Have you ever asked yourself this question? Probably you have if you are a controller using automated decision-making (including profiling) and you have had to respond to data subject access requests (DSARs).
Where automated decision-making is within scope of a DSAR, the controller must provide meaningful information about the context of the automated decision-making, including the logic involved as well as the significance and consequences of the decision. The processing leading to automated decisions is technical and often complex, but as noted in regulatory guidance on automated decision-making and profiling, "complexity is no excuse for failing to provide information to the data subject".
With this in mind, we have considered the recent Opinion of the Advocate General in Case C-203/22, which concerns the interpretation of Articles 15 and 22 GDPR in the context of automated creditworthiness assessments. (It should be noted that we are still awaiting the CJEU's decision, which could change some of the points below.)
Key take-aways from the AG's Opinion
1) The level of detail required for meaningful information about the logic of automated decision-making
- Enabling the exercise of data subject rights. The concept of "meaningful information" is functional, as such information must enable data subjects to exercise their GDPR rights, including those related specifically to automated decision-making, i.e. to obtain human intervention, to express their point of view, and to contest the decision. Controllers should be guided by this function when determining what constitutes meaningful information about the logic of automated decision-making.
- Accessible form. Despite the technicality, the information must be intelligible, concise and formulated in clear and plain language.
- Comprehensible and significant. The explanation needs to make a complex technical process intelligible to data subjects with no technical expertise. It must be comprehensive and significant enough to enable them to verify whether the decision is based on accurate data and to exercise their rights.
- No need to disclose the algorithms. There is no requirement to disclose the algorithms. The controller can, however, provide technical information on the algorithms used, on a voluntary basis, in addition to meaningful non-technical explanations.
2) The limits to the scope of "meaningful information" due to the rights of others, including the protection of trade secrets
- The controller's right to the protection of trade secrets under the Know-How Directive, and the obligation to protect third parties' data, justify limiting the scope of information that needs to be provided.
- The tension between the right to meaningful information and the protection of the rights of others could be resolved by the controller disclosing the relevant information to the competent supervisory authority or court, for them to weigh up the conflicting interests and determine the scope of meaningful information required.
- In practice, the risk of infringing trade secrets in this context is limited, given that the right to information does not extend to technical information such as algorithms.