3.1: GDPR Article 22 explicit signaling for automated decisions

[bokelley]

Problem

GDPR Article 22 gives data subjects rights concerning decisions made solely by automated processing. When an AdCP flow makes a spend or targeting decision autonomously, there is no explicit field or signal that says "this request triggered an Art 22 decision and a human-review right attaches."

The FAQ mentions Art 22 scenarios in passing, but there is no normative mechanism in the protocol for a buyer or seller to:

1. Flag a request as subject to Art 22
2. Surface the associated human-review right to the principal
3. Route to a human-in-the-loop path when flagged

For EU deployments this is the kind of mechanism regulators will look for before issuing guidance in our favor.

Context

Surfaced during pre-GA regulatory-readiness review (2026-04-19). Documented as a known limitation in the GA spec-completeness manifest.

Related prior art:

• check_governance invocation is already in the protocol and is the natural attach-point
• Embedded Human Judgment doc covers the philosophy; Art 22 would be the first concrete normative hook
• Compliance work on Art 9 special categories already exists in docs/signals/data-providers.mdx

Proposed output

A normative mechanism covering:

1. An envelope field or check_governance input declaring gdpr_art22_scope: true
2. A MUST requirement that governance agents enforce human-in-the-loop when the scope is declared and the principal is in EU jurisdiction
3. Audit log semantics: the Art 22 declaration, the human-review outcome, and the decision are all captured
4. A reference section in docs/governance/embedded-human-judgment.mdx linking philosophy to normative spec

Disposition

Known limitation at 3.0 GA. Target: 3.1.0.

[bokelley]

Triage

Classification: Feature request (spec)
Bucket(s): spec / protocol, web / site / docs
Status: ready-for-human
Milestone: 3.1.0

What the experts said:

• ad-tech-protocol-expert: AdCP 3.0 already carries substantial Art. 22 machinery — plan.human_review_required auto-triggered via policy_categories, seeded eu_gdpr_advertising/eu_ai_act_annex_iii policies, and annex-iii-obligations.mdx. Adding gdpr_art22_scope: true on check_governance creates split authority with sync_plans and lets buyers self-declare scope — the opposite of the single-authority principle. All three open questions (TCF/GPP integration, policy_categories interaction, TMP boundary) are blockers to schema work.
• adtech-product-expert: DSPs/governance vendors handle Art. 22 at the vertical/seat level, not per-request. A per-check_governance boolean would impose a migration cliff on experimental implementations. The auto-trigger via policy categories already matches how the industry scopes these obligations. TCF/GPP question needs WG input before any schema is drafted — if scope derives from a consent string rather than a buyer-declared flag, the field shape changes entirely.

My take: Both experts converge: the proposed field is in the wrong layer. The right 3.1 path is a seeded eu_gdpr_art22 registry policy + docs cross-links, not a new check_governance input. @bokelley, your call:

Option A — seeded registry policy + docs (recommended):

// New seeded policy entry — auto-triggers existing human_review_required path
{
  "policy_id": "eu_gdpr_art22",
  "governance_domains": ["campaign"],
  "requires_human_review": true
}

Zero new schema fields. Existing sellers unaffected. Slots into the same policy_categories auto-trigger as Annex III policies. Docs cross-links (check_governance.mdx + embedded-human-judgment.mdx → annex-iii-obligations.mdx) ship as a --empty PR regardless.

Option B — new check_governance input field (issue proposal):

 // check_governance request input
+"gdpr_art22_scope": true,
 "plan_id": "plan_abc123",
 "governance_context": "..."

Splits authority with plan.human_review_required. Sellers add new validation branch. Field shape changes if TCF/GPP integration (WG #2437/#2438) resolves to consent-string derivation — schema would need to revert.

If Option A: I can draft the registry + docs PR. If Option B or a hybrid: recommend a WG design pass first to settle the TCF/GPP question before spec work starts.

---

Triaged by Claude Code. Session: https://claude.ai/code/session_016Z5JMHhVbjpvKu2AVR5goQ

---

Generated by Claude Code