Data & Privacy Case Law Blog | May 2026

How much may an organisation redact in response to an access request? And when does continuity outweigh privacy risks? In this blog we discuss two recent rulings that touch on current developments. First, a judgment of the Amsterdam Court of Appeal, in which X (formerly Twitter) invoked trade secrets in response to an access request in order to shield large parts of internal moderation notes. Next, the DigiD case, in which the preliminary relief judge in The Hague ruled that the State may extend its contract with Solvinity despite concerns about US access to personal data following the takeover by Kyndryl. Notably: shortly thereafter, the government imposed a provisional prohibition on the takeover.

Trade secrets are no carte blanche to refuse GDPR access

Access requests under the GDPR have by now become a daily reality for many organisations. How much really has to be disclosed, particularly when it concerns information that one would rather not make public? A recent ruling of the Amsterdam Court of Appeal provides important guidance on this point.

The case in brief

In October 2023, a user of X saw his account suddenly restricted after posting a message. He was not informed of this by X itself, but found out through others. Understandably, he wanted to know exactly what had happened. He therefore invoked Article 15 GDPR: the right of access to his personal data.

When, in his view, X provided insufficient access, he took the matter to court. The court ruled in his favour and ordered X to provide additional information about the processing of his data, including notes from the internal moderation system Guano (Guano Notes). A penalty payment was attached to that order.

X subsequently released these notes but redacted large portions. The reason: full disclosure would reveal trade secrets concerning content moderation, spam filters and the advertising system. The user did not accept this. X lodged an appeal.

What did the Court of Appeal rule?

The Court of Appeal decided to take cognisance of the unredacted Guano Notes itself. This enabled it to assess concretely, on a section-by-section basis, whether the reliance on trade secrets was justified.

The case law is clear in this respect. Article 15(4) GDPR provides scope to restrict access in order to protect the rights and freedoms of others, including trade secrets. Recital 63 of the GDPR, however, immediately adds that this must never result in the data subject being denied all information. It is therefore a balancing exercise, and that exercise, according to the Court of Appeal, largely came out against X.

As regards the content moderation labels, for example, X was unable to make clear why showing NSFW classifications (Not Suitable For Work: labels for content that is unsuitable for a professional or public environment) specifically to this user would lead to circumvention of its systems. A general risk was insufficient; concrete indications were lacking. With regard to the advertising system, the Court of Appeal likewise considered the commercial interest in itself insufficiently weighty. The labels in question merely reflected a level of reliability and left the underlying logic of the system untouched: access to them therefore does not entail any real risk.

Something similar applied to the spam filter: it concerned a limited number of labels, partly outdated, and X had not made it plausible that disclosure would lead to a concrete system risk. With regard to the data on account security, an additional factor came into play: the information did not differ materially from what the user already knew, which further reduced the interest in confidentiality. And in respect of the technical data, too, X did not get beyond generalities, without identifying a concrete interest in confidentiality.

On two points, X did prevail. The names of employees were allowed to be omitted: those are personal data of third parties, and the user had moreover indicated that he had no interest in them. The same applied to the exact timestamps of automated actions. The Court of Appeal recognised that insight into the response speed of the systems, in the hands of malicious actors, could lead to abuse by bots. Indication of the day on which an action took place was, in the Court of Appeal's view, sufficient to give effect to the right of access.

For practice

Sooner or later, every controller will be confronted with access requests. This ruling shows that a practice in which broad categories are redacted by invoking confidentiality no longer suffices. The Court of Appeal raises the bar. What did stand up were targeted exceptions for specific data in respect of which X was able to explain concretely why disclosure would cause harm. Consider exact timestamps that provide insight into the response speed of security systems, or names of employees as personal data of third parties.

This begins with documentation: for every redacted item, it must be clear why disclosure poses a concrete risk. That substantiation belongs in the file, not only in a statement of defence. In addition, it is advisable to critically assess whether the information actually qualifies as a trade secret within the meaning of the Trade Secrets Protection Act (Wet bescherming bedrijfsgeheimen, Wbb): only information that is secret, derives commercial value from that fact and is kept secret by the holder by means of reasonable measures falls within that category.

Digital sovereignty vs. continuity: the judge in summary proceedings in the DigiD case

The preliminary relief judge in The Hague recently ruled that the State may extend the agreement with Solvinity, despite concerns about US access to personal data following the takeover by the American company Kyndryl. The GDPR risks are real, but the continuity of digital government carries more weight. Shortly thereafter, the State Secretary nonetheless prohibited the takeover.

Digital infrastructure

Picard is a digital platform on which various government applications such as DigiD and MijnOverheid run. Technical management lies with Solvinity, originally a Dutch IT company. When it became known that the American Kyndryl wished to take over Solvinity, unrest arose. Following the takeover, Solvinity would come within the reach of American legislation with extraterritorial effect, including the CLOUD Act and FISA. Three citizens brought summary proceedings against the State seeking termination of the contract as soon as the takeover became a fact. The preliminary relief judge dismissed all claims.

The privacy-law tension

The heart of the case touches upon an important GDPR issue: what happens to personal data when a processor comes to fall under the jurisdiction of a third country? The CLOUD Act obliges US companies to provide data to US authorities, even where that data is located on European servers.

This is in tension with Article 48 GDPR, which provides that a judgment or decision of a third country requiring transfer may only be recognised where it is based on an international agreement. Such an agreement is lacking between the EU and the US for this type of request.

The claimants argued that the State should have carried out a DPIA and, if the risks could not be mitigated, should have engaged in prior consultation with the Dutch Data Protection Authority. The judge, however, does not reach this substantive GDPR assessment. The claim to postpone the extension fails on practical grounds: postponement would mean that the renewal deadline would be missed, with all the attendant continuity risks.

Schrems II in the background

Although the judge does not refer to it explicitly, the Schrems II doctrine resonates throughout the case. The Court of Justice ruled in 2020 that transfers to the US offer insufficient protection in view of the far-reaching powers of US intelligence services. The situation here is admittedly different, since there is no explicit transfer at issue, but the underlying risk is comparable: access by a government that does not offer an equivalent level of protection.

The State acknowledges this risk and does not dispute that Solvinity could technically access privacy-sensitive data. The controller, after all, remains responsible for ensuring an adequate level of protection, even where the processor changes ownership.

Continuity prevails

The judge emphasises that the State enjoys broad policy discretion. Judicial intervention is only justified in the case of manifestly unlawful conduct. That threshold is not met.

The decisive factor is that termination of the services provided by Solvinity would lead to disruption of digital government. The State has investigated whether a swift switch to another supplier is possible, but concludes that this is not feasible without unacceptable risks. A responsible transition requires six to eight months. The claimants have not sufficiently substantiated that it could be done otherwise.

The subsidiary claim (termination on the basis of Article 30.3 ARBIT in the event of a change of control) also fails. That provision does indeed offer a ground for termination, but the claimants demand that the State terminate the contract while simultaneously allowing the services to continue. Such a construction requires the cooperation of Solvinity, and whether that willingness exists is uncertain.

The judge finally takes into account that the State is actively working on risk management: investment screening by the Investment Screening Office (Bureau Toetsing Investeringen, BTI), an integral risk assessment by the Economic Security Taskforce, and discussions with Solvinity and Kyndryl on mitigating measures. As long as those processes are ongoing, it cannot be established that the State is acting unlawfully.

Government nonetheless intervenes

Shortly after the ruling, the State Secretary prohibited the takeover of Solvinity by Kyndryl on the basis of the Security Screening of Investments, Mergers and Acquisitions Act (Wet veiligheidstoets investeringen, fusies en overnames). An earlier blog discusses this Solvinity prohibition in detail.

The court's ruling and the government's decision may at first sight appear somewhat contradictory, but in fact they complement each other. The court gave the State leeway to complete the ongoing screening procedures; the State Secretary has made use of that leeway. The result: the contract extension remains in place, but the takeover does not proceed. The acute risk feared by the claimants has thereby been averted by administrative-law means.
