CJEU - C‑203/22 - Dun & Bradstreet Austria: Difference between revisions

CJEU - C‑203/22 Dun & Bradstreet Austria
Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 15(1)(h) GDPR Article 22 GDPR
Decided:
Parties:	Dun & Bradstreet Austria GmbH Magistrat der Stadt Wien
Case Number/Name:	C‑203/22 Dun & Bradstreet Austria
European Case Law Identifier:	ECLI:EU:C:2024:745
Reference from:	Verwaltungsgericht Wien (Austria)
Language:	24 EU Languages
Original Source:	AG Opinion
Initial Contributor:	wp

The Advocate General opined that in case information about the logic involved in automated decision-making (Article 15(1)(h) GDPR) is regarded a trade secret, the information must be disclosed to the DPA which can determine the extent of information that must be provided to the data subject.

English Summary

Facts

A mobile phone operator refused to enter into a contract with the data subject. The reason for that was alleged lack of sufficient creditworthiness. The phone operator verified the data subject creditworthiness using services of Dun & Bradstreet Austria GmbH (previously: Bisnode Austria GmbH).

The data subject requested the Austrian DPA (DSB) to obtain the information on the logic involved in automated decision-making performed by Dun & Bradstreet. The DPA ordered Dun & Bradstreet to disclose that information.

Dun & Bradstreet appealed the DPA decision with Federal Administrative Court (Federal Administrative Court (Bundesverwaltungsgericht).

The court partially upheld the DPA decision. Dun & Bradstreet violated Article 15(1)(h) GDPR because they didn’t disclose neither the information requested by the data subject, nor sufficient reasons justifying the request rejection.

Within the enforcement proceedings the City Council of Vienna, acting as an enforcing authority, rejected the case, claiming Dun & Bradstreet already provided the data subject with the information.

The data subject challenged the City Council decision before Viennese Administrative Court (Verwaltungsgericht Wien).

Due to doubts regarding interpretation of Article 15(1)(h) GDPR Viennese Administrative Court decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling:

1) in particular: What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently “meaningful” within the meaning of Article 15(1)(h) GDPR?

2) in particular: Is the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently “meaningful” if the party requesting access and the data subject for the purpose of Article 15(1)(h) GDPR is enabled to exercise the rights guaranteed by Article 22(3) GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 GDPR concerning him or her in a real, profound and promising way?

3) in particular: Must Article 15(1)(h) GDPR be interpreted as meaning that information constitutes “meaningful information” for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?

4) in particular: What is the procedure if the information to be provided in accordance with Article 15(1)(h) GDPR also meets the requirements of a trade secret within the meaning of Article 2(1) of Directive [2016/943]?

5) Does the provision of Article 15(4) of the GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) of the GDPR?If this question is answered in the affirmative, is this right of access limited by Article 15(4) of the GDPR, and how is the extent of the limitation to be determined in each individual case?

6) Is the provision of Article 4(6) of the [DSG], according to which “the right of access of the data subject pursuant to Article 15 of the GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties” compatible with the requirements of Article 15(1) in conjunction with Article 22(3) of the GDPR? If the above question is answered in the affirmative, what are the conditions for such compatibility?

Advocate General Opinion

On 12 September the Advocate General (AG) De La Tour issued his opinion. The AG decided to examine the referring court’s questions together.

Firstly, the AG focused on the notion of meaningful information about the logic involved in automated decision-making. According to the AG, a data subject enjoys the “right to an explanation” that refers to the mechanism of automated decision-making used in their case. The AG emphasised that Article 15 GDPR not only allowed a data subject to verify whether a processing activity is lawful, but also enables them to enjoy other data subjects’ rights. This applies to Article 15(1)(h) GDPR as well, especially in the context of data subjects’ rights stemming from Article 22 GDPR. Consequently, the notion of meaningful information about the logic involved has to take into account the purpose of Article 22 GDPR and the protection it provides.

By referring to case C-487/21, the AG clarified the information about the automatic decision-making process disclosed to a data subject needs to be compliant with the transparency requirement. As such, the information has to contain details on the context of the automatic decision-making process performed and its logic. Based on such information, a data subject should be able to understand the process leading to the decision made. As a result, the meaningful information had to be clear and accessible, and when necessary supplemented by additional explanation. Hence, a functional interpretation is advised. Nevertheless, the notion of meaningful information does not cover the algorithm used, due to their complex nature. For the AG a clear and understandable description of the logic involved is more beneficial for a data subject than access to algorithmic formula. The aforementioned description should consist of the method used, the criteria applied and their weighting.

Furthermore, a data subject using the information provided should be able to verify the accuracy of the data used and the decision made. That means a data subject ability to assess whether the processing relies on accurate data and its outcome – the decision made – corresponds to that data. To clarify how the automatic decision-making process works, a controller may give examples of other decisions made, by disclosing anonymised data. However, it’s not mandatory under Article 15(1)(h) GDPR.

Secondly, the AG referred to balancing the rights and freedoms of others in conjunction with Article 15(1)(h) GDPR.

The AG emphasised that the rights and freedoms of others may limit the scope of information disclosed under Article 15(1)(h) GDPR, provided that such a restriction of right to access is compliant with the proportionality test. Also the protection of trade secrets under Article 2(1) Directive 2016/943 serves the same purpose. Yet, even the information about the automated decision-making process involves personal data of other people or trade secrets, a DPA or the court examining the case need to access that information. The reason for that is to perform the balancing test to confirm whether or not the information should be disclosed. Doubtless, Member State law cannot in abstracto prescribe results of the balancing test. The case-by-case approach is necessary.

Holding

The judgement has not been issued yet.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!