Rb. Amsterdam - 742407 / HA RK 23-366
Rb. Amsterdam - 742407 / HA RK 23-366 | |
---|---|
Court: | Rb. Amsterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 13 GDPR Article 14 GDPR Article 15 GDPR Article 15(1)(h) GDPR Article 22 GDPR |
Decided: | 04.07.2024 |
Published: | 02.08.2024 |
Parties: | Twitter international company ULC |
National Case Number/Name: | 742407 / HA RK 23-366 |
European Case Law Identifier: | ECLI:NL:RBAMS:2024:4019 |
Appeal from: | |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | De Rechtspraak (in Dutch) |
Initial Contributor: | ec |
A court held that Twitter needs to proactively inform data subjects about automated decision-making in shadowbanning. The court further ordered Twitter to fully comply with the data subject's access request and imposed a daily penalty of € 4,000 for non-compliance.
English Summary
Facts
The data subject is a user of the platform X (formerly known as Twitter) of which the controller is Twitter International Company ULC.
On 11 October 2023, the controller temporarily restricted ("shadowbanned") the account of the data subject, for posting a message that included the word “child pornography”. The message read:
“The chats of hundreds of millions of people will soon be scanned to detect a relatively small number of criminals, no matter how bad. Strong criticism of European plans against child pornography: 'Not proportionate'” [link to a newspaper article].
The controller automatically detected the post as potentially violating their policy. The shadowban meant that the data subject's account and posted messages temporarily did not appear in searches. The controller did not notify the data subject of the restriction. The data subject only found out through other users that told him they could not find his account.
Subsequently, the data subject did an access request on 13 October 2023, to, amongst other things, understand what the shadowban entailed and why this happened.
On 16 October 2023, the controller lifted the restriction after an additional review. This was also not communicated to the data subject.
On 14 November 2023, the controller responded to the access request, and referred to various sections of their privacy policy in response to the data subject's questions.
On 17 November 2023, the data subject initiated proceedings by application (“verzoekschriftprocedure”) at the District Court of Amsterdam (“Rechtbank Amsterdam”). The data subject requested the court to order the controller to respond to his access request under Article 15 GDPR, and his request for information on automated decision-making under Article 22 GDPR. The data subject also requested the court to impose a penalty of € 4.000 on the controller for every day it did not comply.
The controller argued that they complied with the data subject’s access request by referring to their privacy policy. Moreover, the controller argued that the data subject is a journalist and pursuing a PhD in automated decision-making and may want to write articles about the controller’s systems and thus is misusing their right to access. The controller further argued that they did not provide full access due to trade secrets and fears that the data subject will make these secrets public. Lastly, the controller argued that there was no automated decision-making when shadowbanning users, as the parameters of the detection system are determined by humans.
On 12 January 2024, the data subject received a letter by the controller which provided information about the imposed shadowban.
Holding
On the abuse of right to access
The court held that the data subject does not have to explain the motivation of their access request. A data subject may abuse this right to access, however, it is up to the controller to prove this. The court dismissed the controller’s argument as there was no proof that the data subject had ulterior motives for the access request. Furthermore, it is clear that being a journalist was not be the only reason why the data subject did an access request.
Response to access request was not transparent or concrete
The controller’s only response within a month was a general message that only referred to specific parts of the Privacy Policy. The court found that this did not comply with the GDPR, as it did not extend on how the data subject’s personal data was processed. The response only provided the data subject with information on how the controller may process personal data. This did not allow for the data subject to understand how the controller processed the data subject’s personal data and whether this is lawful. It also forced the data subject to search for answers, rather than providing a clear overview. The court held that the controller so far had not given a clear overview of the data subject’s processing of their personal data.
The court took into account the CJEU judgement in C-33/22 - Österreichische Datenschutzbehörde and held that the controller cannot suffice with a summary of personal data without providing any context on the basis on which it was processed, as the controller did in its letter of 12 January 2024. The court held that the controller needs to provide a full and true copy of the document containing the personal data that has been processed.
The court dismissed the controller’s argument on trade secrets as it did not substantiate its respective claim, or explained why certain personal data of the data subject could not be shared. The court held that the controller could not hide behind 'trade secrets' and thus evade its obligations under GDPR.
Access to information on automated decision-making regarding the shadowban
The court dismissed the controller’s argument that their system to shadowban users is not automated decision-making. The court held that it is not about whether the system is made by people, but whether there is human intervention in the decision-making.
The court found that the automated decision-making significantly affected the data subject, as the data subject used the account professionally and not being findable affected his employment. Moreover, by being connected to child abuse, the controller could have notified an American organisation which would have led to not being allowed to travel to the US.
The court held that under Article 13 GDPR and Article 14 GDPR, the controller should have pro-actively provided transparent information on the automated decision-making. The controller should have notified the data subject on the shadowban and inform him about the next steps and possible consequences. This would have also allowed the data subject to appeal this decision.
The court further held that the controller should have at least provided information about the automated decision-making, its underlying logic, its importance and its expected impact on the data subject when the data subject made an access request and asked for information on the existence of automated decision-making under Article 15(1)(h) GDPR. By only providing information on this, three months after the access request, the controller was too late. The court further held that the information provided was unclear and did not allow the data subject to verify the lawfulness of the processing.
The court held that although the controller has the responsibility to protect its platform and is allowed to shadowban users, it does need to provide information surrounding this and cannot hide behind ‘trade secrets’.
On the specifics of the access request
The court dismissed the controller’s argument that it does not use reputation scores and labels for accounts as there was clear proof it did. The court therefore held that the controller needs to provide access on the reputation scores and labels they use on the accounts of users.
The court further held that the controller needs to provide access on the processing of personal data in the context of their system "Guano", which provides a chronological overview of all actions taken on an account. The court dismissed the controller’s argument of business secrecy, as the access is about the processing of personal data.
Conclusion
Thus, the court held that the controller’s response to the access request was insufficient. The court ordered the controller to respond to the access request within a month and provide information on the various categories of personal data concerned and the automated decision-making. Moreover, the court held that the controller had to provide specific information on reputation scores, labels and their system Guano. The court imposed a penalty of € 4.000 per day for non-compliance.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.