GDPR Decision On Automatic Decision-Making And Right Of Access


Summary of the Case: X (formerly Twitter) temporarily restricted a user's account following a post by the user. The Amsterdam District Court considered this decision to be automated decision-making under the GDPR. In its defense, X argued that the user, a journalist, wanted to write an article about X's systems and was therefore abusing his right of access. The court ordered X to respond to the access request within one month and to provide information about the automated decision-making. Otherwise, it imposed a fine of €4,000 per day.



On October 11, 2023, on platform X, the data subject's account was temporarily restricted because he had posted a message containing the word “child pornography”. The tweet read:

“The chats of hundreds of millions of people will soon be scanned to identify a relatively small number of offenders, no matter how bad they are. Harsh criticism of Europe's plans against child pornography: 'Not proportionate'” [link to a newspaper article].

The controller automatically detected the post as potentially violating its policy. The resulting restriction, a shadowban, meant that the data subject's account and posted messages temporarily did not appear in searches or on the timelines of other users. The controller did not notify the data subject of the shadowban. The data subject only found out through other users who told him they could not find his account. Subsequently, the data subject submitted an access request on 13 October 2023 to, amongst other things, understand what the shadowban entailed and why it had happened. On 16 October 2023, the controller lifted the restriction after an additional review. This was also not communicated to the data subject. On 14 November 2023, the controller responded to the access request and, in answer to the data subject's questions, referred to various sections of its privacy policy. On 17 November 2023, the data subject initiated proceedings by application (“verzoekschriftprocedure”) at the District Court of Amsterdam (“Rechtbank Amsterdam”). The data subject requested the court to order the controller to respond to his access request under Article 15 GDPR and to his request for information on automated decision-making under Article 22 GDPR. The data subject also requested the court to impose a penalty of € 4.000 on the controller for every day it did not comply.

The controller argued that it had complied with the data subject’s access request by referring to its privacy policy. Moreover, the controller argued that the data subject is a journalist who is pursuing a PhD in automated decision-making, may want to write articles about the controller’s systems, and is thus misusing his right of access. The controller further argued that it did not provide full access because of trade secrets and fears that the data subject would make these secrets public. Lastly, the controller argued that there was no automated decision-making when shadowbanning users, as the parameters of the detection system are determined by humans. On 12 January 2024, the data subject received a letter from the controller which provided information about the imposed shadowban.

On the abuse of right to access

The court held that the data subject does not have to explain the motivation for his access request. A data subject may abuse the right of access; however, it is up to the controller to prove this. The court dismissed the controller’s argument as there was no proof that the data subject had ulterior motives for the access request. Furthermore, it is clear that being a journalist was not the only reason why the data subject made an access request.

Response to access request was not transparent or concrete

The controller’s only response within a month was a general message that merely referred to specific parts of the Privacy Policy. The court found that this did not comply with the GDPR, as it did not elaborate on how the data subject’s personal data was processed. The response only provided the data subject with information on how the controller may process personal data. This did not allow the data subject to understand how the controller processed his personal data and whether this was lawful. It also forced the data subject to search for answers, rather than providing a clear overview. The court held that the controller had so far not given a clear overview of the processing of the data subject’s personal data.

The court took into account the CJEU judgement in C-33/22 - Österreichische Datenschutzbehörde and held that the controller cannot suffice with a summary of personal data without providing any context on the basis on which it was processed, as the controller did in its letter of 12 January 2024. The court held that the controller needs to provide a full and true copy of the document containing the personal data that has been processed.

The court dismissed the controller’s argument on trade secrets as it did not substantiate its claim or explain why certain personal data of the data subject could not be shared. The court held that the controller could not hide behind 'trade secrets' and thus evade its obligations under the GDPR.

Access to information on automated decision-making regarding the shadowban

The court dismissed the controller’s argument that its system for shadowbanning users is not automated decision-making. The court held that the question is not whether the system was made by people, but whether there is human intervention in the decision-making.

The court found that the automated decision-making significantly affected the data subject. The data subject used the account for his profession as a journalist, and being shadowbanned affected his employment. Moreover, because he was connected to child abuse, the controller could have notified an American organisation, which would have led to him not being allowed to travel to the US.

The court held that under Article 13 GDPR and Article 14 GDPR, the controller should have proactively provided transparent information on the automated decision-making. The controller should have notified the data subject of the shadowban and informed him about the next steps and possible consequences. This would also have allowed the data subject to appeal the decision.

The court further held that, when the data subject made an access request and asked for information on the existence of automated decision-making under Article 15(1)(h) GDPR, the controller should have at least provided information about the automated decision-making, its underlying logic, its importance and its expected impact on the data subject. By providing this information only three months after the access request, the controller was too late. The court further held that the information provided was unclear and did not allow the data subject to verify the lawfulness of the processing.

The court held that although the controller has the responsibility to protect its platform and is allowed to shadowban users, it does need to provide information about this and cannot hide behind ‘trade secrets’.

On the specifics of the access request

The court dismissed the controller’s argument that it does not use reputation scores and labels for accounts, as there was clear proof that it did. The court therefore held that the controller needs to provide access to the reputation scores and labels it uses on the accounts of users.

The court further held that the controller needs to provide access to the personal data processed in the context of its system "Guano", which provides a chronological overview of all actions taken on an account. The court dismissed the controller’s argument of business secrecy, as the access concerns the processing of personal data.

Conclusion

Thus, the court held that the controller’s response to the access request was insufficient. The court ordered the controller to respond to the access request within a month and provide information on the various categories of personal data concerned and the automated decision-making. Moreover, the court held that the controller had to provide specific information on reputation scores, labels and its system Guano. The court imposed a penalty of € 4.000 per day for non-compliance.


source: https://gdprhub.eu/index.php?title=Rb._Amsterdam_-_742407_%2F_HA_RK_23-366&mtc=today&utm_source=substack&utm_medium=email



