On February 27, 2025, the CJEU delivered an important judgment on
the interpretation of Article 15(1)(h)
and Article 22 of Regulation (EU) 2016/679 on General Data Protection
(GDPR) in C-203/22 CK Magistrat der Stadt Wien v Dun
& Bradstreet Austria GmbH.
The facts
The mobile phone operator refused CK’s request
to conclude or extend the mobile telephone contract for a monthly payment of a
mere EUR 10. The refusal was justified with CK not passing a
creditworthiness check with the credit reference agency D & B,
which carried out an automated assessment. Unsurprisingly, CK was unhappy with
the decision; her credit score was good. She brought the matter to the Austrian
data protection authority and, with this, started a long way to the preliminary
reference, going through various instances and avenues for protection.
The referring court raised several questions,
which the CJEU grouped into essentially two questions:
The
first question
Must Article 15(1)(h) be interpreted as
meaning that, in the case of automated decision-making, including profiling,
within the meaning of Article 22(1), the data subject may require the
controller to provide, ‘meaningful information about the logic involved’ in the
decision making, which would mean an exhaustive explanation of the procedure
and principles actually applied in using personal data to obtain a specific
result, in this case, a creditworthiness assessment.
According
to Article 15 (h), the data subject has the right to obtain from the
controller confirmation as to whether his/her personal data is being processed,
information on the use of automated decision-making where applicable, including
profiling, referred to in Article 22(1) and (4), and meaningful
information about the logic involved, as well as the significance and
the envisaged consequences of such processing for the data subject.
Article 22
provides that the data subject shall have the right not to be subject to a
decision based solely on automated processing, including profiling, and that
certain data enlisted in Article 9(1) GDPR such as racial or ethnic origin,
religious beliefs cannot be considered in data processing.
Profiling, in this context, means automated processing of personal data, consisting of using personal data to analyse
or predict the consumer's economic situation.
In
its analysis, the CJEU first turned to a literal interpretation of the wording
of Article 15 (h) and concluded that the concept of ‘meaningful information’
under that provision may have various meanings in different language versions
of GDPR, which should be taken to be complementary to each other. In addition,
the ‘logic involved’ in automated decision-making, which constitutes the
subject matter of ‘meaningful information’ is capable of covering a wide range
of ‘logics’ concerning the use of personal data and other data with a view to
obtaining a specific result by automated means. The CJEU held, that the
provision covers all relevant information concerning the procedure and
principles relating to the use, by automated means, of personal data with a
view to obtaining a specific result.
The CJEU next
turned to contextual analysis of the concept of
‘meaningful information about the logic involved’, within the meaning of
Article 15(1)(h). In this analysis the CJEU looked at the Guidelines on
automated individual decision-making and profiling for the purposes of
Regulation 2016/679 and other provisions of the GDPR providing information
duties of data controllers. The CJEU concluded that information duties
relate to all relevant information that should be provided in clear, concise,
transparent, intelligible and easily accessible form, using plain and clear
language
Finally,
the CJEU looked at the purpose of the provision, asserting that the purpose of
the data subject’s right to obtain the information provided for in
Article 15(1)(h) is to enable him or her to effectively exercise the
rights conferred on him or her by Article 22(3), namely, the right to
express his or her point of view and to contest the relevant decision. This, in
turn, requires the right to obtain an explanation of the decision.
The CJEU
then concluded that under Article 15(1)(h) the
right to obtain ‘meaningful information about the logic involved’ in automated
decision-making must be understood as a right to an explanation of the
procedure and principles actually applied in order to use, by automated means,
the personal data of the data subject with a view to obtaining a specific
result, such as a credit profile. In order to enable the data subject to effectively
exercise the rights conferred on him/her by the GDPR and, in particular,
Article 22(3), that explanation must be provided by means of relevant
information in a concise, transparent, intelligible and easily accessible form.
Notably, the court further provided guidance on what is considered to be
‘meaningful information about the logic involved’ in automated decision-making.
The procedures and principles actually applied must be explained in such a way
that the data subject can understand which of his/her personal data have
been used in the automated decision-making and the extent to
which a variation in the personal data taken into account would have led to a
different result. The requirements of Article 15(h) cannot be met
by the mere communication of a complex mathematical formula, such as an
algorithm, or by the detailed description of all the steps in automated
decision-making since neither of those would constitute a sufficiently concise
and intelligible explanation.
Second
legal question
Another
important contribution of the present judgment is the consideration of the
relationship between Article 15(1)(h) and Directive 2016/943 on trade
secrets, given that D&B argued that the logic of their automated
decision-making, including what information is considered in which way, is a
trade secret and should, therefore, not be disclosed.
The CJEU
highlighted that the protection of personal data is not an absolute right.
Restrictions are possible of the scope of the obligations and rights provided
for in, inter alia, Article 15 of the GDPR, but only when such a
restriction respects the essence of the fundamental rights and freedoms and is
a necessary and proportionate to safeguard the protection of the rights and
freedoms of others. However, the result of any consideration on the limits of
the protection of personal rights should not be a refusal to provide all
information to the data subject.
The CJEU
concluded that Article 15(1)(h) must be interpreted as meaning that, where
the controller takes the view that the information to be provided to the data
subject is a trade secrets, within the meaning of point 1 of
Article 2 of Directive 2016/943, that controller is required to provide
the allegedly protected information to the competent supervisory authority or
court, which must balance the rights and interests at issue with a view to
determining the extent of the data subject’s right of access provided for in
Article 15 of the GDPR.
Our analysis
This decision is significant in addressing the
long-standing problem of the lack of transparency in automated decision-making
by credit reference agencies, an important
problem
in the EU. Given that in most countries we have access to our credit reports we
can know what data is considered in their decision making in producing a credit
score and a credit report, however, credit reference agencies have refused disclosing
the way this data is processed, the logic behind their decision making, in what
way and to what extent various data is considered (weighted) in their decision making.
Although based on this decision, consumers
are still not entitled to get hold of that information directly, but a first
step has been made by mandating disclosure to the relevant authority who then
makes a decision on whether or not to disclose it to the consumer, balancing
the rights and interests of the two parties. This and other judgments of the
CJEU (see C-634/21
SCHUFA Holding) may be gradually bringing transparency into this traditionally
very untransparent area.
As credit reference agencies nowadays use artificial
intelligence for automated decision-making, the judgment is relevant for advancing
transparency considerations of AI systems.
Finally, given that the judgment tackles the
operation of credit reference agencies, which are frequently used by creditors
to assess the affordability of loan applications, it is relevant for
responsible lending rules in Directive 2023/2225 on consumer credit (CCD2),
which in Article 18 refers to creditworthiness assessment based on automated processing
of personal data.
