Guidance-based Algorithms for Automated Decision-Making in Public Administration: the Estonian Perspective

Tags: , ,


Guidance-based Algorithms for Automated Decision-Making in Public Administration: the Estonian Perspective

Tags: , ,

Nonostante l’immagine di una sviluppata e-governance, gli avanzati sistemi di decisione automatizzata non sono stati impiegati estensivamente dall’amministrazione pubblica estone e non esiste un quadro legale generale che li disciplini. La bozza di riforma della Legge sul Procedimento amministrativo, presentata al Parlamento nel 2022 è caratterizzata da un approccio al tema alquanto reticente e limita significativamente l’automazione di decisioni discrezionali e, in particolare, l’uso degli algoritmi di c.d. auto-apprendimento. Il fatto di applicare i principi procedurali inerenti allo Stato di diritto, come il diritto ad essere ascoltati e a ricevere un atto motivato, non sarebbe di per sé idoneo a scoraggiare l’adozione di decisioni amministrative automatizzate. Ad ogni modo, per le decisioni discrezionali automatizzate ove opportuno, è stata avanzata una proposta per quei casi tipici che potrebbero essere risolti in un modo completamente automatizzato attraverso algoritmi predefiniti in base a linee guida interne. Questa soluzione non è ovviamente universale, ma potrebbe garantire un certo grado di innovazione, sempre che siano previste determinate garanzie procedurali e organizzative. Tra queste vi sono, senz’altro, la completa separazione tra l’algoritmo e la sua gestione, nonché la pubblicazione delle linee guida. Un modello ottimale di “public accountability” deve infatti incoraggiare gli organi pubblici ad adottare le dovute precazioni quando impiegano algoritmi.

In spite of the image of a developed e-governance, advanced automated decision-making (ADM) systems have not been widely used in Estonian public administration and there is still no general legal framework for them. The draft bill to amend the Administrative Procedure Act, which was presented to Parliament in 2022, takes a rather cautious approach to the issue too, significantly limiting the automation of discretionary decisions and in particular the use of self-learning algorithms. Automated administrative decisions would not be discouraged by the application of procedural principles inherent to the rule of law, such as hearing and reasoning. However, for the automation of discretionary decisions in appropriate cases, a solution has been proposed whereby typical cases would be solved in a fully automated way by means of predefined algorithms based on internal administrative guidelines. This solution is not an universal magic bullet for every situation, but may allow for a certain degree of innovation, provided appropriate procedural and organisational safeguards are respected. Fundamental preconditions for that are the categorical separation of the guidance and algorithm, as well as the publication of the guide. An optimal model of public accountability has to encourage authorities to take appropriate precautions when implementing algorithms.

Summary. 1. Introduction; – 2. General developments; – 2.1. Automation in Practice; – 2.2. Action Plans; – 3. Legal Framework; – 3.1. Specific Laws; – 3.2. Data Protection; – 3.3. Interoperability; – 3.4. Principles for Managing Services and Governing Information; – 4. Case-Law and Soft-Law; – 4.1. Court Cases; – 4.2. Case-Law of Chancellor of Justice; – 4.3. E-Government Charter; – 5. Amendment of Administrative Procedure Act; – 5.1. Scope of the authorisation; – 5.2. Exception for Administrative guidance: solution for discretionary decisions? – 5.3. Procedural guarantees; – 5.4. Restricted applicability; – 5.5. Code is not law 6. Excursus: State Liability Act; – 7. Conclusion

1. Introduction

Estonia is the birthplace of many technological success stories (e.g., Skype, TransferWise). The country can also show for several results achieved in the development of the e‑government together with the flourishing start-up sector:[1] we have launched reliable digital identification tool (eID) and data exchanges between state information systems, as well ranked high in open data[2] maturity tables.[3] People are eagerly submitting digital tax returns and participating in e-elections.[4] Blockchain technology is used to ensure the reliability of state registries, such as the Healthcare Registry, Property Registry, Business Registry, Digital Court System, State Gazette etc.[5] A lot of things can be taken care of by electronic means: one can apply for a driver’s licence[6] or construction permit, or submit notices of residence. According to the “once-only” principle, application forms are often automatically prefilled using the data recorded in state information systems (§ 431, subsection 3 of the Public Information Act (PIA); § 13 of the General Part of the Economic Activities Code Act; § 9, subsection 2 of the Principles of Managing Services and Governing Information[7]). The Ministry of Justice has even been forced to rebut rumours that the country is planning to recruit robot judges.[8]

In fact, the use of machine-learning algorithms in Estonian public administration today is significantly lower than the image of a successful e-government would suggest. As a small country, Estonia has a flexibility edge over others in implementing several e-government components. In terms of machine learning however, the quantity of data gives an advantage to large countries. Our hope could lie in the creation of as unified an artificial intelligence framework in the EU as possible and the free flow of training data. This does not mean that Estonia itself has no ambitions when it comes to the automation of administrative procedures. In 2018, a task force of government agencies and private sector was assembled and the so-called Kratt Project launched.[9] Due to both EU data protection rules and general principles of national constitutional and administrative law, the automation of administrative decisions must be supported by a sufficiently precise and balanced legal framework. « The reach of ADM in public administration should be determined so that it is possible to avoid leaving the ambit of the rule of law and turning decision-making within public administration into a rule of algorithm.»[10] To date, the Estonian legislator has empowered public authorities to make automatic decisions in a limited number of areas, where routine decisions are made in a large number of typical situations, such as tax administration. In the summer of 2022, a draft law amending the Administrative Procedure Act reached Parliament. The proposal aims to regulate the limits of automatic administrative decision-making in a general way.

The purpose of this paper is to assess which type of general legal framework concerning ADM would be appropriate for Estonia, but probably also for other smaller European countries, to automate administrative decisions in the coming years. To this end, I will first briefly look at the current situation of the automation of administrative procedures in practice and some government’s near-term action plans to promote the e-Governance (2), the relevant legal framework existing today (3) and the experience to date in the form of case law and soft law (4). In the main part of the article, I will try to assess the draft amendments of the Administrative Procedure Act (APA): what types of automated decisions should be allowed, what safeguards this should entail for individuals, and whether the model of guidance-based algorithms proposed in the draft would be enforceable in accordance with the principles of administrative discretion (5). Finally, I would like to add few remarks about the role of state liability in avoiding and, if necessary, remediation errors in algorithmic decisions (6).

2. General developments

2.1. Automation in Practice

Surprisingly, there are still only few success stories in automated administrative decision-making in Estonia. The scholars here, K. Nyman Metcalf and T. Kerikmäe have explained, that Estonian e-governance does not rely primarily on AI, but in a system of governance which utilises information and communication technology otherwise.[11] As of the end of 2021, over 80 AI projects had been implemented in the public sector, for instance: risk models of the State Agency of Medicines for medicinal products’ price agreements; risk-based selection of claims for VAT refund at the Tax and Customs Board;[12] decision-making support at the Unemployment Insurance Fund for assessing the probability of an unemployed person returning to work; analysis of the customers’ calls to the National Social Insurance Board; risk assessment assistant of the Emergency Response Centre; detection of cutting hay with help of satellite image analysis.[13] These include some proactive public services, for example a child is covered by health insurance immediately at birth without the parents having to submit a corresponding request and birth certificate. Such applications include mainly means of communication and decision support systems. But it may be a logical to increase the ADM in the near future.[14]

2.2. Action Plans

The central document defining further steps to be undertaken in current phase is the Estonian National AI-related Action Plan for 2022–2023.[15] To ensure development, agencies are provided advice, training sessions and data management services under the Action Plan, and a cooperation network has been deployed. In coming years, the aim is to focus on the creation of a coordinated ecosystem of proactive and seamless services and virtual assistance tools (#bürokratt, #KrattAI),[16] the development of the state cloud for data, the guaranteeing of computing resources necessary for authorities, the availability of machine-readable open data, as well the supplementing the legal environment.

3. Legal Framework

In 2018 APA was supplemented to regulate electronic communication in public administration. In principle, any administrative act may be issued in electronic form. The requirements set for written administrative acts apply to electronic administrative acts, considering the specifications arising from the electronic form of documents (§ 25 et seq.; § 55). The electronic form is just the question of the medium on which the administrative decision is kept, it doesn’t mean the decision should have been made automatically. The general legal regulation regarding automated decision-making for administration is currently lacking in Estonia.

3.1. Specific Laws

Nonetheless, § 462 of the Taxation Act, which entered into force in 2019, stipulates that the tax authority may issue an administrative act in an automated manner without the direct intervention of an official of the authority. The types of decisions permitted to be generated by automation have also been exhaustively listed. Automation is not provided for cases of discretionary decisions of the authority. A similar approach has been taken, for instance, in the Environmental Charges Act and Unemployment Insurance Act.[17] § 151 of the Social Welfare Act allows automated processing of data of young people (persons aged 16 to 26) for purposes of identifying those who are not in an employment, education, or training relationship.[18]

3.2. Data Protection

Any kind of the automated processing of personal data must be done in compliance with article 22 of the GDPR and § 21 of the Estonian Personal Data Protection Act, which are similar in content. When processing personal data, fully automated administrative decisions may be made if there is a corresponding legal basis for it and provided that necessary protective measures have been taken, a right to be heard is guaranteed, the use of special categories of personal data is restricted and it is prohibited to discriminate against people based on them. E.g., according to the Law Enforcement Act the police may process personal data by using monitoring equipment and obtain data from electronic-communication undertakings (§§ 34 and 35).[19]

3.3. Interoperability

The backbone of the Estonian e-government – both in terms of current solutions as well as potential future automated decisions – is the X-Road data exchange layer connecting the information systems of various authorities (since 2001).[20] Its operation is governed by the Public Information Act (§ 431 et seq.) and the regulation enacted on the basis of this Act.[21] It is a software-based environment enabling the automated interoperability of many decentralised databases.[22] The use of data exchange layer, is mandatory for all state and local government institutions in using their databases. On the other hand, the interoperability and “once-only” principle raise questions regarding its compatibility with the EU data protection law, especially the purpose limitation principle (Art. 5, paragraph 1, letter b of the GDPR).[23] However, it must be kept in mind here that the provisions regulating the X-Road do not permit preservation of data for just in case or their unlimited cross-usage. Queries are encrypted and leave a trace which the data subject can view via the so-called State Portal ([24] Every single act of cross-usage must be necessary for and proportional to conduct an actual administrative procedure. Under § 7, subsection 5 of the APA, administrative authorities are permitted to process personal data regarding only circumstances necessary for a specific matter.[25] If the GDPR implementation practices should move towards a stricter interpretation in the future, then with respect to natural persons, it might become necessary to ask for their permissions for cross-usage[26] or to come up with new technological solutions (e.g., Private Data Vault[27]).

3.4. Principles for Managing Services and Governing Information

The Government of the Republic has issued a regulation to state authorities for the purpose of introducing event driven administration. Among other things, it obliges the authorities to develop proactive services if all the information necessary for decision-making is available in state information systems. A proactive service can be both automated as well as depend on the person’s consent (§ 2, subsection 4; § 4, subsection 3; § 7, subsections 8 and 9 of the Principles of Managing Services and Governing Information).

4. Case-Law and Soft-Law

4.1. Court Cases

There have been only few court cases over automated administrative decision-making. The Criminal Chamber of the Supreme Court has criticised a risk assessment application used when paroling prisoners, which assessed illogically a person’s risk of committing a specific crime as being higher than the same person’s overall risk of offending. The Chamber also noted that the risk assessment methodology had not been clearly explained during the court proceeding.[28] In a case regarding the expulsion of a long-term resident who had served a prison sentence, the Administrative Law Chamber of the Supreme Court emphasised that the results of such quantitative risk assessments provided by decision support systems may not be applied blindly without taking into consideration specific circumstances of case (e.g., the prison’s consent to the inmate’s early release).[29] In another case – Kaptein vs. Agricultural Registers and Information Board, the attention of the Administrative Law Chamber was turned to a software assessing the fulfilment of conditions for agricultural subsidy. The appellant had been accused of having provided information on the maintained land which did not match the calculations of the software run by the Board. The Supreme Court emphasised that the applicants cannot reasonably be expected to predict the results of a computer programme exclusively used by an administrative authority.[30] The Supreme Court has repeatedly dealt with the issues of the transparency and verifiability of information systems when settling complaints filed against electronic elections. None of the complaints have been granted; however, recommendations have been given for the purpose of enhancing the reliability of the system.[31]

In Tallinn Circuit Court there is a pending case concerning automatically issued permits for felling trees in Natura 2000 areas. Of the known cases, this dispute has the most profound implications for automatic administrative procedures until now in the country. The disputed, electronically submitted forest declarations were registered by the Environment Board using a computer program without human intervention. The computer program is based on “business rules”, which are primarily based on objectively measurable criteria. In the lower instance Administrative Court’s view, such business rules do not allow for the exercise of any discretion in automated decision-making. As the Environmental Board did not consider the relevant environmental facts when registering the forest notifications and did not give reasons for its decision, the court declared the permits unlawful.[32]

4.2. Case-Law of Chancellor of Justice

The Chancellor of Justice, who is among other things acting in Estonia as an ombudsman, recently had a case where the electronic population register failed to forward to a local government an application of a mother for the registration of her and her children’s places of residence. The system deleted the application automatically without notifying the mother because it lacked the father’s consent. It was not possible to notify the mother due to the register’s technical solution, although the obligation to notify clearly derives from the applicable law. The system also failed to notify any officials who could have intervened.[33] It is a telling example of a situation where a provision of a law is just forgot when creating an information system but mending the system later is rather difficult.

Several troubles have also occurred recently with the launch of the new building register. The Chancellor of Justice was approached by a property developer who was unable to upload a solar park project to the register. The chancellor stressed that if the governmental authority has set up a register, which should simplify communication with the government, the authority must also ensure the smooth running of the register and to provide people with rapid and effective assistance in the event of a breakdown. Good governance principles must also apply to the use of automated systems. More officials should be recruited where needed to provide rapid help to people in cases of mistakes in the system.[34] The Chancellor of Justice has also stressed that individuals must retain the possibility of communicating with the authorities, if they need or wish so, by means other than electronic systems.[35]

4.3. E-Government Charter

On the initiative of the National Audit Office and Chancellor of Justice, a non-binding E-State Charter has been drawn up in Estonia (updated on 2016). The Charter includes sample questions which enable everyone to assess whether their rights have been taken into consideration when providing electronic public services. The Charter does not deal specifically with automation, but it does cover general matters pertaining to electronic communication and personal data processing.[36]

5. Amendment of Administrative Procedure Act

In 2020, the Ministry of Justice published a legislative intent to draft a general Artificial Intelligence Act.[37] This process was soon suspended due to the EU’s proposal for a trustworthy AI regulation.[38] Nationally it was then decided to only amend the Administrative Procedure Act (APA). In June 2022, the draft for that was sent to the parliament (see the annex of this paper).[39] According to the draft it would be possible to automate the entire administrative procedure or its particular steps. Its focal points are as follows:

  • automated decisions infringing individuals’ rights must be statutorily recognised, i.e., have a legal basis (see 5.1 for that);[40]
  • automation must be advantageous to both, the state as well as an individual (e.g., by speeding up the decision-making);
  • automation as such may not affect the ultimate outcome of the decision – that means the correct application of legal norms may not be anyhow undermined because the decision is taken by a machine instead of an official;
  • the right to be heard, the right to communication between an individual and an authority and the right to have reasons given for automated decisions must be guaranteed, save for some limited exceptions;
  • proactive services must be subject to the clear special provisions and an individual must have an opportunity to decline such services to ensure respect for her dignity.[41]

5.1. Scope of the authorisation

Pursuant to the draft law (§71, subsection 1), the automation of any administrative decision infringing the individuals rights would need a special mandate in a statutory law, additionally to the provisions in the APA. Such an infringement may consist in a content of an administrative decision encumbering an individual (e.g., binding orders like tax payment notice, denial of a licence) or in a manner of processing the individual’s data (e.g., profile analysis[42]).[43] Without a complementary basis norm, only measures in favour of the person or the neutral ones from his or her perspective could be taken.

In the processes restricting rights of private persons, it would only be possible to automate the implementation of clear and imperative provisions which do not use any vague (indeterminate) legal concepts or set out any discretion to administrative authorities.[44] For that purpose, the institutions of public administration might only use algorithms predefined by humans (expert systems), according to the proposed § 71, subsection 2, clause 5 of the APA. Hence, it is currently not planned to permit the application of self-learning algorithms (neural networks etc),[45] although this opportunity would be maintained by means of specific laws.[46] Still, due to the restriction in the draft, that required direct and explicit exception in the law; the general mandate to automate the decision-making weren’t sufficient for administrative decisions based on machine learning.[47] At the same time, expert systems, too, can be quite sophisticated nowadays and thus be classified as artificial intelligence in the broad sense.[48] Nevertheless, in the application of the law, predefined algorithms are fundamentally safer, because they exclude the autonomous modification of the parameters of their objective functions which could lead to the differences between the legal norm and the computer code implementing the law. As noted above, the application of the most advanced forms of machine learning does not appear to be a primary aspiration of the governmental strategic documents at present. Indeed, it may be pragmatic, first to try to domesticate rather routine automated decisions, that machines are best suited to make from the perspective of general principles of administrative law.

5.2. Exception for Administrative guidance: solution for discretionary decisions?

As an exception from the general ban (§ 71, subsection 2, clauses 2 and 3), the use of such discretionary powers in an automated manner would be permitted for standard cases if the discretion could be specified in an appropriate way in an internal soft law guidance of the competent administrative body (§ 71, subsection 3). Based on such guidance, the authority could develop a predefined decision-tree in equivalent way to the expert-systems based on clear statutory provisions. If the situation the authority is dealing with does not exhibit the characteristics of a standard case in the light of the guidance, the decision must be made or at least approved by an official. Hence, the draft is rather cautious than ambitious, trying to provide at current phase of technological development some solution for the automation of the discretionary decisions, but on the other hand to avoid many still unsolved troubles that accompany the machine learning – the difficulties with regard to transparency, fairness, discrimination, due process, quantity, and quality of training data etc.

At first glance, the strategy to convert the discretion to guidelines and algorithms applying them may appear problematic, leading to failures to exercise discretion.[49] Authorities have got their discretion precisely because the nature of many public functions calls for human judgment that cannot be programmed in advance and which machines cannot substitute.[50] In United Kingdom e.g., a public body with statutory discretionary powers, contrary to the common law powers, is not entitled to adopt a strict policy or rule which allows it to dispose of a case without any consideration of the merits of the particular case. On the other hand, it is allowed to have general policy, provided that due consideration of the concrete circumstances takes place i.e., the participant of the procedure is entitled to contest the application of the policy to the particular case in the course of hearing. Especially, it is not permissible for the authority to determine not to hear any application of a particular character in advance.[51]

This is exactly the way the internal administrative guidelines are exploited in a more general context in Estonia and in other countries alike.[52] The Supreme Court of Estonia has – regardless of automation – found general agency guidelines specifying the administrative discretion permissible emphasising though that in non-typical cases or in the event of any justified objections, an official must have the capacity to set such guidelines aside.[53] For example, on the website of the Competition Authority, one can find a considerable number of various instructions and guidelines for the application of competition law and market regulations: e.g., a Guide for Calculating the Price of Water Services, Guide to Calculating the Weighted Average Cost of Capital for the District Heating Sector, Recommendation to Control Waste Shipment Prices etc. In such guidelines, the authorities carry out the first stage of their weighing of the relevant circumstances and interests on a general and abstract level and fix the methodology for analysing the particular applications. The guides will help to ensure equal treatment of businesses and simplify the handling of their applications. Where such guidance is available to individuals, the authority will not normally need to justify the implementation of the solutions set out in the guidance. However, the individual must always be given the opportunity to justify why he or she should be exempted from the guidance or to bring out new arguments why the solution provided for in the guidance is unsuitable as a whole.[54]

Therefore, the authorities could shift their considerations using the discretionary powers in abstract way to a preliminary phase of creating the internal rules and respective algorithms covering some standard situations and leaving the other, extraordinary cases untouched.[55] But even in standard cases, the automatic solution can only be provisional and conditional: the authority should have the possibility and duty to deviate from the proposal based on the algorithm if it ever seems fair and necessary in the light of circumstances not considered in the phase where the algorithm was developed on the basis of the guidance. The fundamental question then is how to ensure in an automated procedure that, in all appropriate cases, an individual could present her or his arguments against the algorithmic decision.

5.3. Procedural guarantees

There are some procedural safeguards in that respect proposed in the draft and the other might be worth to consider. The draft law would require, firstly and particularly, the publication of all guidelines underlying the algorithms used for ADM. It’s important to note that the algorithm itself is not expected to be understood by individuals and publication of this would not be sufficient to achieve the objective of the publication – to give the person concerned the possibility to foresee the content of the possible automated decision in his or her case. Also, the algorithm itself should not be considered as or equated with an administrative guidance in the legal sense because programmes do not steer officials as the subjects of internal rules, they just control computers.[56] A code can be neither law nor guidance (see 5.5 below). But the publication of guidelines could, among other things, be one way to explain the logic of the ADM system to the individuals (Art. 13, paragraph 2, letter f, Art. 14, paragraph 2, letter g, Art. 15, paragraph 1, letter h of the GDPR).[57]

Secondly, an individual who does not consider it appropriate to apply the guidance and algorithm to him or herself must always be able to turn to the authority,[58] and the authority must have to establish some proper mechanism to collect and analyse the objections raised. The draft might be developed to be clearer in that respect. The rights to hearing,[59] to access to file and to reasoning must be maintained in administrative procedure as technology neutral sub-principles of the rule of law. According to the general rules of the due process the institution must inform, in principle, the person concerned of any automated proceedings not initiated by the person’s own request. In principle, it should be possible to transmit such a notification automatically if accurate data on the persons concerned are available. The § 71, subsection 2, clause 4 of the draft seems to preclude an automatic decision where the law requires a person to be heard. This restriction seems too strict. Instead, it would be reasonable to exclude a fully automatic decision only if the person actually exercises his right to object in such a way that needs to be analysed by human officials. The hearing must be accompanied by an obligation to respond to the person’s objections in the reasoning of the administrative decision despite its electronic form and automatic mode. As long as no AI has been developed that could reliably provide these safeguards (i.e., consider the statements of the participants in the procedure and answer to them rationally), the involvement in or at least the supervision of human officials over the management of objections will be necessary. That means, the expert systems implementing discretionary powers on the basis of internal guidelines might enable the full-automated procedures in the lack of any objections in the course of hearing of the participants, but in case of their statements, the proposal in Estonian draft shall de facto lead just to the semi-automatic decisions at today’s level of the technology.

Thirdly and as an ultima ratio, individuals will always be left with the possibility to reactively challenge an administrative decision in the course of the administrative objection or the judicial review procedure on the grounds that the authority in charge did not consider all important circumstances of their cases. The adressee of an automated decision should also explicitly be informed that the decision had been adopted on the basis of an algorithm (§ 55, subsection 41 of the Draft APA). It would be even better if such a note were made to the person concerned before his hearing. Additional safeguards can be recommended for the draft, for example a requirement to identify all public and private registers that the ADM system will use or has used when making the decision.[60]

5.4. Restricted applicability

It must be underlined, that it is not intended to automate all kinds of discretionary decisions in the draft by means of internal administrative rules or any other methods. In principle algorithms can especially be designed for repeated use in recurring, similar decision scenarios in bipolar legal relationships.[61] Tasks that are high in complexity (more deviations from the norm i.e., more variance[62] and less routine) and high in uncertainty (less analysable) should most likely remain completed by human officials. Tasks that are lower in complexity and lower in uncertainty are most likely to be completed by algorithms because relatively standardised and predictable situations they have to deal with. Also, AI could complete some tasks with much uncertainty but less complexity around it, as AI has already a comparative advantage to humans to cope with uncertainty in many situations. However, advanced self-learning algorithms might probably be necessary then.[63] Finally, tasks with higher complexity but lower uncertainty might too be up to a certain amount pre-determined, if their complexity could partially be reduced on the basis of guidelines discussed above (see Table 1).[64]

5.5. Code is not law

Despite the foregoing, it must not be forgotten, that loosely drafted guideline can, indeed, lead to failures of discretion and other serious errors. Even in the absence of the discretion, the transformation of rules in human language into a machine-readable code could turn out to be overly complicated and risky (see the example of the population register above). Such translation would require in-depth concretisation of the law and exhaustive prediction of all the nuances of cases to which it would apply. Mistakes with this are inevitable considering, among other things, that intensive cooperation between lawyers, data scientists and experts in the field to be regulated is required.[65] Human languages and programming languages are fundamentally different. In contrast to program code, the definitions of human language, including laws, are inherently imprecise and vague to some extent. They also need to be interpreted in a constantly changing context. This is the cause of many legal disputes, but it must not be seen as a mere shortcoming or a bug of the law.[66] A certain degree of legal vagueness is needed to give legal rules the necessary abstractness and flexibility. This is the only way to avoid drowning in the norms. When generating a defined algorithm, the legal or regulatory norm must be converted into binary code without vague loopholes characteristic of legal rules. Therefore, a pre-determined algorithm implementing a norm, is not just the abstract translation of the abstract norm but a model describing concrete solutions for all cases of the implementation of the norm that the programmer is able to imagine.[67] Additional difficulties arise when laws are amended, interpreted in courts, and subjected to constitutional reviews – the already functioning system needs to be mended then.[68] State authorities, such as the police,[69] are already now complaining that they are unable to adjust their information systems according to constantly changing laws.

This does not mean that automation must at all costs be limited. Human officials make mistakes too, in some situations even often than machines.[70] Instead of outright bans we need optimal management of risks, procedural safeguards discussed above, and finally, as an ultima ratio, the adequate remedying of mistakes made by robots in public administration. Overregulation by laying down uniform and very detailed limits to all possible automated decisions in APA would not be reasonable. Instead, it should be up to the authorities themselves to carefully assess whether and by which administrative and technological means, the decisions falling within their competence could be automated without undermining the standards of rule of law and due administrative procedure. It must be calculated whether the benefits of automation outweigh the probable costs of likely errors. The draft should therefore, in addition to the legal basis requirement, emphasise the obligation to carry out a high-quality impact assessment before adopting any particular algorithm. Also, it should be borne in mind that there is a risk of an unacceptable narrowing of discretion even in the case of semi-automatic decisions (decision support systems). Such automation bias can be exacerbated by the lack of time or financial resources, by inadequate internal rules, organisational structures, and liability mechanisms.[71] This is all the more reason for caution in the case of a fully automated administrative procedure.

6. Excursus: State Liability Act

The procedural safeguards and substantive limitations that apply in the case of automatic decision making would remain ineffective if they were not complemented by an adequate set of rules on state liability. At the same time, liability must not be so strict as to suffocate innovation in public administration. Considering the potential harms for affected persons and difficulties in the legal regulation of the use of AI, possible victims must be guaranteed efficient compensation for damages. Also, in order to encourage public power institutions to consider all the costs that automatic decisions may entail for society, these costs must be internalised for public administration authorities.[72] The decision to use algorithms for carrying out administrative procedures is usually a question of practicality. There is also room for economic considerations here.[73] Estonia’s direct and generally fault-free[74] state liability doctrine (§ 7, subsection 1 of the State Liability Act) is in principle well suited to achieve these goals.[75] It ensures that in the event of unlawful automated decision there is no need to identify the ultimate cause of the error or a breach of duty by one certain public official.[76] There is also no need for such exotic constructions as legal personality of algorithms or status of fictitious e-officials.[77] We just need to come to terms with the fact that public administration is nowadays functioning by means of both humans as well as machines.

Rules and principles of the state liability must be as technology neutral as possible. This means that automated administrative procedure per se may not give authorities the chance to avoid liability in the case of damages. On the other hand, if we do not want to irrationally hinder innovation, we must not prescribe a stricter liability regime regarding algorithmic administrative decisions than usual, provided that algorithms do not increase the risk of damages in certain types of administrative procedures. The proposals of EU institutions for the compensation of damages caused by[78] AI based on product liability do not take sufficient account of this principle. Pursuant to those proposals state liability would be fault-based in the case of ordinary risk and fault-free in the case of high risk. Such an approach ignores, that public authorities have always a higher duty of care when ensuring the lawfulness of their action and decisions. Particularly, they must consider the fact that mistakes may occur when translating laws into code (see above 5.5). At the same time, many decisions of public administration authorities, e.g., preventive measures in situations of uncertainty pertaining to environmental law or law enforcement, may be accompanied by a high risk of harm independent of the technology used. It seems, that it is time to fully eliminate fault as a requirement for compensation for damages caused by public authorities irrespective of whether the decision is made by an official or a machine. Instead, when necessary, objective circumstances, which make it difficult to avoid damages, should flexibly be considered (compare to Art. 82 of the GDPR) and risks justly divided if the use of algorithm is in the interests of both the state and the addressee of the administrative decision.

7. Conclusion

Estonia is at the moment taking rather careful stance regarding the ADM in the public sector. This is also the case for the draft amendment to the APA currently under discussion in Parliament. That is reasonable until the more advanced machine learning applications have proved themselves in practice. The lack of training data with necessary quantity and quality is first serious obstacle here. In addition, the state of the technology cannot guarantee yet the legality of decision making by learning algorithms in complex cases, either in substance or procedurally. Pre-determined decision trees (expert systems) also require caution, but there are no general fundamental objections for their usage in public administration. This doesn’t mean they are universally applicable everywhere. As administrative discretionary decisions are, under certain conditions, allowed to be guided by internal soft-law rules and policies, this might open up some possibilities for the use of pre-defined algorithms even in cases where authorities have powers of discretion or appreciation.

Table 1. Applicability of AI decisions

Complexity Uncertainty
Low High
High Leaning human, but guidance-based algorithms possible in certain circumstances Human bureaucrats dominate
Low AI could dominate Leaning AI (machine learning)

Annex: Draft Act to Amend Administrative Procedure Act and Other Acts in Relation Thereto (634 SE)

§ 7. Automated Administrative Procedure

(1) If it infringes a person’s rights or freedoms, an administrative authority may carry out an automated electronic administrative procedure, issue an automated administrative act or other document or perform any other automated operations via an information system without the direct involvement of an official or employee acting on behalf of the administrative authority in the cases provided by law.

(2) In the case set out in subsection 1 of this paragraph, the administrative authority shall ensure that:

1) automation is in the interests of both the person as well as the public because it reduces the time spent and facilitates the administration of the cases;

2) the legal provision forming basis for the decision-making does not provide for a right of discretion or such right is defined in detail;

3) the legal provision forming basis for the decision-making does not include an indeterminate legal concept or its meaning is unambiguous and well-known;

4) there is enough information, no need to hear opinions and objections in accordance with § 40, subsection3 of this Act and there is no deviation from existing data;

5) the decision-making procedure is predictable by and understandable to the person, and

6) no rights and interests of third and interested parties are harmed.

(3) In order to apply subsection 2 clauses 2 and 3 of this paragraph in a situation where the legal provision includes a discretionary power, an indeterminate legal concept, or an evaluation option:

1) the administrative authority shall draw up an administrative guidance specified in paragraph 4, subsection 3 of this Act for the purpose of uniform application of the indeterminate legal concept or discretionary power, including evaluation of circumstances, and shall make it available to the participants in the proceeding;

2) in the administrative guidance specified in paragraph 4, subsection 3 of this Act, the administrative authority shall set out the meaning of the indeterminate legal concept and define in detail and unambiguously its standard cases;

3) the administrative authority shall prepare information technology parameters for decision-making in an automated administrative procedure, the operating logic of the algorithm and their general explanations which shall be directly based on the law and the administrative guidance specified in paragraph 4, subsection 3 of this Act;

4) the administrative authority shall ensure that in a case not stipulated in the administrative guidance specified in paragraph 4, subsection 3 of this Act an automated administrative procedure shall not be carried out, no automated administrative acts or other documents shall be issued, and no automated operations performed, and

5) the administrative authority shall not use a self-learning algorithm which permits autonomous alteration of its parameters or an algorithm whose general parameters and operating logic is not explained in the administrative guidance.

  1. See S. Tambur, Lessons from the World’s Startup Capital, e-Estonia 2016. –
  2. Regulation in § 31 of the Public Information Act, available in English at
  3. European Commission, The official portal for European data. Open Data in Europe 2022 –
  4. M. Solvak et al., E-governance diffusion: Population level e-service adoption rates and usage patterns, in Telematics and Informatics, 36, 2019, p. 39 (40).
  5. e-Estonia, Frequently Asked Questions: Estonian blockchain technology, 2019. –
  6. See
  7. Regulation No. 88 of the Government of the Republic of 25 May 2017, available in English at
  8. This misunderstanding was caused by a rather banal automation pilot project launched in undisputed civil cases of low value (§ 4892 of the Code of Civil Procedure); see K. Nyman Metcalf, T. Kerikmäe, Machines Are Taking over – Are We Ready?, in Singapore Academy of Law Journal, 33, 2021, p. 24 (33).
  9. In Estonian mythology, a kratt is a man-made creature who is snatching stuff for its master and whose soul has been bought from the devil; see A. Kivirähk, Les Groseilles de novembre, Le Tripode, Paris, 2019. Nowadays it has become a custom here to call AI applications kratts; see in detail at
  10. M. Suksi, Administrative due process when using automated decision-making in public administration: some notes from a Finnish perspective, in Artificial Intelligence and Law 29, 2021, p. 87 (107).
  11. K. Nyman Metcalf, T. Kerikmäe, Machines Are Taking over, mentioned, p. 27.
  12. See K. Sadekov, AI use cases for Government: How Estonia is Leading the Way, MindTitan 2021. –
  13. See also I. Pilving, M. Mikiver, A Kratt as an Administrative Body: Algorithmic Decisions and Principles of Administrative Law in Juridica International 29, 2020, pp. 47 (48–49).
  14. K. Nyman Metcalf, T. Kerikmäe, Machines Are Taking over, mentioned, p. 27.
  16. e-Estonia. – https://e-estonia. com/ai-govstack-testbed_eng/; R. Dreyling, E. Jackson, T. Tammet, A. Labanava, I. Pappel, Social, Legal, and Technical Considerations for Machine Learning and Artificial Intelligence Systems in Government, in Proceedings of the 23rd International Conference on Enterprise Information Systems 1, 2021, p. 701; K. Vaher, Next Generation Digital Government Architecture, 2020, pp. 51 et seq. –
  17. Furthermore, automated entries are made in various state registries, see K. Nyman Metcalf, T. Kerikmäe, Machines Are Taking over, mentioned, p. 33.
  18. Critically P. K. Tupay et al., Is European Data Protection Toxic for Innovative AI?, in Juridica International 30, 2021, p. 99 (101).
  19. Ibid., p. 108.
  20. K. Vaher, Next Generation Digital Government Architecture, mentioned, p. 7.
  21. Regulation of the Government of the Republic of 23 September 2016 concerning the Data Exchange Layer; available only in Estonian at
  22. On those see e.g., F. Galli, Interoperable Databases: New Cooperation Dynamics in the EU AFSJ?, in European Public Law 26, 2020, p. 109 (111). See also ReNEUAL book VI.
  23. P. K. Tupay et al., Is European Data Protection Toxic for Innovative AI?, mentioned, p. 102–103; R. Dreyling et al., Social, Legal, and Technical Considerations, mentioned, p. 704; M. Martini, M. Wenzel, “Once only” versus “only once”: Das Prinzip einmaliger Erfassung zwischen Zweckbindungsgrundsatz und Bürgerfreundlichkeit, in Deutsches Verwaltungsblatt 2017, p. 749.
  24. Compare art. 14, paragraph 2 of the GDPR.
  25. On general clauses see N. Marsch, T. Rademacher, Generalklauseln im Datenschutzrecht, in Die Verwaltung 54 2021, p. 1. For comparison see Court of Justice, judgement 22 June 2021, C-439/19, Latvijas Republikas Saeima (Points de pénalité), ECLI:EU:C:2021:504, p. 105; judgement 24. February 2022, C-175/20, Valsts ieņēmumu dienests, ECLI:EU:C:2022:124, p. 48–58.
  26. For comparison: § 5 subsection 2 of the German E-Government Act; on that see W. Denkhaus et. al., EGovG § 5, in W. Denkhaus et. al. (Ed.), E-Government-Gesetz. Onlinezugangsgesetz. Kommentar, Beck, München, 2019, comments 16 et. seq.
  27. K. Vaher, Next Generation Digital Government Architecture, mentioned, p. 53 et seq.
  28. Supreme Court, judgement 7 March 2019, 1-09-14104, pp. 26–27.
  29. Supreme Court, judgement 19 February 2019, 3-17-1545, p. 29.
  30. Supreme Court, judgement 20 September 2020, 3-18-305, p. 11.2.
  31. Supreme Court, judgments 24 October 2017, 5-17-32 and 5-17-35; 8 November 2017, 5-17-38; 27 March 2019, 5-19-18 and 5-19-20; 18 June 2019, 5-19-32; 26 June 2019, 5-19-39.
  32. Tallinn Administrative Court, judgement 12 September 2022, 3-21-1203, Eesti Metsa Abiks vs. Keskkonnaamet, p. 20 et seq.
  33. Chancellor of Justice, opinion 28 July 2022, 7-4/220648/2203973.
  34. Chancellor of Justice, opinion 15 December 2022, 7-4/221647/2206594.
  35. Chancellor of Justice, opinion 18 November 2021, 7-5/212011/2107988.
  37. Ministry of Justice, Legislative Intent to Regulate Effects of Algorithmic Systems, 2020,
  39. Riigikogu, Haldusmenetluse seaduse muutmise ja sellega seonduvalt teiste seaduste muutmise seadus, 634 SE, 2022;
  40. See S. Civitarese Matteucci, Public Administration Algorithm Decision-Making and the Rule of Law, in European Public Law 27, 2021, p 103. See also Art. 22, paragraph 2, letter b of the GDPR.
  41. So today also in § 91, subsection 25 of the Rescue Act.
  42. In accordance with the art. 9, subsection 2, letter g of the GDPR.
  43. For comparison see I. Pilving, M. Mikiver, A Kratt as an Administrative Body, mentioned, p. 53.
  44. Similarly in Germany, § 35a of the Federal Administrative Procedure Act (Verwaltungsverfahrensgesetz).
  45. Compare M. Suksi, Administrative due process when using automated decision-making in public administration, mentioned, p. 104.
  46. See also e.g., A. Guckelberger, Automatisierte Verwaltungsentscheidungen: Stand und Perspektiven, in Die Öffentliche Verwaltung 2019, p. 566 (569).
  47. Consequently, such restrictions are not just symbolic, they require qualified and well thought-out mandates to be granted by the legislator, compare A. Tischbirek, Ermessensdirigierende KI. Zum Einsatz intelligenter Systeme in der ermessensermächtigten Verwaltung, in Zeitschrift für Digitalisierung und Recht 2021, pp. 307 (319–320).
  48. See European Commission, proposal for a regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts of 21 April 2021, art. 3, clause 1 –; W. Hoffmann-Riem, Der Umgang mit Wissen bei der digitalisierten Rechtsanwendung, in Archiv des öffentlichen Rechts 145, 2020, p. 1 (3).
  49. Compare, A. Tischbirek, Ermessensdirigierende KI. Zum Einsatz intelligenter Systeme in der ermessensermächtigten Verwaltung, mentioned, p. 322.
  50. N. de Boer, N. Raaphorst, Automation and discretion: explaining the effect of automation on how street-level bureaucrats enforce, in Public Management Review 25, 2023, p. 42 (44).
  51. P. Craig, Administrative Law, Sweet & Maxwell, 2016, pp. 536–538.
  52. E.g., C. Harlow, R. Rawlings, Administrative Law, Cambrige University Press, Cambrige, 2022, pp. 226 et. seq.; A. Tischbirek, Ermessensdirigierende KI. Zum Einsatz intelligenter Systeme in der ermessensermächtigten Verwaltung, mentioned, p. 322.
  53. Supreme Court, judgments 16 January 2008, 3-3-1-81-07; 18 December 2014, 3-3-1-77-14.
  54. Supreme Court, judgements 12 December 2017, 3-11-1355, p. 30–31; 22 September 2022, 3-20-1548, p. 24–25.
  55. Compare in U. Stelkens, § 35a, in P. Stelkens, H. J. Bonk, M. Sachs (Ed.), Verwaltungsverfahrensgesetz, Beck, München, 2022, comment 40; A. Guckelberger, Automatisierte Verwaltungsentscheidungen, mentioned, p. 569.
  56. Compare U. Stelkens, Staatshaftung und E-Government: VerwaltungsorganisationsrechtlicheGestaltungsmöglichkeiten, in H. Hill, U. Schliesky (Ed.), Auf dem Weg zum Digitalen Staat – auch ein besserer Staat, Nomos, Baden-Baden, 2015, p. 216; C. Harlow, R. Rawlings, Law and Administration, University Press, Cambridge, 2022, p. 255.
  57. See also M. Suksi, Administrative due process when using automated decision-making in public administration, mentioned, p. 89.
  58. U. Stelkens, § 35a, mentioned, no 41.
  59. Compare § 28, subsection 2, clause 4 of the APA (Verwaltungsverfahrensgesetz) in Germany.
  60. M. Suksi, Administrative due process when using automated decision-making in public administration, mentioned, p. 106
  61. J. Englisch, M. Schuh, Algorithmengestützte Verwaltungsverfahren, in Die Verwaltung 55, 2022, p. 155 (169); U. Stelkens, § 35a, mentioned, no. 46.
  62. U. Stelkens, § 35a, mentioned, no. 42.
  63. Compare J. B. Bullock, Artificial Intelligence, Discretion, and Bureaucracy, in American Review of Public Administration 49, 2019, pp. 751 (756–757); about differentiation between complexity and uncertainty B. Head, Wicked Problems in Public Policy, in Public Policy 3, 2008, pp. 101 (103).
  64. Compare the original scheme of J. B. Bullock in Artificial Intelligence, Discretion, and Bureaucracy, mentioned, p. 757.
  65. M. Hildebrandt, Code-Driven Law: Freezing the Future and Scaling the Past, in C. Markou, S. Deakin (ed.), Is Law Computable? Critical Perspectives on Law and Artificial Intelligence, Hart, Oxford, 2020, p. 71; M. Seckelmann, Algorithmenkompatibles Verwaltungsrecht?, in Die Verwaltung 54, 2021, pp. 251, 258 et seq.; C. Guitton, A. Tamò-Larrieux, S. Mayer, Mapping the Issues of Automated Legal Systems: Why Worry About Automatically Processable Regulation?, in Artificial Intelligence and Law 3, 2022 –, p. 4; E. Micheler, A. Whaley, Regulatory Technology: Replacing Law with Computer Code, in European Business Organization Law Review 21, 2020, p. 349, 358; M. Suksi, Administrative due process when using automated decision-making in public administration, mentioned, pp. 87, 89.
  66. M. Hildebrandt, Code-Driven Law, mentioned, p. 76.
  67. C. Guitton, A. Tamò‑Larrieux, S. Mayer, Mapping the Issues of Automated Legal Systems: Why Worry About Automatically Processable Regulation?, in Artificial Intelligence and Law 2022, 3, p. 4.
  68. M. Suksi, Administrative due process when using automated decision-making in public administration, mentioned, pp. 101; U. Stelkens, § 35a, mentioned, comment 33.
  70. C. R. Sunstein, Governing by Algorithm? No Noise and (Potentially) less Bias, in Duke Law Journal 71, 2022, p. 1175, 1195.
  71. N. de Boer, N. Raaphorst, Automation and discretion, mentioned, p. 57; J. Englisch, M. Schuh, Algorithmengestützte Verwaltungsverfahren, mentioned, p. 169.
  72. M. A. Lemley, B. Casey, Remedies for Robots, in University of Chicago Law Review, 86, 2019, p. 1311 (1373).
  73. For comparison see U. Stelkens, Staatshaftung und E-Government, mentioned, p. 196 et seq.
  74. State liability is currently fault-based when compensating the loss of reasonably expected profits (lucrum cessans) and non-pecuniary damages; however, case-law keeps moving towards so-called objective and organisational fault placing the burden of proof almost always on the administrative authority causing the damage; see Supreme Court, judgment 17 June 2021, 3-19-1416, p. 27.
  75. T. Kerikmäe et al., 1st Report on Legal Framework and Analysis Related to Autonomous Intelligent Technologies, TalTech, 2019, para. 24–26. See also K. Nyman Metcalf, T. Kerikmäe, Machines Are Taking over, mentioned, p. 34 et. seq.
  76. In contrast to Finland, where a civil servant should always be designated as a responsible party for the ADM system, M. Suksi, Administrative due process when using automated decision-making in public administration, mentioned, p. 106.
  77. T. Kerikmäe et al., Legal Person- or Agenthood of Artificial Intelligence Technologies, in Acta Baltica Histoiae et Philosopiae Scientarium 8, 2020, DOI: 10.11590/abhps.2020.2.05, p. 73; K. Nyman Metcalf, T. Kerikmäe, Machines Are Taking over, mentioned, p. 43 et seq.
  78. Resolution 2020/2014(INL) of the European Parliament of 20 October 2020; Report COM/2020/64 final of the Commission of 19 February 2020,

Ivo Pilving

Associate Professor of Administrative Law at the University of Tartu.