Agefi Luxembourg - March 2025
Financial IT

By Vincent WELLENS, Avocat à la Cour, Ottavio COVOLO, Avocat à la Cour & Aline BLEICHER, Avocate, NautaDutilh Avocats Luxembourg S.à r.l.

Does the trade secret status of an algorithm prevail over the data protection rights of individuals affected by an automated decision-making system? What is the precise scope and nature of the information that must be provided to ensure compliance with the GDPR’s right of access obligations in this respect? These pivotal questions were addressed by the Court of Justice of the European Union (“CJEU”) in its decision published on 27 February 2025 in Case C-203/22 (Dun & Bradstreet Austria).

Against the backdrop of rapid technological advancements in artificial intelligence (“AI”) and increasing demands for transparency, the interplay between the protection of personal data and the safeguarding of commercial interests, most notably trade secrets, has reached a critical point.

The CJEU held that data subjects are entitled to intelligible information on how automated decisions are taken in relation to them. However, when such information includes trade secrets or third-party personal data, the controller is obliged to provide it exclusively to the competent supervisory authority or court for a balancing assessment between the GDPR rights of data subjects and the protection of trade secrets.

Background of the case

The dispute originated from a complaint by an Austrian consumer against a mobile phone operator that refused to enter into a contract, due to the consumer's insufficient creditworthiness. The operator’s decision was based on an automated credit assessment conducted by Dun & Bradstreet Austria (“D&B”), a credit reference agency.
The data subject sought an explanation on the reasoning behind this automated decision-making process, which led to a complaint being filed with the Austrian data protection authority (the “DSB”). The DSB, later confirmed by the Federal Administrative Court, considered that D&B had failed to provide meaningful information as required under the GDPR and ordered D&B to remedy such breach.

However, the enforcement of such decision with the City Council in Vienna was rejected, finding that D&B did provide sufficient information. This led to a further claim against the City Council before the administrative court, which referred the preliminary questions to the CJEU. The proceedings were however suspended until the decision in the SCHUFA case – another case of creditworthiness assessments before the CJEU – was rendered on 7 December 2023. (1)

How should profiling be explained to data subjects under the GDPR?

The first question relates to whether individuals as data subjects may request the disclosure of exhaustive explanations and principles applied in the automated decision-making process to profile them based on their personal data.

“Automated decision-making” broadly covers the ability to make decisions by technological means without human intervention, which may overlap but is not to be confused with “profiling”, referring to the automated processing of personal data to evaluate or predict aspects of an individual. In the SCHUFA decision, the CJEU highlighted the 3 criteria necessary to the notion of automated decision-making: (1) there must be a decision, (2) based solely on automated processing, including profiling, and (3) producing legal effects or similarly affecting the individual.
The main takeaway from that ruling is that profiling used to prepare a decision ultimately taken by a human being may still be considered automated where in almost all cases a negative profiling would lead to a refusal, thus broadening significantly the scope of the definition of an “automated decision-making”.

Pursuant to the right of access under art. 15 GDPR, data subjects are entitled to receive, i.a., “meaningful information about the logic involved, as well as the significance, and the envisaged consequences” of such automated decision-making processing for the individual, to be understood in a functional manner: the information must be both comprehensible and significant about the subject matter, i.e., how data is used to achieve a specific result (e.g., generating a credit profile). It should be noted that the profile generated by a credit agency will amount to personal data subject to the GDPR and the right of access.

Pursuant to the case law of the CJEU, and in particular the SCHUFA decision, the information to be provided must result in the data subject being in a position to understand the reasons leading to the decision and thereby enabling them to exercise their rights under the GDPR (such as requesting the correction and/or deletion of such data).

In the present case, the CJEU further clarifies that the explanation must not amount to the disclosure of the algorithm or the detailed functionality thereof, as this would not be comprehensible for the data subject. Rather, the CJEU advises explaining the extent to which a variation in the personal data taken into account would have led to a different result (e.g., whether a factor such as monthly income would affect the score in the end). It will be up to controllers to balance the given information, to be sufficiently comprehensible whilst remaining complete despite the complexity of the automated decision making.

What about the trade secrets of my algorithm?
The second key issue that has been raised in this procedure is the balance between data protection rights and other rights, notably intellectual property protection and the freedom to conduct business. Whilst recognising that the right to data protection is not absolute, the CJEU rejected the view that controllers may invoke trade secret protection to withhold all relevant information. Instead, if a controller claims that the requested information includes protected trade secrets or third-party personal data, it must be disclosed exclusively to the competent supervisory authority or court for consideration, which will then determine, on a case-by-case basis, the extent of the information that should be disclosed, thereby effectively balancing the data subject’s right to understand the processing of their personal data against the need to protect sensitive commercial information (citing its own case law regarding the similar defences under the GDPR against such disclosure).

The importance of this point is evidenced by the association None of Your Business (“NOYB”), founded by privacy activist Max Schrems, filing a complaint against Swedbank the same day as the commented decision. The complaint was directed against the refusal of the bank to answer a data access request in relation to its automated interest calculation method. Just like in the commented CJEU decision, the bank refused to give more information in this respect on the basis of its trade secrecy. (2)

From a procedural standpoint, this is yet another step in the broader trend of such reasoning on the disclosure of trade secrets in legal (and similar) proceedings. The French Court of Cassation rendered a decision on 17 February 2025 finding that a court confronted with a piece of evidence potentially covered by trade secrecy must analyse whether such evidence is essential to prove the allegations and whether this would result in a disproportionate infringement on the property rights of the relevant party. (3)

This further underlines the need for controllers not only to anticipate data access requests in general given their broad scope and limited timeframe for responding to them, but also to prepare in advance detailed explanations regarding their automated decision-making processes. Such explanation must include the right amount of relevant information, whilst ensuring no disclosure of trade secrets (at the risk otherwise of losing such protection over the disclosed information).

How does all of this affect my AI strategy?

The current ruling acquires even greater significance in light of the widespread, and sometimes even daily, use of AI, which will likely amount to automated decision making under the GDPR. The decision does not cite but echoes several provisions of the Regulation (EU) 2024/1689 on AI (“AI Act”), one of whose primary objectives is to mitigate discrimination and bias in the deployment of high-risk AI systems.

Art. 86 of the AI Act stipulates that any individual adversely affected by a decision based on the output of a high-risk AI system in Annex III (thus including recruitment and creditworthiness processes) is entitled to receive “clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken”. However, it should be noted that this right applies only to the extent that it is not already provided for by another EU law; in other words, where the AI makes a decision based on personal data, the individual should make their request pursuant to the GDPR, and not the AI Act. This being said, in light of data protection supervisory authorities inheriting competences for supervising AI applications, it is likely that the AI Act and the GDPR will receive a coherent enforcement.
In this context, it is imperative for all entities involved in the deployment of AI systems to review their contractual arrangements with their AI service providers to ensure that they can obtain and, in turn, supply the necessary information to meet the transparency and accountability requirements under the AI Act and the GDPR.

The main key takeaway of this decision is the reinforcement of the entities’ legal obligation of accountability, i.e., the ability to evidence in writing their compliance to supervisory authorities and prevent complaints from clients through pre-prepared holistic explanations and responses. However, this regulatory trend adds to the already burdensome nature of the European regulation in the AI sector, particularly when compared to the trends in other jurisdictions to regulate more lightly (through codes of conduct) or even deregulate the deployment of AI solutions.

1) SCHUFA Holding and Others, 7 December 2023, C-634/21.
2) NOYB, Swedbank refuses transparency in automatic interest calculation, 27 February 2025. Available here: https://lc.cx/mkJePS
3) Cass. fr., Com. 5 févr. 2025, F-B, n° 23-10.953

Some “meaningful” hints from the Court of Justice of the European Union
How to explain AIs and automated decisions to individuals

On 11 March, Luxexpo pulsed to the rhythm of innovation with the Future Ready Days, a must-attend event dedicated to the digitalisation of SMEs. Organised in collaboration with the Ministry of the Economy, the House of Entrepreneurship of the Chambre de Commerce and the Chambre des Métiers, this event immersed participants in the latest advances in artificial intelligence and cybersecurity, essential pillars of business competitiveness.
The day began on a note of vision and dynamism with speeches by Lex Delles, Minister of the Economy, SMEs, Energy and Tourism, Stéphanie Damgé, Director of Entrepreneurship at the Chambre de Commerce, and Tom Wirion, Director General of the Chambre des Métiers. Their message was clear: supporting Luxembourg SMEs in their digital transformation is a strategic priority. 300 participants had the opportunity to attend impactful talks, notably that of Butzi, international speaker and innovation expert, who captivated the audience with his dynamic and immersive approach on “The magic of AI”. With a mix of concrete examples and interaction, he demonstrated how artificial intelligence can be a formidable lever of creativity and efficiency for businesses.

Pierre Antoine Dhonte (UFO² Consulting) and Yann Ferguson (Inria - LaborIA) then shared practical advice and fresh insights on the use of AI and the surprising impacts of artificial intelligence on the world of work. As cyber threats evolve rapidly, Christophe Bianco (Cyber Digital Solutions Business Line) and Luc Cottin (R Secure, CISO of the Year 2024) provided essential keys to understanding and anticipating the new threats linked to AI. From sophisticated cyberattacks to innovative defence strategies, participants discovered how to secure their businesses against constantly evolving risks.

A round table moderated by Emmanuelle Ragot, Attorney at Law and Non-Executive Board Member, offered a privileged space for exchange between experts and entrepreneurs.
Paul Bisenius (Menuiserie Fellens), Fabrice Reynders (BTB Europe, Kardex partner) and the expert David Alexandre (Intellectual Property & Technology) shared their experiences of the digital transformation and process automation of their companies, brilliantly illustrating how AI can revolutionise traditional sectors.

This morning, rich in exchanges and discoveries, confirmed the growing interest of SMEs in integrating AI and strengthening their cybersecurity. With an engaged audience and memorable talks, the Future Ready Days are establishing themselves as a must-attend event for visionary entrepreneurs.

During the event, Stéphanie Damgé underlined the commitment of the Chambre de Commerce to supporting Luxembourg companies in their digital transformation. She stated: “The Chambre de Commerce will continue to actively support Luxembourg companies in this digital transition, by offering them targeted training, expert advice and concrete financing schemes, so that they can turn these challenges into real opportunities for growth. Preparing the digital future of our companies also means preserving their security, guaranteeing their resilience, and strengthening their capacity for innovation in a constantly changing world.”

Source: Chambre de Commerce

SMEs facing the challenges of digitalisation
© CC, MECO