自動化決策國際規範比較研究與我國法制發展建議

The Comparative Study on International Regulations of Automated Decision-Making and Recommendations for the Development of Taiwan’s Legal Framework

當前全球正處於應否針對人工智慧進行必要監管以及其合適作法的討論浪潮，在正式通過「人工智慧法」（AIA）之前，歐盟便於2018年生效的一般資料保護規則（GDPR）中納入了關聯的「自動化決策」規範，賦權資料當事人，使其可得「不受『對其產生法律效果或類似重大影響』的自動化決策之拘束」。受到具指標意義的歐盟GDPR影響，已有諸多國家於其個人資料保護立法中採納自動化決策規範，然而各國作法略有不同。本文同時分析涉及自動化決策的指標案件，包括意大利個資保護主管機關針對「美食外送服務演算法」作成的Foodinho裁罰案，以及歐盟法院針對「信用評分演算法」是否適用GDPR第22條規定進行先行裁決之Schufa案，相關案例突顯出此一議題規範上的敏感程度與處理上之不易。回歸我國法制而論，當前我國個人資料保護法並未見「自動化決策」明文定義與相應規範，考量自動化決策尚非主要國家立法共通規範之事項，而未入法的國家亦非全然漠視此一議題，而是採取諸如制定行政指導文件等軟法方式加以推動，爰本文認為現時我國暫無立即入法之必要，初期可採取「制定必要指引」作法，中期若有進一步納入個人資料保護法之必要，則宜參考多數國家作法，側重賦予資料主體必要權利，包括歐盟GDPR揭櫫的不受拘束權利，以及後續延伸之「拒絕權利」、「請求解釋權利」與「請求人工另為決策權利」等。

The world is currently in the midst of a wave of discussions on whether and how artificial intelligence should be subject to necessary regulation. Even before the formal adoption of the Artificial Intelligence Act (AIA), the European Union had already incorporated relevant“automated decision-making”provisions into the General Data Protection Regulation (GDPR), which came into effect in 2018. These provisions empower data subjects to be“free from being subject to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them.”Influenced by the GDPR, which holds significant normative weight, many countries have adopted automated decision-making provisions in their personal data protection legislation, although approaches vary. This paper also analyzes landmark cases involving automated decision-making, including the Foodinho decision by the Italian data protection authority concerning a“food delivery service algorithm,”and the Schufa case, in which the Court of Justice of the European Union issued a preliminary ruling on whether a“credit scoring algorithm”falls under Article 22 of the GDPR. These cases highlight the regulatory sensitivity and practical challenges of addressing this issue. Turning to Taiwan’s legal framework, the current Personal Data Protection Act contains no explicit definition or corresponding provisions on“automated decision-making.”Considering that automated decision-making is not yet a common legislative feature among major jurisdictions, and that countries without such provisions are not ignoring the issue but instead adopting“soft law”measures such as administrative guidance, this paper argues that there is no immediate need for Taiwan to legislate on this matter. In the initial stage, Taiwan could adopt the approach of issuing“necessary guidelines.”In the medium term, if it becomes necessary to incorporate automated decision-making provisions into the Personal Data Protection Act, it would be advisable to follow the practice of most countries by focusing on granting data subjects key rights, including the right not to be subject to automated decisions as set out in the GDPR, as well as the derivative rights to object, to request an explanation, and to request human intervention in decision-making.