Yesterday, the Court of Justice of the European Union (CJEU) gave judgment in Dun & Bradstreet Austria, ruling that data subjects have a right to meaningful information about the logic involved in automated decision making with significant effects.
Although it remains to be seen how the decision will be implemented in practice, it is likely to have a significant impact on financial institutions and corporates that use automated processes as part of their decision making.
The CJEU’s guidance
In the ruling, which essentially affirms the Attorney General’s opinion, the CJEU confirmed that the mere communication of an algorithm does not constitute a sufficient explanation of how the personal data is used.
Instead, controllers must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used in the automated decision making.
The CJEU also stated that where a data controller takes the view that the information to be provided contains protected data of third parties or trade secrets, the information must be provided to a competent authority or court to undertake a balancing act between the right of the data subject to understand the use of their personal data and the right to protect commercially sensitive data or trade secrets, or another individual’s personal data.
Protecting trade secrets
Whilst undertaking a case-by-case balancing act seems a pragmatic approach in theory, significant questions remain - particularly from parties interested in protecting their trade secrets - around how this will operate in practice. These include:
- who is the competent authority or court for a global business;
- the scope of disclosure required;
- whether the competent authority or court is equipped to safeguard the trade secret and how they will do this; and
- what assurances can be given, if any, prior to disclosure.
What’s more, there is a question as to whether the competent authority or court has the technical expertise to understand the trade secret and undertake an informed assessment. If a decision ordering disclosure is made, can any data controller resisting disclosure of the trade secret appeal the decision and how do the rights of the data subject inter-play?
It remains to be seen how the decision will be implemented in practice and where the balance will tip.
/Passle/6182994d49b2340a4c485aab/SearchServiceImages/2025-01-31-09-50-30-486-679c9ce6297114335f254be7.jpg)
/Passle/6182994d49b2340a4c485aab/SearchServiceImages/2025-02-28-11-52-14-568-67c1a36ee61f8dd384d3694f.jpg)
/Passle/6182994d49b2340a4c485aab/SearchServiceImages/2025-02-25-12-58-20-619-67bdbe6ccf55e00d88a8addd.jpg)
/Passle/6182994d49b2340a4c485aab/SearchServiceImages/2025-02-24-15-01-40-318-67bc89d4d971877f2f234aec.jpg)