EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

Automated Decision-Making Safeguards

GDPR Art 22 + EU AI Act Art 14 ยท Human-in-the-Loop ยท Right to Object ยท Explanation Rights ยท BFT Governance ยท Red Line Enforcement ยท EAT Directive aligned

GDPR ART 22 EU AI ACT ACTIVE
7
Safeguard Layers
5
Oversight Levels
7
Red Lines Enforced
23/33
BFT Quorum
2s
Stop Response
8
Subject Rights

What is Article 22?

Article 22 of the GDPR grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The data subject has the right to:

The EU AI Act adds further requirements: high-risk AI systems must be designed to allow human oversight (Art 14), enable effective interpretability, and provide transparency to deployers and affected persons.

DEFONEOS implements a multi-layered safeguard framework that ensures no purely automated decision with legal or significant effects can be made without human review opportunities, oversight mechanisms, and contestability.

โš ๏ธ Honesty Register

The safeguard architecture described here is the designed system โ€” the BFT council, red lines, and stop button are functional in the sovereign substrate. However, DEFONEOS has not been deployed in a live public-service context where automated decisions affect data subjects. The "8 subject rights automated" describe the GDPR rights that the system's design supports, not rights that have been exercised in practice by real data subjects. The BFT quorum (23/33) is the governance rule, not a guarantee of correct decisions โ€” it ensures distributed consensus before action.

The 7 Safeguard Layers

1
Red Line Enforcement โ€” Immutable Hard Stops

Seven red lines are embedded in the system at the protocol level. These are not configurable โ€” they cannot be overridden by any agent, council, or operator without source code modification and full BFT council approval. Attempting to violate a red line triggers an automatic halt and security SIGIL.

Red LineWhat It PreventsEnforcement
โŒ No kinetic targetingStrike packages, find-fix-finish, kill ordersCode-level refuse + SIGIL alert + halt
โŒ No personal surveillanceIndividual tracking, face-rec, phone locatingCode-level refuse + SIGIL alert + halt
โŒ No false certificationsClaims without signed letters/evidenceTemplate lock + SIGIL verification
โŒ No DEFONEOS-SEAL without voteCredential issuance without 23/33 quorumMulti-sig enforcement (BFT)
โŒ No DSEI without pilot letterBooth booking without MOD partnerManual gate + evidence check
โŒ No defonos.io domainKnown trap domain acquisitionDNS blocklist
โŒ No compartment cross-linkingMixing meok-defoneos / csoai-defoneos / dagonBuild pipeline isolation + audit
2
BFT Council โ€” Distributed Decision Governance

No significant decision is made by a single agent. The 33-agent BFT (Byzantine Fault Tolerant) council must reach a quorum of 23/33 (70%) before any governance action is executed. Each vote is Ed25519-signed and recorded on the SIGIL chain.

Decision TypeQuorum RequiredTimeoutDefault if No Quorum
Standard governance action23/33 (70%)5 minutesReject (safe default)
DEFONEOS-SEAL credential23/33 (70%)1 hourReject
Red line override request33/33 (100%)24 hoursReject (hard stop)
Emergency halt11/33 (33%)30 secondsHalt immediately
Recovery from halt23/33 (70%)1 hourStay halted
New MCP approval23/33 (70%)10 minutesReject
Conformity assessment23/33 (70%)24 hoursReject

Safe default: In all cases, if quorum is not reached, the safe default is NO ACTION. The system never proceeds without sufficient consensus.

3
Human-in-the-Loop (HITL) โ€” Mandatory Review Points

For any decision that could produce legal effects or significantly affect a person, DEFONEOS routes the decision to a human reviewer before execution. The system pauses and waits for human input.

HITL TriggerWhat PausesWho ReviewsSLA
Automated decision with legal effectDecision executionHuman operator + BFT council4 hours
Cross-border data transferData exportData Protection Officer24 hours
New high-risk use caseFeature deploymentDPO + council + risk officer48 hours
External communicationMessage/email sendHuman operator (Nick)Manual
Financial transactionPayment/chargeHuman operator (Nick)Manual
Serious incident reportAuto-report to regulatorDPO72 hours (Art 73)
4
Stop Button โ€” Emergency Human Override

A physical and software stop button exists at the system level. When pressed, all automated processing halts within 2 seconds. The stop event is logged on the SIGIL chain with a SECURITY op type.

PropertySpecification
Response time< 2 seconds (verified)
ScopeAll MCP processing, all automated decisions, all agent activity
RecoveryRequires 23/33 BFT quorum + human confirmation
LoggingSIGIL SECURITY event with timestamp, actor, reason
NotificationAll agents notified via SIGIL broadcast
TestedMonthly drill, last tested: 2026-06-30 (1.8s)
5
Interpretability โ€” Decision Explanations

Every automated decision includes a machine-readable explanation of why the decision was made, what data was used, and which rules/models produced the output. Explanations are generated automatically and stored on the SIGIL chain.

Explanation ComponentContentAvailable To
Decision rationaleRule/model that fired, threshold that triggeredData subject + DPO
Input dataWhat data was processed (GDPR Art 15)Data subject
Confidence levelStatistical confidence of the outputOperator + DPO
Alternative outcomesOther possible decisions and their scoresDPO + council
Council vote recordHow each agent voted (if BFT decision)DPO + auditor
Red line checkConfirmation that decision passed all 7 red linesAuditor
6
Right to Contest โ€” Objection and Redress

Data subjects affected by automated decisions have clear, accessible paths to object, contest, and seek human review.

RightLegal BasisHow to ExerciseResponse SLA
Object to automated processingGDPR Art 21Written request to DPO1 month
Human review of decisionGDPR Art 22(3)Written request to DPO15 days
Express point of viewGDPR Art 22(3)Hearing or written submission15 days
Contest decisionGDPR Art 22(3)Written challenge with evidence30 days
Right to explanationGDPR Recital 71 + Art 15Access request1 month
Right to erasureGDPR Art 17Erasure request1 month
Right to lodge complaintGDPR Art 77Complaint to ICO (UK)Per ICO
Judicial remedyGDPR Art 79Court proceedingsPer court
7
Automation Bias Mitigation

DEFONEOS actively mitigates the risk that human reviewers over-trust automated outputs ("automation bias"). Without active mitigation, human oversight becomes a rubber stamp.

MitigationHow It Works
Confidence calibration displayDecisions presented with explicit confidence scores. Low-confidence decisions flagged for closer review.
Dissenting opinion displayIf BFT council had dissenting votes, dissenting views are shown to reviewer.
Random review sampling10% of high-confidence automated decisions are randomly selected for human review. Reviewers don't know which were sampled vs. mandatory.
Decision difficulty estimationSystem estimates decision difficulty and presents harder cases with more context.
Reviewer performance trackingTracks reviewer agreement rate. Alerts if reviewer agrees >95% (possible rubber-stamping) or <60% (possible adversarial review).
Counterfactual presentationShows what the decision would be under different inputs, encouraging critical thinking.

GDPR Article 22 Compliance Matrix

RequirementLegal BasisStatusEvidence
Right not to be subject to solely automated decisionArt 22(1)โœ… METNo decision with legal effect is made solely by machine. HITL required.
Exceptions: contract/necessary, authorised by law, explicit consentArt 22(2)โš ๏ธ CONTEXTUALDepends on use case. Each deployment must identify which exception applies.
Human intervention safeguardsArt 22(3)(a)โœ… METHITL framework. 4-hour SLA for legal-effect decisions.
Right to express point of viewArt 22(3)(a)โœ… METWritten submission or hearing within 15 days.
Right to contest decisionArt 22(3)(a)โœ… METWritten challenge with evidence within 30 days.
Special category data protectionArt 22(4)โœ… METSpecial category data (Art 9) requires additional safeguards. DPIA mandatory.
Information about automated decision-makingArt 13(2)(f), 14(2)(g)โœ… METPrivacy notice includes Art 22 information. Decision explanations available.
Meaningful information about logicArt 13(2)(f)โš ๏ธ PARTIALExplanations generated but "meaningful" for laypersons needs UX work.

EU AI Act Cross-Reference

EU AI Act ArticleHow DEFONEOS Complies
Art 13 โ€” TransparencyDeployer instructions include automated decision-making disclosure. See Transparency for Deployers.
Art 14 โ€” Human Oversight5-level oversight framework. See Human Oversight.
Art 86 โ€” Right to ExplanationIndividual right to explanation of individual decision-making. See Right to Explanation (planned).
Art 26 โ€” Deployer ObligationsDeployers must ensure human oversight per Art 26(2). Framework supports this.
Art 10 โ€” Data GovernanceData used for automated decisions governed by Art 10. See Data Governance.

Accountability Chain

Every automated decision has a complete accountability chain, traceable on the SIGIL chain:

DECISION โ†’ MODEL/RULE FIRED โ†’ INPUT DATA โ†’ CONFIDENCE SCORE โ†’ BFT COUNCIL VOTES (if applicable) โ†’ RED LINE CHECK (7 checks) โ†’ HITL REVIEW (if required) โ†’ HUMAN DECISION โ†’ SIGIL SIGNATURE (Ed25519) โ†’ SIGIL HASH CHAIN โ†’ EXPLANATION GENERATED โ†’ SUBJECT NOTIFIED (if applicable) โ†’ RETENTION POLICY APPLIED โ†’ RIGHT TO CONTEST AVAILABLE

If any step in the chain fails verification, the decision is flagged as non-compliant and automatically halted.

โš ๏ธ Honesty Register โ€” Automated Decision Limitations

What IS working: The BFT council, red lines, stop button, and SIGIL logging are functional components of the sovereign substrate. The accountability chain architecture is real. The safeguard framework describes how the system is designed to operate.

What IS NOT proven: DEFONEOS has not been deployed in a context where automated decisions affect real data subjects. The HITL SLAs, contest timelines, and automation bias mitigations are designed policies, not operationally tested workflows. The "meaningful information about logic" requirement (Art 13(2)(f)) requires layperson-comprehensible explanations โ€” current explanations are technical and would need UX work for data subjects. The right-to-contest workflow assumes a functioning DPO (Data Protection Officer) role that is not yet formally designated.

What's missing: (1) Formally designated DPO, (2) Layperson-comprehensible explanation interface, (3) Operational testing of contest workflow, (4) Integration with ICO (Information Commissioner's Office) complaint pathway.

๐Ÿ›ก๏ธ Ready to put DEFONEOS to work?

7 personas ยท 5 tiers ยท 30-second signup ยท free 30-day sandbox for regulators and end-users.

Sign up ยท Ed25519-signed receipt โ†’ For Defence Primes For Regulators (Free) Series A โ€” ยฃ45-90M Round
ED25519 SIGIL receipts ยท UK-sovereign ยท AUKUS-compatible ยท T-27 days to EU AI Act