1.Introduction

The advent of ICT (Information and Communications Technology) has entailed significant prospects for development, affecting almost all parts of society. ‘As a social institution, albeit governed by the principle of legality and the need to follow the political guidelines imposed by the government’L Torchia & SC Matteucci (eds), La tecnificazione (Firenze University Press 2016) 8-9., the public administration has also been affected by what has been defined as the ‘fourth industrial revolution’, which requires a body of rules that can favour its development whilst at the same time containing any potential collateral affects. As far as the public administration is concerned, one of the most significant factors within the current process of renewal is without doubt the introduction of algorithms into administrative procedures.On this issue see MS Bonomi, La motivazione dell’atto amministrativo: dalla disciplina generale alle regole speciali (Roma Tre Press 2020) 48 et seq. This has been defined as a ‘complex move from a condition of street-level bureaucracy to a condition of screen-level bureaucracy, that is a condition under which the administrative act is no longer adopted by the individual official to one in which the measure is implemented by a decision taken by the programming algorithm.’

An algorithm is defined as a series of logical operations that, starting from specific input data, provide particular output data according to a finite sequence of steps.TH Cormen et al, Introduction to Algorithms (MIT Press 2010). In simpler terms, it may be asserted that ‘the principal purpose of algorithms, from the simplest through to the most complex, is to solve problems quickly and impartially’.G Orsoni & E D’Orlando, ‘Nuove prospettive dell’amministrazione digitale: Open data e algoritmi’ (2019) 3 Istituzioni del federalismo. See also MC Cavallaro & G Smorto, ‘Decisione pubblica e responsabilità dell’amministrazione nella società dell’algoritmo’ (2019) 16 Federalismi.it. According to the authors, ‘in many areas algorithms are set to become the instrument for correcting the distortions and imperfections that typically characterise cognitive processes and choices made by human beings, which have been brought to the fore above all in recent years by a considerable body of literature on behavioural economics and cognitive psychology: whereas human beings encounter the limits to their bounded reason and fall prey to emotions, passions and often irrational choices, the algorithm transforms questionable assessments into a finite sequence of logical steps with the goal of making objective and rational choices’.

It is precisely these promises of rapidity and impartiality that make algorithms attractive for administrative procedures, in particular those involving ‘procedures that are serial or standardised, involving the processing of very large numbers of applications, based on the acquisition of data that are certain and objectively verifiable, without any discretionary assessment, or otherwise featuring a high level of mandatory action’.G Orsoni & E D’Orlando (n4); FP Griffi, ‘La decisione robotica’ www.giustizia-amministrativa.it accessed 16 May 2021. However, it is necessary to guard against the temptation to endorse excessively simplistic solutions. It has been stressed in the literature that ‘there is no doubt that to allow algorithms to make decisions is beneficial in that it makes it possible to solve complex issues using instruments that are largely rational, efficient and potentially neutral’.G Orsoni & E D’Orlando, ‘Nuove prospettive dell’amministrazione digitale: Open data e algoritmi’ (2019) 3 Istituzioni del federalismo However, this must not lead us to underestimate the fact that, ‘as sequences of operations, algorithms are not in themselves positive or negative, but depend on the intent with which and the way in which they have been designed and are subsequently used’.G Orsoni & E D’Orlando, ‘Nuove prospettive dell’amministrazione digitale: Open data e algoritmi’ (2019) 3 Istituzioni del federalismo. This means that the supposed neutrality of algorithms, thereby enabling an automated administration to operate in an effectively impartial manner, is only hypothetical.See further F Pasquale, The black box society. The secret algorithms that control money and information (Harvard University Press 2015). In light of the above, it is therefore essential that lawmakers put rules in place to ensure that the right balance is struck between the principles of value for money, impartiality, and the proper conduct of the administration through what may be defined as ‘automated administrative action’.

2.The use of algorithms within administrative procedures: a comparison between national laws in France, Spain and Italy

When confronted with the challenges posed by the use of algorithms within administrative procedures, national lawmakers have pursued widely varying approaches.In general, in accordance with part of the doctrine, we can identify four different regulatory approaches by EU member states: ‘in particular, we have identified four different approaches: a negative approach, a neutral approach, a procedural approach and a proactive approach. In particular, a first approach is what we can call negative: the Member State does not provide any specific case of permitted automated decision making (under Article 22(2), lett. b, GDPR). It is the case of most countries, eg Italy, Romania, Sweden, Denmark, Poland, Finland, Cyprus, Greece, Czech Republic, Estonia, Lithuania, Bulgaria, Latvia, Portugal, Croatia, Slovakia, Luxembourg, Malta, Spain. A second approach is what we can call neutral: the Member State has implemented Article 22(2), lett. b, GDPR but it proposes no specific ‘suitable measure to safeguard the data subject’s rights and freedoms and legitimate interests’. It is the case of Germany and, partially, of Austria and Belgium. A third approach is what we can call procedural: some Member States provide specific safeguards under Article 22(2), lett. b, that are mainly based on a description of procedures that data controllers should take when they perform automated decision-making on individuals (eg notification, review, etc.) or some forms of algorithm impact assessment. It is the case of United Kingdom, Ireland and, partially, Slovenia. A fourth approach is what we can call proactive: some Member States propose new and more specific safeguards under Article 22(2), lett. b (eg the right to know weighting parameters of algorithms, etc.). It is the case of France and Hungary’. G Malgieri, ‘Automated decision-making in the EU Member States: The right to explanation and other “suitable safeguards” in the national legislations’ (2019) 35 Computer Law & Security Review. Emblematic of these different approaches are France, which has adopted detailed rules, Spain, which has launched a process of deregulation, and Italy, which still today lacks a specific body of rules. Based on an analysis of these models, this paper will attempt to clarify whether EU law has any role to play in regulating the significant and increasingly widespread phenomenon of algorithmic administration. In particular, it will attempt to verify whether, based on the provisions and principles of EU law, it is possible to identify a minimum core of rights and guarantees afforded to citizens affected by automated administrative decisions, irrespective of the quality and quantity of state legislation.

2.1.The French model

French law sets itself apart from other EU Member States by the level of detail with which it has regulated the use of algorithms within public decision-making, and more generally the relationship between public power and new technologies.CH Hofmann, ‘Digitalisation and European Public Law of Information’ in JB Auby (ed), Le futur du droit administratif (LexisNexis 2019) 18. This was done in Loi no. 2016-1321 du 7 octobre 2016 pour une République numérique [Law no. 2016-1321 of 7 October 2016 on a Digitalised Republic], which made a series of changes to the Code des relations entre le public et l'administration [Code on Relations between the Public and the Administration] (CRPA), adopting some specific rules in the area of algorithmic governance.D Bourcier & P De Filippi, ‘Transparence des algorithmes face à l’open data: quel statut pour les données d’apprentissage’ (2018) 3 Revue française d'administration publique. In particular, Article L. 311-3-1 CRPA provides that

any individual decision made on the basis of algorithmic processing must be expressly disclosed to the data subject. The provisions governing this processing and the principal manner in which it is implemented must be reported by the administration to the data subject upon request.Code des relations entre le public et l'administration (CRPA) art L. 311-3-1.

Article R. 311-3-1-2 goes on to introduce further forms of protection, providing for a right of access for private individuals to various information concerning the algorithm used, which must be provided by the administration in an intelligible manner, i.e. using language that is readily understandable to that person, which must necessary be different from mathematical language.This is an enhanced notion of the concept of transparency, which presupposes not only that the administration provides the public with certain information but that it does so using a language that makes it fully understandable for the recipient. See further E Mouriesse, ‘L'opacité des algorithmes et la transparence administrative’ (2019) 1 Revue française de droit administratif. In particular, the administration is required to state the extent to which, and the way in which, the algorithm affected the decision; the data processed and where the data was obtained from; the criteria used for processing, as well as the extent to which they impacted upon the decision.This provision must be read in light of Article L. 311-5 of the CRPA, which sets out the specific circumstances under which it is not permitted to disclose the constituent elements of an algorithm on which an administrative decision is based where it relates to a matter for which the law imposes a requirement of secrecy. The Conseil Constitutionel has considered this issue, and held in judgment no. 2018-765 that ‘an automated individual decision cannot be taken using an algorithm where the principles governing its operation cannot be disclosed without violating one of the secrets or interest referred to under paragraph 1 of Article L. 311-5 CRPA’. Alongside the right of access mentioned above, the law subjects certain public administrations, identified according to the criterion of staff numbers, to a duty of transparency. In fact, the combined provisions of Articles L. 312-1-3 and D. 312-1-4 CRPA establish an obligation for administrations with more than 50 staff to publish online, on the body’s official website, the rules setting out the main types of algorithmic processing used during the performing of their tasks where individual decisions are made on the basis of such processing.

French law is also particularly developed as regards the protection afforded to private individuals in relation to the risk of ‘algorithmic discrimination’. In fact, Article 10 of the Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés [Law no. 78-17 of 6 January 1978 on information technology, data processing and civil liberties], as amended following the adoption of Directive 95/46/EC, provides that ‘no decision that results in legal effects for an individual may be taken exclusively on the basis of the automated processing of data intended to establish the data subject’s profile or to assess particular aspects of his personality’,JB Auby, ‘Il diritto amministrativo di fronte alle sfide digitali’ (2019) 3 Istituzioni del Federalismo; JB Auby, ‘Le droit administratif face aux défis du numérique’ (2018) 15 Actualité Juridique du Droit Administratif; JB Auby, ‘Contrôle de la puissance publique et gouvernance par algorithme’, in DU Galetta & J Ziller (eds), Le droit public face au défi des technologies de l’information et de la communication, au-delà de la protection des données (Nomos 2018). On this issue see also S Sassi, ‘Gli algoritmi nelle decisioni pubbliche tra trasparenza e responsabilità’ (2019) 1 Analisi Giuridica dell’Economia. According to the author, ‘the third condition that limits the adoption of an entirely automated decision is engaged where the algorithm is involved in the processing of sensitive data pursuant to paragraph 1 of Article 8 of the loi du 6 janvier 1978, that is personal data relating to ethnic origin, political views, religious or philosophical convictions, trade union membership, genetic, biometric and health data, or data relating to the sexual life or orientation of a natural person’. For a detailed examination of this issue, see also JB Duclerq, ‘L'automatisation algorithmique des décisions administratives individuelles’ (2019) 2 Revue du droit public. such as personal data relating to ethnic origin, political views, religious or philosophical convictions, trade union membership, genetic, biometric and health data, or data relating to the sexual life or orientation of a natural person. Finally, the principles set out in French legislation on algorithmic governance were implemented by judgment no. 2018-765 of the Conseil Constitutionel,See <https://www.conseil-constitutionnel.fr/decision/2018/2018765DC.htm> accessed 16 May 2021. which addressed for the first time the delicate issue of the use of algorithms based on ‘machine learning’. These are algorithms capable of evolving independently of human control with the aim of becoming increasingly accurate, subject, however to the collateral effect of becoming absolutely incomprehensible for the human mind.See further C O’Neil, Weapons of math destruction (Crown Publishers 2016) 75. According to O’Neil, ‘with machine learning, a fast-growing domain of artificial intelligence, the computer dives into data, following only basic instructions. The algorithm finds pattern on its own, and then, through time, connects them with outcomes’. The issue is considered in greater detail also in AG Orofino & G Gallone, ‘L’intelligenza artificiale al servizio delle funzioni amministrative: profile problemaitici e spunti di riflessione’ (2020) 7 Giurisprudenza italiana. According to the Conseil Constitutionnel,

the controller must guarantee control over the algorithmic processing and its development so as to be able to explain to the data subject, in a detailed and intelligible manner, how his or her data have been processed. Consequently, algorithms that are capable of reviewing the rules that they apply cannot be used as an exclusive basis for an individual administrative decision without [human] control and validation by the controller.See further B Raganelli, ‘Decisioni pubbliche e algoritmi: modelli alternativi di dialogo tra forme di intelligenza diverse nell’assunzione di decisioni amministrative’ (2020) 22 Federalismi.it.

This decision of the Conseil Constitutionel confirms the avant-garde approach of French law to administrative automation, including in those sectors such as machine learning, in which regulation appears to be more difficult due to the high degree of technical complexity inherent to the issues addressed.

2.2.The Spanish model

The Spanish model is the antithesis to the French model, which takes particular care to regulate the use of algorithms within administrative procedures. A number of years ago Spanish lawmakers launched a process of deregulation, which applies in particular to the legislation governing the use of algorithms within public decision making. The starting point for the discussion set out below is Article 18(4) of the Spanish Constitution of 1978. This is a far-sighted provision, anticipating by around thirty years certain issues that are currently of topical relevance. Specifically, it introduces a kind of precautionary principle in relation to the use of IT instruments, charging the law with identifying ‘limits on the use of IT in order to safeguard the honour and personal and family intimacy of citizens as well as the full exercise of their rights.’ This constitutional policy statement was implemented by Article 45 of Ley 30/1992 de Régimen Jurídico de las Administraciones Públicas y of the Procedimiento Administrativo Común [Law no. 30/1992 on the Legal Framework applicable to the Public Administrations and Common Administrative Procedures]. This provision first sets out the principle that

the public administrations shall promote the use and application of electronic, information technology and remote techniques and systems in order to carry out their activities and to exercise their powers, subject to the limitations laid down by the Constitution and according to law,Ley 30/1992 de Régimen Jurídico de las Administraciones Públicas y of the Procedimiento Administrativo Común, art 45.

then going on to identify a primary, important form of protection for any person(s) affected by decisions taken with the assistance of administrative instruments. Specifically, it provides that ‘programmes and electronic, information technology and remote applications […] used by the public administrations when exercising their powers must be approved in advance by the competent body, which must give public notice of their characteristics’. This legislation is also particularly innovative when considering the time of its enactment. In line with the Constitution, it first promotes the use of new technologies whilst however subjecting their deployment to a requirement to comply with certain minimum guarantees for the citizen, such as the requirement for prior approval of programmes (and hence also of algorithms) by the administration, along with the obligation to disclose/publish their characteristics.

However, starting from 2007, Spanish law (which had previously been characterised by its early attention to the relationship between new technologies and public power) launched a process of deregulation which, as is clearly apparent, has had the effect of reducing the range of protection offered to private individuals affected by decisions that have been automated either in full or in part.AB Palop, ‘Los algoritmos son reglamentos: la necesidad de extender las garantías propias de las normas reglamentarias a los programas empleados por la administración para la adopción de decisiones’ (2020) 1 Revista de derecho pùblico. The legislation was introduced by Ley n. 11/2007de acceso electrónico de los ciudadanos a los Servicios PúblicosFor a commentary on the legislation, see LC Hueso, ‘Derechos del ciudadano’ in EG Casado & JV Torrijos (eds), La Ley de Administración Electrónica (Thomson-Aranzadi 2008) 117-233. [Law no. 11/2007 on electronic access by citizens to Public Services]. In particular, Article 39 of the Law provides that

in the event that administrative action is automated, the bodies responsible for defining technical specifications, programming, maintenance, supervision, quality control and, as the case may be, the auditing of the information technology system [algorithm] and its source code must be identified in advance. The body responsible for receiving any challenge must also be identified.Ley n. 11/2007 de acceso electrónico de los ciudadanos a los Servicios Públicos, art 39.

Thus, in contrast to the provisions previously laid down by Article 45 of ley n. 30/1992, Article 39 of leyn. 11/2007 does not subject the administration to any requirement to obtain prior approval for the algorithmic instrument used within the administrative procedure. Similarly, it removes the requirement to publish the principal characteristics of the algorithmic programme, it now being sufficient merely to identify the body responsible for its management, along with the body responsible for receiving any challenges to the decision.JV Torrijos, ‘Las garantías jurídicas de la inteligencia artificial en la actividad administrativa desde la perspectiva de la buena administración’ 58 Revista catalana de dret públic; IM Delgago, ‘L’amministrazione digitale come nuovo modello di amministrazione’ in D Marongiu & IM Delgado, Diritto amministrativo e innovazione. Scritti in ricordo di Luis Ortega (ESI 2016) 60-61. In keeping with the general approach previously followed, Spanish lawmakers have made further provisions in this area, approving two separate laws: Ley n. 40/2014 de Régimen Jurídico of the Sector Público [Law no. 40/2014 on the Legal Regime applicable to the Public Sector], which replaced ley n. 11/2007, and Ley n. 39/2015 del Procedimiento Administrativo Común de las Administraciones Públicas [Law no. 39/2015 on the Common Administrative Procedure for the Public Administrations], which replaced Leyn. 30/1992.

Article 41 of Leyn. 40/2014 introduces a new notion of ‘automated administrative activity’, consisting in ‘any act or action carried out entirely remotely by a public administration in relation to an administrative procedure in which a public sector employee has not been directly involved’. Paragraph 2 goes on to identify the guarantees offered to any private individual affected by an automated administrative measure, essentially reiterating the model previously laid down by Article 39 of Ley n. 11/2007, i.e., limiting itself to subjecting the administration to the sole burden of identifying the body responsible for managing the algorithm and the body responsible for receiving any challenges. It is apparent from the wording of the legislation that Spanish lawmakers have sought to progressively reduce the range of guarantees provided to private individuals affected by an automated administrative procedure. In fact, in contrast to what happened in the past, the law as currently applicable does not require any prior checks to be carried out to ensure the proper operation of the algorithm, and, above all, does not require that its characteristics be made public.

As has been stressed within the Spanish literature, ‘the reduction in the legal guarantees [provided to any person affected by an automated administrative procedure] must be associated with the objective of enabling information technology instruments to be used within administrative procedure more frequently and with greater ease.’Palop (n19). However, one must not overlook the fact that the balance struck within Spanish law between the two interests at play (dissemination of new technologies throughout the public administration and protection of citizens’ rights) does not appear to be optimal. In fact, it appears to be excessively skewed in favour of promoting the use of algorithms within administrative procedures, to the detriment of the minimum core of rights typically granted to private individuals in relation to administrative procedures.

2.3The Italian model

As far as Italian law is concerned, it should be noted that – in contrast to French law, which takes particular care to regulate administrative automation, and Spanish law, which has chosen the opposite path of deregulation aimed at promoting its dissemination – it has essentially chosen (for the time being) not to regulate the use of algorithms within administrative procedure. This means that there is ‘essentially a gap in the law, despite the growing social and academic attention (and in some cases concern) at the growing use of algorithms within public decision making.’A Sola, ‘Inquadramento giuridico degli algoritmi nell’attività amministrativa’ (2020) 16 Federalismi.it. In fact, all the provisions approved to date by Italian lawmakers have addressed the computerisation and digitalisation of administrative procedures, whilst entirely disregarding the potential for automation.

An example of this is provided by Article 3-bis of Italian Law no. 241/1990,As introduced by Article 3 of Italian Law no. 15 of 2005. The text of the legislation is as follows: ‘in order to operate more efficiently, the public administrations are incentivising the use of remote means of communication within internal relations among the various administrations and between the administrations and private individuals’. the Italian Law on Administrative Procedure, which sets out incentives for the use of information technology within relations among public administrations and between administrations and private individuals, with a view to enhancing the efficiency of administrative action, without however making provisions regarding automated administrative procedures. In the same way, Legislative Decree no. 82/2005, better known as the Digital Administration Code [Codice dell’Amministrazione Digitale, CAD], does not deal with the automation of administrative action, but rather only its computerisation. This is done in Article 41 CAD, entitled ‘computerised procedures and files’, which is limited to laying down certain rules applicable to the digitalisation of administrative documents, in addition to guaranteeing data interoperability between the digital platforms used by the various public administrations involved in any given administrative procedure (in accordance with the ‘digital first’ principle). However, the issue of the automation of administrative procedure does not appear to be entirely absent from public debate. In particular, it is important to note the publication of a White Paper on Artificial Intelligence at the service of the citizen by the Agency for a Digital Italy (Agenzia per the Italia digitale, AgID) in March, containing a number of insights into, and discussion of, the potential role of AI within the public administration over both the short and the medium termFor a detailed analysis of the contents of the study, see M Tresca, ‘I primi passi verso l’Intelligenza Artificiale al servizio del cittadino: brevi note sul Libro Bianco dell’Agenzia per l’Italia digitale’ (2018) 3 Rivista di diritto dei media..

More recently, the use of algorithms within administrative procedures has been considered within the broader context of a project to reform the public administration drawn up by the ‘Committee of Economics and Social Experts’, appointed by the Italian Government in April 2020, and charged with drafting proposals for the re-launch of the country following the economic crisis caused by the COVID-19 pandemicThe plan is entitled ‘Initiatives to relaunch Italy 2020-2022’. It was drawn up by the group of experts coordinated by Vittorio Colao and presented to the Italian Government in June 2020. In particular, action no. 23 in that plan envisages the promotion of automation throughout administrative procedures, to be associated with new rules limiting the liability of public sector employees.. Both cases involve so-called ‘pre-law’ instruments. As far as the applicable law is concerned, it may therefore be noted that Italian lawmakers have still not enacted legislation to incentivise the digitalisation of administrative procedures as a minimum prerequisite for their automation, although no specific legislation has yet been enacted in relation to automation.

3.Automated administrative activity and European Regulation No 679/2016 (General Data Protection Regulation)

As noted above, when addressing the relationship between automation and administrative decision making, national lawmakers have adopted very different approaches.B Carotti, ‘Algoritmi e poteri pubblici: un rapporto incendiario’ (2020) 1 Giornale di diritto amministrativo. The author explains how ‘the position varies in legal terms from country to country and within each individual country; it is necessary to attempt to understand the phenomenon in detail in a manner that goes beyond epidermic and descriptive approaches. The case law is providing assistance, resolving some problem issues and, in some cases, laying bridges between legal systems’. The legislative gaps within some legal systems have been partially filled by European law. This has occurred specifically through European Regulation No 679/2016, known as the General Data Protection Regulation (GDPR), which, while not making direct provision to regulate the use of algorithms within administrative procedures, has been drawn upon by the courts as an instrument for resolving disputes relating to this issue. In fact, at least three provisions of the GDPR may be theoretically applicable to situations in which public decisions are made using an algorithm.

First and foremost, they may fall under point (f) of Article 13(2) and point (g) of Article 14(2) GDPR, which establish the right of the data subject to be informed concerning ‘the existence of automated decision-making’ in relation to the processing of his or her data, which results from the self-standing right to receive ‘meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.’ Article 22(1) GDPR is also relevant. This provision establishes the right of each person ‘not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.’ As will be noted below, the interpretation of these three provisions has enabled the courts to identify the basic framework governing automated administrative activity, which can avoid automation descending into arbitrariness, thereby violating the rights of individuals.

3.1.Judgment no. 8472/2019 of the Italian Council of State

The GDPR has proved particularly useful in Italy where, as mentioned above, no legislation has yet been enacted to regulate the automation of administrative action. This was particularly the case in judgment no. 8472/2019 of the Italian Council of State, which is of interest due to the tone of the arguments used by the Court in identifying the core principles that should govern the use of algorithms within administrative procedures.For a discussion of this judgment within the literature, see M Timo, ‘Il procedimento di assunzione del personale scolastico al vaglio del Consiglio di Stato’ (2020) 5 Giurisprudenza italiana; A Mascolo, ‘Gli algoritmi amministrativi: la sfida della comprensibilità’ (2020) 3 Giornale di diritto amministrativo; G Mancosu, ‘Les algorithmes publics déterministes au prisme du cas italien de la mobilité des enseignants’ (2018) Revue générale du droit; E Carloni, ‘I principi della legalità algoritmica. Le decisioni automatizzate di fronte al giudice amministrativo’ (2020) 2 Diritto Amministrativo; DU Galetta, ‘Algoritmi, procedimento amministrativo e garanzie: brevi riflessioni, anche alla luce degli ultimi arresti giurisprudenziali in materia’ (2020) 3-4 Rivista Italiana di Diritto Pubblico Comunitario.

In that decision, the Court resolved a dispute, ruling with reference to EU law and in particular Regulation No 679/2016, that had arisen regarding the use of an algorithm to draw up ranking lists under a national procedure for transferring secondary school teachers wishing to change their province of deployment. Upon completion of the procedure, it became apparent that the algorithm (the details of which were, moreover, unknown) had not worked properly, as it had instructed transfers of teachers without taking account of the preferences indicated by them regarding the new place of work, most likely due to a programming error. In the ruling, the Council of State explained how, as a general matter, the public administration must also be able to take advantage of the significant potential offered by the ‘digital revolution’, which makes it possible to achieve major results both in terms of efficiency as well as the neutrality of administrative action.

In particular, the Court held that algorithms

are set to become the instrument for correcting the distortions and imperfections that typically characterise cognitive processes and choices made by human beings; […] within that context, decisions taken by an algorithm taken on […] an aura of neutrality, having resulted from sterile, rational calculations rooted in data.Council of State, 6th Division, judgment no. 8472/2019, conclusions on points of law, section 7.1.

This is the case above all within ‘procedures that are serial or standardised, involving the processing of very large numbers of applications, based on the acquisition of data that are certain and objectively verifiable, without any discretionary assessment.’ibid section 9.1. However, as mentioned above, the neutrality of the algorithm is only apparent. In fact, as was stressed by the Court,

the usage of these instruments in actual fact entails a series of choices and assumptions that are far from neutral: the adoption of predictive models and criteria with reference to which data are collected, selected, sorted, ordered and compiled; their interpretation and the resulting formulation of judgments are all operations resulting from precise value choices, whether intentional or inadvertent. It follows from this that these instruments are required to make a series of choices, which are largely dependent upon the criteria used and the reference data drawn upon, in relation to which it has often been difficult to ensure the requisite transparency.ibid section 7.2.

In the light of these considerations, it is clear that algorithms cannot be used within administrative procedures without abiding by certain principles established to protect the rights of private individuals in the eventuality of the (potential) breakdown of the instrument used to carry out the calculation. Regarding this aspect, in judgment no. 8472/2019, the Council of State inferred three fundamental principles from EU law, compliance with which is essential for establishing the admissibility of algorithms used within administrative procedures. First of all, the principle of transparency, which can be inferred from Articles 13 and 14 GDPR, postulates the right of each person to be informed about the existence of automated decision-making in relation to him or her, and to receive meaningful information about the principal rules governing the algorithm’s operation. In other words, the principle of transparency subjects the administration to two requirements: to provide information on the existence of an automated procedure, and full transparencyibid section 13.1. This is an ‘enhanced configuration of the principal of transparency, which implies also the principle that a rule expressed in language different from legal language must be fully knowable’. The issue also involves the delicate question of the possibility of publishing the ‘source code’ for the algorithm. Generally speaking, the public administration does not have the necessary professionalism within it to develop algorithms, which means that the relevant expertise must be procured on the market. However, companies supplying these services have no interest in disclosing the source code, essentially to protect their own industrial secrets. The question was resolved by the Council of State in the judgment cited. In fact, according to the Court, ‘the confidentiality requirement of the producers of the information technology mechanisms used cannot have any relevance since, in placing those instruments in the service of the public authorities, they must evidently accept the related consequences in terms of the necessary transparency’. The same approach is apparent within resolutions no. 123-124/2016 of the Comissió de Garantia del Dret d’Accés a la Informació Pública (GAIP) of the Generalitat de Catalunya. According to the Commission, insofar as the algorithm is available to the administration, ‘it constitutes public information’ and as such ‘must be fully accessible to the public, except under the terms of any limitations, which must be duly motivated by the administration’. GAIP resolution no. 200/2017 expresses a similar position. The issue has also been considered in M Brkan & G Bonnett, ‘Legal and Technical Feasibility of the GDPR’s Quest for Explanation of Algorithmic Decisions: of Black Boxes, White Boxes and Fata Morganas’ (2020) 1 European Journal of Risk Regulation. According to the authors, ‘trade secrets, which are distinct from intellectual property rights, can potentially stand in the way of effective exercise of the right to explanation. As stipulated by the Trade Secrets Directive, a trade secret is information which is secret, has commercial value due to its secrecy and has been kept secret by reasonable steps of the information holder, such as an undisclosed know-how and business information. Algorithms can certainly fall within this definition and have been effectively covered by trade secrets in practice. Indeed, national case law has already recognised such protection and some Member States specifically offered the possibility of acquiring trade secrets over technology when transposing the Trade Secrets Directive into national law’. on the characteristics of the algorithm used. According to the Council of State, this transparency

must be guaranteed in all respects: from the authors through the procedure used for processing, to the decision making mechanism, including the priorities assigned to the procedure for evaluating the data identified as relevant and for making a decision on the basis of that data. The aim of this is to ensure that the criteria and prerequisites for and the outcome to the automated procedure comply with the requirements and purposes laid down by law or by the administration itself before carrying out that procedure and in order to ensure that the procedures and rules with reference to which the procedure was configured are clear and – consequently – amenable to review.Council of State, 6th Division, judgment no. 2270/2019, conclusions on points of law, section 8.3.

The second principle results from the requirement laid down by Article 22(22) GDPR that the decision reached using the algorithm must not be exclusive. This Article establishes the right of each person ‘not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.’ As was effectively summarised by the Council of State, the essence of the principle of non-exclusivity of algorithmic decision-making can be encapsulated in the right of each person to maintain some leeway within the decision-making process, even if minimal, as a ‘human contribution that is capable of endorsing or rejecting the automatic decision.’ibid 15.2. Finally, the third principle identified by the Council of State is that any administrative procedure must comply with the principle of algorithmic non-discrimination. This principle may be identified within recital 71 to the GDPR, which states that

the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect.Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, 4.5.2016, Recital 71.

In such cases, as the recital states, it is necessary to rectify the ‘input’ data in order to avoid any discriminatory effects in the ‘output’ decision; to achieve this, it is necessary to cooperate with whoever designs the architecture of the algorithm that is responsible for taking decisions. By this judgment, the Council of State provided an important contribution to the debate into the regulation of algorithmic processes, in line with the position taken by other European courts involved in defining the rules and principles applicable to these instruments which, despite their dissemination, still constitute a ‘frontier’ area of the law.

4.Conclusions

With reference to the three emblematic cases set out above, it may be asserted that the legal framework regulating the relationship between algorithms and public power is fragmented. Only a couple of Member States have decisively engaged with the issues described above, adopting state-of-the-art legislation. However, in many cases and in the absence of specific laws, the task of identifying rules and principles suitable for regulating algorithmic administration has been left to the courts. Within this context, European law (essentially, the GDPR) has constituted a genuine safety net for the courts, offering (at least) a minimum foundation upon which to construct regulation in this area, pending the adoption of legislation. However, it should be considered that the instruments previously used, including in particular the GDPR, feature some critical gaps of their own. Firstly, it is important not to overlook the fact that the GDPR only engages incidentally with the use of algorithms by the public administration. In fact, it was enacted in order to regulate the different issue of data protection, which is without doubt interrelated with the use of algorithms in the exercise of public powers, but is not primarily relevant for such matters. It must once again be pointed out that the main objective of the GDPR is to regulate relations between private parties, predominantly between consumers and businesses, and not relations between citizens and the public administration.Palop (n19). It is clear that these legislative instruments are insufficient and unsuitable to protect the rights of citizens as part of an automated administrative procedure.

Therefore, drawing the various threads of this paper together into a conclusion, it is necessary to postulate some possible solutions. First of all, it should be recalled that a legal basis that allows direct intervention of EU law for regulating the use of algorithms within administrative procedures does not appear to be easily identifiable.In fact, the legal basis offered by Article 114 of the TFEU does not appear to be suitable for establishing a European legislation on the issue of automatization of the administrative procedure. On the other hand, there are some areas where EU law is taking action to regulate the use of artificial intelligence, such as consumer protection and single market. On this point, see Y Meneceur, L’intelligence artificielle en procès (Lefebvre 2020) 295-305. However, whilst adhering to this premise, it is necessary to consider whether it is possible to address the issue of the automation of administrative procedures from the standpoint of EU law. Another issue is whether it is possible to identify a minimum core of guarantees for those affected by automated administrative decisions, irrespective of the quality and quantity of state legislation. The questions mentioned above may be answered in the affirmative based on an analysis of the right to good administration, construed not only as a rule enshrined in Article 41 of the EU Charter of Fundamental Rights, but as a general principle of European law. As such, it is not only binding for the institutions, organs, and bodies of the European Union, but also, if conceptualised as a general principle,Even if it is conceptualised as a general principle, it has the same content as the right to good administration under Article 41 of the EU Charter of Fundamental Rights. the right to good administration inevitably ends up conditioning the modus operandi of the individual national public administrations, introducing a minimum standard of procedural guarantees within a context (i.e., the automation of administrative procedures) that has still not been addressed by various national legal systems.On the debated on the qualification of the right to good administration, see HP Nehl, ‘Good Administration as Procedural Right and/or General Principle?’ in HCH Hofmann & AH Türk (eds), Legal Challenges in EU Administrative Law (Edward Elgar Publishing 2009); HCH Hofmann & C Mihaescu, ‘The Relation between the Charter's Fundamental Rights and the Unwritten General Principles of EU Law: Good Administration as the Test Case’ (2013) 9 European Constitutional Law Review; DU Galetta, ‘Il diritto ad una buona amministrazione nei procedimenti amministrativi oggi (anche alla luce delle discussioni sull’ambito di applicazione dell’art. 41 della Carta dei diritti UE)’ (2019) 2 Rivista italiana di diritto pubblico comunitario; DU Galetta, ‘Il diritto ad una buona amministrazione europea come fonte di essenziali garanzie procedimentali nei confronti della pubblica amministrazione’ (2005) 3 Rivista Italiana di Diritto Pubblico Comunitario; P Provenzano, I vizi nella forma e nel procedimento amministrativo fra diritto interno e diritto dell’Unione europea (Giuffrè 2015) 272-280; C Celone, ‘Il “nuovo” rapporto tra cittadino e pubblica amministrazione alla luce dell’art. 41 della carta dei diritti fondamentali dell’unione europea’ in F Astone et al (eds), Studi in memoria di Antonio Romano Tassone (Editoriale Scientifica 2017).

The adoption of such an interpretative approach would enable solutions to be offered to numerous problem issues. For example, the requirement to inform the individual affected by a measure in advance, about the use of an algorithm to make a decision relating to him/her, could be regarded as a manifestation of the general principle of the right to good administration, even in situations involving the algorithmic processing of non-personal data. In the same way, it may be possible to infer from the principle of good administration an obligation for the national authority to allow citizens’ access to information concerning the functioning and characteristics of the algorithm used, provided in a readily understandable, non-mathematical language. In addition, when interpreted as a general principle, the right to good administration may constitute a basis for significant procedural guarantees in cases involving algorithmic discrimination, or the use of any machine-learning algorithms that circumvent the obligation for administrations to provide reasons for their decisions. Finally, again based on the principle of good administration, it may be considered indispensable to retain some scope for human involvement, even if only to check that the algorithm is working properly, both during the enquiry stage and when adopting the final measure, in order to avoid any discriminatory or biased processing.

Accordingly, the regulation and use of new technologies, including by public administrations, is one of the most ambitious challenges for contemporary society. As noted above, these are issues that national lawmakers often find difficult to regulate, both due to opportunity considerations, as well as for reasons related to the objective complexity of the issues at stake. However, it is evident that technological development and ICT are proceeding at a rate that considerably outpaces lawmakers’ capacity to regulate this phenomenon. However, the absence of any regulation or, in other cases, its objectively limited scope, must not impair or restrict the rights of citizens, or – more specifically in terms of the object of this paper – those affected by automated administrative measures. It is precisely for this reason that it is considered necessary to supplement European law, and in particular its general principles – which must once again fill the gaps present within national legal systems.