzella in his Opinion in Case C-817/19 Ligue des droits humains ECLI:EU:C:2022:65, paras 227, 231, the general prohibition of discriminatory profiling must be considered to cover all the grounds of discrimination referred to in Art 21 of the Charter, even where they are not mentioned expressly, so that that the list of protected grounds provided for by the PNR Directive should be supplemented by adding those contained in Art 21. See also recital 20 of the PNR Directive replicating the list of Art 21 of the Charter.

63 CJEU, Ligue des droits humains (n 60) para 197. See also HP Olsen and C Wiesener, ‘Beyond Data Protection Concerns – The European Passenger Name Record System’ 13 (2) (2021) Law, Innovation and Technology 398–421, arguing that the real risk of discrimination in the context of PNR data comes from the challenge of extending the specific non-discrimination safeguards established by the PNR Directive, including Art 13(4) thereof on the prohibition of processing of sensitive data, to forms of indirect or intersectional discrimination.

64 CJEU, Ligue des droits humains (n 60) para 199. See also in this regard CJEU, Joined Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net ECLI:EU:C:2020:791, para 181, where the Court noted that any automated analysis carried out on the basis of models and criteria founded on the premise that such protected characteristics could, in themselves and regardless of the individual conduct of that person, be relevant in order to prevent terrorism, would infringe the rights guaranteed in Arts 7 and 8 of the Charter, read in conjunction with Art 21 thereof.

65 CJEU, Ligue des droits humains (n 60) paras 203–4. The Court also recalled that the competent authorities are entrusted with the duty to guarantee the lawfulness of both the automated data processing and the individual review of positive matches under Art 7(6) PNR Directive, including their non-discriminatory nature (paras 208–9).

66 Bundesverfassungsgericht (BVerfG), Judgment of the First Senate of 16 February 2023 – 1 BvR 1547/19, 1 BvR 2634/20 ECLI:DE:BVerfG:2023:rs20230216.1bvr154719 (‘Policing systems in Hessen and Hamburg’). For an English version of the judgment, see the German Constitutional Court’s website <https://tinyurl.com/ypvfmjar> accessed 9 June 2025, as well as press release no. 18/2023 of the court (16 February 2023) <https://tinyurl.com/4adc3vt6> accessed 9 June 2025.

67 BVerfG, Policing systems in Hessen and Hamburg (n 66) para 77.

68 Ibid.

69 Ibid., para 90.

70 Ibid., para 95.

71 Ibid., para 100. It is worth noting that, although the English translation of the judgment published by the German Constitutional Court uses the term ‘algorithmic discrimination’, the original German version refers to the emergence and application of ‘discriminatory algorithms’ (Herausbildung und Verwendung diskriminierender Algorithmen).

72 This question can be originally traced in a judgment of the German Federal Court of Justice (Bundesgerichtshof), Urteil des VI. Zivilsenats - VI ZR 156/13, 28 January 2014, which predated the adoption of the GDPR and concerned the scope of the individuals’ right to information against credit scores created by credit reporting agencies such as SCHUFA. For the functions of credit bureaus in the EU more generally, see F Ferretti, ‘Credit Bureaus Between Risk-Management, Creditworthiness Assessment and Prudential Supervision’ (Working Paper, EUI LAW, 2015/20).

73 CJEU, Case C-634/21 SCHUFA Holding (Scoring) ECLI:EU:C:2023:957, particularly paras 47–50. Compare with the judgment of the German Federal Court (n 72), which concluded that credit scoring does not constitute in itself an automated decision, but merely a data evaluation that precedes and forms the basis for a final decision made by a human (paras 33–4). For a more detailed discussion about the CJEU’s judgment, see F Andrade and D Morgado Rebelo, ‘SCHUFA’s Case C-634/21 on ADM: The ‘Lenders’ Quest’ for GDPR-Friendly Scoring Has Not Been Settled Yet!’ (JusGov Research Paper No. 2024-03, 2 July 2024); A Silveira, ‘Automated Individual Decision-Making and Profiling [on Case C-634/21 -SCHUFA (Scoring)]’ 8 (2) (2023) UNIO – EU Law Journal 74–85; N Genicot, ‘To Score Is to Decide: About the SCHUFA Case’ (Verfassungsblog, 14 December 2023) <https://verfassungsblog.de/to-score-is-to-decide/> accessed 9 June 2025. On the applicability of Art 22 GDPR in ADM with multiple stages, see R Binns and M Veale, ‘Is That Your Final Decision? Multi-Stage Profiling, Selective Effects, and Art 22 of the GDPR’ 11 (4) (2021) International Data Privacy Law 319–32.

74 CJEU, SCHUFA Holding (Scoring) (n 73), paras 51, 57–9.

75 Ibid., paras 65–6.

76 It is worth noting, however, that the Administrative Court of Wiesbaden had already pointed out in its request for a preliminary ruling that Art 22(1) GDPR is intended to protect individuals against discriminatory decisions as well as to ensure transparency and fairness in decision-making, given the algorithms’ ability to work with correlations and probabilities that may lead to incorrect, unfair or discriminatory conclusions, see request of 15 October 2021, para 26 <https://tinyurl.com/ttcunara> accessed 9 June 2025. Similarly, AG Pikamäe had also warned that, since Art 22(1) GDPR seeks to offer protection against the potentially discriminatory and unfair effects of automated data processing, particular vigilance is required when interpreting this provision, see Opinion of AG Pikamäe in Case C-634/21 SCHUFA Holding (Scoring) ECLI:EU:C:2023:220 para 38. Interestingly, the AG had also underscored the detrimental consequences of a negative score for the individuals concerned that may even lead to their stigmatisation in society, see para 43 of his Opinion.

77 Consiglio di Stato, Sezione VI, sentenza no. 2270/2019, 8 April 2019 ECLI:IT:CDS:2019:2270SENT; Consiglio di Stato, Sezione VI, sentenza no. 8472/2019, 13 December 2019 ECLI:IT:CDS:2019:8472SENT; Consiglio di Stato, Sezione VI, sentenza no. 8473/2019, 13 December 2019, ECLI:IT:CDS:2019:8473SENT; Consiglio di Stato, Sezione VI, sentenza no. 8474/2019, 13 December 2019 ECLI:IT:CDS:2019:8474SENT; Consiglio di Stato, Sezione VI, sentenza no. 881/2020, 4 February 2020 ECLI:IT:CDS:2020:881SENT. For more details about the ‘Buona Scuola’ reform, see V Capuzza et al, La Buona Scuola: Introduzione Alla Riforma Dell’istruzione Italiana (G Giappichelli Editore 2016). The algorithm used to implement the mobility scheme in question would assign the locations on the basis of a score attributed to candidates depending on their work experience, their preferred destinations and the actual vacancies available, giving priority to the ones having a higher score. However, many teachers ended up being wrongly transferred to provinces located far away from their place of residence or different from the ones indicated as preferred. See in this regard, Algorithm Watch, ‘Automating Society 2019/ Italy’ <https://tinyurl.com/mvnbyhuh> accessed 9 June 2025; ‘Scuola, Trasferimenti di 10mila Docenti Lontano da Casa – Il Tar: “L’Algoritmo Impazzito Fu Contro la Costituzione”’ (La Repubblica, 17 September 2019) <https://tinyurl.com/5dsxxmn9> accessed 9 June 2025.

78 Consiglio di Stato, sentenza no. 8472/2019 (n 77) para 15; sentenza no. 8473/2019 (n 77) para 15; sentenza no. 8474/2019 (n 77) para 15; sentenza no. 881/2020 (n 77) para 11.

79 Consiglio di Stato, sentenza no. 8472/2019 (n 77) para 16; sentenza no. 8473/2019 (n 77) para 16; sentenza no. 8474/2019 (n 77) para 16; sentenza no. 881/2020 (n 77) para 12.

80 Consiglio di Stato, sentenza no. 8472/2019 (n 77) para 15.3; sentenza no. 8473/2019 (n 77) para 15.3; sentenza no. 8474/2019 (n 77) para 15.3; sentenza no. 881/2020 (n 77) para 11.3.

81 Ibid.

82 Accordingly, absent any such link to some sort of discriminatory instances, judgments delivered on cases of unfair algorithmic differentiation will fall outside the scope of my classification, bearing no relevance from a non-discrimination law perspective. See, eg, the judgment of the Amsterdam Court of Appeal (Gerechtshof Amsterdam), zaaknummer 200.295.742/01, 4 April 2023 ECLI:NL:GHAMS:2023:793 concerning certain Uber drivers who, after receiving a notice from the platform informing them that their professional accounts had been automatically deactivated due to suspicions of fraud allegedly committed by them, exercised their rights to receive information about that system under Arts 15(1)(h) and 22 GDPR. See also the judgment of the Spanish National High Court (Audiencia Nacional), SAN 2013/2024, 30 April 2024 ECLI:ES:AN:2024:2013 that rejected the plaintiffs’ request to get access to the source code of the so-called ‘BOSCO’ software that was created by the Spanish government to review applications for a discount rate of electricity bills for economically or socially vulnerable households, resulting in numerous eligible applicants being wrongly dismissed. In both instances, neither was any allegation of discrimination raised by the respective courts or by the plaintiffs themselves, nor did any suspicion of discrimination emerge from the factual circumstances surrounding the use of the ADM practices at issue.

83 For more details, see the platform’s website <https://tinyurl.com/4zjy6jff> accessed 9 June 2025.

84 Décision du Défenseur des droits no. 2019-021, 18 January 2019, particularly paras 8, 9, 41, 60 <https://tinyurl.com/4zfwu9bj> accessed 9 June 2025. See also C Strombon, ‘Parcoursup : Le Défenseur des Droits Demande Plus de Transparence’ (Le Monde, 21 January 2019) <https://tinyurl.com/mr228st9> accessed 9 June 2025. Concerns for the discriminatory potential of the Parcoursup platform have been also expressed by the National Students Union of France (UNEF) in its press release ‘Parcoursup : Le Renforcement de la Sélection, des Inégalités et des Discriminations à l’Entrée de l’Université’ (13 March 2018) <https://tinyurl.com/5729j4pb> accessed 9 June 2025. See also in this regard N Bechichi, J Grenet and G Thebault, ‘Ségrégation à l’Entrée des Études Supérieures en France et en Région Parisienne : Quels Effets du Passage à Parcoursup ?’(Institut National de la Statistique et des Études Économiques, Document de travail no. 2021-003, November 2021).

85 Décision du Défenseur des droits no. 2019-021 (n 84) paras 65, 88–9.

86 Conseil d’État, décision no. 427916, 12 June 2019, ECLI:FR:CECHR:2019:427916.20190612, paras 8, 12.

87 Conseil d’État, décision no. 433296, 15 January 2020, ECLI:FR:CECHR:2020:433296.20200115, paras 4, 8.

88 Conseil constitutionnel, décision no. 2020-834 QPC, 3 April 2020 ECLI:FR:CC:2020:2020.834.QPC, paras 13–20.

89 Rechtbank Den Haag, zaaknummer C/09/662309/HA RK 24-104, 9 September 2024 ECLI:NL:RBDHA:2024:14477 (‘Bunq’).

90 See, eg, Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849, OJ L 2024/1640; Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, OJ L 2024/1624.

91 For the potentially discriminatory effects of such de-risking practices in general, see CJEU, Case C-562/20 Rodl & Partner ECLI:EU:C:2022:883. See also M Sciurba, The Incompatibility of Global Anti-Money Laundering Regimes with Human and Civil Rights: Reform Needed? (Nomos 2019), Chapter 10 ‘Discrimination in the UK Banking Sector: The Negative Side Effects of Anti-Money Laundering and Counter-Terrorism Financing Policies’ 153–61; A Bertrand et al, ‘Do AI-Based Anti-Money Laundering (AML) Systems Violate European Fundamental Rights?’ 11 (3) (2021) International Data Privacy Law 276–93. For example, instances of algorithmic discrimination in the financial sector have been often reported in the Netherlands by individuals of Arab origin and/or Muslim affiliation, who may often see their money transfers being blocked or their bank accounts being ‘frozen’ or even permanently closed through the use of ADM detecting allegedly suspicious transaction elements, see, eg, ‘Customers Sue ING Bank, Allege Racial Profiling in Anti-Terror Screening’ (nltimes, 13 April 2024) <https://tinyurl.com/4p8efswa> accessed 9 June 2025; ‘“Nieuw Toeslagenschandaal” Ontstaat in de Omgang van Banken met Moslims’ (Trouw, 6 June 2023) <https://tinyurl.com/bddpmy3f> accessed 9 June 2025. Similarly, the Dutch Institute for Human Rights (College voor de Rechten van de Mens) has on several occasions found that the use of automated transaction screening methods by banks led to indirect discrimination on grounds of nationality or race, see, eg, oordeelnummer 2024-100, 5 December 2024, as well as oordeelnummers 2024-62 and 2024-63, 25 July 2024.

92 Rechtbank Den Haag, Bunq (n 89) paras 4.8–4.10. Regarding the absence of human involvement in a decision-making process in order for that decision to be based solely on automated data processing under Art 22(1) GDPR, see Art 29 Working Party’s Guidelines (n 7) 21.

93 See also Gerards and Xenidis (n 19) section 3.4.2.1, 114–15.

94 See notably R Gellert et al, ‘A Comparative Analysis of Anti-Discrimination and Data Protection Legislations’ in B Custers et al (eds), Discrimination and Privacy in the Information Society: Data Mining and Profiling in Large Databases (Springer 2013) 61–89; A Calvi, ‘Exploring the Synergies between Non-Discrimination and Data Protection: What Role for EU Data Protection Law to Address Intersectional Discrimination?’ 14 (2) (2023) European Journal of Law and Technology. On the similar constitutional design of the two areas of law, see E Muir, EU Equality Law: The First Fundamental Rights Policy of the EU (Oxford University Press 2018) 136–43. Furthermore, it is worth noting that the CJEU has linked data protection considerations with the principle of non-discrimination on grounds of nationality under what is now Art 18(1) TFEU, see Case C-524/06 Huber ECLI:EU:C:2008:724, paras 66, 79–80.

95 See, eg, Hacker (n 16) 1172; A Häuselmann and B Custers, ‘Substantive Fairness in the GDPR: Fairness Elements for Article 5.1a GDPR’ 52 (2024) Computer Law and Security Review 9; G Malgieri, ‘The Concept of Fairness in the GDPR: A Linguistic and Contextual Interpretation’ (Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency, New York, January 2020) 154–66, section 2.4, 158–9.

96 See also Art 29 Working Party’s Guidelines (n 7) 10, mentioning that ‘[p]rofiling may be unfair and create discrimination’.

97 See Hacker (n 16) 1172, referring to algorithmic discrimination as ‘the epitome of an unfair algorithmic process’.

98 Ibid.

99 See Malgieri, ‘The Concept of Fairness in the GDPR’ (n 95), section 2.2.2, 156.

100 See in the same vein Art 10 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119/89; Art 10 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295/39. For a detailed analysis of Art 9 GDPR, see L Georgieva and C Kuner, ‘Article 9 Processing of Special Categories of Personal Data’ in C Kuner et al (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 365–84.

101 Notably, the protected grounds of sex, age and disability are not recognised as sensitive data under the GDPR, while some categories of sensitive data do not constitute prohibited grounds of discrimination (eg, data concerning a person’s health or sex life), see Gerards and Xenidis (n 19) 49–50.

102 See recitals 51 and 71 GDPR. See also Art 6(2) of the Council of Europe’s Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (the so-called ‘Convention108’), CM/Inf(2018)15-final – 128th Session of the Committee of Ministers, 18 May 2018; Art 29 Working Party, ‘Advice Paper on Special Categories of Data (“Sensitive Data”)’, 4 April 2011, 4. See further P Quinn and G Malgieri, ‘The Difficulty of Defining Sensitive Data – The Concept of Sensitive Data in the EU Data Protection Framework’ 22 (2021) German Law Journal 1583–612, 1585.

103 See M van Bekkum and F Zuiderveen Borgesius, ‘Using Sensitive Data to Prevent Discrimination by Artificial Intelligence: Does the GDPR Need a New Exception?’ 48 (2023) Computer Law and Security Review 105770; I Žliobaitė and B Custers, ‘Using Sensitive Personal Data May Be Necessary for Avoiding Discrimination in Data-Driven Decision Models’ 24 (2016) Artificial Intelligence and Law 183–201. Following this approach, Art 10(5) AI Act now exceptionally allows the processing of sensitive data to ensure the detection and correction of biases in high-risk AI systems, albeit under strict conditions, see in detail M van Bekkum, ‘Using Sensitive Data to De-Bias AI Systems: Article 10(5) of the EU AI Act’ 56 (2025) Computer Law and Security Review 106115.

104 See Calvi (n 94). Regarding the increasing challenges surrounding the task of determining the sensitive nature of a given dataset, see P Quinn and G Malgieri (n 101) 1596ff.

105 See. eg, Gerards and Xenidis (n 19) 43. This phenomenon is commonly known in computer science as ‘garbage in, garbage out’, see, eg, Selbst and Barocas (n 8) 683; Xenidis and Senden (n 16) 156. See also SG Mayson, ‘Bias In, Bias Out’, University of Georgia School of Law Legal Studies Research Paper No. 2018-35, 128 (2019) Yale Law Journal 2218.

106 See Gerards and Xenidis (n 19) section 1.4.5, 46; Morondo Taramundi (n 16) 75.

107 However, it is recalled that the scope Art 22 GDPR covers decisions ‘based solely on automated processing’, ie without human involvement, see in detail Art 29 Working Party’s Guidelines (n 7) 20–1.

108 For a definition of these concepts, see, eg, C Castelluccia and D Le Métayer, ‘Understanding Algorithmic Decision-Making: Opportunities and Challenges’ (Panel for the Future of Science and Technology, European Parliamentary Research Service, European Parliament 2019) 26. See also D Liga, ‘The Interplay Between Lawfulness and Explainability in the Automated Decision-Making of EU Administration’ in H Hofmann and F Pflücke (eds), Governance of Automated Decision-Making and EU Law (Oxford University Press 2024) 239–64; P Hacker and JH Passoth, ‘Varieties of AI Explanations Under the Law: From the GDPR to the AIA, and Beyond’ in A Holzinger et al (eds), xxAI - Beyond Explainable AI (Springer 2022) 343–73.

109 See, eg, F Pasquale, The Black Box Society: The Secret algorithms That Control Money and Information (Harvard University Press 2015). See also J Burrell, ‘How the Machine “Thinks”: Understanding Opacity in Machine Learning Algorithms’ 3 (1) (2016) Big Data and Society.

110 See in detail Gerards and Xenidis (n 19) section 1.4.4, 45–6, and section 2.4, 73–5. For the burden of proof in discrimination cases under EU law, see Art 8 of Directive 2000/43/EC, Art 10 of Directive 2000/78, and Art 9 of Directive 2004/113/EC.

111 See Gerards and Xenidis (n 19) 11, 75; Hacker (n 16) 169. See also M Hildebrandt, Smart Technologies and the End(s) of Law (Edward Elgar 2015) 96.

112 See B Custers, ‘A Fair Trial in Complex Technology Cases: Why Courts and Judges Need a Basic Understanding of Complex Technologies’ 52 (2024) Computer Law and Security Review, arguing that in such cases there is a risk of violation of the right to a fair trial under Art 6 ECHR.

113 See Hacker and Passoth (n 107) 344, 365, who refer in this regard to ‘fairness-enabling’ and ‘rights-enabling’ transparency respectively. For the so-called ‘contestability requirement’ of automated decisions, see E Bayamlıoğlu, ‘The Right to Contest Automated Decisions under the General Data Protection Regulation: Beyond the So-Called “Right to Explanation”’ 16 (2022) Regulation and Governance 1058–78. It is also recalled here that, in a different context, the CJEU highlighted early on the importance of (pay) transparency for the effective enforcement of equality between women and men in the employment field, see Case C-109/88 Handels- og Kontorfunktionærernes Forbund i Danmark v Dansk Arbejdsgiverforening, agissant pour Danfoss ECLI:EU:C:1989:383, paras 12–13.

114 For the relation between opacity, discrimination and effective judicial protection in the context of algorithmic profiling, see Leese (n 43).

115 In the past, this provision gave rise to an intense debate as to whether it enshrines a real right to explanation. See, eg, S Wachter et al, ‘Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation’ 7 (2) (2017) International Data Privacy Law 76–99; G Malgieri and G Comandé, ‘Why a Right to Legibility of Automated Decision-Making Exists in the General Data Protection Regulation’ 7 (4) (2017) International Data Privacy Law 243–65.

116 CJEU, Case C-203/22 Dun & Bradstreet Austria ECLI:EU:C:2025:117, para 57. Likewise, a right to obtain ‘clear and meaningful explanations’ is also conferred on the persons affected by decisions taken on the basis of outputs from high-risk AI systems under Art 86(1) AI Act. Nevertheless, as per Art 86(3) AI Act, the right to explanation established therein applies only to the extent that such right is not otherwise provided for under EU law. For more details about the right to explanations under the GDPR and the AI Act, see L Metikoš and J Ausloos (n 23).

117 See Dun & Bradstreet Austria (n 116) paras 58–61, pointing also to Art 29 Working Party’s Guidelines (n 7) 25. See also in this regard Opinion of AG Pikamäe in SCHUFA Holding (Scoring) (n 76) paras 57–8. See in the same vein Opinion of AG Richard de la Tour in Case C-203/22 Dun & Bradstreet Austria ECLI:EU:C:2024:745, paras 72–7, arguing that the data controller can, nevertheless, decide to disclose information of technical nature on a voluntary basis, provided that such information is accompanied by appropriate explanations.

118 These rights include, most notably, the ones enshrined in Art 22(3) GDPR, namely the individuals’ right to express their point of view on the decision concerning them and to contest it, see Dun & Bradstreet Austria (n 116) paras 55–6. The CJEU added in this regard that the right granted by Art 15(1)(h) GDPR is also necessary to enable the persons affected to exercise their rights to rectification, erasure or restriction of processing in accordance with Arts 16, 17 and 18 GDPR respectively, as well as their right to object to the processing of their personal data under Art 21 GDPR, the right of action, and the right to compensation under Arts 79 and 82 GDPR respectively (para 54).

119 See Hacker and Passoth (n 107) 365.

120 See Arts 7, 13 and 15 of Directive 2000/43; Arts 9 and 17 of Directive 2000/78; and Arts 17, 18, 20 and 25 of Directive 2006/54. See in detail C Tobler, ‘Remedies and Sanctions in EC Non-Discrimination Law: Effective, Proportionate and Dissuasive National Sanctions and Remedies, with Particular Reference to Upper Limits on Compensation to Victims of Discrimination’ (European Commission, Publications Office of the European Union 2005). For an overview of national enforcement practices implementing the EU Equality Directives, see R Iordache and I Ionescu, ‘Effectively Enforcing the Right to Non-Discrimination: Promising Practices Implementing and Going Beyond the Requirements of the Racial Equality and Employment Equality Directives’ (European Commission, Publications Office of the European Union 2021).

121 See most notably Hacker (n 16) section 4, 1170ff. See also Zuiderveen Borgesius, ‘Strengthening Legal Protection’ (n 16) and ‘Discrimination, Artificial Intelligence, and Algorithmic Decision-Making’ (n 16), discussing also the potential use of consumer protection law. See further Gerards and Xenidis (n 19) 50; Calvi (n 94). The interplay between non-discrimination and data protection rules in this regard has been noted also by R Allen and D Masters, ‘Regulating for an Equal AI: A New Role for Equality Bodies – Meeting the New Challenges to Equality and Non-Discrimination from Increased Digitisation and the Use of Artificial Intelligence’ (Equinet 2020) 53–9.

122 See Hacker (n 16) 1171, 1179, 1184, pointing out that, whereas non-discrimination law provides the concepts to determine to what extent discrimination can be condoned, data protection law offers the necessary instruments to open the algorithmic black box.

123 See recital 90 GDPR. See in detail Y Ivanova, ‘The Data Protection Impact Assessment as a Tool to Enforce Non-discriminatory AI’ in L Antunes et al (eds) Privacy Technologies and Policy (8th Annual Privacy Forum, APF 2020, Lisbon, 22–23 October 2020, Springer 2020) 3–24. See also Hacker (n 16) 1174–9.

124 See, in particular, Arts 58, 83, and 80 GDPR. See in this regard Hacker (n 16) 1171, 1173. The need for victims of algorithmic bias to opt for more public and collective forms of redress, where available, has been advanced by scholars, see eg Xenidis and Senden (n 16) section IV.1; Gerards and Xenidis (n 19) 11, 76–7. For the collective judicial redress mechanisms available under EU non-discrimination law, see L Farkas, ‘Collective Actions Under European Non-Discrimination Law’ 19 European Non-Discrimination Law Review (European Commission 2014) 25–40; S Benedi Lahuerta, ‘Enforcing EU Equality Law Through Collective Redress: Lagging Behind?’ 55 (3) (2018) Common Market Law Review 783–817.

125 See Allen and Masters (n 120) 12.

126 CJEU, Case C-236/09 Test-Achats ECLI:EU:C:2011:100.

127 See Tribunale Ordinario di Bologna, Deliveroo (n 37) paras 2, 3, 4 respectively. Regarding the legal standing of associations in discrimination cases, the Italian court referred to Case C-507/18 Associazione Avvocatura per i diritti LGBTI ECLI:EU:C:2020:289. As concerns the finding of discrimination without the existence of an individual victim, the Bologna court referred to Case C-54/07 Feryn ECLI:EU:C:2008:397, as well as to Case C-81/12 Asociaţia Accept ECLI:EU:C:2013:275. It also worth noting that apart from non-discrimination law the District Court of Bologna relied also on national labour law.

128 Regarding the judgment in Deliveroo (n 37), see explicitly Barros Vale and Zanfir Fortuna (n 23) 39.

129 See also Gerards and Xenidis (n 19) 113, 115.

130 See Meuwese (n 48) 210, who also considers the court’s focus on Art 8 ECHR ‘remarkable’, as the main argument of the applicants’ coalition related to the stigmatisation of certain areas and its inhabitants.

131 CJEU, SCHUFA Holding (Scoring) (n 73) paras 57–9.

132 It is noted, though, that questions of transparency may be also based on a different legal framework from data protection law (eg, national administrative law on access to public documents), depending on the concrete case at issue, as was the case in the judgments rendered by the French Council of State and Constitutional Council in relation to the functioning of the Parcoursup platform.

133 CJEU, Ligue des droits humains (n 60) para 209.

134 Rechtbank Den Haag, SyRI (n 46) paras 6.92–6.96. For the view that the principle of lawful processing should be understood by reference to the conditions for limitations of the right to data protection or of the right to privacy under Art 52(1) of the Charter and Art 8(2) ECHR respectively, see C de Terwangne, ‘Article 5 Principles Relating to Processing of Personal Data’ in C Kuner et al (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 309–20, 314; Fundamental Rights Agency (FRA), ‘Handbook on European Data Protection Law’ (Publications Office of the European Union 2014) 62.

135 See press release, ‘The Data Protection Ombudsman Ordered Svea Ekonomi to Correct Its Practices in the Processing of Personal Data’ (1 April 2019) <https://tinyurl.com/ks2k4ps8> accessed 9 June 2025.

136 See Autoriteit Persoonsgegevens, ‘Methods Used by Dutch Tax Administration Unlawful and Discriminatory’ (17 July 2020). See also the relevant report of the Dutch DPA ‘Onderzoeksrapport: Belastingdienst/Toeslagen - De Verwerking van de Nationaliteit van Aanvragers van Kinderopvangtoeslag’, section 3.8, 50–3 <https://tinyurl.com/4hk2vep5> accessed 9 June 2025.

137 See College voor de Rechten van de Mens, oordeelnummers 2023-101, 2023-102, 2023-103, 2 October 2023. See also the preliminary investigation published by the Institute ‘Vooronderzoek naar de Vermeende Discriminerende Effecten van de Werkwijzen van de Belastingdienst/Toeslagen’ (September 2022) <https://tinyurl.com/usybvx98> accessed 9 June 2025.

138 See Tribunale Ordinario di Bologna, Deliveroo (n 37) para 4.

139 See, eg, Rechtbank Den Haag, SyRI (n 46) para 6.94.

140 See Centrale Raad van Beroep, GALOP II (n 53) paras 4.6–4.7.

141 See Consiglio di Stato, sentenza no. 8472/2019 (n 77) para 16; sentenza no. 8473/2019 (n 77) para 16; sentenza no. 8474/2019 (n 77) para 16; sentenza no. 881/2020 (n 77) para 12.

142 CJEU, Ligue des droits humains (n 60) para 210. See also the Opinion of AG Pitruzzella in that case (n 62) para 228, arguing that transparency in the functioning of algorithms constitutes a necessary precondition for the exercise of the data subjects’ rights to complain and to an effective judicial remedy.

143 CJEU, Ligue des droits humains (n 60) para 195.

144 See BVerfG, Policing systems in Hessen and Hamburg (n 66) para 90.

145 See Rechtbank Den Haag, SyRI (n 46) para 6.90.

146 Ibid., para 6.107.

147 However, in the context of the preliminary reference procedure, the CJEU may decide to reformulate the questions referred by the referring court, if necessary to provide that court with a useful answer. For instance, the CJEU may take into account additional EU law provisions, as was the case in Ligue des droits humains (n 60) paras 62, 85, 228, where the Court reviewed the compatibility of the PNR Directive with the Charter also in light of Art 21(1) thereof, although it had been only asked by the referring court to consider Arts 7, 8 and 52(1) of the Charter.

148 For an overview of these barriers, see I Chopin et al, ‘A Comparative Analysis of Non-Discrimination Law in Europe 2018: The 28 EU Member States, the Former Yugoslav Republic of Macedonia, Iceland, Liechtenstein, Montenegro, Norway, Serbia and Turkey Compared’ (European Commission, Publications Office of the European Union 2019) 97–9.

149 In fact, it remains still unclear, at a more normative level, what the role of non-discrimination law in the field of algorithmic bias should be and where the line of its application should be drawn, see, eg, Xenidis, ‘When Computers Say No’ (n 16) section 3.2; Xenidis, ‘Tuning EU Equality Law to Algorithmic Discrimination’ (n 16) 754. In this regard, it has been suggested that it would perhaps make more sense to develop a new, more nuanced way of understanding the concepts of ‘discrimination’ and ‘inequality’ in the realm of ADM practices, by adhering to some sort of broader fairness standards, see, eg, B Custers, ‘Reconsidering Discrimination Grounds in the Data Economy: An EU Comparison of National Constitutions’ 50 (2023) Computer Law and Security Review 10–3; Hacker (n 16). See similarly Barocas and Selbst (n 8) 672, who argue that ‘[f]inding a solution to big data’s disparate impact […] will require a wholesale reexamination of the meanings of “discrimination” and “fairness’’’.

150 See by analogy Weerts et al, ‘Algorithmic Unfairness Through the Lens of EU Non-Discrimination Law’ (n 44) 10. For the opposite view, see Hacker (n 16) 1172. Regarding the fourth-dimensional conception of substantive equality, pursuant to which equality is intended to redress disadvantage, tackle stigma, stereotyping, prejudice and violence, facilitate participation in decision-making and social inclusion, and promote structural changes and the accommodation of difference, see S Fredman, Discrimination Law (3rd edn, Oxford University Press 2023) 29–44; S Fredman, ‘Substantive Equality Revisited’ 14 (3) (2016) International Journal of Constitutional Law 712–38.

151 See I Solanke, Discrimination as Stigma: A Theory of Anti-Discrimination Law (Hart Publishing 2017).

152 See J Hakkarainen, ‘Naming Something Collective Does Not Make It So: Algorithmic Discrimination and Access to Justice’ 10 (4) (2021) Internet Policy Review 13. The different conceptual approaches between data protection and non-discrimination law with regard to algorithmic discrimination are also noted by Gerards and Xenidis (n 19) 49–50. For the view that non-discrimination law is more apt than data protection law to address algorithmic discrimination, see Mann and Matzner (n 13).