In C-203/22, Dun & Bradstreet Austria, the Court of Justice of the European Union delivered an important decision on algorithmic transparency.
1. The facts of the case
CK (hereinafter also referred to as the “data subject”) requested a contract extension from its telephone provider. The telecom company contacted Dun & Bradstreet (also “D&B”), a credit rating agency, which, in turn, gave a negative prognosis on CK’s financial reliability. The data subject’s request was, therefore, rejected.
The decision surprised CK. The contract extension only amounted to about EUR 10 per month, certainly within their financial reach. They had never had financial problems, so the decision sounded unreasonable.
The data subject presented the matter before the Austrian data protection authority, which directed D&B to provide CK with insights into the underlying logic of the automated decision-making process. In the subsequent appeal before the Bundesverwaltungsgericht (Federal Administrative Court of Austria), D&B raised several defences, including the existence of alleged trade secrets protecting its software.
The Austrian court rejected this position and held that D&B had violated Article 15(1)(h) GDPR. More precisely, the company had failed to provide “CK with meaningful information about the logic involved in the automated decision-making based on personal data concerning CK, or, at the very least, [failed] to give a sufficient statement of reasons as to why it was unable to provide that information” (paras. 17-18).
The decision was not appealed and became final. Therefore, CK requested the City Council of Vienna to enforce the judgment, i.e. order to release the information. The Viennese public officials refused to proceed. They argued, in essence, that the operative part of the judgment did not provide clear instructions about the enforcement order. In other words, it was unclear which specific information had to be obtained from the controller.
CK brought an action against the decision of the City Council of Vienna before the Verwaltungsgericht Wien(Administrative Court, Vienna, Austria) which, in turn, referred six questions to the CJEU. The CJEU regrouped the questions into the following two main points:
(i) on the definition of “meaningful information” and “logic involved” under Article 15(1)(h) GDPR in the case of automated decisions under Article 22 GDPR; in other words, whether there is a right to an explanation of the algorithmic decision;
(ii) on the limits of such a right with respect to two specific opposing interests: the controller’s trade secrets and the personal data of third parties.
2. The CJEU decides on algorithmic transparency
With this decision, the CJEU provides clear guidance on algorithmic transparency and balancing of opposing interests. There was indeed a pressing need for it, as indicated by the tumultuous doctrinal debate that offered a wide range of viewpoints.
(i) On the existence of a right to an explanation of the algorithmic decision
The Court confirms the right to explanation of automated decision- making under the GDPR. To do so, it essentially employs two arguments.
Firstly, the Court draws attention to the wording of Article 15(1)(h) GDPR.
The judges first focus on the expression “meaningful information”. The English term “meaningful”, they observe, has different equivalents in other language versions of the GDPR. For example, the Dutch “nuttige” and the Portuguese “ùteis” emphasise the functional aspect of information. The Romanian version focuses on relevance (“pertinente”). The Polish and Spanish versions, on the other hand, refer to the importance of the information (“istotne” and “significativa”). Finally, the English and German versions (respectively “meaningful” and “aussagekräftig“) lean towards the idea of good intelligibility (para. 40). Such linguistic variety must be valued and considered in interpreting the GDPR. More precisely, “the various meanings set out in the preceding paragraph are complementary” (emphasis added) (para. 41). Accordingly, “meaningful” always means – or implies – that the information provided under Article 15(1)(h) must be, at the same time, functional, important, relevant, and intelligible.
The Court then shifts its focus onto analysing the phrase “logic involved”. Here again, the judges use the different language versions of the GDPR. This time the Court refers to the Czech and Polish versions, in which the expression is respectively translated with the terms “postupu” and “zasadi”, i.e. “procedures” and “principles”. The Court concludes as follows: the “logic involved” referred to in Article 15(1)(h) “covers all relevant information concerning the procedureand the principles” (emphasis added) of a “specific result” (paras. 42-43).
Secondly, the Court uses a teleological argument in support of the previous interpretation (para. 50).
The judges recall the functional value of Article 15 GDPR. The right of access is an essential tool enabling the data subject to verify the lawfulness of the processing. The Court recalls its own case law for which the right of access is “necessary to enable the data subject to exercise” its right to rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), objection to processing (Art. 21), court action (Art. 79) and right to compensation (Art. 82) (paras. 53-54).
At this point, an innovative element comes into play. For the first time to our knowledge, the CJEU goes a step further and expressly adds to the rights listed in the preceding paragraph also the rights foreseen under Article 22(3) GDPR. In other words, the right of access under Article 15(1)(h) GDPR is instrumental “to effectively exercise the rights conferred on him or her by Article 22(3)” (para. 55). Conversely, the Court continues, it would be impossible for an individual subject to automated processing or profiling to express their views on the decision and effectively challenge it, as required by Article 22(3) GDPR (para. 56).
Pursuant to Art. 12(1) GDPR, the explanations must be provided in a concise, transparent, intelligible and easily accessible manner. In this respect, and here comes another relatively new element, the Court clarifies that the complexity of the automated processing operations does not justify the lowering of this transparency threshold (para. 61).
Finally, the Court sides with the data subject, requiring the controller “to explain in a concise, transparent, intelligible and easily accessible form the procedure and principles pursuant to which the result of the ‘actual’ profiling was obtained” (para. 65).
(ii) On the relationship between the explanation of the algorithmic decision and other protected interests. Trade secrets and personal data of third parties
In the first part of the decision, the Court confirms the right to an explanation of automated decision-making. The explanation must put the data subject in a position to effectively understand it, express their point of view, and contest it. This implies a disclosure by the controller, the extent of which depends on the type of decision a data subject intends to contest.
For example, the problem may lie in how a calculation is made, so the controller shall disclose something about its algorithm. In other cases, problems may stem from the type of data processed. If the data subject wants to find and contestthat discrimination, the disclosure may involve the personal data of third parties.
The second part of the ruling explores the relationship between the right to explanation and two conflicting interests, trade secrets and personal data. The decision, however, does not provide much guidance.
The Court recalls its own precedent, Norra Stockholm Bygg, C-268/21 (para 58). In that case, the CJEU had already accepted that a national court may authorise full or partial disclosure of third parties’ personal data in favour of a complainant. On one condition, such disclosure had to be necessary to ensure the effectiveness of rights guaranteed by Article 47 of the EU Charter of Fundamental Rights.
The Court expressly states that this precedent “can be fully transposed” to the case at hand. Accordingly, if Article 47 EU Charter so requires, third-party personal data and controller’s trade secrets “must be disclosed to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access to personal data concerning him or her” (para. 74).
Regrettably, the decision merely states that the balancing must be carried out on a case-by-case basis (para. 75).
3. Final remarks
Dun and Bradstreet is an important ruling.
We appreciate the literal interpretation based on the different language versions of the GDPR. This approach, which respects the principle of equality of the languages of the Union, clarified the expressions “meaningful information” and “logic involved”. Should the Court consistently adopt such multi-lingual approach in the future, there might be interesting novelties ahead.
The teleological argument should also be welcomed. It is consistent with existing case law and even goes a step further, establishing the principle of algorithmic transparency in the GDPR. For the first time, it expressly links the right of access to the rights to react to automated decisions, enshrined in Art. 22(3) GDPR. Whenever the GDPR grants a right, be it a judicial remedy (Art. 79 and 82), or against the controller (16, 17, 18, 21 and, from now on, 22), that right must be effective in accordance with Art. 47 Charter. The disclosure to which the controller is bound must, therefore, comply with this standard, subject to appropriate balancing.
We also want to briefly discuss para. 61 of the ruling, where the Court states that the complexity of the processing is not a valid excuse for not providing the information in the manner specified by Article 12 GDPR. We wonder what should be done when the processing is so intricate that it cannot be explained in an understandable manner. This is not a theoretical scenario given the inherent complexity of certain AI systems. Could we reasonably conclude that if the processing is not explainable, it should be simplified or even interrupted? The implications of this assumption may have far-reaching consequences.
Finally, some uncertainty persists regarding the practical methods of disclosure. The Austrian courts had requested clarifications on whether a “black-box” system was necessary or appropriate to provide access to the parties while simultaneously safeguarding the controller’s trade secrets or third parties’ personal data. The Court did not provide specific guidance on this matter, merely stating that the DPA or the court in charge would determine the appropriate information to disclose to the data subject. In this regard, further elaboration could have been beneficial.