Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NLยทEN
Explainer

Algorithmic decision-making in government: AI Act, admin law and GDPR Art. 22

Adopted 2026-06-22 ยท ≈ 2 min read ยท Dirk Baaijen

An automated government decision sits under three regimes at once: the AI Act (high-risk), administrative law (reasoning and due care) and GDPR Art. 22 (no solely automated decision with legal effect). They stack; they do not replace one another.

Short answer: When a public body takes a decision (partly) on the basis of an algorithm, three regimes apply at once. The AI Act sets requirements for the system if it is high-risk. Administrative law requires a carefully prepared and properly reasoned decision. And GDPR Art. 22 in principle prohibits a solely automated decision with legal effect. These layers stack โ€” meeting one is not meeting the others.

Three regimes, three questions

Each regime asks its own question. The AI Act: is the system itself safe and compliant? Administrative law: was this decision taken with due care, and can the citizen follow it? The GDPR: may a machine take this decision alone at all, and what are the data subject's rights? A compliant AI system can still produce a poorly reasoned decision. So treat the regimes separately and stack them.

GDPR Article 22 as a floor

Article 22 GDPR prohibits a decision based solely on automated processing that significantly affects the citizen, unless there is a legal basis or consent โ€” with appropriate safeguards. In practice this means meaningful human intervention, a right to explanation, and the ability to express one's view and contest the decision. An official who merely rubber-stamps a system output does not count as meaningful intervention.

Administrative law: due care and reasoning

Administrative law adds requirements independent of privacy. A decision must be carefully prepared and properly reasoned. For an algorithm-assisted decision this means the public body must be able to explain why the outcome arose โ€” not merely that a model said so. An inscrutable "black box" cannot be reasoned and will not survive judicial review.

Human oversight is more than a button

The AI Act requires effective human oversight for high-risk systems (Art. 14): a person must be able to understand, ignore and override the outcome. This aligns with GDPR Art. 22 and administrative law, but it is no formality. Oversight is effective only when the reviewer has the time, authority and insight to genuinely deviate. See the broader context in AI in the public sector and the requirements under high-risk obligations.

What to do

  • Map the three regimes per decision process: AI Act, administrative law and GDPR Art. 22, each separately.
  • Secure meaningful human intervention: no rubber-stamping; real time and authority to deviate.
  • Make reasoning reproducible: the system must explain why, so the decision holds up โ€” see explainability of government algorithms.
  • Run a fundamental rights assessment before use โ€” see FRIA.
  • Register the system in the algorithm register.

An automated government decision is lawful only if it stands up on all three layers. Compliance is the foundation, not the finish line.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): high-risk Annex III and human oversight (Art. 14).
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): Article 22 on automated individual decision-making.

Share on LinkedIn

Read next

U

Right to explanation of an AI decision: what Article 86 of the AI Act gives you

If you are affected by a decision based (in part) on a high-risk AI system, Article 86 of the AI Act gives you the right to a clear explanation of the AI system's role and the main elements of the decision โ€” from the deployer, on top of your GDPR rights.

U

Government Algorithm Transparency

The EU AI Act (2024/1689) requires public authorities deploying high-risk AI systems to register them in an EU database, document their operation transparently, and notify affected individuals; the Netherlands leads with a voluntary Algorithm Register expected to become legally mandatory.

W

Designing human oversight: what does Article 14 of the AI Act require?

Article 14 requires providers of high-risk AI to build in effective human oversight. People must be able to understand the output, ignore it, override it or stop the system โ€” and resist automation bias. This guide explains how to design that.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.