Fundamental Rights Impact Assessment and Algorithmic Public Administration: What South-East European Public Authorities Can Learn from the EU AI Act

The central legal question is not whether AI will replace the civil servant, but whether it will quietly reshape the legal conditions under which public authority is exercised. When an algorithm ranks, flags, predicts or recommends within an administrative procedure, digitalisation gives way to something more consequential: algorithmic public power.

This is why the Fundamental Rights Impact Assessment (FRIA), introduced by Article 27 of Regulation (EU) 2024/1689, the EU Artificial Intelligence Act, deserves close attention in South-East Europe. It should not be understood as a bureaucratic annex to AI compliance. It should be read as an emerging tool of administrative legality: a structured ex ante inquiry into whether a high-risk AI system can be deployed without weakening human dignity, equality, non-discrimination, privacy, data protection, good administration, effective remedy, fair trial guarantees and democratic accountability.

From digital administration to algorithmic public power

Digital public administration has often been presented through the vocabulary of efficiency: online portals, interoperable registers, electronic certificates, faster services and reduced direct contact between citizens and officials. These objectives remain legitimate. Yet algorithmic systems introduce a qualitatively different problem. A digital portal may transmit a request. An AI system may influence how the authority understands that request.

Public authority is traditionally organised around competence, procedure, reasons, proportionality, equality, review and responsibility. Algorithmic systems complicate each of these categories. They may distribute responsibility across public bodies, software providers, data suppliers and automated outputs. They may generate classifications that officials do not fully understand but nevertheless treat as authoritative. They may preserve the formal appearance of human decision-making while narrowing the practical space for human judgment. A formally human decision may be substantively shaped by a risk score, ranking, alert or recommendation. In such cases, the question is not whether a human signature appears at the end of the procedure. The question is whether the public authority remains capable of independent assessment, reasoned justification and rights-sensitive correction.

FRIA responds to this precise challenge. Under Article 3 of the EU Artificial Intelligence Act, a provider is the natural or legal person, public authority, agency or other body that develops an AI system, or has it developed, and places it on the market or puts it into service under its own name or trademark. A deployer, by contrast, is the natural or legal person, public authority, agency or other body using an AI system under its authority. In a typical public procurement scenario, the private software company will usually be the provider, while the ministry, municipality, agency or public-service body that uses the system in an administrative process will be the deployer. This distinction explains why Article 27 places the FRIA obligation on the public authority using the system, rather than on the vendor alone: the relevant fundamental-rights risks arise from the concrete administrative context of use. Therefore, it requires the deployer to examine the institutional process in which the AI system will be used, the categories of persons and groups likely to be affected, the specific risks of harm, the human oversight arrangements and the complaint mechanisms that will operate if risks materialise. It makes context, not abstract technological capacity, the centre of the legal analysis.

Article 27 AI Act as an administrative-law innovation

The EU AI Act classifies systems as high-risk when they fall within legally defined categories and may affect health, safety or fundamental rights. Many of the most sensitive categories concern public power or quasi-public functions: access to essential services, education, employment, law enforcement, migration, asylum, border control, administration of justice and democratic processes. In practice, “high-risk” is not a general label for any advanced or sensitive AI system. It is a legal classification under Article 6 and Annex III of the EU Artificial Intelligence Act. Annex III operates as the decisive list of use cases, covering areas such as biometrics, critical infrastructure, education, employment, access to essential public and private services, law enforcement, migration and asylum, administration of justice and democratic processes. For public administrations, the difficult first step is therefore not the FRIA itself, but the prior classification exercise: identifying whether the procured or deployed system falls within an Annex III category, whether it materially influences decision-making, and whether Article 27 is triggered in the concrete administrative setting. A public authority cannot treat the vendor’s description of the product as sufficient; for the purposes of its own Article 27 duty, it must make a deployment-side assessment of the system’s legal role, intended use and rights relevance.

Article 27 requires certain deployers of high-risk AI systems to carry out a FRIA before first use. The obligation applies to bodies governed by public law, private entities providing public services, and certain deployers operating high-risk systems in essential services. The assessment must include a description of the deployer’s process, the period and frequency of intended use, the categories of persons and groups likely to be affected, the specific risks of harm, human oversight measures, and measures to be taken if those risks materialise, including internal governance and complaint mechanisms.

This is a notable legal development for three reasons:

1. Article 27 treats fundamental rights as deployment conditions, not post-hoc litigation standards. The public authority must examine rights implications before the system becomes operational.
2. It shifts attention from the AI system in isolation to the AI system in an administrative setting. The same tool may raise different legal issues depending on whether it is used for internal document management, welfare eligibility, police analysis, migration triage or public procurement control.
3. It links risk assessment with institutional accountability. FRIA is not confined to identifying possible harm. It requires the authority to specify oversight, governance and complaint channels. In that sense, it connects AI regulation with the classical guarantees of administrative justice.

FRIA is not a renamed DPIA

The relationship between FRIA and the Data Protection Impact Assessment under Article 35 of the General Data Protection Regulation  requires conceptual precision. A DPIA is required where a type of processing, especially using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. It focuses on envisaged processing operations, purposes, necessity, proportionality, risks to data subjects and measures addressing those risks.

FRIA has a wider object. It includes data protection, but it is not reducible to it. A high-risk AI system used for social benefits may raise issues of lawful processing and profiling, but also dignity, equality, social exclusion, effective remedy and good administration. A migration-related system may raise questions of personal data, but also family life, procedural fairness, non-discrimination and protection against arbitrary treatment. A public procurement system may involve business data rather than sensitive personal data, yet it may still affect equality of economic actors, corruption control, transparency and public trust.

The AI Act recognises this complementarity. Where Article 27 obligations are already met through a GDPR DPIA or an assessment under Directive (EU) 2016/680. This is also where the broader academic literature matters. Scholarship on algorithmic governance has long warned that computational systems can reshape public authority by embedding normative choices into technical design, as shown in Karen Yeung’s paper on algorithmic regulation. Work on algorithmic impact assessment similarly emphasises that assessment regimes should identify affected persons, institutional responsibilities, documentation duties and opportunities for public contestation, as developed by Moss, Watkins, Singh, Elish and Metcalf in Assembling Accountability: Algorithmic Impact Assessment for the Public Interest. The GDPR experience is also instructive: Kaminski and Malgieri’s analysis of algorithmic impact assessments under the GDPR show why ex ante assessment can become a formalistic exercise if it is not connected to meaningful institutional responsibility, contestability and review. This is crucial for South-East Europe, where data protection authorities often have the most visible role in digital rights oversight, while ombuds institutions, equality bodies, audit authorities, public procurement bodies and administrative courts may still lack a defined position in AI governance. The GDPR experience shows that ex ante assessments can become formal box-ticking exercises if they are treated as internal paperwork rather than as instruments of institutional accountability. FRIA carries the same risk. What prevents formalism is not the existence of an assessment form, but the combination of clear responsibility, public or at least reviewable documentation, meaningful human oversight, complaint mechanisms, procurement obligations, post-deployment monitoring and the possibility of independent review.

The Council of Europe dimension

For South-East Europe, the EU AI Act should be read together with the The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law. The Convention, opened for signature on 5 September 2024, is the first international legally binding treaty in this field. Its objective is to ensure that activities within the AI lifecycle are consistent with human rights, democracy and the rule of law.

Albania, Bosnia and Herzegovina, Montenegro and North Macedonia are listed among its signatories (while Serbia is not currently listed as a signatory), which makes the Convention a relevant regional benchmark even before its full practical effects are felt in domestic legal orders.

Its relationship with FRIA is substantive because the Convention requires Parties to adopt or maintain measures for the identification, assessment, prevention and mitigation of risks posed by AI systems, taking into account actual and potential impacts on human rights, democracy and the rule of law. These measures must consider the context and intended use of the system, the severity and probability of potential impacts, the perspectives of relevant stakeholders, monitoring after deployment, documentation of risks and impacts, and testing before first use or after significant modification.

This architecture closely mirrors the logic of FRIA under the AI Act, but it is broader in scope. Article 27 AI Act operationalises fundamental-rights assessment for certain high-risk AI systems deployed by specific actors. The Council of Europe Convention places the same logic within a wider public-law frame: human rights protection, democratic integrity, procedural safeguards, remedies and rule-of-law oversight. It also covers the use of AI systems by public authorities, including private actors acting on their behalf, which is particularly important for public procurement and outsourced digital administration in South-East Europe.

The Convention therefore strengthens the FRIA argument. It confirms that ex ante assessment should not be treated as a technical compliance form, but as part of a European public-law response to algorithmic administration. The core point is that AI systems used by public authorities must be assessed before they significantly affect persons, procedures or institutional trust.

Why South-East Europe needs ex ante assessment

South-East Europe has particular reasons to develop FRIA practice early. AI systems do not enter a neutral institutional environment. They enter public sectors with uneven administrative capacity, limited technical expertise, frequent procurement weaknesses and incomplete public trust. These conditions do not prohibit AI use. They do, however, increase the need for prior legal control.

The assumption that AI will automatically reduce arbitrariness is too simple. AI may reduce certain forms of direct human discretion, but it can create new forms of computational discretion. It can encode contested policy choices, reproduce historical inequalities in training data, obscure accountability through vendor contracts, and transform a contestable judgment into a seemingly objective output.

This is why FRIA should be treated as a capacity test. A public authority that cannot define the system’s legal basis, intended purpose, affected groups, rights implications, oversight arrangements, explanation duties and remedies should not deploy high-risk AI in rights-sensitive functions. 

Public procurement as a constitutional risk point

In South-East Europe, the decisive legal moment will often occur before deployment: during public procurement. AI systems used by public bodies are frequently acquired from private providers. Contract design may determine whether the authority has access to documentation, audit rights, performance data, bias testing, cybersecurity information, explanation mechanisms and incident-reporting duties. 

FRIA should therefore be integrated into procurement planning. Tender documentation for high-risk AI systems should require a clear description of intended purpose, data governance, system limitations, testing procedures, bias and accuracy analysis, logging, cybersecurity measures, human oversight functions, auditability, complaint support and conditions for independent evaluation.

Comparative models: Canada and the United Kingdom

South-East Europe does not need to design every tool from zero. Canada’s Algorithmic Impact Assessment tool is a useful public-sector model. It is a mandatory risk assessment tool under the Directive on Automated Decision-Making and uses a questionnaire to determine the impact level of an automated decision system. It examines project authority, system design, algorithmic features, decision impact, affected rights and freedoms, equality, dignity, privacy, autonomy, data quality, procedural fairness, audit trails and recourse.

The United Kingdom’s Algorithmic Transparency Recording Standard provides another lesson. It standardises how public-sector organisations publish information about algorithmic tools and algorithm-assisted decisions. It is mandatory for government departments and certain arm’s-length bodies that deliver public or frontline services or interact directly with the public. For South-East Europe, this suggests a practical reform: public registers of AI systems used by public authorities, linked to FRIA summaries, DPIA documentation where relevant, and procurement records.

Institutional ownership of FRIA

FRIA cannot belong to IT departments alone. Nor can it be outsourced to vendors. The deployer may need technical information from the provider, but the public authority must remain legally responsible for the decision to deploy the system. Public procurement authorities should incorporate FRIA duties into tender design. Audit institutions should verify whether AI systems are used according to declared purposes. Administrative courts should treat FRIA documentation as relevant evidence when reviewing AI-supported administrative decisions.

This institutional model also depends on AI literacy. Human oversight is meaningless if the official cannot understand system limits, error patterns, data problems or the conditions under which an output should be disregarded. The UNESCO Recommendation on the Ethics of Artificial Intelligence identifies a human-rights-centred approach to AI, including proportionality, privacy, data protection, responsibility, accountability, transparency, explainability, human oversight, literacy, fairness and non-discrimination. The OECD AI Principles, updated in 2024, similarly link trustworthy AI to human rights, democratic values, transparency, explainability, safety and accountability. These standards should inform training for civil servants, judges, prosecutors, inspectors, regulators, procurement officers and ombuds institutions. 

This institutional allocation should not be presented as if existing oversight bodies in South-East Europe are already fully equipped to perform this role. In most systems in the region, data protection authorities, public procurement bodies, audit institutions, ombuds institutions and administrative courts have adjacent competences, but not necessarily an explicit AI-governance mandate. Procurement bodies may examine legality, competition and tender design, but they are rarely structured to assess algorithmic bias, human oversight or model documentation. Audit institutions may review legality and performance of public spending, but may lack specialised technical capacity to inspect AI systems. Administrative courts can review final administrative acts, but they may not have access to the technical documentation or expert support needed to evaluate the role played by algorithmic outputs.

This is the hardest practical question for the region. FRIA will become credible only if institutional mandates are clarified before high-risk AI systems are deployed. A realistic SEE model should therefore avoid assigning all oversight to a single body. Instead, it should create a layered structure: the deploying authority conducts the FRIA; the data protection authority reviews personal-data risks; the procurement authority ensures that tender documentation includes auditability, documentation and oversight requirements; the ombuds institution examines systemic rights risks and vulnerable groups; the audit institution reviews whether the system is used according to its declared purpose; and administrative courts treat FRIA documentation as evidence when reviewing AI-supported decisions.

FRIA as pre-accession administrative constitutionalism

For EU candidate and potential candidate states, FRIA can function as a form of pre-accession administrative constitutionalism. It translates the abstract vocabulary of European values into operational duties inside public administration by asking the authority to document why AI is used, how it affects people, who supervises it, how outputs are contested, and how remedies remain available. Its digital-regulatory dimension belongs primarily to Chapter 10, Information Society and Media, because AI governance forms part of the Union’s wider digital regulatory architecture. Its rights-based and institutional dimension belongs to Chapter 23, Judiciary and Fundamental Rights, because FRIA concerns fundamental rights, remedies, legality of public administration and judicial review. Where AI systems are acquired through public contracts, Chapter 5 on Public Procurement also becomes relevant; where law-enforcement or migration systems are involved, Chapter 24 on Justice, Freedom and Security may also be implicated.

This is also politically important. Public trust in AI-enabled administration will not depend on technological sophistication alone. It will depend on whether citizens know where AI is used, whether they can understand its role, whether reasons are available, whether officials can depart from outputs, and whether independent bodies can review the system.

South-East European states should therefore move toward five reforms: mapping existing and planned AI use in the public sector; requiring FRIA before the procurement or deployment of high-risk AI systems; integrating FRIA with DPIA, cybersecurity assessment, equality review and procurement documentation; creating public AI registers; and granting oversight bodies the mandate and expertise to review algorithmic systems in practice.

Before algorithmic administration becomes routine

The core legal challenge is not to prevent public authorities from using AI, but to prevent AI from becoming an unexamined layer of public authority. Once algorithmic systems become routine, rights violations may become harder to detect, harder to explain and harder to remedy.

FRIA offers a disciplined answer because it places fundamental rights at the beginning of the AI lifecycle, before litigation, before institutional dependency and connects technical design with administrative legality. 

For South-East Europe, this may be one of the most practical lessons of the EU AI Act. The region does not need to wait for complete regulatory convergence before building rights-based AI governance. It can begin now, through public-sector FRIA as a voluntary rule-of-law alignment measure, capable of preparing domestic administrations for future acquis convergence while improving legality, transparency and accountability before AI systems become embedded in public decision-making.

Before an algorithm classifies, ranks, flags or recommends, the state must answer a prior legal question: what may this system do to people’s rights, and who remains legally responsible when it does?