Abstract
The General Data Protection Regulation (GDPR) of the European Union has established regulations on automated decisions in Article 22 with the proliferation of artificial intelligence. In response, the Personal Information Protection Act (PIPA) of South Korea, serving as a counterpart to the GDPR, has recently incorporated provisions for automated decisions under Article 37-2 through an amendment. Although the PIPA follows a distinct legal framework from the GDPR, it is crucial to ensure an equivalent level of protection for fundamental rights. Recognising this concern, this study analyses the differences between the PIPA and GDPR regarding automated decisions, focusing on three aspects: format, target, and content. This analysis identifies that the PIPA lacks comprehensive safeguards for data subjects in certain aspects compared to the GDPR. First, regarding the format, the PIPA grants the right to object rather than establishing a general prohibition on automated decisions, posing limitations in protecting individuals who are unable to effectively exercise their rights. Second, in terms of the target, the PIPA regulates a completely automated status at the overall system level, creating a regulatory vacuum for a multi-stage profiling system. Third, concerning the content, the PIPA faces several technical and practical limitations that remain unresolved in delineating the content of the right to explanation. Building upon this analysis, this study proposes potential legislative and interpretive remedies to address these concerns based on each aspect.
Publisher
Springer Science and Business Media LLC