CJEU - C‑203/22 - Dun & Bradstreet Austria

From GDPRhub
Revision as of 10:30, 17 September 2024 by Mba
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 15(1)(h) GDPR; Article 22 GDPR
Decided:
Parties: Dun & Bradstreet Austria GmbH; Magistrat der Stadt Wien
Case Number/Name: C‑203/22 Dun & Bradstreet Austria
European Case Law Identifier: ECLI:EU:C:2024:745
Reference from: Verwaltungsgericht Wien (Austria)
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: wp

AG De La Tour presented his opinion on the interpretation of Article 15(1)(h) GDPR, explaining that a data subject should be given clear and accessible information about the automatic decision-making process performed and its logic. However, it does not cover the algorithms used, due to their complex nature.

English Summary

Facts

A mobile phone operator refused to enter into a contract with the data subject. The reason given was an alleged lack of sufficient creditworthiness. The phone operator verified the data subject's creditworthiness using the services of Dun & Bradstreet Austria GmbH (previously: Bisnode Austria GmbH).

The data subject asked the Austrian DPA (DSB) to obtain the information on the logic involved in the automated decision-making performed by Dun & Bradstreet. The DPA ordered Dun & Bradstreet to disclose that information.

Dun & Bradstreet appealed the DPA decision to the Federal Administrative Court (Bundesverwaltungsgericht).

The court partially upheld the DPA decision. Dun & Bradstreet violated Article 15(1)(h) GDPR because it disclosed neither the information requested by the data subject nor sufficient reasons justifying the rejection of the request.

Within the enforcement proceedings, the City Council of Vienna, acting as the enforcing authority, rejected the case, claiming that Dun & Bradstreet had already provided the data subject with the information.

The data subject challenged the City Council decision before the Viennese Administrative Court (Verwaltungsgericht Wien).

Due to doubts regarding the interpretation of Article 15(1)(h) GDPR, the Viennese Administrative Court decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling:

1) What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently “meaningful” within the meaning of Article 15(1)(h) GDPR?

In the case of profiling, must the information essential for making the result of the automated decision transparent in each individual case also be disclosed by the controller – where necessary in compliance with an existing trade secret – as part of the disclosure of the “logic involved” which includes, in particular, the disclosure of the data subject’s processed data, the disclosure of the parts of the algorithm on which the profiling is based that are necessary to provide transparency, and the information relevant to establishing the connection between the processed information and the rating arrived at?

In cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) GDPR be provided, as a minimum, with the following information on the specific processing concerning him or her, even if a trade secret is involved, in order to enable him or her to protect his or her rights under Article 22(3) GDPR:

a) [the] communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,

b) [the provision of] the input data used for profiling,

c) the parameters and input variables used in the determination of the rating,

d) the influence of these parameters and input variables on the calculated rating,

e) information on the origin of the parameters or input variables,

f) explanation as to why the party entitled to access for the purpose of Article 15(1)(h) of the GDPR has been assigned a specific rating and [the] clarification of the implications of such rating, [and]

g) [the] listing [of] the profile categories and [the] explanation as to what rating implication is associated with each of the profile categories?

2) Is the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently “meaningful” if the party requesting access and the data subject for the purpose of Article 15(1)(h) GDPR is enabled to exercise the rights guaranteed by Article 22(3) GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 GDPR concerning him or her in a real, profound and promising way?

3)

a) Must Article 15(1)(h) GDPR be interpreted as meaning that information constitutes “meaningful information” for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?

b) If the above question is answered in the affirmative: what is the procedure if the accuracy of the information provided by a controller can only be verified if third-party data protected by the GDPR must also be brought to the attention of the party entitled to access for the purpose of Article 15(1)(h) GDPR (black box)? Can this tension between the right of access within the meaning of Article 15(1) GDPR and the data protection rights of third parties also be resolved by disclosing the data of third parties (which have also been subjected to the same profiling process) required for the accuracy check only to the authority or the court for the authority or the court to check independently whether the disclosed data of these third parties is accurate?

c) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) GDPR by creating the black box referred to in point (3b)? Must the data of other persons to be disclosed by the controller for the purpose of Article 15(1) of the GDPR to the party entitled to access for the purpose of Article 15(1)(h) GDPR be disclosed in pseudo-anonymised form in order to ensure that the accuracy can be verified?

4)

a) What is the procedure if the information to be provided in accordance with Article 15(1)(h) GDPR also meets the requirements of a trade secret within the meaning of Article 2(1) of Directive [2016/943]?

Can the tension between the right of access guaranteed by Article 15(1)(h) GDPR and the right to non-disclosure of a trade secret protected by the Know-How Directive be resolved by allowing the information to be disclosed as a trade secret within the meaning of Article 2(1) of the Know-How Directive be disclosed to the authority or the court only, so that the authority or the court must independently verify whether it must be assumed that a trade secret within the meaning of Article 2(1) of the Know-How Directive exists and whether the information provided by the controller within the meaning of Article 15(1) GDPR is accurate?

b) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) of the GDPR by creating the black box referred to in point (4a)?

In [the] case of discrepancy between the information to be disclosed to the authority or the court and the information to be disclosed to the person entitled to access within the meaning of Article 15(1)(h) of the GDPR, in cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) of the GDPR also be provided, as a minimum, with the following information on the specific processing concerning him or her in order to enable him or her to protect his or her rights under Article 22(3) of the GDPR in their entirety:

i) [the] communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,

ii) [the provision of] the input data used for profiling,

iii) the parameters and input variables used in the determination of the rating,

iv) the influence of these parameters and input variables on the calculated rating,

v) information on the origin of the parameters or input variables,

vi) [the] explanation as to why the party entitled to access for the purpose of Article 15(1)(h) GDPR has been assigned a specific rating and [the] clarification of the implications of such rating, [and]

vii) [the] listing [of] the profile categories and [the] explanation as to what rating implication is associated with each of the profile categories?

5) Does the provision of Article 15(4) of the GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) of the GDPR? If this question is answered in the affirmative, is this right of access limited by Article 15(4) of the GDPR, and how is the extent of the limitation to be determined in each individual case?

6) Is the provision of Article 4(6) of the [DSG], according to which “the right of access of the data subject pursuant to Article 15 of the GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties” compatible with the requirements of Article 15(1) in conjunction with Article 22(3) of the GDPR? If the above question is answered in the affirmative, what are the conditions for such compatibility?

Advocate General Opinion

On 12 September, Advocate General (AG) De La Tour issued his opinion. The AG decided to examine the referring court’s questions together.

Firstly, the AG focused on the notion of meaningful information about the logic involved in automated decision-making. According to the AG, a data subject enjoys a “right to an explanation” that refers to the mechanism of automated decision-making used in their case. The AG emphasised that Article 15 GDPR not only allows a data subject to verify whether a processing activity is lawful, but also enables them to exercise other data subject rights. This applies to Article 15(1)(h) GDPR as well, especially in the context of data subjects’ rights stemming from Article 22 GDPR. Consequently, the notion of meaningful information about the logic involved has to take into account the purpose of Article 22 GDPR and the protection it provides.

Referring to case C-487/21, the AG clarified that the information about the automatic decision-making process disclosed to a data subject needs to comply with the transparency requirement. As such, the information has to contain details on the context of the automatic decision-making process performed and its logic. Based on such information, a data subject should be able to understand the process leading to the decision made. As a result, the meaningful information has to be clear and accessible and, when necessary, supplemented by additional explanation. Hence, a functional interpretation is advised. Nevertheless, the notion of meaningful information does not cover the algorithms used, due to their complex nature. For the AG, a clear and understandable description of the logic involved is more beneficial for a data subject than access to an algorithmic formula. This description should consist of the method used, the criteria applied and their weighting.

Furthermore, a data subject using the information provided should be able to verify the accuracy of the data used and the decision made. That is, the data subject should be able to assess whether the processing relies on accurate data and whether its outcome – the decision made – corresponds to that data. To clarify how the automatic decision-making process works, a controller may give examples of other decisions made, by disclosing anonymised data. However, this is not mandatory under Article 15(1)(h) GDPR.

Secondly, the AG referred to balancing the rights and freedoms of others in conjunction with Article 15(1)(h) GDPR.

The AG emphasised that the rights and freedoms of others may limit the scope of information disclosed under Article 15(1)(h) GDPR, as may the protection of trade secrets. Yet even where the information about the automated decision-making process involves personal data of other people or trade secrets, the DPA or the court examining the case needs access to that information. The reason is to allow the balancing test to be performed, the result of which cannot be prescribed in abstracto by Member State law.

Holding

The judgement has not been issued yet.
