For most deployers, the right to explanation has been a clause in the privacy notice. It sits between the breach-notification line and the retention paragraph. No one has been asked to operate it. Article 22 GDPR has been on the books since 2018. Article 86 of the EU AI Act has been law since August 2024. Neither has been routinely tested. That posture is ending.
On 21 April 2026 the Dutch Data Protection Authority published a 31-page draft and opened it for consultation. It is titled “The right to an explanation in automated decision-making.” The window closes on 26 May. The final guidance lands later this year. The draft is already the clearest operational signal yet. The right to explanation has shifted from an information duty in theory to a deliverable on demand.
What the AP says about the right to explanation
The AP draft does what no European regulator has yet done at this level of detail. It sets out what the right to explanation must contain when an organisation makes an automated decision with serious consequences. The two worked examples are not arbitrary: credit scoring and algorithmic recruitment. Both sit inside Annex III of the AI Act as high-risk deployments.
After the consultation closes, the AP will publish an anonymised summary of responses. It will then issue a finalised set of practical handvatten, the Dutch term for operational tools. The product is intended to fit alongside the AP’s earlier work on meaningful human intervention in algorithmic decision-making, which followed the same consultation-then-tool pattern.
This is a Dutch instrument, but in practice it sets a reference point other authorities will read closely. The AP’s position on credit scoring already aligns with the Court of Justice’s SCHUFA ruling on Article 22. Compliance teams in other Member States should treat this as the operational template they will eventually be measured against.
Where Article 22 GDPR and Article 86 AI Act stack
The two rights do not collapse into each other. They overlap, and the overlap is where deployer obligations stack. Article 22 GDPR targets decisions based solely on automated processing that produce legal effects. Article 86 of the AI Act targets deployer decisions taken on the output of a high-risk AI system. Both apply when the decision significantly affects the person’s rights.
Take a credit decision built on an AI-assisted scoring model. Under the GDPR, the controller owes the data subject meaningful information about the logic involved. Under the AI Act, the deployer owes a clear explanation of the AI system’s role and the main elements of the decision. A single applicant making a single request can trigger both.
What the three-layer right to explanation actually contains
The AP draft pushes deployers toward an explanation built in three layers. The third layer is where most internal documentation falls short.
The input layer
The first layer covers the variables the system used: income, employment status, address history, time on file. Most controllers can already produce this layer. It is the part the data they hold makes obvious.
The logic layer
The second layer covers how the system combined those variables. Not the model weights, but the decision logic in terms a non-technical applicant can understand. The phrase “meaningful information about the logic involved” in Article 15(1)(h) GDPR has lived here for years. No regulator has pressed on what “meaningful” actually requires. The AP draft is that pressure.
The individual-decision layer
The third layer covers why this person received this outcome. Which factors weighed against them. What would have to change for the decision to be different. This is where the right to explanation stops being an information duty about a system. It becomes a reason-giving duty about a person. Most deployer documentation does not reach this layer.
Three deployer actions for the quarter ahead
The final guidance will arrive in Q3 2026. Deployer capability needs to exist before it does, not because of it.
First, sample five recent AI-assisted decisions. Then attempt to produce the explanation the data subject would actually receive. Not the documentation about the system; the explanation about the person. The gap is the size of the problem.
Second, map where in the system the explanation can be generated. Some of it sits with the vendor in the model logic. Some sits with the deployer in the configuration and use of the output. The contract review that follows is the same one many organisations are already running under stacked AI compliance regimes.
Third, build the right to explanation request into the DSAR workflow rather than as a separate channel. The data subject will not distinguish between an Article 22 request and an Article 86 request. Neither should the intake. A single trigger should drive a single internal process that produces a layered response.
The diary date is August 2026
The Dutch DPA’s draft is not the final word. It is the strongest indication yet that the regulatory direction sits with deployer capability, not deployer paperwork. The same direction shows up across adjacent enforcement signals. We have been drawing the same operational lesson in our work on AI governance divergence and in our workforce-decision case studies. The right to explanation is the test case where all of it lands on a real applicant.
Set an internal review of your right to explanation capability for August 2026. If the team cannot produce a credible three-layer explanation for a sampled decision by then, the gap is the work.
Newsletter
Releted Blogs
LATEST NEWS
AI governance is not a future problem
Regulation is already in effect. Your competitors are already building internal capability. The gap between ‘we are aware of AI’ and ‘we have operational control’ is closing, and it closes faster with a structured framework.
Book a 30-minute discovery call. No obligation. We will assess where your organisation stands and what a realistic starting point looks like.
No sales pressure. No jargon. Just a structured conversation about your organisation's AI readiness.