Dun & Bradstreet: A Pyrrhic Victory for the Contestation of AI under the GDPR

Dun & Bradstreet: A Pyrrhic Victory for the Contestation of AI under the GDPR external link

The Law, Ethics & Policy of AI Blog, 2025

Abstract

The CJEU’s ruling in Dun & Bradstreet clarifies how the GDPR’s ‘right to an explanation’ should enable individuals to contest AI-based decision-making. It states that explanations need to be understandable while also respecting trade secrets and privacy concerns in a balanced manner. However, the Court excludes the disclosure of in-depth technical information and also introduces a burdensome balancing procedure. These requirements both strengthen and weaken the ability of individuals to independently assess impactful AI systems, leading to a pyrrhic victory for contestation.

Links

https://www.law.kuleuven.be/ai-summer-school/blogpost/Blogposts/dun-bradstreet-a-pyrrhic-victory-for-the-contestation-of-ai-under-the-gdpr

ai, GDPR, Privacy

Bibtex

Online publication{nokey,
	title = {Dun & Bradstreet: A Pyrrhic Victory for the Contestation of AI under the GDPR},
	author = {Metikoš, L.},
	url = {https://www.law.kuleuven.be/ai-summer-school/blogpost/Blogposts/dun-bradstreet-a-pyrrhic-victory-for-the-contestation-of-ai-under-the-gdpr},
	year = {2025},
	date = {2025-03-25},
	journal = {The Law, Ethics & Policy of AI Blog},
	abstract = {The CJEU’s ruling in Dun & Bradstreet clarifies how the GDPR’s ‘right to an explanation’ should enable individuals to contest AI-based decision-making. It states that explanations need to be understandable while also respecting trade secrets and privacy concerns in a balanced manner. However, the Court excludes the disclosure of in-depth technical information and also introduces a burdensome balancing procedure. These requirements both strengthen and weaken the ability of individuals to independently assess impactful AI systems, leading to a pyrrhic victory for contestation.},
	keywords = {ai, GDPR, Privacy},
}

De Commissie Persoonsgegevens Amsterdam: adviesmodel voor complexe gegevensverwerkingen door overheden? download

Janssen, H.

Privacy & Informatie, iss. : 1, pp: 1-2, 2025

Links

Privacy&Informatie_2025_1

Persoonsgegevens, Privacy

Bibtex

The Right to an Explanation in Practice: Insights from Case Law for the GDPR and the AI Act external link

Metikoš, L. & Ausloos, J.

Law, Innovation, and Technology , pp: 1-36, 2025

Abstract

The right to an explanation under the GDPR has been much discussed in legal-doctrinal scholarship. This paper expands upon this academic discourse, by providing insights into what questions the application of the right to an explanation has raised in legal practice. By looking at cases brought before various judicial bodies and data protection authorities across the European Union, we discuss questions regarding the scope, content, and balancing exercise of the right to an explanation. We argue, moreover, that these questions also raise important interpretative issues regarding the right to an explanation under the AI Act. Similar to the GDPR, the AI Act's right to an explanation leaves many legal questions unanswered. Therefore, the insights from the already established case law under the GDPR, can help us to understand better how the AI Act's right to an explanation should be understood in practice.

Links

AI Act, case law, GDPR, Privacy

Bibtex

Article{nokey,
	title = {The Right to an Explanation in Practice: Insights from Case Law for the GDPR and the AI Act},
	author = {Metikoš, L. and Ausloos, J.},
	url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4996173},
	doi = {https://doi.org/10.1080/17579961.2025.2469349},
	year = {2025},
	date = {2025-03-13},
	journal = {Law, Innovation, and Technology },
	pages = {1-36},
	abstract = {The right to an explanation under the GDPR has been much discussed in legal-doctrinal scholarship. This paper expands upon this academic discourse, by providing insights into what questions the application of the right to an explanation has raised in legal practice. By looking at cases brought before various judicial bodies and data protection authorities across the European Union, we discuss questions regarding the scope, content, and balancing exercise of the right to an explanation. We argue, moreover, that these questions also raise important interpretative issues regarding the right to an explanation under the AI Act. Similar to the GDPR, the AI Act\'s right to an explanation leaves many legal questions unanswered. Therefore, the insights from the already established case law under the GDPR, can help us to understand better how the AI Act\'s right to an explanation should be understood in practice.},
	keywords = {AI Act, case law, GDPR, Privacy},
}

Annotatie bij EHRM 9 maart 2023 (LB / Hongarije) download

Dommering, E.

Nederlandse Jurisprudentie, iss. : 15, num: 144, pp: 3352-3354, 2024

Abstract

Openbaar maken persoonsgegevens wegens belastingschuld. Bescherming persoonlijke data. Belang van toetsing in individuele gevallen. Margin of appreciation. Schending van art. 8 EVRM. Grote Kamer.

Links

Annotatie_NJ_2024_144

Human rights, Privacy

Bibtex

The Right to Root: Constructing a Claim to Control Devices from the Right to Privacy download

van Daalen, O.

JIPITEC, vol. 14, iss. : 4, pp: 580-593, 2023

Abstract

Empowering people with digital tools has been an enduring ideal throughout the history of computing. In some of the earlier visions, this was not only a matter of making life easier, it was also a matter of people gaining control over their digital tools. One solution to this problem which has been suggested is to provide users with a manual override to gain full control over a device, something called gaining 'root' - hence the 'Right to Root'. Yet, there are no policymakers who have seriously treated this as a possibility. For people pushing this right at a policy level, it would therefore be helpful to know whether this Right to Root can be constructed from human rights. In this article, I explore the European human rights-based arguments for a Right to Root, focusing on the right to privacy under the European Convention for Human Rights and the Charter of Fundamental Rights. I first discuss the origins of this ideal of gaining control over your own devices. I then show how users over the years have gained less control and how the RIght to Root could enable them to regain control. I then explore how the Right to Root could be constructed from the right to privacy under the Convention and the Charter, by understanding it as a way to protect the values of autonomy, self-determination and seclusion. I conclude that a Right to Root can be grounded in the human right to privacy, but that further research is necessary to balance it with other interests, such as cybersecurity, traffic safety, health and intellectual property.

Links

JIPITEC_2023_4

Privacy

Bibtex

Article{nokey,
	title = {The Right to Root: Constructing a Claim to Control Devices from the Right to Privacy},
	author = {van Daalen, O.},
	url = {https://www.ivir.nl/publications/the-right-to-root-constructing-a-claim-to-control-devices-from-the-right-to-privacy/jipitec_2023_4/},
	year = {2023},
	date = {2023-12-12},
	journal = {JIPITEC},
	volume = {14},
	issue = {4},
	pages = {580-593},
	abstract = {Empowering people with digital tools has been an enduring ideal throughout the history of computing. In some of the earlier visions, this was not only a matter of making life easier, it was also a matter of people gaining control over their digital tools. One solution to this problem which has been suggested is to provide users with a manual override to gain full control over a device, something called gaining \'root\' - hence the \'Right to Root\'. Yet, there are no policymakers who have seriously treated this as a possibility. For people pushing this right at a policy level, it would therefore be helpful to know whether this Right to Root can be constructed from human rights. In this article, I explore the European human rights-based arguments for a Right to Root, focusing on the right to privacy under the European Convention for Human Rights and the Charter of Fundamental Rights. I first discuss the origins of this ideal of gaining control over your own devices. I then show how users over the years have gained less control and how the RIght to Root could enable them to regain control. I then explore how the Right to Root could be constructed from the right to privacy under the Convention and the Charter, by understanding it as a way to protect the values of autonomy, self-determination and seclusion. I conclude that a Right to Root can be grounded in the human right to privacy, but that further research is necessary to balance it with other interests, such as cybersecurity, traffic safety, health and intellectual property.},
	keywords = {Privacy},
}

Annotatie bij Hoge Raad 15 september 2023 download

Dommering, E.

Nederlandse Jurisprudentie, iss. : 1, num: 6, pp: 195-196, 2024

Links

Annotatie_NJ_2024_6

AVG, Privacy

Bibtex

Annotatie bij Hof van Justitie van de Europese Gemeenschappen 4 mei 2023 (F.F. / Österreichische Datenschutzbehörde) download

Dommering, E.

Nederlandse Jurisprudentie, iss. : 1, num: 1, pp: 8-10, 2024

Links

Annotatie_NJ_2024_1

Inzagerecht, Persoonsgegevens, Privacy

Bibtex

Annotatie Hof van Justitie van de EU 28 april 2022 (Meta Platforms Ireland / Bundesverband der Verbraucherzentralen und Verbraucherverbände) download

Dommering, E.

Nederlandse Jurisprudentie, iss. : 21, num: 194, pp: 3621-3623, 2023

Links

Annotatie_NJ_2023_194

Facebook, Persoonsgegevens, Privacy

Bibtex

Gemeentelijke grip op private sensorgegevens: Juridisch kader voor het gemeentelijke handelingsperspectief bij de verwerking van private sensorgegevens in de openbare ruimte download

Janssen, H., Verboeket, L.W., Meiring, A., van Hoboken, J., van Eechoud, M., van den Brink, J.E., Ortlep, R. & Bodó, B.

2023

Links

Gemeentelijke_grip_op_private_sensorgegevens

handhaving, Privacy, sensoren, Surveillance

Bibtex

Personal Data Stores and the GDPR’s lawful grounds for processing personal data

Janssen, H., Cobbe, J., Norval, C. & Singh, J.

2019

Abstract

Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.

Links

DOI: https://doi.org/10.5281/zenodo.3234902

Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency

Bibtex

Conference paper{nokey,
	title = {Personal Data Stores and the GDPR’s lawful grounds for processing personal data},
	author = {Janssen, H. and Cobbe, J. and Norval, C. and Singh, J.},
	doi = {https://doi.org/10.5281/zenodo.3234902},
	year = {2019},
	date = {2019-05-29},
	abstract = {Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.},
	keywords = {Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency},
}