DATA PROTECTION
EU Court of Justice: in the automated assessment of creditworthiness, the data subject has the right to be explained how the decision against him or her was taken.
In Austria, a mobile phone operator refused to conclude a contract to a customer on the ground that she was not sufficiently solvent. The operator relied in that regard on an assessment of the customer's creditworthiness, which had been carried out by automated means by Dun & Bradstreet Austria, a company specialising in the provision of such assessments.
The contract would have involved the payment of 10 euros per month. In the ensuing dispute, an Austrian court held, in a final decision, that Dun & Bradstreet Austria had infringed the General Data Protection Regulation (GDPR). Dun & Bradstreet Austria did not provide the customer with 'meaningful information on the logic used' in the automated decision-making process in question. At the very least, that company did not state sufficient reasons for the reason why it was unable to provide that information.
The court seised by the client for the purposes of enforcing that judicial decision asks what Dun & Bradstreet is specifically required to do in that regard. It therefore asked the Court of Justice to interpret the GDPR and the Trade Secrets Directive.
In the judgment in Case C-203/22 (Dun & Bradstreet Austria), according to the Court, the controller must describe the procedure and principles concretely applied in such a way that the data subject can understand which of his or her personal data has been used, and how, in the automated decision-making process. In order to meet the requirements of transparency and intelligibility, it might be appropriate, in particular, to inform the data subject of how a change in the personal data taken into account would lead to a different outcome. The simple communication of an algorithm would not, on the other hand, be a sufficiently concise and understandable explanation.
The data controller, in the event that it considers that the information to be provided contains protected data of third parties or trade secrets, must communicate such allegedly protected information to the competent supervisory authority or court. They are required to weigh up the rights and interests at stake in order to determine the extent of the data subject's right of access to that information.
The Court states in that regard that the GDPR precludes the application of a national provision which normally excludes the right of access in question where that right of access would compromise a business secret of the controller or of a third party.
The contract would have involved the payment of 10 euros per month. In the ensuing dispute, an Austrian court held, in a final decision, that Dun & Bradstreet Austria had infringed the General Data Protection Regulation (GDPR). Dun & Bradstreet Austria did not provide the customer with 'meaningful information on the logic used' in the automated decision-making process in question. At the very least, that company did not state sufficient reasons for the reason why it was unable to provide that information.
The court seised by the client for the purposes of enforcing that judicial decision asks what Dun & Bradstreet is specifically required to do in that regard. It therefore asked the Court of Justice to interpret the GDPR and the Trade Secrets Directive.
In the judgment in Case C-203/22 (Dun & Bradstreet Austria), according to the Court, the controller must describe the procedure and principles concretely applied in such a way that the data subject can understand which of his or her personal data has been used, and how, in the automated decision-making process. In order to meet the requirements of transparency and intelligibility, it might be appropriate, in particular, to inform the data subject of how a change in the personal data taken into account would lead to a different outcome. The simple communication of an algorithm would not, on the other hand, be a sufficiently concise and understandable explanation.
The data controller, in the event that it considers that the information to be provided contains protected data of third parties or trade secrets, must communicate such allegedly protected information to the competent supervisory authority or court. They are required to weigh up the rights and interests at stake in order to determine the extent of the data subject's right of access to that information.
The Court states in that regard that the GDPR precludes the application of a national provision which normally excludes the right of access in question where that right of access would compromise a business secret of the controller or of a third party.
