Does your mobile provider also know more about you than you do?

It could be, according to the case Dun & Bradstreet Austria (C-203/22 summary)

Imagine your mobile phone and network contract are terminated from one day to another, out of the blue. You find yourself without a subscription and no access to the internet from your phone. As this is 2025, life is suddenly a bit more complicated, but you still carry on with your day, maybe on your work wifi or on the network of the public transport on the way home.

Then you get home, you take a breath, and start wondering: so what happened actually? Did I forget to pay my bills? Is there some administrative mistake? Can I make a new contract, or do I now have to get another provider? Why did this happen to me in the first place? Did someone press the wrong button?

This is what happened to “CK”, a lady from Austria, whose identity remains hidden by the Court of Justice of the EU (“CJEU” or “Court”)¹. Her mobile phone contract - worth around 10 euros (or ~11 dollars) - was refused. Later on, she found out that

she was refused because of an automated credit assessment by an Austrian data analytics company, Dun & Bradstreet.

Wait - how was that company involved? Why did they do a credit assessment? When did she agree to this? Isn’t the GDPR supposed to prevent exactly this type of cases?

A long way to learn the reasons

CK decided to file a complaint at the Austrian data protection authority. It ordered the data analytics company to give “meaningful information about the logic involved” that led to this decision. However, the company refused to give information, claiming that this would reveal trade secrets. These two arguments led to a litigation spanning more than 6 years so far.

The Court was asked to clarify what is exactly meant by meaningful information: should that include only the input data, e.g. date of birth, address, sex, or a bit more specific information, not necessarily personal data, such as:

• a copy of all (even pseudonymised or anonymised) information to check compliance with the GDPR,

• the parameters used to calculate the rating,

• what influences this calculation,

• where do the parameters come from,

• an explanation why CK received a certain rating and what other consequences this may have,

• listing of other potential profile categories (para. 33 of the decision, 1st question from the Austrian court).

While the Court did not specify which of the above should be shared exactly, it did confirm that CK has the right to have an answer to her questions:

“it is apparent (…) that, where the data subject is the subject of a decision which is based solely on automated processing and which significantly affects him or her, that data subject must have the right to obtain an explanation of that decision” (para. 50).

The Court also concluded that meaningful information should include “real, tangible examples” (para. 45), and it also implies that this explanation should have been provided in the company’s privacy notice in the first place (para. 46). The Court also emphasised that the explanation should come in a “concise, transparent, intelligible and easily accessible form”, i.e. its description of its credit profile must be made easy to understand (para. 50).

This clarification from the company shouldn’t be “necessarily a complex explanation of the algorithms used or disclosure of the full algorithm” (para. 60). This means that you shouldn’t be required to have a PhD in mathematics to understand why your mobile phone contract was denied. The Austrian court also correctly pointed out that the company should explain what would happen if a different dataset was included in the same model: would that lead to a different result (para. 62)?

Can a company really deny explanations on a scoring model due to trade secrets?

The GDPR does accept certain cases where the right of access can be restricted, but it has to be for quite severe reasons, such as national security or criminal investigations. Another important condition is that such a restriction has to respect he essence of fundamental rights, and it has to be necessary and proportionate in a democratic society - which should hardly be the case when it comes to a scoring model of a data analytics company.

In any case, the GDPR indeed allows for restricting the right of access when this is necessary for “the protection of (…) the rights and freedoms of others” (Art. 23(1)(i) GDPR), “including trade secrets or intellectual property and in particular the copyright protecting the software” (point 69 or Recital 63 GDPR).

We don’t get a definitive answer on this by the Court: they concluded that the Austrian courts or authorities should balance the interests of CK and the company in this case.²

So why was CK rejected by the phone provider actually?

Even CK herself doesn’t know at this point, and the litigation continues in Austria. Although hopefully she has found another provider in the meantime, the questions are still there:

• Why does a telecommunication provider have to assess the creditworthiness of its customers?

• Why do they deny services, even if for such a small amount?

• How do you justify a legitimate interest for doing so?

• Why is it so difficult to have an explanation about an otherwise simple decision?

Lastly - leading to more philosophical questions - how can we morally justify having such a nuanced profile about a person? How can we allow that automatic decisions are made by machines that are so much impacting our day-to-day life? And even if this could be to our benefit, can’t we get at least a simple explanation?

To close this chain of thoughts, I’d refer back to the GDPR on this:

“The processing of personal data should be designed to serve mankind.” (Recital 4)

___________________________________________________________________________

If you’d like to learn more about automated-decision making in the context of banks too, I recommend my previous article on this:

1

The complete decision (Case C-203/22) is available here.

2

Another great summary of the case on the European Law Blog by Stefano Rossetti is available here.