Provisional text
OPINION OF ADVOCATE GENERAL
RICHARD DE LA TOUR
delivered on 12 September 2024 (1)
Case C‑203/22
CK
Interested parties:
Dun & Bradstreet Austria GmbH,
Magistrat der Stadt Wien
(Request for a preliminary ruling from the Verwaltungsgericht Wien (Administrative Court, Vienna, Austria))
( Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 15(1)(h) – Article 22 – Automated decision-making, including profiling – Assessment of the creditworthiness of a natural person – Access to meaningful information about the logic involved in automated decision-making – Verification of the accuracy of the information provided and its consistency with the rating decision at issue – Protection of the rights and freedoms of others – Directive (EU) 2016/943 – Trade secret )
I. Introduction
1. The present request for a preliminary ruling concerns the interpretation, first, of Article 15(1)(h) and (4) and Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2) (‘the GDPR’), and, secondly, Article 2(1) of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. (3)
2. That request was made in the context of a dispute between CK and the Magistrat der Stadt Wien (City Council of Vienna, Austria) concerning an application for enforcement of a court order requiring a credit assessment undertaking to provide CK with meaningful information about the logic involved in profiling relating to her personal data.
3. In the reasoning that follows, I shall clarify what should, to my mind, be understood by ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of Article 15(1)(h) of the GDPR, and how the right of access to such information must be weighed against the protection of the rights and freedoms of others, such as trade secrets.
II. The facts of the dispute in the main proceedings and the questions referred for a preliminary ruling
4. CK was refused, by a mobile telephone operator, the conclusion or extension of a mobile telephone contract which would have required a monthly payment of EUR 10 on the ground that she did not have sufficient financial creditworthiness. CK’s allegedly insufficient creditworthiness was substantiated by an automated credit assessment carried out by Bisnode Austria GmbH (now Dun & Bradstreet Austria GmbH; ‘D & B’), an undertaking specialising in the provision of credit assessments.
5. CK submitted a request to the Austrian data protection authority to obtain meaningful information about the logic involved in D & B’s automated decision-making. That authority granted that request.
6. D & B challenged the decision of the Austrian data protection authority requiring it to disclose the information requested by CK before the Bundesverwaltungsgericht (Federal Administrative Court, Austria).
7. By a decision of 23 October 2019, that court partially upheld that decision of the Austrian data protection authority. It thus found that D & B had infringed CK’s right of access under Article 15(1)(h) of the GDPR by failing to provide CK with meaningful information about the logic involved in the automated decision-making concerning CK’s personal data or, at the very least, by failing to give sufficient reasons why it was unable to provide that information.
8. That decision of the Bundesverwaltungsgericht (Federal Administrative Court) has become final and is enforceable under Austrian law.
9. However, CK’s application for enforcement of that decision was rejected by the enforcing authority, the City Council of Vienna, on the ground that D & B had already sufficiently met its obligation to provide information.
10. CK brought an action against that decision before the Verwaltungsgericht Wien (Administrative Court, Vienna, Austria), the referring court. That court states that, in connection with that action, it is called on to take a decision, in place of the enforcement authority, to enforce the decision of the Bundesverwaltungsgericht (Federal Administrative Court). The referring court must therefore determine what specific information D & B is required to disclose to CK. (4)
11. From that perspective, that court considers that Article 15(1)(h) of the GDPR confers on the data subject a right of access to accurate information. In that regard, that court noted that there are clear indications that the information provided by D & B to date – of which there has been very little – is contrary to the facts. While the information provided to CK gave her a particularly high credit rating, the profile actually generated for her effectively found her to have no creditworthiness whatsoever, lacking even the financial capacity to pay the amount of EUR 10 per month. There is therefore a manifest contradiction between, on the one hand, the information disclosed to CK about her processed personal data and the logic involved in the automated assessment and, on the other, the conclusion reached by the mobile telephone operator on the basis of the rating actually given. That contradiction gives rise to doubts as to the accuracy of the information provided to CK to date.
12. Based on that finding, the referring court states that, when profiled, data subjects may assert a right of access to accurate information only where Article 15(1)(h) of the GDPR grants them a right of access which is sufficiently extensive to enable them to verify the consistency and intelligibility of the assessment provided and to ascertain whether the internal logic disclosed to them in connection with their right of access actually served as a basis for the profile of them which was generated. In short, a data subject must, in its view, be able to obtain information on the processed personal data and on the internal logic involved in the automated decision-making which is sufficiently detailed to enable him or her to understand the latter and verify its accuracy.
13. According to that court, that interpretation of Article 15(1)(h) of the GDPR is such as to guarantee the useful effect of that provision by preventing the transmission of incorrect information by the controller. Moreover, that court considers that that interpretation enables the data subject to exercise the rights conferred on him or her by Article 22(3) of that regulation, in particular the right to express his or her point of view on an individual automated decision and to challenge its consistency and accuracy.
14. That court emphasises that the requirement, under Article 15(1)(h) of the GDPR, that the data subject must be able to verify the consistency and accuracy of the information provided has important consequences as regards the extent to which and the degree of detail in which the controller is required to disclose information under that provision.
15. In the main proceedings, the referring court appointed an expert in order to determine specifically what information D & B is required to disclose to CK pursuant to the decision of the Bundesverwaltungsgericht (Federal Administrative Court).
16. According to the appointed expert, in order to have a level of detail capable of supporting the issue of an enforcement order, in order to ensure the automated decision-making is intelligible and in order to verify the accuracy and consistency of the information provided, the data subject should receive, by virtue of the right of access guaranteed to him or her by Article 15(1)(h) of the GDPR, in a sufficiently detailed and in-depth manner, the following minimum information:
– first, the personal data of the data subject which have been processed in order to formulate [credit assessment] factors and the basis on which those factors were formulated, specifying whether they have been weighted;
– secondly, the essential parts of the algorithm on which the automated decision-making is based, which in any event includes: the mathematical formula into which may be introduced, in the form of numerical values, all the information relevant to the calculation of the credit rating so that that formula produces that rating, and the intelligible explanation of all the values used in that formula, in particular those which are not directly derived from the information stored in respect of the data subject, and
– thirdly, the relevant information for establishing the link between the information processed and the valuation carried out, which includes, inter alia, a statement and adequate description of the valuation functions of all the values used in that formula; clarification of the information necessary to establish the link between the information and the valuation in the case of interval evaluations, and clarification of the land register or index functions used.
17. It is clear from the expert’s report that only the disclosure of the mathematical formula and the valuation functions of all the values used in that formula would enable CK to understand the profile of her which was generated, meaning that it would be only on the basis of that information that she would be able to assert the rights conferred on her by Article 22(3) of the GDPR to express her point of view and challenge the decision based on automated processing.
18. According to that report, in order to enable the accuracy of the minimum information disclosed to be verified, D & B must also draw up and submit, in a relatively complete and detailed manner, and to serve as a basis for comparison, a list of all the information on at least 25 cases of comparable non-anonymised profiling which are contemporaneous with the profile generated in respect of CK and which were established using the same calculation rule.
19. As regards the latter aspect, the referring court points out that the communication of such information is likely to affect the rights to the protection of the personal data evaluated in the profiling cases which serve as a basis for comparison.
20. That court therefore raises the question whether, having regard in particular to the provisions of Article 9 of Directive 2016/943, the conflict between the various interests involved could be resolved if the personal data of third parties necessary to verify the accuracy of the minimum information transmitted were disclosed only to the competent authority or court, which would then independently examine whether those third-party data corresponded to the facts.
21. The referring court also notes that, according to the case-law of the Oberster Gerichtshof (Supreme Court, Austria) and the prevailing legal literature, the algorithm used in profiling is a trade secret within the meaning of Directive 2016/943. The referring court states in that regard that D & B relied on the existence of a trade secret worthy of protection in connection with the algorithm on which the processing is based in order to refuse to disclose sufficient information about the logic involved in the automated decision-making. Here too, that court raises the question whether the conflict between the interests of the data subject and those of the controller could be resolved if information classified as a ‘trade secret’ within the meaning of Article 2(1) of Directive 2016/943 were disclosed only to the competent authority or court, which would independently verify whether the information in question may indeed be classified as such and whether the information provided by the controller pursuant to Article 15(1)(h) of the GDPR corresponded to reality.
22. The referring court points out, however, that that method of resolving conflicts between the various interests involved has the disadvantage that the person concerned is deprived of detailed information, which limits, or even renders impossible, the right of access guaranteed by the latter provision. That could have the effect of preventing the data subject from verifying whether the information provided by the controller is comprehensible and accurate and from exercising the rights guaranteed to him or her, inter alia, by Article 22(3) of the GDPR and Article 47 of the Charter of Fundamental Rights of the European Union. (5)
23. In the context of the weighing of the interests of the person requesting a right of access and those of the controller, and with regard in particular to the provisions of Paragraph 4(6) of the Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten (Federal law on the protection of natural persons with regard to the processing of personal data) of 17 August 1999, (6) in the version applicable to the main proceedings (7) (‘the DSG’), that court also seeks an interpretation of Article 15(4) and Article 23(1)(i) of the GDPR, read in the light of recital 63 of that regulation.
24. In those circumstances, the Verwaltungsgericht Wien (Administrative Court, Vienna) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently “meaningful” within the meaning of Article 15(1)(h) of the [GDPR]?
In the case of profiling, must the information essential for making the result of the automated decision transparent in each individual case also be disclosed by the controller – where necessary in compliance with an existing trade secret – as part of the disclosure of the “logic involved” which includes, in particular, … the disclosure of the data subject’s processed data, … the disclosure of the parts of the algorithm on which the profiling is based that are necessary to provide transparency, and … the information relevant to establishing the connection between the processed information and the rating arrived at?
In cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) of the GDPR be provided, as a minimum, with the following information on the specific processing concerning him or her, even if a trade secret is involved, in order to enable him or her to protect his or her rights under Article 22(3) of the GDPR:
(a) [the] communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,
(b) [the provision of] the input data used for profiling,
(c) the parameters and input variables used in the determination of the rating,
(d) the influence of these parameters and input variables on the calculated rating,
(e) information on the origin of the parameters or input variables,
(f) [the] explanation as to why the party entitled to access for the purpose of Article 15(1)(h) of the GDPR has been assigned a specific rating and [the] clarification of the implications of such rating, [and]
(g) [the] listing [of] the profile categories and [the] explanation as to what rating implication is associated with each of the profile categories?
(2) Is the right of access granted by Article 15(1)(h) of the GDPR related to the rights guaranteed by Article 22(3) of the GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 of the GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) of the GDPR is only sufficiently “meaningful” if the party requesting access and the data subject for the purpose of Article 15(1)(h) of the GDPR is enabled to exercise the rights guaranteed by Article 22(3) of the GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 of the GDPR concerning him or her in a real, profound and promising way?
(3) (a) Must Article 15(1)(h) of the GDPR be interpreted as meaning that information constitutes “meaningful information” for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) of the GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?
(b) If the above question is answered in the affirmative: what is the procedure if the accuracy of the information provided by a controller can only be verified if third-party data protected by the GDPR must also be brought to the attention of the party entitled to access for the purpose of Article 15(1)(h) of the GDPR (black box)?
Can this tension between the right of access within the meaning of Article 15(1) of the GDPR and the data protection rights of third parties also be resolved by disclosing the data of third parties (which have also been subjected to the same profiling process) required for the accuracy check only to the authority or the court for the authority or the court to check independently whether the disclosed data of these third parties is accurate?
(c) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) of the GDPR by creating the black box referred to in point (3b)?
Must the data of other persons to be disclosed by the controller for the purpose of Article 15(1) of the GDPR to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR be disclosed in pseudo-anonymised form in order to ensure that the accuracy can be verified?
(4) (a) What is the procedure if the information to be provided in accordance with Article 15(1)(h) of the GDPR also meets the requirements of a trade secret within the meaning of Article 2(1) of Directive [2016/943]?
Can the tension between the right of access guaranteed by Article 15(1)(h) of the GDPR and the right to non-disclosure of a trade secret protected by the Know-How Directive be resolved by allowing the information to be disclosed as a trade secret within the meaning of Article 2(1) of the Know-How Directive be disclosed to the authority or the court only, so that the authority or the court must independently verify whether it must be assumed that a trade secret within the meaning of Article 2(1) of the Know-How Directive exists and whether the information provided by the controller within the meaning of Article 15(1) of the GDPR is accurate?
(b) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) of the GDPR by creating the black box referred to in point (4a)?
In [the] case of discrepancy between the information to be disclosed to the authority or the court and the information to be disclosed to the person entitled to access within the meaning of Article 15(1)(h) of the GDPR, in cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) of the GDPR also be provided, as a minimum, with the following information on the specific processing concerning him or her in order to enable him or her to protect his or her rights under Article 22(3) of the GDPR in their entirety:
(i) [the] communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,
(ii) [the provision of] the input data used for profiling,
(iii) the parameters and input variables used in the determination of the rating,
(iv) the influence of these parameters and input variables on the calculated rating,
(v) information on the origin of the parameters or input variables,
(vi) [the] explanation as to why the party entitled to access for the purpose of Article 15(1)(h) of the GDPR has been assigned a specific rating and [the] clarification of the implications of such rating, [and]
(vii) [the] listing [of] the profile categories and [the] explanation as to what rating implication is associated with each of the profile categories?
(5) Does the provision of Article 15(4) of the GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) of the GDPR?
If this question is answered in the affirmative, is this right of access limited by Article 15(4) of the GDPR, and how is the extent of the limitation to be determined in each individual case?
(6) Is the provision of Article 4(6) of the [DSG], according to which “the right of access of the data subject pursuant to Article 15 of the GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties” compatible with the requirements of Article 15(1) in conjunction with Article 22(3) of the GDPR? If the above question is answered in the affirmative, what are the conditions for such compatibility?’
25. Written observations were lodged by CK, D & B, the Spanish, Netherlands and Polish Governments and the European Commission.
III. Analysis
A. Preliminary observations
26. Under Article 22(1) of the GDPR, ‘the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’. (8) However, the prohibition thus laid down does not apply in the cases listed in Article 22(2) of that regulation, to which I shall return below.
27. In its judgment of 7 December 2023, SCHUFA Holding and Others (Scoring), (9) the Court held that Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person. (10)
28. Following that judgment, the referring court was asked by the Court whether it wished to maintain its request for a preliminary ruling, to which it answered in the affirmative. In essence, it considered that that judgment did not answer its questions relating, inter alia, to how to resolve the conflict between the data subject’s right to protection of his or her personal data and the controller’s interest in protecting trade secrets. Moreover, that judgment did not answer the question relating to the level of detail required of the ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of Article 15(1)(h) of the GDPR.
29. The present case will thus lead the Court to supplement its judgment in SCHUFA Holding and Others (Scoring) (11) by clarifying the scope of the right of access guaranteed by that provision.
30. The referring court must determine the extent and degree of detail of the information which D & B must provide in order to meet the requirements of that provision.
31. With that in mind, that court seeks the Court’s assistance with the following legal questions.
32. In the first place, what is meant by ‘meaningful information about the logic involved’ in automated decision-making within the meaning of Article 15(1)(h) of the GDPR? Does such information include the algorithm used for the purposes thereof? To what extent and in what degree of detail is it possible to require the controller to disclose sufficient information to enable the data subject to verify the accuracy of that information and its consistency with the rating decision at issue?
33. In the second place, to what extent can the protection of the rights and freedoms of others, in particular the protection of a trade secret, affect the controller’s obligation to provide ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of Article 15(1)(h) of the GDPR? What mechanisms, if any, could resolve the tension between the rights of the data subject and the interests of the controller?
34. In his Opinion delivered in the case which gave rise to the judgment in SCHUFA Holding and Others (Scoring), (12) Advocate General Pikamäe expressed a view on the main aspects of those questions. He considered that Article 15(1)(h) of the GDPR, read in conjunction with recital 63 of that regulation, must be interpreted as ‘also covering, in principle, the calculation method used by a credit information agency to establish a score, provided there are no conflicting interests that are worthy of protection’. (13)
35. While wishing to ensure a fair balance between the conflicting rights and interests involved, the EU legislature sought to guarantee that ‘a minimum amount of information … be provided in any event so as not to compromise the essence of the right to protection of personal data’. (14) In Advocate General Pikamäe’s view, it follows that ‘while protection of trade secrets or intellectual property in principle constitutes a legitimate reason for a credit information agency to refuse to disclose the algorithm used to calculate the score for the data subject, it cannot under any circumstances justify an absolute refusal to provide information’. (15)
36. In the light of Article 12(1) of the GDPR, pursuant to which ‘the controller shall take appropriate measures to provide any information [under Article 15] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language’, (16) and recital 58 of that regulation, Advocate General Pikamäe took the view that ‘the real objective of Article 15(1)(h) of the GDPR is to ensure that data subjects obtain information in an intelligible and accessible form in accordance with their needs’. (17) In his view, ‘those requirements exclude any obligation to disclose the algorithm, given its complexity. The benefit of communicating a particularly complex formula without providing the necessary explanations for it would be questionable.’ (18)
37. In the light of those elements, Advocate General Pikamäe therefore concluded that ‘the obligation to provide “meaningful information about the logic involved” must be understood to include sufficiently detailed explanations of the method used to calculate the score and the reasons for a certain result. In general, the controller should provide the data subject with general information, notably on factors taken into account for the decision-making process and on their respective weight on an aggregate level, which is also useful for him or her to challenge any “decision” within the meaning of Article 22(1) of the GDPR.’ (19)
38. I agree, in essence, with the interpretation proposed by Advocate General Pikamäe, as I shall explain in more detail in the following paragraphs. (20)
B. The questions referred for a preliminary ruling
39. By its questions, which I propose to examine together, the referring court asks the Court, in essence, whether, first, Article 15(1)(h) of the GDPR must be interpreted as meaning that ‘meaningful information about the logic involved’ in automated decision-making includes information which is sufficiently complete to enable the data subject to verify the accuracy of that information and its consistency with the rating decision at issue, including the algorithm used for the purposes of that automated decision-making. Secondly, that court wishes to know whether and, if so, to what extent the protection of the rights and freedoms of others, such as the protection of a trade secret relied on by the controller, is capable of limiting the scope of the data subject’s right of access under that provision.
1. The concept of ‘meaningful information about the logic involved’ in automated decision-making
40. It should be noted at the outset that the Court has recently highlighted several features of the right of access laid down in Article 15 of the GDPR when ruling on the scope of the right to obtain a copy of personal data undergoing processing, a right provided for in the first sentence of paragraph 3 of that article. Those elements appear to me to be useful in answering the questions raised by the referring court.
41. Article 15 of the GDPR, entitled ‘Right of access by the data subject’, defines, in paragraph 1 thereof, the subject matter and scope of the right of access granted to the data subject and enshrines the right of the data subject to obtain from the controller access to his or her personal data and the information referred to in subparagraphs (a) to (h) of that paragraph.
42. The purpose of the guarantee of such a right is to achieve the objectives pursued by the GDPR, which are, as stated in recitals 10 and 11, to ensure a consistent and high level of protection for natural persons within the European Union, as well as to strengthen and set out in detail the rights of data subjects. (21)
43. More specifically, Article 15(1)(h) of the GDPR provides that a data subject has the right to be informed by the controller of the existence of automated decision-making, including profiling, (22) as referred to in Article 22(1) and (4) of that regulation, and, at least in such cases, obtain meaningful information about the logic involved (23) and the significance and the envisaged consequences of such processing for the data subject. (24)
44. Generally speaking, it is apparent from the case-law of the Court that the right of access provided for in Article 15 of the GDPR must enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner. (25)
45. Furthermore, the copy of the personal data undergoing processing, which the controller must provide pursuant to the first sentence of Article 15(3) of the GDPR, must have all the characteristics necessary for the data subject effectively to exercise his or her rights under that regulation and must, consequently, reproduce those data fully and faithfully. (26)
46. In particular, that right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16, 17 and 18 of the GDPR, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, and right of action where he or she suffers damage, laid down in Articles 79 and 82 of the GDPR. (27)
47. As regards the data subject’s right to obtain the information provided for in Article 15(1)(h), I would add that that right of access must enable him or her to exercise the rights conferred on him or her by Article 22 of the GDPR, which relates specifically to the situation in which the data subject is the subject of a decision based on automated processing.
48. Thus, as I stated above, Article 22(1) of that regulation lays down the right of any data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. (28) However, that prohibition does not apply in the cases referred to in Article 22(2) of that regulation, namely where that decision is necessary for entering into, or performance of, a contract between the data subject and a data controller (point (a)), where it is authorised by EU or Member State law to which the controller is subject (point (b)), or where it is based on the data subject’s explicit consent (point (c)).
49. Furthermore, Article 22 of the GDPR provides, in paragraphs 2(b) and 3 thereof, that suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests must be taken. In the cases referred to in points (a) and (c) of Article 22(2) of that regulation, the data controller is to implement at least the right of the data subject to obtain human intervention, to express his or her point of view and to contest the decision. (29) In connection with the present case, the referring court emphasises the link between the right of access provided for in Article 15(1)(h) of that regulation and those rights of the data subject to express his or her point of view and to challenge the automated decision.
50. According to the Court, the enhanced requirements laid down by the GDPR as to the lawfulness of automated decision-making and the additional information obligations of the controller and the related additional rights of access of the data subject are explained by the purpose pursued by Article 22 of that regulation consisting of protecting individuals against the particular risks to their rights and freedoms represented by the automated processing of personal data, including profiling. (30)
51. It follows that, with a view to determining what is covered by ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of Article 15(1)(h) of the GDPR, account must be taken of the purpose pursued by Article 22 of that regulation, so that the data subject may effectively, on the basis of that information, avail himself or herself of the rights conferred on him or her by the latter article.
52. In those circumstances, it should be noted that, in accordance with the principle of transparency, to which recital 58 of the GDPR refers and which is expressly enshrined in Article 12(1) of that regulation, any information sent to the data subject must be concise, easily accessible and easy to understand, and formulated in clear and plain language. (31)
53. The Court thus deduced from that provision that the controller is obliged to take appropriate measures to provide the data subject with all the information referred to, inter alia, in Article 15 of the GDPR, in a concise, transparent, intelligible and easily accessible form, using plain and clear language. The purpose of that provision, which is an expression of the principle of transparency, is to ensure that the data subject is able fully to understand the information sent to him or her. (32)
54. According to the Court, it follows from those factors that the copy of the personal data undergoing processing, which the controller must provide pursuant to the first sentence of Article 15(3) of the GDPR, must have all the characteristics necessary for the data subject effectively to exercise his or her rights under that regulation and must, consequently, reproduce those data fully and faithfully. (33)
55. The Court also stated that it may be necessary to contextualise the personal data processed in order to ensure that they are intelligible. That is why, in order to ensure that the information thus provided is easy to understand, as required by Article 12(1) of the GDPR, read in conjunction with recital 58 of that regulation, the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential. (34)
56. In particular, according to the Court, where personal data are generated from other data or where such data result from empty fields, that is to say, where there is an absence of information which provides information about the data subject, the context in which the data are processed is an essential element in enabling the data subject to have transparent access and an intelligible presentation of those data. (35)
57. Consequently, the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation. (36)
58. The case-law of the Court relating to the requirements with which the controller must comply when providing, pursuant to the first sentence of Article 15(3) of the GDPR, a copy of the personal data undergoing processing provides, in my view, valuable guidance for determining the characteristics which the ‘meaningful information about the logic involved’ in the automated decision-making within the meaning of Article 15(1)(h) of that regulation must have.
59. It is true that it is also clear from that case-law that the personal data of which the controller must provide a copy pursuant to the first sentence of Article 15(3) of that regulation are not to be confused with the information to which the data subject has a right of access pursuant to Article 15(1)(a) to (h) of that regulation. (37)
60. However, there is no doubt, in my view, that the requirement of transparency of the disclosed information, which is laid down in Article 12(1) of the GDPR and on which that case-law is based, applies, by the very terms of that provision, to all such data and information, including those which are linked to automated decision-making.
61. The data subject must therefore, in connection with automated decision-making such as that at issue in the main proceedings, be provided with a copy of his or her personal data undergoing processing which reproduces those data fully and faithfully, in accordance with the first sentence of Article 15(3) of the GDPR.
62. Moreover, it would appear essential that the data subject should be aware of the context in which his or her personal data is undergoing automated processing so that he or she can exercise the rights granted to him or her by the GDPR, including the right to express his or her point of view on an automated decision and to challenge it.
63. That is, furthermore, the very purpose of Article 15(1)(h) of the GDPR, which requires, in essence, that the data subject be informed of the context in which an automated decision was taken, in particular the logic involved in that decision-making.
64. The data subject’s knowledge of that context must enable him or her, through knowledge of the essential elements of the method and the criteria used, to understand the result reached by the automated decision. In short, the process, which is technical in nature, that led to that decision must be made intelligible. Only in that way will the data subject be able to exercise his or her rights under the GDPR, including the right to express his or her point of view on an automated decision and the right to challenge it. The concept of ‘meaningful information about the logic involved’ in automated decision-making must therefore be understood functionally. (38)
65. In that regard, the emphasis placed by the EU legislature on the need for meaningful information is directly linked to the technical nature of the field in question, which makes it necessary to ensure that that information is comprehensible and significant for the data subject. That is a necessary condition to ensure the meaningfulness of that information with a view to enabling that person to effectively exercise the rights guaranteed to him or her by the GDPR. Depending on the language version of Article 15(1)(h) of the GDPR, the emphasis is placed to varying degrees on the ‘comprehensible’ or ‘significant’ nature of the information, that dual meaning being expressed by the term ‘meaningful’ in the English version. (39) It is therefore appropriate, in my view, to adopt an interpretation of the concept of ‘meaningful information’, within the meaning of the latter provision, which makes it possible, in the context of a functional approach, to take account of those meanings, which are complementary.
66. The meaningfulness of the information for the data subject therefore presupposes – as is the case for the copy of the personal data undergoing processing which must be provided pursuant to the first sentence of Article 15(3) of the GDPR – that that information is concise, easily accessible and easy to understand, and that clear and plain language is used. The data subject to whom that information is disclosed must therefore be able fully to understand the information sent to him or her. In those circumstances, it may be necessary to contextualise the data provided in order to ensure they are intelligible.
67. In short, ‘meaningful information’, as required by Article 15(1)(h) of the GDPR, must not only be clear and accessible, but must also be accompanied by explanations to ensure that it is properly understood. That is true a fortiori when it is a question of providing the person concerned with information in a technical field. Accordingly, that provision affords the data subject a genuine right to an explanation as to the functioning of the mechanism involved in automated decision-making of which that person was the subject and of the result of that decision. (40) In that regard, I note that, in accordance with recital 71 of the GDPR, the data subject should be able to ‘obtain an explanation of the decision reached after such assessment’.
68. In addition to those requirements, the data subject must be able to verify the accuracy of the personal data relating to him or her and the information relating to the logic involved in the automated decision-making. It must therefore be possible for him or her to ensure that there is an objectively verifiable consistency and causal link between, on the one hand, the method and criteria used and, on the other, the result arrived at by the automated decision. In other words, the information disclosed must enable that person to check whether it corresponds to the facts, and therefore whether the automated decision in question is actually based on accurate information. (41)
69. I would point out, in that regard, that, as is apparent from the order for reference, the information supplied to CK by D & B does not appear to correspond to reality, since it did not reveal the actual profiling of her carried out. The Court has already emphasised that, in view of the particular risks to data subjects’ rights and freedoms posed by the automated processing of personal data, including profiling, it is important, according to recital 71 of the GDPR, to provide suitable safeguards and to ensure fair and transparent processing in respect of the data subject, in particular through the use of appropriate mathematical or statistical procedures for the profiling and the implementation of technical and organisational measures appropriate to ensure that the risk of errors is minimised. (42)
70. That requirement of accuracy is, in my view, reinforced when one considers, as the Court held in its judgment of 7 December 2023 in SCHUFA Holding (Discharge from remaining debts), (43) concerning the processing of personal data relating to the grant of a discharge from remaining debts, that automated processing such as that at issue in the main proceedings constitutes a serious interference with the fundamental rights of the data subject, enshrined in Articles 7 and 8 of the Charter. The data subject’s personal data are processed with a view to assessing the data subject’s creditworthiness and therefore constitute sensitive information about his or her private life. The processing of such data is likely to be considerably detrimental to the interests of that person by preventing him or her from entering into contractual relations likely to cover his or her day-to-day needs. (44)
71. Accordingly, I consider that ‘meaningful information about the logic involved’ in automated decision-making must enable the data subject to exercise the rights guaranteed to him or her by the GDPR and, in particular, by Article 22 of that regulation. That presupposes, in the first place, that that person can obtain information that is concise, easily accessible and easy to understand, and formulated in clear and plain language on the method and criteria used for that decision. In the second place, that information must be sufficiently complete and contextualised to enable that person to verify its accuracy and whether there is an objectively verifiable consistency and causal link between, on the one hand, the method and criteria used and, on the other, the result arrived at by the automated decision.
72. In the light of the foregoing, I do not consider that Article 15(1)(h) of the GDPR must be interpreted as imposing on the controller an obligation to disclose to the data subject information which, by reason of its technical nature, is so complex that it cannot be understood by persons who do not have particular technical expertise. (45) In my view, algorithms used in automated decision-making constitute such information.
73. Admittedly, it could be argued, on a broad reading of the obligation of transparency, that a review of the way in which personal data are processed by an algorithm requires that the algorithm be disclosed to the data subject. (46) However, I take the view that the raison d’être of that obligation is to enable that person to understand the information disclosed to him or her so that he or she can assert the rights conferred on him or her by the GDPR. From that point of view, explanations that are accessible without requiring particular technical expertise will certainly be more ‘meaningful’ than a complex mathematical formula.
74. In the same vein, I note, as the Guidelines state, that ‘[it can be] challenging to understand how an automated decision-making process or profiling works’. Consequently, ‘the controller should find simple ways to tell the data subject about the rationale behind, or the criteria relied on in reaching the decision. The GDPR requires the controller to provide meaningful information about the logic involved, not necessarily a complex explanation of the algorithms used or disclosure of the full algorithm … The information provided should, however, be sufficiently comprehensive for the data subject to understand the reasons for the decision.’ (47) Thus, ‘the controller should provide the data subject with general information (notably, on factors taken into account for the decision-making process, and on their respective “weight” on an aggregate level) which is also useful for him or her to challenge the decision’. (48)
75. However, as the Article 29 Data Protection Working Party pointed out in its Guidelines, ‘complexity is no excuse for failing to provide information to the data subject’. (49) It follows that the controller cannot rely on the complexity of the information to refuse to fulfil its obligation under Article 15(1)(h) of the GDPR. It falls to the controller to provide information which is both accessible and complete so that the data subject can understand the process that led to the automated decision of which he or she was the subject.
76. I infer from those elements that the controller is not required, under Article 15(1)(h) of the GDPR, to provide the data subject with information of a technical nature which he or she would not be in a position to understand, such as the details of the algorithms used. (50) By contrast, that controller must fulfil its obligation, in each case, to provide that person with both accessible and sufficiently complete information on the process that led to the automated decision in question and the reasons for the outcome of that decision. Thus defined, ‘meaningful information about the logic involved’ in automated decision-making should in particular describe the method used and the criteria taken into account and their weighting. (51) The data subject must therefore be able to understand what information was used in the automated decision-making and how it was taken into account and weighted.
77. It should also be stated that that provision does not, in my view, preclude the controller from deciding, on a voluntary basis, to provide the data subject with information of a technical nature, such as the details of the algorithms used, provided, however, that that communication is accompanied by information that enables that person to understand the process which led to the automated decision and the outcome of that decision.
78. I would add that Article 15(1)(h) of the GDPR should not, in my view, be interpreted as requiring the controller to provide the data subject with personal data relating to third parties, unless this has the effect of infringing the rights of those third parties. However, examples of similar processing operations provided in an anonymised manner, by way of comparison, could enable that person to understand better the automated decision of which he or she was the subject.
79. It is for the national court, on the basis of the foregoing considerations, to determine what information should be made available to the data subject in the main proceedings. In that regard, I doubt that the Court, in its role as interpreter of EU law under Article 267 TFEU, which must be distinguished from the role of applying that law, which is the role of the national court, can go as far in determining the specific nature of that information as that court might wish.
80. Moreover, I would point out that the interpretation which I propose that the Court should adopt of the concept of ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of Article 15(1)(h) of the GDPR, permits the conclusion that the EU legislature has already, for the most part, struck a balance between, on the one hand, the requirement of transparency on which that provision is based and, on the other, the protection of the rights and freedoms of others, which includes the protection of trade secrets. In so far as, in my view, that concept should not extend to information of a technical nature, such as an algorithm, which a data subject is not in a position to understand without specific expertise, the right of access guaranteed by that provision should not, in most cases, lead to an infringement of the trade secret on which the controller may legitimately rely. The same applies to the protection of the personal data of third parties, in so far as that concept should not, in principle, extend to such data.
81. That said, it cannot be ruled out that, in certain cases, the right of access guaranteed by Article 15(1)(h) of the GDPR may entail an infringement of the rights and freedoms of others. Such an infringement may be relied on by the controller to justify a refusal to disclose information to the data subject. However, it is possible that the information disclosed may be insufficient to enable its accuracy and consistency with the outcome of the automated decision in question to be verified and that the transmission of additional information for the purposes of such verification may adversely affect the rights and freedoms of others. It is therefore necessary to determine, as the referring court requests, by what mechanisms the rights and interests at issue may then be reconciled.
2. Balancing the rights of the data subject against the rights and freedoms of others
82. I would recall that the referring court wishes to know, in essence, whether and, if so, to what extent the protection of the rights and freedoms of others, such as the protection of a trade secret relied on by the controller, is likely to limit the scope of the right of access available to the individual under Article 15(1)(h) of the GDPR.
83. In that regard, it should be stated at the outset that, pursuant to recital 4 of the GDPR, the right to protection of personal data is not an absolute right and must be balanced against other fundamental rights, in accordance with the principle of proportionality. Thus, the GDPR respects all the fundamental rights and observes the freedoms and principles recognised by the Charter, as enshrined by the Treaties. (52)
84. Moreover, recital 63 of that regulation states that the right of any data subject to access personal data which have been collected concerning him or her ‘should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject.’
85. Article 15(4) of the GDPR provides that ‘the right to obtain a copy [of the personal data undergoing processing] shall not adversely affect the rights and freedoms of others’.
86. Similarly, Article 23(1)(i) of that regulation recalls that a restriction of the scope of the obligations and rights provided for in, inter alia, Article 15 thereof is possible ‘when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard … the protection of … the rights and freedoms of others’. (53)
87. The Court has inferred from those provisions that the right which the data subject is recognised as having to obtain a first copy, free of charge, of his or her personal data undergoing processing is not absolute. (54) In particular, in accordance with Article 15(4) of the GDPR, read in conjunction with recital 63 of that regulation, the right to obtain a copy of personal data undergoing processing referred to in paragraph 3 of that article must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting the software. (55)
88. It follows from those elements that considerations relating to, inter alia, the protection of the rights and freedoms of others would be such as to justify a restriction of the right of access provided for in Article 15(1)(h) of the GDPR, in so far as such a restriction respects the essence thereof and is a necessary and proportionate measure to safeguard that protection, as provided for in Article 23(1)(i) of the GDPR. (56)
89. Considerations relating to the protection of a trade secret within the meaning of Article 2(1)(1) of Directive 2016/943 (57) may be such as to justify a limitation of the right of access provided for in Article 15(1)(h) of the GDPR.
90. It is true that recital 35 of Directive 2016/943 states that the directive ‘should not affect the rights and obligations laid down in Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (58)], in particular the rights of the data subject to access his or her personal data being processed and to obtain the rectification, erasure or blocking of the data where it is incomplete or inaccurate’. That said, the provisions of the GDPR which I have cited above seem to me to militate, in the event of conflict between, on the one hand, exercising the right of access provided for in Article 15(1)(h) of that regulation and, on the other hand, the rights or freedoms of others, in favour of the possibility of striking a balance between the rights in question. (59)
91. Thus, as the Court has already held, wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’. (60)
92. The referring court wishes, in essence, to know what forms such means of communication which respect the rights and freedoms of others in the specific context of Article 15(1)(h) of the GDPR could take.
93. In that regard, I note that the Court has already held that a national court may take the view that the personal data of the parties or of third parties must be communicated to it in order to be able to balance, in full knowledge of the facts and in compliance with the principle of proportionality, the interests involved. That assessment may, depending on the case, lead it to authorise the full or partial disclosure to the opposing party of the personal data thus communicated to it, if it finds that such disclosure does not go beyond what is necessary for the purpose of guaranteeing the effective enjoyment of the rights which individuals derive from Article 47 of the Charter. (61)
94. That case-law may, in my view, be applied to the information referred to in Article 15(1)(h) of the GDPR. In the light of that case-law, I consider that that provision, read in conjunction with recital 63 and Article 23(1)(i) of that regulation, must be interpreted as meaning that, where the information which must be provided to the data subject under the right of access guaranteed by the first of those provisions is likely to result in an infringement of the rights and freedoms of others, in particular because it contains personal data of third parties protected by the GDPR or a trade secret, within the meaning of Article 2(1)(1) of Directive 2016/943, that information must be disclosed to the competent supervisory authority or court so that the latter can weigh up, in full knowledge of the facts and in accordance with the principle of proportionality and the confidentiality of that information, the interests involved and determine the extent of the right of access that must be granted to that person.
95. According to the information provided by the referring court in its request for a preliminary ruling, Article 4(6) of the DSG excludes, in principle, the data subject’s right of access, provided for in Article 15 of the GDPR, where such access would compromise a business or trade secret of the controller or of a third party. In that regard, I consider that such a provision cannot replace a balancing exercise which must be carried out on a case-by-case basis by the competent authority or court. Indeed, it seems to me to follow from the case-law of the Court that, where a balancing of opposing rights and interests must be carried out, a Member State may not definitively prescribe the result of the balancing (62) without allowing for a different result by reason of the specific circumstances of the particular case. (63)
IV. Conclusion
96. In the light of all the foregoing considerations, I propose that the Court should answer the questions referred for a preliminary ruling by the Verwaltungsgericht Wien (Administrative Court, Vienna, Austria) as follows:
Article 15(1)(h) of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in conjunction with recital 63 and Article 23(1)(i) of that Regulation,
must be interpreted meaning that:
– where a data subject is the subject of automated decision-making, including profiling, as referred to in Article 22 of Regulation 2016/679, the ‘meaningful information about the logic involved’ in such automated decision-making to which that person has a right of access relates to the method and criteria used by the controller for that purpose;
– that information must enable the data subject to exercise the rights guaranteed to him or her by Regulation 2016/679 and, in particular, by Article 22 thereof. It must therefore be concise, easily accessible and easy to understand, and formulated in clear and plain language. In addition, the information must be sufficiently complete and contextualised to enable that person to verify its accuracy and whether there is an objectively verifiable consistency and causal link between, on the one hand, the method and criteria used and, on the other hand, the result arrived at by the automated decision at issue;
– however, the controller is not required to disclose to the data subject information which, by reason of its technical nature, is so complex that it cannot be understood by persons who do not have particular technical expertise, which is such as to preclude disclosure of the algorithms used in automated decision-making;
– where the information to be provided to the data subject under the right of access guaranteed by Article 15(1)(h) of Regulation 2016/679 is likely to result in an infringement of the rights and freedoms of others, in particular because it contains personal data of third parties protected by that regulation or a trade secret within the meaning of Article 2(1)(1) of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, that information must be disclosed to the competent supervisory authority or court so that the latter can weigh up, in full knowledge of the facts and in accordance with the principle of proportionality and the confidentiality of that information, the interests involved and determine the extent of the right of access that must be granted to that person.