Rb. Amsterdam - 742407 / HA RK 23-366
Rb. Amsterdam - 742407 / HA RK 23-366 | |
---|---|
Court: | Rb. Amsterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 13 GDPR Article 14 GDPR Article 15 GDPR Article 15(1)(h) GDPR Article 22 GDPR |
Decided: | 04.07.2024 |
Published: | 02.08.2024 |
Parties: | Twitter international company ULC |
National Case Number/Name: | 742407 / HA RK 23-366 |
European Case Law Identifier: | ECLI:NL:RBAMS:2024:4019 |
Appeal from: | |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | De Rechtspraak (in Dutch) |
Initial Contributor: | ec |
A court held that Twitter needs to proactively inform data subjects about automated decision-making. The court further ordered Twitter to fully comply with the data subject's access request and imposed a daily penalty of € 4,000 for non-compliance.
English Summary
Facts
The data subject is a user of Twitter (the controller). On 11 October 2023, the controller temporarily restricted the account of the data subject, for posting a message that included the word “child pornography”: “The chats of hundreds of millions of people will soon be scanned to detect a relatively small number of criminals, no matter how bad. Strong criticism of European plans against child pornography: 'Not proportionate'” linking to a newspaper article. The controller automatically detected the post as potentially violating their policy. The restriction meant that his account and posted messages temporarily did not appear in searches. The controller did not notify the data subject of the blocking. The data subject only found out through other users that told him they could not find his account. Subsequently, the data subject did an access request on 13 October 2023, to, amongst other things, understand what the restriction entailed and why this happened. On 15 October 2023, the data subject extended on his access request and included the categories of personal data in the context of the shadowban and the restrictions of their account. In his access request dated 13 October 2023, [applicant] requests access to his personal data, specifically relating to the restriction imposed (shadowban). On 15 October 2023, he made a supplement requesting a variety of categories of personal data, in the context of the shadowban and relating to specific information regarding restrictions on his account. On 16 October 2023, the controller lifted the restriction after an additional review as it was not justified. This was also not communicated to the data subject. On 14 November 2023, the controller responded to the access request, and referred to various sections of their privacy policy in response to the various questions. On 17 November 2023, the data subject initiated proceedings by application (“verzoekschriftprocedure”) at the District Court of Amsterdam (“Rechtbank Amsterdam”). The data subject requested the court to order the controller to respond to his access request under Article 15 GDPR, and his request for information on automated decision-making under Article 22 GDPR. The data subject also requested the court to impose a penalty of € 4.000 on the controller for every day it did not comply. On 12 January 2024, the data subject received a letter by the controller which provided information about the restriction imposed on the data subject's account. Twitter argued that they complied with the data subject’s access request by referring to their privacy policy. Moreover, they argued that the data subject is a journalist and pursuing a PhD in automated decision-making and may want to write articles about the controller’s systems and thus is misusing their right to access. The controller argued that the access request was only related to the shadowban. The controller argued that they did not provide full access due to trade secrets and fears that the data subject makes these secrets public. The controller makes use of a system called Guano, which provides a chorological overview of all actions taken on an account.
Holding
The court held that the data subject does not has to motivate their request to access. A data subject may abuse this right to access, however, it is up to the controller to prove this. The court dismissed the controller’s argument as there was no proof that the data subject had ulterior motives for the access request. Furthermore, it is clear that being a journalist would not be the only reason why the data subject did an access request. The court dismissed the controller’s argument that the access request was only related to the shadowban. The court found that it was clear that the access request was both a general and specific access request. It also seemed to follow from the controller’s initial response to the access request that it did not construe the access request as relating only to the restriction by providing a general answer and later a more detailed response on the shadowban. Moreover, the court held that even if the controller was at all in doubt about the scope of the access request, it was up to them to ask the data subject for further clarification. The court held that the controller’s response to the access request was not sufficient. 1) the response was not transparent and not concrete. The controller’s only response within a month was a general message that only referred to specific parts of the Privacy Policy. The court found that this did not comply with the GDPR, as it only provided the data subject how the controller may process personal data. It did not extend on how the data subject’s personal data was processed. The court held that the references to the Privacy Policy did not allow for the data subject to check how the controller processed the data subject’s personal data and whether this is lawful. It also forced the data subject to search for answers, rather than providing a clear overview. The court held that the controller so far had not given a clear overview of the data subject’s processing of their personal data. The court took into account the CJEU judgement in case C-33/22 - Österreichische Datenschutzbehörde and held that the controller cannot suffice with a summary of personal data without providing any context on the basis on which it was processed, as the controller did in its response of 12 January 2024. The court held that the controller needs to provide a full and true copy of the document containing the personal data that has been processed. The court dismissed the controller’s argument on trade secrets as it barely substantiated that claim, or why certain personal data of the data subject could not be shared. The court held that the controller cannot hide behind 'trade secrets' and thus evade its obligations under GDPR. Access to automated decision-making on the shadowban The court dismissed the controller’s argument that their system to restrict users is not automated decision-making. The court held that it is not about whether the system is made by people, e.g. decided on the parameters, but whether there is human intervention in the decision-making. The court held that the automated decision-making significantly affected the data subject, as the data subject used the account professionally and not being findable affected his employment. Moreover, by being connected to child abuse, the controller could have notified an American organisation which would have led to not being allowed to travel to the US. The court held that under Article 13 GDPR and Article 14 GDPR, the controller should have pro-actively provided transparent information on the automated decision-making. The controller should have notified the data subject on the shadowban, to also allow the data subject to appeal this. The court further held that the controller should have at least provided information about the automated decision-making, its underlying logic, its importance and its expected impact on the data subject when the data subject made an access request under Article 15(1)(h) GDPR. By only providing (insufficient) information on this, three months after the access request, the controller was too late. The court further held that the information provided was unclear and did not allow the data subject to verify the lawfulness of the processing. The court held that although the controller has the responsibility to protect its platform and is allowed to shadowban users, it does need to provide information surrounding this and cannot hide behind ‘trade secrets’. Specific access request The court dismissed the controller’s argument it does not use reputation scores and labels for accounts as there was clear proof it did. The court therefore held that the controller needs to provide access on the reputation scores and labels they use on the accounts of users. The court further held that the controller needs to provide access on the processing of personal data in the context of their system Guano and dismissed the controller’s argument of business secrecy, as the access is about the processing of personal data. Conclusion The court ordered the controller to respond to the access request within a month and provide information on the various categories and automated decision-making. Moreover, the court held that the controller had to provide specific information on reputation scores, labels and their system Guano. The court imposed a penalty of € 4.000 per day for non-compliance.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.