On 21 April 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) published draft guidelines on the right to explanation in fully automated decision-making (ADM) under Article 22 of the GDPR. The public consultation closed on 26 May 2026. For the better part of a decade, Article 22 has been one of the GDPR's most-cited and least-operationalised provisions: everyone agreed individuals were entitled to "meaningful information about the logic involved" in a decision that produced legal or similarly significant effects, but no regulator had spelled out what a compliant explanation actually looks like. The AP's draft is the most detailed attempt yet to fill that gap.
What the draft actually requires
The guidance splits the obligation into two tiers. A general explanation must be provided proactively — before any decision is made, typically in a privacy statement at the point where someone submits their data. It describes the process in the aggregate: the categories of personal data that may be used and the relative weighting of the factors that drive an outcome. A specific explanation is delivered on request, when an individual exercises their access right or invokes Article 22(3). It must be tailored to that person: which of their data points were used, the essential elements of the algorithm including weightings and intermediate steps, and the relationship between those inputs and the result. Controllers have one month to respond, extendable by two further months with notice, mirroring Article 12(3)'s standard access timeline.
The AP's archetypal examples are deliberately mundane and high-stakes: a loan approval and a car-rental application. These are the everyday automated gatekeeping decisions that determine whether someone gets credit, housing, or a service — exactly the domain Article 22 was written for.
The case for the rules is real
It would be a strawman to treat this as bureaucratic box-ticking. The AP commissioned a survey of 1,480 Dutch residents, published alongside the draft, which found that nearly two in five were unaware they even had a right to human intervention when a machine decides about them. A right nobody knows exists is a right that does not function. And the guidance does not arrive in a vacuum: it operationalises the Court of Justice of the European Union's February 2025 ruling in Dun & Bradstreet Austria (Case C-203/22), where the Court confirmed that Article 15(1)(h) carries a genuine right to explanation and held that "the mere communication of a complex mathematical formula, such as an algorithm" does not satisfy it. The AP is, in effect, telling controllers what the CJEU left abstract. There is a legitimate fairness interest here: a person denied credit by a model they cannot see, contest, or understand has been subjected to power without accountability.
Where proportionality starts to fray
The harder question is whether the AP has calibrated the burden to the risk. Several design choices push toward over-compliance. The draft cautions controllers against hedging language — words like "may" or "could" — and pushes them toward definite statements about how a model behaves. That instinct toward clarity is sound, but modern statistical models are probabilistic by construction. A faithful explanation of a gradient-boosted credit model is, accurately, a statement about likelihoods and feature contributions, not deterministic rules. A guideline that treats hedged language as a defect risks penalising honesty about how machine learning actually works, and nudging firms toward explanations that are crisp but false.
The trade-secret carve-out is narrow in a way that cuts both ways. The AP permits limiting an explanation to protect genuinely proprietary logic or to prevent gaming of the system — but only on a specific, justified basis, never a generic invocation. That is defensible in principle and tracks Dun & Bradstreet, which sent the balancing exercise to supervisory authorities and courts rather than allowing blanket exemptions. In practice, it shifts legal risk onto every controller who must now justify, case by case, what it withholds — a cost that lands hardest on smaller firms without standing legal teams, not on the large incumbents the rule is implicitly aimed at.
Get the implementation right and this is a net positive
The pro-innovation position is not opposition to explanation — it is insistence that the explanation regime reward good engineering rather than punish it. The AP's layered approach (a plain-language overview up front, with algorithmic detail one click deeper) is genuinely the right pattern: it serves the confused consumer without forcing a 40-page model card on someone who just wants to know why their loan was refused. Firms that have built explainability into the design phase — feature attribution, documented weightings, audit trails — will find compliance close to free. Firms that bolted automation on without instrumentation will face real cost, and that cost is, arguably, the point.
The risk is at the margin. If the final guidance treats every probabilistic hedge as a compliance failure, or if the one-month specific-explanation clock turns into a high-volume operational drain for routine decisions, the rational response for some firms will be to retreat from automation altogether — keeping a human nominally "in the loop" purely to escape Article 22, which serves neither speed nor accuracy. That would be a perverse outcome: a transparency rule that produces less automation and worse decisions rather than more accountable ones.
The consultation has closed; the AP should use the responses to soften the language penalties around probabilistic models and to scale the on-request burden to the actual stakes of the decision. Done well, the Dutch guidance becomes a template the rest of the EU can copy — turning a decade-old paper right into a workable one. Done rigidly, it becomes a tax on the very automation that makes consequential decisions faster and, often, fairer than the human discretion it replaced.