DSARs, trade secrets, and automated decision-making: what counts as "meaningful information about the logic involved"?

If an individual is subject to automated decision-making, including profiling, the right of subject access under GDPR includes a right to “meaningful information about the logic involved”. The scope of this obligation is going to become increasingly important as the rise of AI introduces more automated decisions. Many companies are concerned that the obligation will require them to reveal commercially sensitive information about the functioning of their algorithms. An Austrian request for a preliminary ruling currently under consideration by the CJEU asks detailed questions about the extent of the obligation and how it interacts with trade secrets, whilst also illustrating why the right is important.

In this case a consumer, CK, was refused a mobile phone contract costing a mere €10 a month on the basis of an automated credit assessment. CK submitted a DSAR to the agency concerned, Dun & Bradstreet Austria ("D&B"). The information she received gave her “a particularly high credit rating”, notwithstanding that the profile generated for her by D&B's automated assessment “effectively found her to have no creditworthiness whatsoever”. A dispute then ensued about how much information/explanation D&B had to provide about how their system had reached this conclusion, and the Viennese Administrative Court referred a number of very specific questions about what information D&B had to provide to the CJEU, which have now been considered in an A-G's Opinion.  

The subject-matter is similar to that considered by the CJEU in SCHUFA Holding and others, but the referring court explained that SCHUFA did not answer its questions relating to how the resolve the conflict between the data subject's right to protection of his or her personal data and the controller's interest in protecting trade secrets, or the level of detail required of the “meaningful information about the logic involved”.

An expert appointed by the Austrian court had concluded that “only the disclosure of the mathematical formula and the valuation functions of all the values used in that formula would enable CK to understand the profile of her which was generated”, which was necessary in order for her to be able to assert her right under Article 22(3) to challenge the decision. The report also suggested that “in order to enable the accuracy of the minimum information disclosed to be verified, D&B must also draw up and submit, in a relatively complete and detailed manner, and to serve as a basis for comparison, a list of all the information on at least 25 cases of comparable non-anonymised profiling which are contemporaneous with the profile generated in respect of CK and which were established using the same calculation rule”. Clearly this level of detail would be onerous for data controllers generally; D&B argued that in this specific instance it would require it to disclose trade secrets.

“meaningful information”

The A-G's opinion returns on a number of occasions to the Court's view that information required by Article 15 should be provided in a form that is “concise, easily accessible and easy to understand, and formulated in clear and plain language.” The information must also be sufficiently complete and contextualised to enable the data subject to verify both its accuracy and whether there is an objectively verifiable consistency and causal link between the method and criteria used and the result arrived at by the automated process. He notes that an algorithm is likely to be so technical that it could not be understood by someone without technical expertise, so its disclosure is not required by article 15. However the information disclosed should include the method used, the criteria taken into account, and their weighting, so that the process which led to a particular decision is intelligible to the data subject. He notes that the provision of this information is essential to enable data subjects to confirm the accuracy of processing and forms part of the safeguards required by Recital 71 for automated decision-making. The A-G considers that this approach will not put trade secrets at risk, since no technical information has to be disclosed, but in our experience many companies consider the weighting they assign to different factors to be highly sensitive.

Trade secrets vs. data subject rights

Recital 63 of the GDPR states that the right of subject access “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property”, and this seems to have been codified in Austrian law in the form of an exclusion of the right of access where this would compromise a business or trade secret of the controller or a third party. The A-G considers this absolutist approach to be inappropriate, and that there should instead be a balancing exercise on a case-by-case basis. In case of dispute, the information should be disclosed to the competent supervisory authority or court, so that the latter can carry out a balance of the interests involved and determine the extent of the disclosure.

As mentioned above, the referring court raised very specific questions about what information should be made available to the data subject in the main proceedings. In the A-G's view these specific questions were a matter for the national court, as it involved the application of the law rather than its interpretation, so it may be that the CJEU's decision in the case will not provide as much guidance as controllers may be hoping for.