Necessity and Institutional Design of Introducing a Qualified Right to Human Review of Significant Automated Decisions in Hong Kong, China: A Comparative Study Based on GDPR Article 22 and the PRC's Personal Information Protection Law

Authors

  • Jingyue Yu the University of Hong Kong, Hong Kong, China Author

DOI:

https://doi.org/10.70088/8kq6kr21

Keywords:

automated decision-making, human review, data privacy, algorithmic accountability, right to explanation

Abstract

The rapid proliferation of automated decision-making (ADM) systems has raised significant concerns regarding algorithmic accountability, transparency, and the protection of individual rights. This article critically examines the necessity and institutional design of introducing a qualified right to human review for significant automated decisions within the legal context of Hong Kong, China. By conducting a comprehensive comparative study based on Article 22 of the European Union’s General Data Protection Regulation (GDPR) and the People’s Republic of China’s Personal Information Protection Law (PIPL), this research identifies the respective strengths and weaknesses of these prominent regulatory frameworks. The analysis demonstrates that Hong Kong, China’s current reliance on voluntary administrative guidelines and fragmented, sectoral-specific regulations is insufficient to address the complex challenges posed by advanced algorithmic systems. Consequently, this study argues that Hong Kong, China urgently requires the enactment of a robust statutory right to human review. To achieve this, the article proposes a five-pronged institutional design: first, redefining the legal scope of ADM subject to mandatory human review; second, establishing substantive and meaningful human intervention mechanisms; third, embedding a clear right to explanation as the foundational pillar for algorithmic transparency; fourth, formulating differentiated regulatory requirements tailored to the public and private sectors, coupled with independent oversight; and fifth, improving practical application, enforcement mechanisms, and accessible remedies. Ultimately, this framework aims to balance technological innovation with fundamental data privacy rights.

References

S. Dashti and S. Ranise, "Tool-assisted risk analysis for data protection impact assessment," in IFIP International Summer School on Privacy and Identity Management, Cham: Springer International Publishing, 2019, pp. 308-324.

I. Carnat, "Automation as Delegation of Power: Constitutional Constraints on AI Systems for the Administration of Justice," Available at SSRN 5690283, 2025.

D. Baldini and K. Francis, "AI Regulatory Sandboxes between the AI Act and the GDPR: the role of Data Protection as a Corporate Social Responsibility," in CEUR Workshop Proceedings, vol. 3731, Jan. 2024.

S. A. Birahim, "Contesting the algorithm: advancing a right to challenge AI decisions under the GDPR for algorithmic fairness," Transforming Government: People, Process and Policy, vol. 19, no. 4, pp. 895-913, 2025.

C. Castets-Renard, "Accountability of algorithms in the GDPR and beyond: a European legal framework on automated decision-making," Fordham Intell. Prop. Media & Ent. LJ, vol. 30, pp. 91, 2019.

L. Colonna, "Teachers in the loop? An analysis of automatic assessment systems under Article 22 GDPR," International Data Privacy Law, vol. 14, no. 1, pp. 3-18, 2024.

E. Bayamlıoğlu, "The right to contest automated decisions under the General Data Protection Regulation: Beyond the so‐called 'right to explanation'," *Regulation & Governance*, vol. 16, no. 4, pp. 1058-1078, 2022.

Article 29 Data Protection Working Party, "Guidelines on Automated Individual Decision‐Making and Profiling for the Purposes of Regulation 2016/679," 2018.

N. N. Ridzuan, M. Masri, M. Anshari, N. L. Fitriyani, and M. Syafrudin, "AI in the financial sector: The line between innovation, regulation and ethical responsibility," Information, vol. 15, no. 8, pp. 432, 2024.

A. F. Zumbini, "Regulatory Framework, Procedural Requirements, and Infrastructural Aspects of Automated Administrative Decisions," Italian J. Pub. L., vol. 18, pp. 352, 2026.

B. Goodman and S. Flaxman, "European Union regulations on algorithmic decision-making and a 'right to explanation'," AI magazine, vol. 38, no. 3, pp. 50-57, 2017.

M. Hawath, "Regulating Automated Decision-Making: An Analysis of Control over Processing and Additional Safeguards in Article 22 of the GDPR," Eur. Data Prot. L. Rev., vol. 7, pp. 161, 2021.

R. Binns and M. Veale, "Is that your final decision? Multi-stage profiling, selective effects, and Article 22 of the GDPR," International Data Privacy Law, vol. 11, no. 4, pp. 319-332, 2021.

J. Hamuľák and A. Kluknavská, "Some Comments on the Unsuitability of the General Data Protection Regulation in the Field of Employment Relations in the Context of Automated Decision-Making," European Studies–The Review of European Law, Economics and Politics, vol. 10, no. 2, pp. 203-220, 2023.

H. L. Janssen, "An approach for a fundamental rights impact assessment to automated decision-making," International Data Privacy Law, vol. 10, no. 1, pp. 76-106, 2020.

T. Kirat, O. Tambou, V. Do, and A. Tsoukiàs, "Fairness and explainability in automatic decision-making systems. A challenge for computer science and law," EURO journal on decision processes, vol. 11, pp. 100036, 2023.

A. Roig, "Safeguards for the right not to be subject to a decision based solely on automated processing (Article 22 GDPR)," European Journal of Law and Technology, vol. 8, no. 3, 2017.

D. Sancho, "Automated Decision-Making and Article 22 GDPR: Towards a more substantial regime for solely automatic decision-making," Cambridge University Press, 2020.

B. P. Paal, "Article 22 GDPR: Credit Scoring Before the CJEU," Global Privacy Law Review, vol. 4, no. 3, pp. 127-137, 2023.

T. Davtyan, "An overview of global efforts towards AI regulation," Bulletin of Yerevan University C: Jurisprudence, vol. 15, no. 2 (41), pp. 158-174, 2024.

F. Thouvenin, A. Fruh, and S. Henseler, "Article 22 GDPR on Automated Individual Decision-Making: Prohibition or Data Subject Right?," Eur. Data Prot. L. Rev., vol. 8, pp. 183, 2022.

G. Malgieri and G. Comandé, "Why a right to legibility of automated decision-making exists in the general data protection regulation," International data privacy Law, vol. 7, no. 4, pp. 243-265, 2017.

S. Wachter, B. Mittelstadt, and L. Floridi, "Why a right to explanation of automated decision-making does not exist in the general data protection regulation," International data privacy law, vol. 7, no. 2, pp. 76-99, 2017.

Downloads

Published

01 June 2026

Issue

Vol. 3 No. 2 (2026)

Section

Article

License

Copyright (c) 2026 Jingyue Yu (Author)

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

Yu, J. (2026). Necessity and Institutional Design of Introducing a Qualified Right to Human Review of Significant Automated Decisions in Hong Kong, China: A Comparative Study Based on GDPR Article 22 and the PRC’s Personal Information Protection Law. International Journal of Law, Ethics and Social Sciences, 3(2), 27-36. https://doi.org/10.70088/8kq6kr21