AG opinion: Balancing automated decision-making, trade secrets and EU GDPR

In a recent opinion, Advocate General (AG) Richard de la Tour of the European Court of Justice (ECJ) provided important guidance for companies on balancing transparency requirements under the EU GDPR, with the protection of trade secrets around automated decision-making processes.

The opinion relates to Case C-203/22, where an Austrian individual was denied a mobile phone contract following a fully automated credit assessment. The automated assessment concluded that the individual lacked the financial capacity to pay the €10 monthly fee. To understand the rationale behind the decision, the individual requested meaningful information about the logic involved in the automated processing under Article 15(1)(h) of the EU GDPR. However, the mobile phone company refused, citing the protection of trade secrets under Directive 2016/943 in respect of their AI algorithms. This led to the case being referred to the ECJ for a preliminary ruling.

The AG’s opinion addressed two main points: (i) how much information needs to be disclosed to comply with the EU GDPR’s transparency requirements; and (ii) how to balance this with the protection afforded to companies through trade secrets.

Firstly, the AG emphasised that data subjects have the right to understand the automated decision-making processes that affect them. Under Article 22(1) of the EU GDPR, individuals also have the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions have legal or similarly significant implications for that individual (subject to certain exceptions). Article 15(1)(h) of the EU GDPR requires that data subjects are informed of: (i) the existence of such automated decision-making; (ii) meaningful information about the logic involved; as well as (iii) the significance and envisaged consequences of such processing.

The AG clarified that this information should be concise, easily accessible, and formulated in clear and plain language. It should explain the method and criteria used for the decision in a way that allows the data subject to verify its accuracy and understand the causal link between the method used and the decision reached. Of particular importance, controllers are not necessarily required to disclose complex algorithms or formulas, or at least their technical details, because, by reason of their technical nature, they may not be easily understood by data subjects without technical expertise. The AG also listed out certain information that should be required to fulfil the data subject request, for example: (i) the factors taken into account for the decision-making process; (ii) their respective weight; and (iii) the outcome of the decision and reasons for the outcome.

Secondly, the AG addressed the balance between transparency and the protection of trade secrets. Whilst the AG acknowledged the importance of trade secrets to give organisations a competitive advantage, it emphasised that trade secrets cannot be used to avoid transparency obligations under the EU GDPR. Equally the AG also opined that whilst an individual's personal data protection is a fundamental right, it is not absolute and must be balanced against other rights.

The AG reiterated that refusing to provide any information to a data subject solely to protect trade secrets is not acceptable. Instead, a case-by-case balancing exercise is required, for example, companies should provide general explanations of how their AI systems work without disclosing detailed proprietary algorithms. That said, where the information to be provided to the data subject is likely to result in an infringement of the rights and freedoms of others, in particular because it contains personal data of third parties or a trade secret, that information must be disclosed to the competent supervisory authority or court so that the regulator or court can weigh the interests involved and determine the extent of the right of access that must be granted, in accordance with the principle of proportionality and the confidentiality of that information.

Although AG's opinions are not binding on the ECJ, they are often adopted by the court. Therefore, this opinion offers valuable insights for those companies using automated decision-making and navigating the complex interplay with EU GDPR compliance. By ensuring transparency and balancing it with the protection of trade secrets, companies can build trust with data subjects while safeguarding their innovative processes.