Automated decision-making involves using technological tools to make decisions that affect data subjects by applying complex algorithms, for example through the automatic rejection of an online loan application. In such cases, the exercise of data subjects’ rights is of particular importance. However, data subjects can only exercise these rights effectively if they are provided with clear information on the complex logic underlying the automated decision-making. In a recent decision, the CJEU examined the criteria that a controller must meet when providing information to a data subject exercising his or her right of access.

ILF’s Hungarian member, Smartlegal Schmidt&Partners, summarizes this issue in this article.

  1. Facts

An Austrian mobile phone operator refused to conclude a mobile phone contract with a monthly payment obligation of ten euros with the data subject, claiming that the data subject did not have sufficient financial solvency according to an automatic credit assessment carried out by D&B.

After the Austrian data protection authority issued a decision requiring D&B to provide clear information on the logic underlying its automated decision to the data subject, D&B challenged the decision before the administrative court, claiming, inter alia, that it was a business secret.

This court found that D&B had violated the data subject’s right of access by failing to provide him or her with understandable information or sufficient explanation to enable him or her to understand how the prediction of the likelihood of the data subject’s future behaviour had been made.

After the competent body refused to enforce the above decision, the data subject turned to the administrative court for enforcement of the decision.

The court seized of the data subject’s application considered that it was bound to enforce the decision under Austrian law but considered it necessary to refer the matter to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling on the definition of the specific acts that D&B was bound to perform under that decision.

  2. Questions to the CJEU

In the present case, the issue was the interpretation of the data subject’s right of access, according to which the data subject has the right to be informed of the fact that automated decision-making is taking place and to receive clear information about the logic used and the significance of such processing and its likely consequences for the data subject.

In essence, the court asked whether the above requirement should be interpreted as meaning that, in the case of automated decision-making, the data subject may ask the controller for an exhaustive explanation of the specific procedures and principles applied and, if so, what criteria must be met by that explanation.

  3. Decision of the CJEU

On the one hand, the CJEU has established that the right of access to automated decision-making applies to all relevant information concerning the procedures and principles governing the use of personal data in an automated way to achieve a specific result.

On the other hand, the CJEU also stressed that the requirement laid down in the GDPR that the data and information must be provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, also applies to the right of access to automated decision-making.

It is also important that the right of access should enable the data subject to ascertain that the personal data relating to him or her are accurate and are being processed lawfully, since only in possession of such data can the data subject’s rights be effectively exercised.

Indeed, if data subjects were not in a position to understand the reasons for the decision before expressing their views or challenging it, these rights could not fulfil their purpose of protecting data subjects against specific risks to their rights arising from the automated processing of personal data.

In order to enable the data subject to exercise his or her rights effectively, this explanation should be provided in a concise, transparent, intelligible and easily accessible manner, using relevant information.

Neither a mere statement of a complex mathematical formula, such as an algorithm, nor a detailed description of all the steps of automated decision making can meet these requirements, as neither of these methods constitutes a sufficiently concise and comprehensible explanation.

In view of the above, in the case of automated decision-making, the data subject may request the controller to explain the specific procedures and principles applied in using the data in an automated way to achieve a specific result, such as a solvency profile, using relevant information, in a concise, transparent, intelligible and easily accessible manner.

In this article we analysed the judgement C‑203/22 of the CJEU.

Written by dr. Agnes Bartus

SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at smartlegal.hu