Art.22 ¶1 declares:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

without stating who is liable for infringements. Paragraph 3 says

the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

That assumes the data controller is aware of and in control of the AIDM. Often data processors implement AIDM without the data controller even knowing. Art.28 ¶1 says:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Of course what happens in reality is processors either make no guarantee or the guarantee is vague with no mention of AIDM. So controllers hire processors blindly. When the controller is some tiny company or agency and the processor is a tech giant like Microsoft or Amazon, it’s a bit rich to put accountability on the controller and not the processor. The DPAs don’t want to sink micro companies because of some shit Amazon did of which the controller was not even aware.

As a data subject I have little hope that a complaint of unlawful AIDM will play out. It’s like not even having protection from AIDM. Article 29 Working Party wrote AIDM guidelines in 2017, but they make no mention of processors.

  • debanqued@beehaw.org (OP)
    6 months ago

    Exactly: don’t use the black box.

    That is not what I said. I never said don’t use it. I said black boxes bring problems that require sensible policy.

    Of course it makes sense to use black boxes. Someone running a bakery does not have the competency and resources to deploy an email service. Outsourcing email is the only option that makes the business case viable, unless they discard email entirely, in which case they lose business from customers who insist on emailing orders. From there, all processors are black boxes. There is no email provider who gives you the keys to the castle. And even if they did, as a baker you wouldn’t know what you’re looking at anyway. Your choice is: use the black box or get into the tech business.

    Not even Microsoft can handle email alone. They outsource to Spamhaus, another black box. And Spamhaus outsources to Cloudflare – yet another black box.

    • iii@mander.xyz
      6 months ago

      That is not what I said.

      I know, it’s what I said. The sensible thing is to not use them.

      The choice between (1) use a black box and (2) start a tech company, as you presented it in the bakery case, is a false dichotomy. Managed open source is the middle ground.

      • debanqued@beehaw.org (OP)
        6 months ago

        The choice between (1) use a black box and (2) start a tech company, as you presented it in the bakery case, is a false dichotomy. Managed open source is the middle ground.

        It’s a false middle ground. It is still taking on the burden of tech knowledge. It’s a true dichotomy, as follows:

        ① use a black box
        ② become technical

        (or trichotomy if you figure the baker can nix email)

        You still have to understand what’s going on in the FOSS box even if it’s managed – otherwise you are in the same position. The point of being managed is to have someone else perform the work you don’t understand. That managed box is still likely to use a Spamhaus gatekeeper or the like which the baker has no clue about. The baker is still unlawfully using AIDM, unwittingly, because he just saw the ad for the managed service saying “spam free” – thinks that’s good but has no idea what questions to ask or how it can go badly. He could just as well ask the relevant questions of the black-box provider. Just the same, his business carries on uninformed about GDPR infringement.

        BTW, you’re also wrong about managed open source services giving you the needed info, even if the customer is highly technical. I use a managed service of FOSS software. I can see the source code that runs on the box but I cannot see how it is installed or configured. The account dashboard I get is a nannied subset of control. I can do basic tasks like create users, but I cannot see the backend configs or even an inventory of other software running on the host. There could be all kinds of snooping and shenanigans on that host and I have no way of verifying it. It could be littered with AIDM abuses, but I don’t have a root shell account on that host.

        It’s the same problem in the end. The data processors have no legal accountability for the logic that they control. At the same time, they are not even required to disclose the AIDM logic, or even the existence of it, to the data controller. Yet the controller is exclusively liable for what they potentially do not control – or even have awareness of. This is all still possible if the processor runs a managed open source service.