GDPR Article 22 provides that data subjects have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them. The provision applies across the European Union and, through adequacy decisions and standard contractual clauses, affects any organisation worldwide that processes EU residents' personal data.
The provision is not an outright prohibition. Rather, it establishes a default right, then carves out three exceptions under which automated decision-making is lawful, each carrying its own set of mandatory safeguards. The legal text appears in Regulation (EU) 2016/679, Article 22(1)–(4). Recitals 71 and 72 provide interpretive context that regulators and courts have relied upon heavily.
Understanding Article 22 has become a practical requirement for legal teams deploying AI tools, because several categories of legal AI output — risk scores, settlement valuations, counterparty assessments — arguably fall within the provision's scope.
Legal teams sit at the intersection of two distinct pressures. On one side, clients and counterparties whose data is processed have enforceable rights under Article 22. On the other, law firms and legal departments that deploy AI tools are themselves data controllers or processors with compliance obligations. The provision matters in both directions.
Client-facing AI outputs. When a law firm uses an AI tool to generate a risk score for a counterparty, assess creditworthiness, or produce an automated valuation that forms the basis of a settlement recommendation, the person on the receiving end of that output may have Article 22 rights. If the output "produces legal effects" — changes a legal position, triggers a contractual right, or determines access to a service — Article 22 is engaged. If it "significantly affects" a person — the phrase from Recital 71 — the same analysis applies even if no formal legal effect flows.
Internal workflow design. Lawyers who use AI-assisted document review, contract analysis, or due diligence tools must structure workflows to ensure a qualified human makes the ultimate decision. Simply routing an AI output to a lawyer who approves it without substantive review does not satisfy Article 22, according to guidance from the European Data Protection Board (EDPB Guidelines 05/2020 on automated individual decision-making). The EDPB has stated explicitly that the human involved must have the authority and capability to override the automated output and must actually exercise that capacity — not merely rubber-stamp results.
Enforcement data. As of 2025, DPA enforcement actions citing Article 22 have escalated. The Dutch DPA (AP) fined a financial institution €3.7 million in 2022 partly on Article 22 grounds. The Irish DPC has opened investigations into AI-assisted profiling in financial services. The aggregate enforcement picture, documented in the DLA Piper GDPR Fines & Litigation Report 2025, shows Article 22 citations appearing in roughly 14% of all GDPR enforcement actions involving automated processing.
For legal AI procurement specifically, the EDPB guidance means that a vendor's claim that its tool "supports human oversight" must be interrogated: does the human reviewer have enough information to actually evaluate the AI's output, and is there a documented process for doing so?
How It Works (Technical)
Article 22 is triggered by three cumulative elements: (1) a decision; (2) based solely on automated processing; (3) that produces legal effects or similarly significant effects.
"Decision" is interpreted broadly. It does not require a formal ruling. A recommendation that is followed in practice without independent evaluation has been treated as a de facto decision by national DPAs.
"Solely" is the most litigated element. The natural reading is that human involvement breaks the chain. However, the EDPB Guidelines 05/2020 clarify that purely token human involvement — where a human approves without reviewing the underlying analysis — does not satisfy the "solely" threshold. This is sometimes called the "rubber stamp" problem. If a lawyer approves 200 AI-generated contract risk summaries per day without independently evaluating the underlying documents, regulators may conclude that the decision is functionally automated, regardless of the nominal human in the loop.
"Legal effects or similarly significant effects" covers the obvious cases (a court order, a contract termination) and extends further: the EDPB's examples include decisions that affect access to services, financial conditions, or that have "a serious impact" on circumstances, behaviors, or choices. For legal contexts, this captures: automated litigation risk scores shared with clients, AI-generated creditworthiness assessments of borrowers in transactional due diligence, and settlement valuation outputs that are presented as binding recommendations rather than analytical inputs.
Three lawful exceptions under Article 22(2):
- (a) The decision is necessary for the performance of, or entering into, a contract between the data subject and the controller.
- (b) The decision is authorised by EU or member state law with appropriate safeguards.
- (c) The data subject has given explicit consent (noting that consent must meet GDPR's high threshold — freely given, specific, informed, and unambiguous).
When an exception applies, Article 22(3) requires: the right to obtain human review, the right to express views, and the right to contest the decision. These safeguards must be implemented in the workflow, not merely recited in a privacy notice.
Intersection with EU AI Act. The EU AI Act (Regulation 2024/1689) adds a structural layer. Article 26 of the AI Act imposes obligations on deployers of high-risk AI systems, including human oversight requirements that overlap with Article 22 but operate independently. Where a legal AI tool qualifies as a high-risk system under EU AI Act Annex III, both regimes apply. The EU AI Act does not supersede GDPR Article 22; each must be satisfied on its own terms.
How Legal AI Vendors Address It
LegalFly explicitly addresses Article 22 in its data processing documentation and terms of service. Its workflow design builds in mandatory human review steps before any output is presented as actionable. LegalFly also discloses, in its privacy documentation, the categories of processing that may engage Article 22 and the exceptions it relies upon. Limitation: LegalFly's Article 22 compliance depends on the law firm's internal workflow actually implementing the human review steps the tool is designed for — the tool cannot enforce lawyer conduct.
Legora is an EU-native legal AI platform that treats Article 22 compliance as a design constraint rather than an afterthought. Its system architecture routes all outputs through a documented human review interface, and it maintains audit logs that can support a data subject's request for human review. Legora has published a compliance brief mapping its features to EDPB Guidelines 05/2020. Limitation: Legora's audit logging is helpful for demonstrating process, but it does not itself ensure that the reviewing lawyer has sufficient expertise to evaluate the AI output substantively.
Harvey AI addresses Article 22 primarily through its framing of outputs as "drafts for lawyer review" rather than decisions. This framing is legally significant: if outputs are presented as analysis rather than determinations, and if a lawyer genuinely reviews and independently decides, the "solely automated" element may not be met. Limitation: the framing alone does not determine legal status. If Harvey is used in a workflow where outputs are consistently adopted without independent review, the functional reality may trigger Article 22 regardless of how outputs are labelled.
A note on vendor assurances generally. No legal AI vendor can guarantee Article 22 compliance on behalf of the law firm or legal department deploying the tool. Article 22 compliance is a property of the overall decision-making workflow — including human behaviour — not of the tool in isolation. Vendor documentation is a starting point for due diligence, not a compliance certification.
How Lawyers Should Verify / Apply It
- Map your AI outputs to the Article 22 triggers. For each AI tool deployed, document: what output does it produce? Does that output produce legal effects or significantly affect data subjects? If yes, identify which Article 22(2) exception you are relying upon. This mapping should be recorded in your records of processing activities (RoPA) under GDPR Article 30.
- Test your human review for substantiveness. Ask honestly: does the lawyer reviewing an AI output have access to the underlying analysis, the ability to override the result, and the time to do so? If a reviewer approves 50+ AI-generated assessments per hour, document the basis on which that review is considered meaningful. EDPB Guidelines 05/2020 paragraph 38 sets out the criteria regulators will apply.
- Implement the Article 22(3) safeguards procedurally. If your workflow relies on one of the three exceptions, you must provide: a mechanism for data subjects to request human review, a channel for them to express views, and a process for contesting the decision. These cannot be buried in a privacy notice — they must be accessible and functional.
- Review vendor DPAs for Article 22 risk allocation. Your data processing agreement with AI vendors should specify who is the controller for Article 22 purposes, what the vendor's obligations are if a data subject exercises their rights, and how the vendor supports the human review requirement technically.
- Document your compliance rationale. Under GDPR's accountability principle (Article 5(2)), you must be able to demonstrate compliance. Maintain records of: the exception relied upon, the safeguards in place, the human review process, and any data subject requests received and how they were handled.
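The "substantive review" test in the checklist above can be run mechanically against the audit logs that review tooling produces, which also gives the accountability record the last step asks for something concrete to point at. The script below is an added example, not code from this page or from any vendor it names. It assumes a hypothetical JSON-lines audit log with fields `case_id`, `reviewer`, `ai_output`, `opened_at`, `closed_at`, `final` and `docs_opened` (the sample records are constructed); the 50-decisions-per-hour threshold is the figure the checklist uses, while the minimum median review time, the minimum rate of opening underlying documents and the sample size for the "never overrides" check are assumed values a firm would set for itself.

```python
"""Rubber-stamp indicators over an AI-review audit log (added example; constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def make_constructed_log() -> str:
    """Build constructed JSON-lines audit records. Not real data; field names are hypothetical."""
    base = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    lines = []
    # Reviewer A: four reviews of 10-15 minutes, underlying documents opened, one override.
    for i, (minutes, final) in enumerate([(12, "high"), (15, "low"), (10, "high"), (14, "high")]):
        opened = base + timedelta(minutes=20 * i)
        lines.append(json.dumps({
            "case_id": f"A-{i}", "reviewer": "a.lawyer", "ai_output": "high",
            "opened_at": opened.isoformat(),
            "closed_at": (opened + timedelta(minutes=minutes)).isoformat(),
            "final": final, "docs_opened": True}))
    # Reviewer B: 60 approvals inside one clock hour, 20 seconds each, documents never opened.
    for i in range(60):
        opened = base + timedelta(seconds=60 * i)
        lines.append(json.dumps({
            "case_id": f"B-{i}", "reviewer": "b.lawyer", "ai_output": "high",
            "opened_at": opened.isoformat(),
            "closed_at": (opened + timedelta(seconds=20)).isoformat(),
            "final": "high", "docs_opened": False}))
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse JSON lines into records with timezone-aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["opened_at"] = datetime.fromisoformat(rec["opened_at"])
        rec["closed_at"] = datetime.fromisoformat(rec["closed_at"])
        records.append(rec)
    return records


def reviewer_stats(records: list) -> dict:
    """Per-reviewer throughput, review time, override rate and document-access rate."""
    by_reviewer = defaultdict(list)
    for rec in records:
        by_reviewer[rec["reviewer"]].append(rec)
    stats = {}
    for reviewer, recs in by_reviewer.items():
        per_hour = defaultdict(int)  # decisions closed per clock hour
        for rec in recs:
            per_hour[rec["closed_at"].replace(minute=0, second=0, microsecond=0)] += 1
        durations = [(r["closed_at"] - r["opened_at"]).total_seconds() for r in recs]
        overrides = sum(1 for r in recs if r["final"] != r["ai_output"])
        stats[reviewer] = {
            "decisions": len(recs),
            "peak_per_hour": max(per_hour.values()),
            "median_seconds": median(durations),
            "override_rate": overrides / len(recs),
            "docs_opened_rate": sum(1 for r in recs if r["docs_opened"]) / len(recs),
        }
    return stats


def flag_rubber_stamp(stats: dict, max_per_hour: int = 50, min_median_seconds: float = 120,
                      min_docs_rate: float = 0.5, min_sample: int = 20) -> dict:
    """Return reviewers whose pattern looks like token approval, with the reasons.

    max_per_hour is the checklist's figure; the other thresholds are assumed values.
    """
    findings = {}
    for reviewer, s in stats.items():
        reasons = []
        if s["peak_per_hour"] >= max_per_hour:
            reasons.append(f"{s['peak_per_hour']} decisions in one hour (threshold {max_per_hour})")
        if s["median_seconds"] < min_median_seconds:
            reasons.append(f"median review time {s['median_seconds']:.0f}s (minimum {min_median_seconds}s)")
        if s["decisions"] >= min_sample and s["override_rate"] == 0:
            reasons.append(f"never overrode the AI output across {s['decisions']} decisions")
        if s["docs_opened_rate"] < min_docs_rate:
            reasons.append(f"underlying documents opened in {s['docs_opened_rate']:.0%} of reviews")
        if reasons:
            findings[reviewer] = reasons
    return findings


if __name__ == "__main__":
    found = flag_rubber_stamp(reviewer_stats(parse_log(make_constructed_log())))
    for reviewer, reasons in found.items():
        print(reviewer)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it prints the flagged reviewer and the reasons; in practice the output would be attached to the Article 5(2) record alongside the exception relied upon, so that "human review is meaningful" is a documented measurement rather than an assertion.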