Article 15 of the EU and UK GDPR gives Data Subjects not only the right to obtain their personal data from the Data Controller but also the right to receive additional information about the processing. This includes:
“the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
A recent ruling by the European Court of Justice (ECJ) sheds light on the concept of “meaningful information” and will have implications for those deploying AI systems. The case in question, C-203/22 Dun & Bradstreet Austria GmbH, concerns an Austrian mobile telecom operator. The company refused to enter into a contract with a customer due to their poor credit score. This decision was based on an automated credit evaluation provided by a third-party credit agency.
The customer requested access to the information held by the credit agency so that they could understand the decision. The customer was dissatisfied with the disclosed information and so took legal action to demand further clarification on the logic behind the automated decision-making process. The core issue was whether the credit agency was obligated to provide more detailed information about the automated process under Article 15(1)(h) GDPR (as quoted above). The agency argued that doing so would expose trade secrets. However, the court ruled that it must provide “meaningful information about the logic involved” as required by GDPR.
The Enforcement Court in Austria, tasked with enforcing the ruling, referred the following questions to the ECJ:
- Does “meaningful information about the logic involved” require the controller to provide a comprehensive explanation of the procedures and principles used to come to a specific decision?
- In cases where the controller argues that the requested information involves third-party data protected by the GDPR or trade secrets, is the controller obliged to submit the potentially protected information to supervisory authorities or courts for review?
Meaningful Information
In response to the first question, the ECJ confirmed that the phrase “meaningful information about the logic involved” fundamentally refers to all relevant details concerning the automated decision-making process. This includes an explanation of the procedures and principles used to arrive at the decision.
While the ECJ made it clear that “meaningful information” does not require the disclosure of complex algorithms, it does require a sufficiently detailed explanation of the decision-making process. It emphasised that, in line with Articles 13(2)(f) and 14(2)(g) of the GDPR, which establish transparency requirements, the information must be clear, concise, and easily understandable. Data Subjects should be able to comprehend how their personal data is being processed. The right of access enshrined in Article 15 of the GDPR allows individuals to verify the accuracy and lawfulness of the processing of their personal data, which is a crucial safeguard under Article 22(3) that governs automated decision-making and profiling.
Trade Secrets
On the second question, the ECJ struck a delicate balance between Data Subjects’ right to access their data and the protection of third-party rights, such as trade secrets. It reiterated that while data protection is a fundamental right, it must be weighed against intellectual property protections as outlined in Recital 63 of the GDPR.
The ECJ said that if providing access to personal data could violate the rights of third parties, such as revealing trade secrets, the controller must assess whether it is possible to disclose the information without infringing on third-party rights. In cases of conflict, the issue must be referred to the relevant supervisory authority or court to decide on an appropriate solution.
Importantly, the ECJ ruled that no Member State can impose a blanket ban on disclosing business or trade secrets, as doing so would undermine the GDPR’s requirement for a balanced approach to competing rights. In situations where access requests are contested, controllers are required to provide relevant information to supervisory authorities or courts, enabling an informed decision based on the principle of proportionality.
So what are the implications of this ECJ ruling for AI systems?
While the ruling specifically focusses on the EU GDPR, it underscores the growing importance of transparency in data processing practices, especially when implementing automated decision-making processes. Organisations using AI for automated decision-making must ensure transparency by providing data subjects with clear, understandable explanations of how decisions are made, even if complex algorithms are involved. Developers must design systems that can deliver “meaningful information” about the logic behind automated outcomes, while deployers must ensure this information is communicated effectively to individuals. Transparency is also a key theme of the recently enacted EU AI Act.
Act Now recently launched the AI Governance Practitioner Certificate. This course is designed to equip compliance professionals with the essential knowledge and skills to navigate this transformative technology being implemented within their organisations while upholding the highest standards of data protection and information governance.