The "Automated Means Criterion" is a key factor in determining the material applicability of data protection laws, often extending the scope to cover processing operations that involve automated or partially automated means. ## Provision Examples GDPR Art.2(1) in EU: "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." Federal PDPL Art.2(1) in UAE: "The provisions of this Decree Law shall apply to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by: [...]" ## Description The "Automated Means Criterion" is widely used across jurisdictions to define the scope of data protection laws. This factor typically extends the applicability of these laws to data processing operations that involve automated or partially automated means. The rationale behind incorporating this factor is to address the increased risks and scale of data processing enabled by technology. Automated processing allows for faster, more extensive, and potentially more invasive handling of personal data, necessitating specific legal protections. Common approaches observed in the provisions include: 1. Full coverage of automated processing: Many laws, such as the GDPR and the UAE Federal PDPL, apply to data processing carried out wholly by automated means. 2. Partial automation: Laws often extend to processing that is only partly automated. For example, the GDPR applies to processing "wholly or partly by automated means". 3. Inclusion of non-automated processing in certain cases: Some laws, like the GDPR and Turkey's DPL, also cover non-automated processing if the data forms part of a filing system. The GDPR Recital 15 clarifies: "Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation." 4. Technology neutrality: As stated in GDPR Recital 15, "the protection of natural persons should be technologically neutral and should not depend on the techniques used." 5. Digital focus: Some jurisdictions, like India's DPDP, specifically apply to "digital personal data" or data that is "collected in digital form" or "digitised subsequently". This factor is present in international treaties such as the Convention 108, which defines "automatic processing" and applies to "automated personal data files and automatic processing of personal data". ## Implications The "Automated Means Criterion" extends the application of data protection laws to most modern data processing activities. In practice, this means that nearly all digital data processing by companies, regardless of the scale or sophistication of the technology used, falls under the scope of these laws. For example, under the GDPR, a small business using a simple customer database software would be subject to the regulation, as would a large corporation employing complex AI algorithms for data analysis. Companies have to carefully consider their data processing activities, even when using seemingly simple or limited technological tools.