November 07, 2024
The opinion of Advocate General (AG) de la Tour in CK v Dun & Bradstreet Austria, published in September 2024, brings some much-awaited clarity to the debate about the interpretation of the data subject’s right to access ‘meaningful information about the logic involved’ in automated data processing (Article 15(1)(h) GDPR). In an earlier case concerning an automated creditworthiness assessment, OQ v Schufa Holding, AG Pikamäe’s opinion already gave a hint regarding the scope of this right. However, since the main question in that case did not pertain to interpreting Article 15(1)(h) GDPR, the CJEU refrained from weighing in on this subject in its final judgement. This time around, we can expect the CJEU to formulate its stance on the matter, whether or not it corresponds to the opinion of the AG.
But even on its own, AG de la Tour’s analysis about Article 15(1)(h) GDPR provides a welcome level of detail at a time when algorithmic – or automated – decision-making is a growing trend across industries. Meanwhile, stakeholders are in disagreement over how much decision subjects should know about the algorithmic decision-making processes affecting them. That is so regardless of the extensive body of academic literature on the subject of a GDPR ‘right to an explanation’, which further highlights the relevance of this AG opinion.
The case
At the heart of this request for a preliminary ruling is the refusal of an Austrian mobile phone operator to conclude a 10 EUR per month phone contract on the grounds that the applicant lacked sufficient financial creditworthiness. When the applicant, relying on article 15(1)(h) GDPR, turned to the credit assessment provider to help her understand her credit rating, she received little information. The information she did receive indicated a rather decent credit rating that was contradictory to her being refused a 10 EUR per month phone plan. The credit assessment provider refused to give any further information, leading the applicant to initiate the case now facing the CJEU.
The domestic court has submitted two main questions to the CJEU. First, how to interpret the controller’s obligation to provide ‘meaningful information about the logic involved’ in automated decision-making established in article 15(1)(h) GDPR? Second, to what extent can the controller rely on the protection of the rights or freedoms of others, e.g., the protection of a trade secret, as a basis for limiting access to the information to which the data subject is entitled?
This contribution is dedicated to analysing the AG’s opinion with regard to the first of these questions because of its topicality. According to article 15(1)(h) GDPR, the data subject has the right to obtain from the controller information about the existence of automated decision-making, including profiling, referred to in article 22(1) and (4) GDPR. At least in those cases, this right entails that meaningful information is provided about the logic involved, as well as the significance and the envisaged consequences of the processing of personal data for the data subject. In tackling this provision, AG de la Tour starts where AG Pikamäe left off in his opinion in OQ v Schufa Holding (para 58) stating that ‘the obligation to provide “meaningful information about the logic involved” must be understood to include sufficiently detailed explanations of the method used to calculate the score and the reasons for a certain result’. He then proceeds to offer an in-depth and systematic interpretation of article 15(1)(h) GDPR.
The link between Articles 15(1)(h) and 22 GDPR
AG de la Tour starts to unpack Article 15(1)(h) GDPR by determining the purpose behind the right of access to information. He highlights that the general purpose of the right to obtain information under Article 15 GDPR is to enable the data subject to effectively exercise his or her other rights enshrined in the GDPR (see also FT v DW, para 73). According to AG de la Tour, the right of access contained in Article 15(1)(h) ‘must enable [the data subject] to exercise the rights conferred on him or her by Article 22 of the GDPR’ (para 47). Article 22(3) GDPR foresees at least three concrete rights that should be provided to subjects of decisions based on solely automated data processing: the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Thus, in interpreting the scope of article 15(1)(h) GDPR, the aims pursued by Article 22 GDPR play a central role: to protect data subjects from the threats related to solely automated decision-making and enable them to exercise their related rights (para 51).
The functional understanding of meaningfulness encompasses both form and substance
Much like the characterisation given to the term ‘meaningful’ by Selbst and Powles in 2017, AG de la Tour calls for a functional understanding of what constitutes ‘meaningful information about the logic involved’ in Article 15(1)(h) GDPR (para 64). Considering the purpose of this provision, he outlines what a functional understanding of ‘meaningful information’ means in terms of both form and substance.
When it comes to form, AG de la Tour offers a rather eloquent account of the existence of a ‘right to explanation’ in the GDPR. He affirms that a data subject has ‘a genuine right to an explanation as to the functioning mechanism involved in automated decision-making of which that person was the subject and of the result of that decision’ (para 67). He considers the explanation an inherent part of the right of access to information as it ensures the meaningfulness of the provided information for two reasons. First, an explanation makes the information provided to the data subject intelligible to them. In other words, the explanation helps to ensure that the information provided under article 15(1)(h) GDPR is concise, easily accessible, easy to understand and presented in clear and plain language. Second, the explanation provides a contextualised understanding about how the data subject’s personal data is being processed. Therefore, even though article 15(1)(h) GDPR confers on data subjects the right of access to ‘meaningful information’, this right of access necessarily presupposes the ‘right to an explanation’. We can thus conclude that an unintelligible and decontextualised account of information cannot be considered ‘meaningful’ information from the perspective of the data subject and the aim of the provision.
Having confirmed the existence and contours of the right to an explanation, AG de la Tour proceeds to offer some guidance on the substantive quality expected from this explanation. The explanation should enable the data subject to objectively verify the ‘consistency and causal link between, on the one hand the method and criteria used, and on the other hand, the result arrived at by the automated decision’ (para 68). Therefore, the information provided should allow the data subject to check the accuracy of the information being processed as well as verify whether the information could, by applying the automated processing method described by the controller, lead to the specific result concerning them. AG de la Tour nevertheless finds that the right enshrined in article 15(1)(h) GDPR does not require the disclosure of the algorithm to the data subject. After all, the algorithm is likely so complex that it cannot be understood by someone lacking the necessary technical expertise (para 72).
Reconciling contradictory explanation demands
Regardless of the many clarifications offered, the reader of this AG opinion is left to ask how to reconcile the proposed requirement for the form of the explanation – concise, easy to understand explanations expressed in clear and plain language – with the substantive requirement that the information must provide an ‘objectively verifiable consistency and causal link’ between the method and criteria used for processing and the automated result. One possibility discussed in the opinion is giving the data subject anonymised examples of similar processing operations by way of comparison (para 78). This resembles the case-based reasoning methodology used to make sense of complex algorithms by offering comparable cases as reference points for specific outcomes (Watson 1999). Although such examples would arguably enable the data subject to better contextualise the information provided, they may fall short of the criterion of objective verifiability of a specific result concerning the data subject since they are not linked to that specific decision. This criterion might also be difficult to meet when using complex algorithms where interpretability and accuracy are often at odds with each other. There, one can only speak of improving, as opposed to achieving, the interpretability of an algorithm (Adadi & Berrada 2018).
This tension between the requirements for the form and substance of an explanation is perhaps starker for consequential decisions such as credit assessments or administrative decisions concerning benefit distribution, permit allocation, etc., than for decisions about targeted advertisements or song recommendation. The potential effect of the CJEU establishing an objective verifiability criterion could be that such consequential decisions will in the future be made with algorithms that are either less complex or interpretable-by-design. Should the explanation for a complex algorithm be unable to meet the objective verifiability criterion, that can theoretically be compensated for by the data subject’s right to obtain human intervention on the part of the controller (Article 22(3) GDPR). This, however, is not really a solution to the observed tension; at best, it is a work-around.
A clear conceptualisation of the right to explanation
If the CJEU were to stand by AG de la Tour’s analysis, three clear answers could be given to questions about the GDPR right to explanation that so far have been subject to speculation.
First, it could be ascertained whether the right to an explanation really forms part of the GDPR and, if so, where it derives from (see e.g., Wachter et al. 2017, and Selbst & Powles 2017). So far, theories about the source for this right span across Articles 13(2)(f), 14(2)(g), 15(1)(h) and 22(3) and recital 71 GDPR. AG de la Tour’s opinion convincingly argues that the right to an explanation is implicit in the right to access information established in Article 15(1)(h) GDPR. The latter, in turn, is inextricably linked with Article 22 GDPR. Thus, the CJEU could hold that the right to explanation arises out of the combination of these two provisions.
Second, the CJEU could definitively answer the question whether data subjects are entitled to explanations concerning only the functionality of automated systems, or also to information about the reasons why a specific decision has been arrived at (see e.g., Edwards & Veale 2018). The answer was already suggested in the opinion of AG Pikamäe in OQ v Schufa Holding and has now been echoed by AG de la Tour: the explanation should include information concerning the functionality of the automated system as well as the reasons for a certain result.
Third, the CJEU could provide an answer to what should be understood as ‘meaningful information about the logic involved’ in automated decision-making (see e.g., Custers & Heijne 2022). The AG opinion outlines that this information should be accessible, sufficiently complete and contextualised, include details about the process that led to the automated decision, and contain the reasons for the outcome of the decision (para 76). He further offers a yardstick for measuring whether the information provided in accordance with article 15(1)(h) GDPR is in fact sufficient. As that yardstick, he proposes that the information should make it possible to objectively verify the consistency and causal link between the logic involved in the automated processing and the result arrived at by the system.
Thus, AG de la Tour’s opinion offers quite some clarity about questions that have circled the academic debate regarding the existence and boundaries of the right to an explanation in the GDPR. Hopefully, when writing the judgment, the CJEU will make use of the arguments put forward by AG de la Tour as well as clarify what to make of the inherent tension between the requirements established for the form and substance of explanations due under Article 15(1)(h) GDPR.
This article was first published on The Digital Constitutionalist on November 6, 2024.