Law 25 and Automated Decision-Making: What to Know

The Quebec Law 25 (which used to be called Bill 64) fundamentally alters the matter regarding personal information processing within the organization. With the development of digital technologies, one direction that comes into the spotlight is automated decision-making, or automated decision-making, that is, decisions that are made automatically and without human control, using the AI and algorithms. These systems are now facing changes in transparency and accountability, which are established under Law 25. Law 25 Compliance has strong links with automation and it is important that the organization be aware of it in order to be on the right side of the law.

What constitutes Automated Decision-Making?

Automated decision-making is the possibility of decision-making whose purpose is achieved entirely without human intervention, usually with help of the algorithms, machine learning or artificial intelligence. Examples are making decisions on credit; hiring suggestions, issuing price of insurance or even advertising themselves. In case a system examines personal information and arrives at a judgment without human intervention, it probably falls within the Law 25 scope.

This type of automation can promise effectiveness and economy, but it can also come with some dangers, bias, opaqueness, and the incapability of individuals to challenge the results. This is the point of Law 25 to provide people with greater control and knowledge of such processes, and it is wise that the organizations implementing automatized systems should be cautious.

The Right to Transparency and an Explanation

Among the most important aspects of Law 25 Compliance, there is a necessity to notify a person that some decision is reached in purely automated form. This has to be clearly disclosed at the stage of data collection or at the stage of decision-making in the companies. Also, people have rights to know the kind of personal information that was utilized, what was taken into consideration when the decision was made and what led to such conclusion.

Such an approach to transparency is consistent with world privacy trends, such as GDPR. Nevertheless, Law 25 emphasizes specifically the need to explain decisions by using understandable language so that the information would be understandable even to the non-technical users. This is a special challenge to the company that uses black-box AI systems.

The Human Intervention Right

Other than accountability, Law 25 also acknowledges the right of individuals to seek human intervention in automated decision. Here, it implies that a decision, made by an AI or algorithm, can be challenged by an affected party and asked to be reviewed by a person. Organizations should be ready to provide this process of review and it involves planning of its process as well as trained staff.

Improper compliance may not just result in monetary fines but even spoil the trust with customers or stakeholders. It has now become crucial to the Law 25 Compliance that a documented response to handling such requests is put in place.

Making Automated Systems Comply

Automated decision-making organizations have to be designed in a way that considers the components of privacy and accountability into their foundations. This involves carrying out Privacy Impact Assessments (PIAs), tracking the results of the algorithms to identify non-discriminatory outcomes and retaining data capable of providing an audit trail. Day to day operations like product development and data scientists should collaborate closely with compliance and legal teams to ensure their systems are within moral and legal boundaries.

Conclusion

Law 25 implies new sets of responsibilities of organizations that make use of automated decision-making. Human oversight, explanation and transparency are not replacements, but as part of Law 25 Compliance are required. The increasing data security entitlements in Quebec offer new wagers to organizations as they need to change the technologies and processes to stand the test of time in a new promising privacy model that reduces the cost of breaches and guarantees the affected businesses can shun penalties.