Europe’s Highest Court Compels Disclosure of Automated Decision-Making “Procedures and Principles” In Data Access Request Case
What You Need to Know
Key takeaway #1
A data subject is entitled, under Articles 15 and 22 of the European Union’s General Data Protection Regulation (GDPR), to receive not just the elements of their personal data employed in automated decision-making, but also the “procedures and principles used” in “a concise, transparent, intelligible and easily accessible form.”
Key takeaway #2
The right of access under Article 15 should allow the data subject to effectively exercise their right not to be subject to a decision based solely on automated processing, at least to obtain suitable safeguards to protect their rights and interests (set forth in Article 22) and to consequently enjoy their right “to express one’s point of view and to challenge an automated decision taken.” Such rights are only “meaningful” if the data subject can not only determine whether the personal data involved in the decision is accurate, but also receive “all relevant information concerning the procedure and principles relating to the use of” that data in the decision-making process.
Key takeaway #3
Citing the “rights and freedoms of others” access limitation in Article 15(4), combined with certain GDPR recitals and other laws including Directive 2016/943 protecting trade secrets, the ruling emphasizes that the right to data protection is not absolute and must be balanced with other rights, including a data controller’s trade secrets. However, this does not serve as a blanket prohibition on the access request; instead, the controller may be required – in data access enforcement proceedings – to submit the trade secret information to supervisory authorities or courts, which will balance the rights and interests involved to determine the extent of the data subject's access rights on a case-by-case basis.
Client Alert | 6 min read | 03.11.25
On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a ruling about the requirements on data controllers to respond to data access requests regarding an automated decision-making system. In particular, the CJEU interpreted the meaning (under Article 15(1)(h) GDPR) of the phrase “meaningful information about the logic involved” in automated decision-making. Importantly, the ruling also separately addressed how to balance data access rights with the protection of the controller’s trade secrets, when the protection of trade secrets is invoked under Article 15(4) as a reason not to disclose a copy of personal data in an access request.
Background
The ruling involves a challenge in an Austrian court about automated credit assessment. The dispute was about a person who was denied a contract or its extension by a mobile phone operator, which required a monthly payment of 10 EUR. The denial was based on an automated credit assessment by Dun & Bradstreet (a business data analytics company), which found the customer lacked sufficient financial creditworthiness.
The Austrian court determined that Dun & Bradstreet violated the GDPR by not providing the customer with "meaningful information about the logic involved" in the automated decision-making process. Following this decision, the customer sought enforcement of the judicial decision in another Austrian court (Verwaltungsgericht Wien).
This Austrian court referred the case to the CJEU for guidance on interpreting the GDPR's right of access and the extent to which such right might be limited by the protection of trade secrets, as harmonised by Directive 2016/943.
Interpretation by the Court of Justice
“Meaningful information about the logic involved” in automated decision-making
Article 15 of the GDPR sets forth the data subject’s right of access to certain information from a controller. In particular, a data subject has the right to “confirmation as to whether or not personal data concerning him or her are being processed.” If so, the data subject is also entitled to access additional information regarding the data processing, including (under Article 15(1)(h)) “the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, ‘meaningful information’ about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
In examining Article 15(1)(h) of the GDPR, the CJEU interpreted the term “meaningful information” broadly (by reference to the – complementary – slightly different language versions) so as to include all relevant information about the use of personal data by automated means to achieve a specific outcome. This includes an explanation of the actual procedures and principles used to achieve a specific result, like a credit profile. This interpretation should enable individuals to effectively exercise their rights to obtain certain safeguards of their rights and interests (e.g. human intervention) when they are subject to automated decision-making, but also to express their point of view and to contest the resulting decision under Article 22(3) GDPR.
The data subject has a “genuine right” to an explanation as to the functioning of the mechanism, in a “concise, transparent, intelligible and easily accessible form.” The mere communication of a complex mathematical formula, such as an algorithm, or the detailed description of all the steps in automated decision-making does not meet these requirements.
Instead, the controller should find straightforward ways to explain the rationale or criteria used in making the automated decision. The controller must describe for the data subject the procedures and principles actually applied, in such a way that the individual can understand which personal data were used in the automated decision (including the personal data generated by the controller, i.e. the credit profile). One way to meet these requirements is to inform the individual how changes in their personal data might have led to a different outcome.
In conclusion, the CJEU stated that the right of access allows the individual to request the controller to explain the procedures and principles applied in the automated decision-making, including profiling. This explanation must be provided in a concise, transparent, intelligible, and easily accessible form, detailing how personal data were used to achieve a specific result, such as a credit profile.
Tension between the right to access and the protection of trade secrets
Dun & Bradstreet challenged in court an order by the Austrian data protection authority requiring the company to disclose “meaningful information about the logic involved” in the credit scoring decision on the basis that such information was a protected trade secret.
Article 15(4) of the GDPR indeed provides that the data subject’s rights to obtain a copy of their personal data “shall not adversely affect the rights and freedoms of others,” and trade secrets (within the meaning of point 1 of Article 2 of Directive 2016/943) might serve as a basis to limit the data subject’s rights under Article 15(4).
The CJEU acknowledged that the right to data protection is not absolute and must be balanced with other fundamental rights, in accordance with the proportionality principle (recital 4 GDPR). The right of access should furthermore not negatively impact the rights or freedoms of others, including trade secrets or intellectual property, particularly the copyright protecting software (recital 63 GDPR).
The CJEU ruled, however, that these considerations should not lead to a complete refusal to provide information to data subjects and a “balance should be struck” between the right of full and complete access to personal data and the rights or freedoms of others.
In practice, where the right of access to a data subject’s personal data would lead to an infringement of rights or freedoms of others (e.g. third party personal data or trade secrets), the controller must disclose the allegedly protected information to the court or supervisory authority so they can decide to what extent the data subject is entitled to access their personal data, thus balancing the rights and interests at issue.
The CJEU does not expect the controller to proactively disclose its trade secrets to the data subject, who exercises their right to access. However, if the controller wishes to rely on the protection of its trade secrets (such as the profiling algorithms) to deny full access to the personal data, that controller may have to explain to the court or the supervisory authority how the personal data would reveal or infringe its trade secrets. Moreover, based on the right of defense, the data subject will request access to such information so they can defend their position before the court or the supervisory authority. While the disclosure of information protected under intellectual property rights or trade secrets is not uncommon before civil courts (e.g. within a confidentiality club), this may prove more challenging for data protection authorities.
Conclusion
The implications of this ruling for organizations are significant. Companies must be prepared to provide a clear and concise description of their automated decision-making process to inform data subjects of how decisions about them are made, including the personal data involved in the automated process. This case provides further motivation for having a data governance regime that anticipates a requirement to describe the automated process to non-technical persons such as a (potential) customer. Additionally, data controllers must be aware of the limitations of invoking Article 15(4) of the GDPR to refuse compliance with a data subject’s access request and the possibility of disclosing proprietary information to a supervisory authority or court for a balancing of the controller’s interests against those of the data subject.
Crowell & Moring’s international team of privacy and data protection attorneys are available to provide additional guidance.