
Automated individual decision
The credit scoring company must not disclose its algorithm, but must explain it

Célian Hirsch
(Translated by DeepL)
The credit scoring company must explain to the person concerned the procedure and principles applied in practice to establish his or her solvency profile. Furthermore, the company’s business secrecy does not preclude the communication of information to the authority or the court, which must weigh up the interests involved (judgment of the CJEU of 27 February 2025 in case C-203/22).
A mobile phone operator refused to allow an Austrian national (CK) to conclude a mobile phone contract, which would have involved a monthly payment of EUR 10. This refusal was justified on the basis of a negative automated credit rating carried out by the company Dun & Bradstreet (D&B).
Following various proceedings brought by CK against D&B, the Verwaltungsgericht (Administrative Court) of Vienna ruled that CK has the right to receive at least (1) the data that was processed in the context of the constitution of a ‘factor’, (2) the mathematical formula underlying the calculation that led to the ‘score’ in question, (3) the concrete value attributed to CK for each of the factors concerned, and (4) the precise intervals within which the same value is attributed to different data for the same factor (interval evaluation or discrete or index/cadastral evaluation). In addition, D&B should also provide a list setting out the scores of other persons for the period covering the six months preceding and the six months following the establishment of CK’s score, and which were obtained on the basis of the same calculation rule.
Before making a final decision, the Verwaltungsgericht referred questions to the CJEU for a preliminary ruling. These seek to clarify (1) whether the data subject has the right to obtain explanations on the procedure and principles applied in practice to establish his or her credit profile and (2) whether business secrecy precludes the communication of information to the authority or the court.
Where a data subject is subject to an automated individual decision (art. 22 GDPR), he or she has the right to obtain ‘relevant information on the underlying logic’ of the decision (art. 15 para. 1 let. h GDPR).
The CJEU proceeds with a literal, systematic and teleological interpretation of this provision. It notes in particular that this information aims to allow the person concerned to express their point of view on this decision and to challenge it (art. 22 para. 3 GDPR). It concludes that this is a genuine right to an explanation of how the mechanism underlying automated decision-making operates. This right includes an explanation of the procedure and the principles applied in practice to process personal data in order to obtain a specific result, such as a solvency profile.
The CJEU considers that the information must be provided in a sufficiently concise and comprehensible manner. The data controller cannot therefore simply communicate to the data subject a complex mathematical formula, such as an algorithm, or a detailed description of all the stages of an automated decision-making process. The data controller must find simple ways of informing the data subject of the rationale behind the automated decision or the criteria on which it is based. Thus, the information does not necessarily include a complex explanation of the algorithms used or the disclosure of the complete algorithm. In concrete terms, the data controller could inform the data subject of the extent to which a variation in his or her data would have led to a different result.
The protection of trade secrets cannot result in a refusal to communicate anything to the data subject. The controller must transmit the allegedly protected information to the competent authority or court. The latter can then weigh up the rights and interests at stake in order to determine the scope of the right of access.
This decision of the CJEU follows the Schufa judgement (C-634/21), according to which the credit scoring company makes an automated individual decision when conducting a credit check (cdbf.ch/1316/; Hirsch Célian, Intelligence artificielle et automatisation des décisions dans le secteur bancaire et financier : application de la LPD et du RGPD, RSDA 2024 115 ff.).
The present judgement provides some clarification on the scope of the duty to explain the automated decision to the data subject. Thus, the complete algorithm does not have to be revealed. In addition, we believe that providing information on data variation and its impact on the result is a good method (see also Wachter Sandra/Mittelstadt Brent/Russell Chris, Counterfactual Explanations Without Opening the Black Box: Automated Decisions and the GDPR, Harvard Journal of Law & Technology, 31 (2), 2018). This case law could also be relevant in the future for determining the scope of the ‘right to an explanation’ of decisions made by high-risk artificial intelligence systems (art. 86 of the AI Regulation).
Swiss law also provides that, in the case of an automated individual decision (art. 21 LPD), the data subject has the right to be informed of ‘the logic on which the decision is based’ (art. 25 para. 2 let. f LPD). As with the GDPR, the information does not aim to disclose the algorithms, which often fall under business secrets (for an in-depth overview of this concept, see Chappuis Grégoire/Kuonen Nicolas, La protection des secrets d’affaires, une mosaïque à synthétiser, SJ 2025 59). Furthermore, given that this right stems from the GDPR and corresponds to it, the Swiss interpretation should in principle be in line with that of the CJEU (on this subject, cf. Hirsch Célian, Le devoir d’informer lors d’une violation de la sécurité des données – Avec un regard particulier sur les données bancaires, thesis, Geneva 2023, p. 130 ff.).