by Dr. Gerald Trieb and Theodor Paul Mach-Walter
In the proceedings submitted from Austria, the CJEU had to decide how the right to obtain information by a data subject whose data has been processed using automated decision-making must be fulfilled and which exceptions can be applied in the process. The subject matter of the main proceedings is a complaint by a data subject to the Austrian Data Protection Authority (“Datenschutzbehörde”, hereinafter “DSB”), about a negative credit rating that was automatically generated by the credit rating agency Dun & Bradstreet (hereinafter “D&B”). On the basis of the rating, the data subject was refused an extension of the mobile phone contract for EUR 10.00 per month. The DSB instructed D&B to provide meaningful information about the logic involved in the automated decision-making process in accordance with Article 15(1)(h) of the GDPR. D&B filed an appeal to the Austrian Federal Administrative Court (BVwG) and essentially argued that it was unable to provide more detailed information due to a protected trade secret (exception according to Sec. 4(6) Austrian Data Protection Act, hereinafter “DSG”). However, the BVwG upheld the DPA’s decision and confirmed a violation of Article 15(1)(h) of the GDPR.
The enforcement carried out on the basis of this finding was rejected by the Magistrat der Stadt Wien (municipal authority of the city of Vienna) on the grounds that D&B had already sufficiently fulfilled the obligation to provide information (sic!). The data subject in turn lodged an appeal against this to the Verwaltungsgericht Wien (Vienna Administrative Court). The court subsequently suspended the proceedings and put the following questions to the CJEU for a preliminary ruling:
1. Must Article 15(1)(h) of the GDPR be interpreted as meaning that, in the case of automated decision-making (including profiling) within the meaning of Article 22(1) of the GDPR, the data subject may require the controller to provide, as ‘meaningful information about the logic involved’, an exhaustive explanation of the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile?
2. Must Article 15(1)(h) of the GDPR be interpreted as meaning that where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of the GDPR?
Regarding the first question, the CJEU concludes that “meaningful information about the logic involved” includes all relevant information concerning the procedure and the principles relating to the use, by automated means, of personal data with a view to obtaining a specific result, and that this information must also be provided in a concise, transparent, intelligible and easily accessible form due to the requirement of transparency laid down in Article 12(1) of the GDPR.
The data subject has a right to a comprehensible explanation of how the mechanism works in order to effectively exercise the right to express one’s point of view and the right to challenge the decision in the case of automated processing, as enshrined in Article 22(3) of the GDPR. Neither the mere transmission of a complex mathematical formula (e.g. algorithm) nor the detailed description of each step of an automated decision-making process meets these requirements, as neither is sufficiently precise and comprehensible. In the specific case of a credit rating, the CJEU suggests that the data subject may be informed to what extent a deviation in the personal data taken into account would have led to a different result.
The second question essentially concerns the legally compliant implementation of the right of access under Article 15(1)(h) of the GDPR in the event of a conflict with the rights or freedoms of other persons and trade secrets of the controller. The Austrian regulation of Sec. 4(6) DSG provides for an exclusion of information. According to the wording of the law, this exception applies “in der Regel” (which should be translated as “generally” or “normally”) “if the disclosure of this information would jeopardize a trade secret of the data controller or a third party”. In this regard, the CJEU finds that Article 15(1)(h) of the GDPR precludes this national provision, since Sec. 4(6) of the DSG fundamentally excluded the right to information in such a case and was therefore in violation of EU law. Accordingly, Article 15(1)(h) of the GDPR is to be interpreted to the effect that in the event of a conflict, the rights in question are to be weighed against each other and the competent supervisory authority or court is to be provided with the information allegedly protected by the controller in order to enable it to review the balance of interests.
In our view, the CJEU derives the conclusion of a violation of EU law by using a wrong summary (instead of, as it usually does, a translation of the actual wording) of the relevant Austrian provision in Sec. 4(6) DSG, which it adopted from the opinion of the Advocate General (paragraph 95, in the original French version) without itself considering the actual and precise wording of the national provision. In his opinion, the Advocate General concludes that Sec. 4(6) DSG is to be understood as restricting the right of access “grundsätzlich” (which can be translated as “in principle” or “as a general rule” [without exceptions]) if the conditions are met.
However, the referring Austrian court could possibly have averted the present misunderstanding by mentioning Sec. 25(3) DSG in its request for a preliminary ruling. This provision clarifies that, in the event that a controller invokes a restriction within the meaning of Article 23 of the GDPR, the authority must verify the lawfulness of the confidentiality and can do so by means of a decision. Thus, Austrian law already regulates what the CJEU additionally ruled on the basis of its jurisprudence (see judgment of 2 March 2023, Norra Stockholm Bygg, C-268/21, paragraph 58) for cases in which controllers invoke such a restriction.
However, the practical implications will be limited, since the outcome of the CJEU’s decision is similar to the actual wording of Sec. 4(6) DSG. This will also be the case if, despite the CJEU’s lack of clarity in its wording, the Austrian authorities and courts should no longer apply Sec. 4(6) DSG in accordance with this decision.
Dr. Gerald Trieb is Partner at Knyrim Trieb Rechtsanwälte, Vienna (Austria).
Theodor Paul Mach-Walter studies law at the University of Vienna and is a student assistant at Knyrim Trieb Rechtsanwälte, Vienna (Austria).