
News 18 Mar 2025 · France

CJEU landmark ruling on the right of access and automated decision-making

Don’t disclose the algorithm, explain it


On February 27, 2025, the Court of Justice of the European Union (CJEU) handed down a critical decision with significant implications for businesses engaging in any kind of automated decision-making (ADM) that affects individuals, including through AI (Case C-203/22 Dun & Bradstreet Austria).

The CJEU’s ruling dispels some previous uncertainty by clarifying (i) what information an organisation must disclose to individuals about how an automated decision about them was made under Article 15(1)(h) GDPR, and (ii) whether organisations can invoke the protection of trade secrets to withhold such information.

Background

A credit rating agency issued a negative credit rating to an Austrian individual seeking to enter into a mobile telephone contract. This individual’s negative score, generated through an automatic credit scoring assessment with no human intervention, resulted in the mobile telephone operator refusing to conclude the telephone contract with her.

The individual relied on Article 15(1)(h) GDPR to request from the credit scoring agency “meaningful information about the logic involved” in the automatic decision affecting her. The credit rating agency withheld certain information, on the basis that its algorithm was a protected trade secret.

The resulting dispute reached the Administrative Court of Vienna, which referred the matter to the CJEU for guidance on the scope of the right of access under the GDPR and its interplay with trade secret protection.

The CJEU’s interpretation

  • What information must be disclosed to data subjects under Article 15(1)(h) GDPR?

The CJEU ruled that, pursuant to an individual’s GDPR right to obtain “meaningful information about the logic involved” in ADM, the data controller must describe the procedure and principles actually applied in order to use the individual’s personal data for obtaining a specific result, such as a credit profile.

Building its reasoning on a purposive approach, the CJEU stressed that this explanation should enable data subjects to effectively exercise their rights conferred by the GDPR, in particular Article 22(3), to obtain human intervention, express their point of view on the automatic decision and to challenge it.

Crucially, that explanation must be provided in a concise, transparent, intelligible and easily accessible form. The CJEU expanded on the implications of this requirement, considering that it can be satisfied neither by the mere communication of a complex mathematical formula, such as an algorithm, nor by a detailed description of all the steps involved in the ADM. In other words, overly complex explanations which do not allow the data subject to understand the ADM process are insufficient.

Rather, the controller must find simple ways to tell the data subject about the rationale behind, or the criteria relied on in reaching the automated decision. In a credit scoring context, it could be sufficient to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result.

In essence, the CJEU recognised the existence of a genuine right to explanation on the functioning of the mechanism which underpins an automated decision, laying to rest an ongoing debate about the existence of such a right.

  • How to balance data access rights with the right to non-disclosure of trade secrets?

The CJEU addressed another major concern for businesses: how to protect trade secrets whilst meeting their transparency obligations, as they relate to ADM.

First, the CJEU reiterated, in accordance with previous case law, that the protection of trade secrets cannot be used as a blanket defence to avoid providing all information to the data subject. Wherever possible, organisations must choose means of communicating personal data that do not infringe the rights or freedoms of others. If that is not possible, a balance between the right of access and other competing interests (including the protection of trade secrets, IP or third-party data) must be struck to decide what information must be disclosed to the individual.

Of particular relevance, the CJEU went on to add that where the controller wishes to refuse to disclose certain information because it contains protected trade secrets or third-party data, the national court or authority can decide, if the disclosure is likely to result in an infringement of trade secrets, that the allegedly protected information must be disclosed to it. It would then be for this authority to balance the rights and interests in question, in order to determine the extent of the disclosure to the data subject.

Finally, the CJEU found that the Austrian legislation under consideration, which excluded, as a rule, the right of access where it would compromise a trade secret, was contrary to the GDPR.

Key takeaways for companies using ADM

  • Enhanced transparency obligations

This ruling confirms that the direction of travel with respect to GDPR compliance continues to be towards greater transparency. Whilst organisations using ADM are not per se expected to reveal their algorithm to data subjects, they must be prepared to explain to individuals how decisions affecting them are taken, such that individuals can understand which of their personal data was used and how, and, if necessary, challenge the automated decisions.

Organisations taking automated decisions should review and carry out adjustments to their internal policies and processes surrounding data access to align with the new transparency obligations. Organisations procuring ADM from third-party vendors should also reassess the contractual protections they seek from such vendors to ensure individuals are duly informed.

  • A new competence for national authorities to request protected trade secrets

This ruling makes it clear that a company cannot simply refuse to provide the required information by invoking trade secret protection.

Significantly, the CJEU has also recognised a new competence for national courts and data protection authorities to carry out the balancing assessment between the right of full and complete access to personal data and the rights or freedoms of others. This means that an organisation wishing to invoke trade secret protection when confronted with a data request under Article 15(1)(h) now runs the risk of being required to hand such information to national regulators or courts for such authorities to arbitrate how much of the requested information must be provided to the data subject.

Much remains open about this new competence, including how much information will need to be disclosed to the national authority and what type of procedural, safety and security safeguards and assurances (if any) will be implemented, particularly given the sensitivity of trade secrets.

This uncertainty, coupled with the risk of inconsistent national implementation, weakens the protection afforded to trade secrets and may even deter organisations from relying on it. The ruling makes it all the more strategic to carefully calibrate disclosures such that they provide sufficient explanation whilst carving out protected trade secrets, in order to mitigate risks of having to disclose them to national authorities.

Looking ahead

The CJEU ruling will inevitably shape the outcome of future decisions on the matter. Notably, on the very same day this ruling was issued, the non-profit NOYB filed a complaint with the Swedish DPA challenging a Swedish bank’s refusal to disclose the logic behind a mortgage rate calculation on the grounds of trade secret protection.

In the field of AI, the CJEU ruling may also prove relevant for future interpretations of the right to information on decisions taken by high-risk AI systems, which is governed by similar provisions (albeit worded differently) of the AI Act (Article 86(1)), which have recently been referred to the CJEU for a preliminary ruling.

ADM has pervaded business practices across a broad range of sectors in recent years, ranging from mortgage rate fixing and credit rating to automated CV screening and dynamic pricing. As appetite for ADM, including through AI, shows no signs of abating, this decision is poised to have a far-reaching impact.
