Last week, the Court of Justice of the European Union issued its long-awaited judgment on an issue of significance for organisations using automated technology (including artificial intelligence) to make decisions about individuals: the extent to which individuals must be given information about how those decisions were made.
Automated decision-making, or ADM, is now being used for a wide range of use cases — from credit scoring, to calculating insurance coverage, determining personalised pricing and CV sifting, among many others. Although the technologies that power these use cases often use some form of AI, not all ADM is enabled by AI — and vice versa.
The GDPR specifically applies to ADM in three ways (i.e., beyond the requirements to have a lawful basis for processing, to have conducted data protection impact assessments, and so on).
- Firstly, Article 22 gives individuals the right not to be subject to a decision based solely on ADM (including profiling) that produces legal or similarly significant effects on the individual.
- Secondly, Articles 13(2)(f) and 14(2)(g) require the controller to provide individuals with “information about the existence of automated decision-making, including profiling … [and] … meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject” (i.e., in the controller’s privacy notices).
- Thirdly, Article 15(1)(h) entitles individuals to obtain from the controller, in the context of an access request, information about the existence of ADM (including profiling) and “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”.
In Case C-203/22 Dun & Bradstreet Austria, the CJEU considered the application of ADM to an individual’s Article 15 GDPR access request — in particular, (1) what constitutes “meaningful information about the logic involved” in ADM, and (2) whether the controller is required to provide the requester with information relating to the organisation’s trade secrets (i.e., relevant algorithm(s), logic decisions or copyright-protected software).
What did the CJEU rule?
- An individual that is the subject of a decision which is based solely on automated processing and which significantly affects the individual must have the right to obtain an explanation of the decision.
- The right to obtain, per Article 15(1)(h) of the GDPR, meaningful information about the logic involved in ADM, entitles the individual to an “explanation of the procedure and principles actually applied in order to use, by automated means, the [individual’s personal data] with a view to obtaining a specific result”.
- This requirement cannot be satisfied either by “the mere communication of a complex mathematical formula”, such as an algorithm, or “by the detailed description of all the steps in automated decision-making, since none of those would constitute a sufficiently concise and intelligible explanation”.
- The information must be provided in a concise, transparent, intelligible and easily accessible form – that is to say, in a way that the individual can understand. Moreover, the complexity of the operations carried out in the context of ADM does not relieve the controller of its duty to provide an explanation about the processing.
- However, the right to personal data is not absolute and must be balanced against other fundamental rights, including the rights of third parties and the controller’s trade secrets and intellectual property.
- Where the information to be provided to an individual under Article 15(1)(h) of the GDPR is likely to result in an infringement of the rights and freedoms of others, such as the controller’s trade secrets, the controller must disclose that information to the competent supervisory authority or court, which must balance the competing rights and interests with a view to determining the extent of the individual’s right of access.
- Where that is the case, the controller must nevertheless explain to the individual the logic behind the ADM — unless such logic is, itself, a trade secret.
What does the case mean?
First and foremost, businesses will be relieved to know that they do not need to disclose trade secrets to individuals who make an access request under Article 15 of the GDPR. Note, however, that the CJEU makes clear that an organisation which chooses not to provide such information to the requesting individual must instead disclose it to a supervisory authority or court.
Importantly, the case also serves as a reminder to organisations that do use ADM — or are thinking about doing so — that transparency is king.
As described above, Articles 13(2)(f), 14(2)(g) and 15(1)(h) of the GDPR require the controller to provide individuals with “information about the existence of automated decision-making, including profiling … [and] … meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”.
The good news for controllers is that how well, or not so well, you provide this information is entirely in your hands. Clearly, a generalised privacy notice may not always be able to contain the specificity of information that you may need to provide in respect of an access request under Article 15 of the GDPR. However, given that the ADM-related wording is identical in Articles 13, 14 and 15, taking the time to draft your privacy notices in a way that is concise, transparent, intelligible and easily accessible will in most cases provide a good point from which to start – and in some cases, may be sufficient to discharge your Article 15(1)(h) obligations altogether.
This is because, generally speaking, people are willing to accept the results of a decision — even where the result is not the one that they wanted — if the process for reaching that decision has been explained clearly and simply ahead of time. Of course, an ongoing challenge is to maximise the likelihood that the relevant individuals actually read your transparency information. Here, one is advised to think creatively; “just-in-time” notices and pop-ups, to name two, can help to bring the relevant information to their attention.
Still, the nature of certain ADM means that it involves denying individuals access to goods, services or other opportunities. And human nature being what it is, some of these individuals will feel aggrieved and (1) make an access request under Article 15 of the GDPR, and/or (2) seek human intervention or challenge the decision under Article 22(3) of the GDPR. This will, or is likely to, occur irrespective of the strength of your initial transparency information. But at the same time, strong transparency information will in all likelihood reduce the number of such requests you receive.