Opinion

CJEU issues judgment on balancing the right of access and protecting trade secrets in automated decision-making processes

Published Date: Mar 12 2025

On February 27 2025, the Court of Justice of the European Union (CJEU) delivered a judgment in CK v Dun & Bradstreet (Case C-203/22). 

This judgment clarifies the GDPR provisions regarding the right of access to personal data (Article 15(1)(h)) and the obligations of controllers in cases of automated individual decision-making and profiling (Article 22). The key issues addressed by the CJEU relate to the interpretation of what constitutes “meaningful information about the logic involved” and whether an underlying algorithm must be disclosed in response to a data subject access request. The CJEU also ruled on the balance between GDPR transparency requirements in this context and the protection of trade secrets. The key conclusions of the CJEU include:

  • In cases of automated individual decision-making, including profiling, the data subject may require the controller to explain the procedure and principles actually applied in order to use their personal data for obtaining a specific result, such as a credit profile. Providing a complex mathematical formula, an algorithm or detailed steps in automated decision-making would not be compliant, as these options are not sufficiently concise and intelligible; and
  • Where a controller considers that the information includes data of third parties or trade secrets, it must provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue and determine the extent of the data subject’s right of access. This aspect of the judgment in particular is likely to lead to further questions about when and how such a consultation should occur, as well as placing a further burden on supervisory authorities.

Background

The case originates from a dispute between an individual (CK) and Dun & Bradstreet Austria GmbH (D&B). CK was refused a mobile phone contract based on an automated credit assessment by D&B, which deemed her financially uncreditworthy. CK invoked her GDPR right of access to obtain meaningful information about the logic used by D&B in profiling based on her personal data, but D&B refused to provide detailed information, claiming the algorithm used in the decision-making process was protected by a trade secret. After lengthy proceedings in the national courts, the case was referred to the CJEU for a preliminary ruling.

CJEU on the requirements of “meaningful information”

The CJEU confirmed that the right of data subjects to obtain the “meaningful information” under Article 15(1)(h) encompasses all relevant information about the procedure and principles relating to the use, by automated means, of the personal data of the data subject with a view to obtaining a specific result, such as a credit profile. To comply with the GDPR, this relevant information must be provided in a concise, transparent, intelligible and easily accessible form. 

The CJEU appears to agree with the approach of the Guidelines on automated decision-making and profiling of the Article 29 Working Party, subsequently endorsed by the European Data Protection Board (EDPB). The Guidelines suggest, in essence, that providing a data subject with an algorithm (or its part) is not required to respond to the data subject access request. The Guidelines state that the controller must find simple ways to tell the data subject about the rationale behind, or the criteria relied on, in reaching the automated decision, but that the meaningful information about the logic involved in automated decision-making does not necessarily require a “complex explanation of the algorithm used or disclosure of the full algorithm”.

In paragraph 59 of the judgment, the CJEU goes further and states that merely providing a complex mathematical formula, such as an algorithm or a detailed step-by-step description of automated decision-making (none of which offer a sufficiently concise and intelligible explanation), cannot satisfy the requirements of Articles 15(1)(h) and 22(3) GDPR.

In the present case, the CJEU clarifies that if there is a discrepancy between the result of the “actual” profiling and the result communicated by D&B to CK, this discrepancy falls within the scope of “meaningful information about the logic involved” in the profiling. D&B must explain the procedure and principles that were actually applied to obtain the result of the “actual” profiling. This should ensure that CK can understand how her personal data was used in the automated decision-making process and how it led to the specific result, such as her credit profile. The CJEU reiterates that this explanation is necessary for CK effectively to exercise her rights under the GDPR, including the right to express her point of view and to contest the automated decision. 

Balancing transparency and trade secrets

The CJEU recognised the need to balance the right of access with the protection of trade secrets. Article 23(1)(i) GDPR allows for restriction on the right of access to protect the rights and freedoms of others, including trade secrets. However, such restrictions must respect the essence of fundamental rights and freedoms, be necessary and proportionate, and should not result in a refusal to provide all information to the data subject.

When a controller asserts that the information to be disclosed contains data of third parties or trade secrets (within the meaning of Article 2(1) of the Trade Secrets Directive (EU) 2016/943), the controller must provide the allegedly protected information to the relevant supervisory authority or court. The supervisory authority or court must then balance the rights and interests at issue to determine the extent of the data subject's access right. According to the CJEU, this process should ensure that the data subject’s right of access is not unduly restricted and that the data subject can effectively exercise their rights under the GDPR.

The CJEU further noted that a Member State cannot determine the outcome of this balance through national legislation. The competent supervisory authority or court must assess each case individually, considering its specific circumstances rather than applying a blanket rule. Therefore, the GDPR precludes the application of Article 4(6) of the Austrian Law on Data Protection which provides a blanket exclusion of the right of access based on trade secrets of the controller or a third party.

The judgment is available here, the press release here, and the opinion of the advocate general here.

 
