GDPR Article 22 and Automated Decisions: The Right to a Human Answer
Why the right to human review and a real explanation must be forethought built into every automated decision, not a complaint form bolted on after the harm is done.
There is a line in the General Data Protection Regulation (GDPR) that many teams read once and then quietly hope never to test. Article 22 says a person has the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects or similarly significant effects on them. A loan refused. A job application filtered out. A benefit withdrawn. A fraud flag that freezes an account. The regulation does not ban these decisions. It insists that when they are made by a machine, a human can be brought back into the loop, and the person affected can ask why.
Most systems bolt that right on afterwards. A complaint form appears somewhere in a settings menu, a support queue swells, and by the time a human looks at the case the harm is already done and the reasoning is already lost. We build Mickai the other way round. We treat the right to human review and the right to an explanation as forethought, wired into the moment a decision is made, not a courtesy offered once someone objects.
What Article 22 actually demands
Read plainly, Article 22 sets three obligations. First, purely automated decisions with serious consequences are restricted by default, permitted only on narrow legal grounds such as explicit consent, contractual necessity, or authorisation in law. Second, where such a decision is made, the person must be able to obtain human intervention, express their point of view, and contest the outcome. Third, the person must be given meaningful information about the logic involved. That last phrase, meaningful information about the logic, is where good intentions usually collapse. A model that cannot say why it decided as it did cannot satisfy it.
The European Union Artificial Intelligence Act (EU AI Act) sharpens the same edge for high-risk systems, adding requirements for human oversight, logging, and transparency. The Digital Operational Resilience Act (DORA) and the second Network and Information Security Directive (NIS2) push the operational resilience and accountability of the systems making those decisions. None of these frameworks is satisfied by a promise. They are satisfied by evidence: a record of what was decided, on what basis, by which authority, and how a person could challenge it. Evidence is an architectural property. You cannot retrofit it onto a system that threw the reasoning away.
Forethought, signed before the act
In Mickai, no consequential action happens without an Operation Attestation Record (an OAR) signed before it executes. This is the heart of how we honour Article 22. The OAR captures the intent, the inputs, the brain or brains that reasoned about the case, the policy that authorised it, and the confidence attached to the outcome. It is signed with a post-quantum signature, the FIPS 204 ML-DSA-65 standard, and hash-linked into a SHA-3-512 chain. The decision is committed to the record before it touches the world, not reconstructed from logs afterwards.
This ordering is the whole point. A conventional pipeline decides, acts, and then, if anyone asks, tries to explain. By then the state has moved on and the explanation is a best guess. Mickai forces the explanation to exist first. The record is the permission slip for the act. If the reasoning cannot be attested, the action does not run. Forethought stops being a virtue we hope for and becomes a gate the system cannot pass without.
The route to a human is a first-class path
Human intervention under Article 22 is not a mood. It is a designed route. For decisions that carry weight, Mickai does not treat a human handoff as an exception to be caught after failure. It is a standing option written into the decision policy. A brain can propose. A person, or a quorum of brains together with a human, disposes. For the most significant actions we require multi-brain agreement plus voice-biometric approval, so that the person stepping in is verified and their authority is itself recorded.
Because every step is captured in the attestation ledger, a challenge does not send anyone hunting through server logs. The affected person, or the caseworker acting for them, retrieves the exact record: the decision, the logic, the authority, and the point at which a human could and did intervene. Contesting an outcome becomes a matter of reading a signed document, not filing a grievance and waiting to be believed.
Explanation you can hand to a regulator
Meaningful information about the logic involved is only meaningful if a regulator, an auditor, or the person themselves can actually read it. An explanation buried in floating-point weights is not an explanation. So the OAR records the human-legible basis of the decision alongside the cryptographic proof that it has not been altered. The two travel together. One says what was reasoned. The other guarantees the record is the original and not a convenient rewrite.
Crucially, this verification works offline. A regulated customer does not have to call our servers to confirm a decision was made as claimed. The signature and the hash chain can be checked on hardware the customer owns, air-gapped if they insist. That matters under GDPR, DORA, and the ISO 42001 artificial intelligence management standard alike, because it removes us from the chain of trust. The customer does not have to take Mickai's word for anything. The mathematics does the vouching, and the mathematics is theirs to check.
Revocable brains and the boundary the cloud cannot cross
Article 22 lives inside a wider truth: the data subject stays in control. In Mickai every brain is revocable. If a reasoning subsystem is found to be biased, drifting, or simply out of scope for a given decision class, it can be withdrawn, and the ledger shows precisely which decisions it touched before it was pulled. That is accountability with a timeline, not a vague assurance that the model has since improved.
This is also where the regulated boundary comes into focus. The public cloud giants, OpenAI, Microsoft, AWS, Google, and Oracle, are allies operating at a different layer, and they do extraordinary work there. But an automated decision about a citizen's benefit, a patient's care, or a defendant's risk score often cannot leave the institution's own walls. Mickai runs on hardware the customer owns, on-premise or air-gapped, with zero data egress. The decision, its record, and its explanation never depend on a network the customer does not govern. The right to human review is only real if the machine making the decision sits inside the boundary the law protects.
The bottom line
Article 22 is not an obstacle to automation. It is a specification for automation done responsibly. It asks for three things: a reason to make the decision at all, a way back to a human, and an explanation a person can understand. Built as an afterthought, those become a complaints backlog and a legal exposure. Built as forethought, signed before the act, routed to a human by design, and verifiable offline, they become a competitive advantage. Mickai is built and live on exactly that principle, and its architecture is protected by 104 filed UK patent applications, about 2,340 claims, owned by Mickai LTD, framed around the capability to attest, explain, and revoke a decision before it ever reaches the person it concerns.




