CJEU - C‑203/22 - Dun and Bradstreet Austria
| CJEU - C‑203/22 Dun & Bradstreet Austria | |
|---|---|
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 15(1)(h) GDPR; Article 22 GDPR |
| Decided: | |
| Parties: | Dun & Bradstreet Austria GmbH; Magistrat der Stadt Wien |
| Case Number/Name: | C‑203/22 Dun & Bradstreet Austria |
| European Case Law Identifier: | ECLI:EU:C:2024:745 |
| Reference from: | VGW (Austria) |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion; Judgement |
| Initial Contributor: | wp |
The CJEU held that, in the case of automated decision-making, an explanation of the procedure and principles actually applied must be provided to the data subject under Article 15(1)(h) GDPR. Any interfering trade secrets must be disclosed to the competent court or DPA in order to determine the extent of the data subject’s right of access.
English Summary
Facts
A mobile phone operator refused to enter into a contract with the data subject. The reason given was an alleged lack of sufficient creditworthiness. The phone operator verified the data subject’s creditworthiness using the services of Dun & Bradstreet Austria GmbH (previously: Bisnode Austria GmbH).
The data subject requested the Austrian DPA to obtain the information on the logic involved in the automated decision-making performed by Dun & Bradstreet. The DPA ordered Dun & Bradstreet to disclose that information. Dun & Bradstreet appealed the DPA decision to the Federal Administrative Court (Bundesverwaltungsgericht - BVwG).
The court partially upheld the DPA decision. Dun & Bradstreet violated Article 15(1)(h) GDPR because they disclosed neither the information requested by the data subject nor sufficient reasons justifying the rejection of the request. Within the enforcement proceedings, the City Council of Vienna, acting as the enforcing authority, rejected the case, claiming Dun & Bradstreet had already provided the data subject with the information.
The data subject challenged the City Council decision before the Viennese Administrative Court (Verwaltungsgericht Wien - VGW). Due to doubts regarding the interpretation of Article 15(1)(h) GDPR, this court decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling:
- What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently “meaningful” within the meaning of Article 15(1)(h) GDPR?
- Is the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently “meaningful” if the party requesting access and the data subject for the purpose of Article 15(1)(h) GDPR is enabled to exercise the rights guaranteed by Article 22(3) GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 GDPR concerning him or her in a real, profound and promising way?
- Must Article 15(1)(h) GDPR be interpreted as meaning that information constitutes “meaningful information” for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?
- What is the procedure if the information to be provided in accordance with Article 15(1)(h) GDPR also meets the requirements of a trade secret within the meaning of Article 2(1) of Directive [2016/943]?
- Does the provision of Article 15(4) of the GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) of the GDPR? If this question is answered in the affirmative, is this right of access limited by Article 15(4) of the GDPR, and how is the extent of the limitation to be determined in each individual case?
- Is the provision of Article 4(6) of the [DSG], according to which “the right of access of the data subject pursuant to Article 15 of the GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties” compatible with the requirements of Article 15(1) in conjunction with Article 22(3) of the GDPR? If the above question is answered in the affirmative, what are the conditions for such compatibility?
Advocate General Opinion
On 12 September the Advocate General (AG) De La Tour issued his opinion. The AG decided to examine the referring court’s questions together.
Firstly, the AG focused on the notion of meaningful information about the logic involved in automated decision-making. According to the AG, a data subject enjoys a “right to an explanation” of the mechanism of automated decision-making used in their case. The AG emphasised that Article 15 GDPR not only allows a data subject to verify whether a processing activity is lawful, but also enables them to exercise other data subject rights. This applies to Article 15(1)(h) GDPR as well, especially in the context of the data subject’s rights stemming from Article 22 GDPR. Consequently, the notion of meaningful information about the logic involved has to take into account the purpose of Article 22 GDPR and the protection it provides.
By referring to case C-487/21, the AG clarified that the information about the automated decision-making process disclosed to a data subject needs to comply with the transparency requirement. As such, the information has to contain details on the context of the automated decision-making process performed and its logic. Based on such information, a data subject should be able to understand the process leading to the decision made. As a result, the meaningful information has to be clear and accessible and, when necessary, supplemented by additional explanation. Hence, a functional interpretation is advised. Nevertheless, the notion of meaningful information does not cover the algorithm used, due to its complex nature. For the AG, a clear and understandable description of the logic involved is more beneficial for a data subject than access to the algorithmic formula. That description should consist of the method used, the criteria applied and their weighting.
Furthermore, a data subject using the information provided should be able to verify the accuracy of the data used and the decision made. That means the data subject must be able to assess whether the processing relies on accurate data and whether its outcome (the decision made) corresponds to that data. To clarify how the automated decision-making process works, a controller may give examples of other decisions made, by disclosing anonymised data. However, this is not mandatory under Article 15(1)(h) GDPR.
Secondly, the AG referred to balancing the rights and freedoms of others in conjunction with Article 15(1)(h) GDPR.
The AG emphasised that the rights and freedoms of others may limit the scope of information disclosed under Article 15(1)(h) GDPR, provided that such a restriction of the right of access passes the proportionality test. The protection of trade secrets under Article 2(1) Directive 2016/943 serves the same purpose. Yet, even if the information about the automated decision-making process involves personal data of other people or trade secrets, the DPA or the court examining the case needs to access that information. The reason for that is to perform the balancing test to confirm whether or not the information should be disclosed. Doubtless, Member State law cannot in abstracto prescribe the results of the balancing test. A case-by-case approach is necessary.
In summary, the AG opined that where information about the logic involved in automated decision-making is regarded as a trade secret, the information must be disclosed to the DPA, which can determine the extent of information that must be provided to the data subject.
Holding
Extent of the information the controller must provide following Article 15(1)(h) GDPR (Questions 1 and 2 and 3(a))
The CJEU noted, regarding the wording of Article 15(1)(h) GDPR, that the concept of ‘meaningful information’ differs in the various language versions. However, the court found them to be complementary in allowing for a broad interpretation encompassing all relevant information concerning the use, by automated means, of personal data with a view to obtaining a specific result. The court found this also to be consistent with the context of the provision, taking into account the same wording in Article 13(2)(f) and Article 14(2)(g) GDPR, which the court in C‑634/21, Schufa, had found to form one whole with Article 15(1)(h) GDPR. Additionally, the court found that its case law (in particular in C-487/21, DSB) regarding Article 12(1) GDPR was also applicable, meaning that the provided information must be concise, transparent, intelligible and easily accessible.
Regarding the provision's objective, the court found that the right to obtain ‘meaningful information about the logic involved’ in automated decision-making must be understood as a right to an explanation of the procedure and principles actually applied to obtain a specific result (such as a credit profile). This, the court stated, aims at enabling the data subject effectively to exercise the rights conferred on them by Article 22(3) GDPR, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
The court found that those requirements cannot be satisfied either by the mere communication of an algorithm, or by the detailed description of all the steps in automated decision-making, since neither of those would constitute a sufficiently concise and intelligible explanation. The court held that the controller should find simple ways to tell the data subject about the rationale behind, or the criteria relied on in reaching, the automated decision and must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used in the automated decision-making at issue. As one way to meet these requirements, the court stated that it could be appropriate to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result.
Thus the court concluded that Article 15(1)(h) GDPR must be interpreted as meaning that, in the case of automated decision-making in accordance with Article 22(1) GDPR, the data subject may require the controller to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile.
Obligation also to provide information on GDPR-protected data of third parties and trade secrets (Questions 3(b) and (c), 4(a) and (b), 5, 6)
The court stated that a balance has to be struck between exercising the right of full and complete access to personal data and the rights or freedoms of others. Therefore, it stated (reiterating C-268/21, Norra Stockholm Bygg) that a national court may require that the personal data of the parties or of third parties be disclosed to it in order to effectively balance the interests involved and to guarantee the right to an effective judicial remedy of Article 47 CFR.
This, the court held, could be fully transposed to situations in which the information to be provided to the data subject under Article 15(1)(h) GDPR is likely to result in an infringement of the rights and freedoms of others.
Thus, the Court found that the GDPR precludes the application of a national provision which definitively prescribes the outcome of such a balancing of conflicting rights and interests on a case-by-case basis, such as § 4(6) of the Austrian Data Protection Act (Datenschutzgesetz - DSG). This provision precludes, as a rule, the data subject from having access to his or her personal data, provided for in Article 15 GDPR, where such access would compromise a business or trade secret of the controller or of a third party.
Consequently, the court held that Article 15(1)(h) GDPR must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject contains data of third parties protected by the GDPR or trade secrets, within the meaning of Directive (EU) 2016/943, that controller is required to provide the allegedly protected information to the competent DPA or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 GDPR.