The Right to an Explanation in Practice: Insights from Case Law for the GDPR and the AI Act

Law, Innovation, and Technology (forthcoming), 2024

Abstract

[This is a pre-publication draft paper, forthcoming in Law, Innovation, and Technology 17.2, October 2025. The final version is subject to further revisions.] The right to an explanation under the GDPR has been much discussed in legal-doctrinal scholarship. This paper expands upon this academic discourse, by providing insights into what questions the application of the right to an explanation has raised in legal practice. By looking at cases brought before various judicial bodies and data protection authorities across the European Union, we discuss questions regarding the scope, content, and balancing exercise of the right to an explanation. We argue, moreover, that these questions also raise important interpretative issues regarding the right to an explanation under the AI Act. Similar to the GDPR, the AI Act's right to an explanation leaves many legal questions unanswered. Therefore, the insights from the already established case law under the GDPR, can help us to understand better how the AI Act's right to an explanation should be understood in practice.

AI Act, case law, GDPR, Privacy

Bibtex

Article{nokey, title = {The Right to an Explanation in Practice: Insights from Case Law for the GDPR and the AI Act}, author = {Metikoš, L. and Ausloos, J.}, url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4996173}, year = {2024}, date = {2024-10-24}, journal = {Law, Innovation, and Technology (forthcoming)}, abstract = {[This is a pre-publication draft paper, forthcoming in Law, Innovation, and Technology 17.2, October 2025. The final version is subject to further revisions.] The right to an explanation under the GDPR has been much discussed in legal-doctrinal scholarship. This paper expands upon this academic discourse, by providing insights into what questions the application of the right to an explanation has raised in legal practice. By looking at cases brought before various judicial bodies and data protection authorities across the European Union, we discuss questions regarding the scope, content, and balancing exercise of the right to an explanation. We argue, moreover, that these questions also raise important interpretative issues regarding the right to an explanation under the AI Act. Similar to the GDPR, the AI Act's right to an explanation leaves many legal questions unanswered. Therefore, the insights from the already established case law under the GDPR, can help us to understand better how the AI Act's right to an explanation should be understood in practice.}, keywords = {AI Act, case law, GDPR, Privacy}, }

Annotatie bij EHRM 9 maart 2023 (LB / Hongarije)

Nederlandse Jurisprudentie, iss. 15, no. 144, pp. 3352-3354, 2024

Abstract

Publication of personal data on account of a tax debt. Protection of personal data. Importance of assessment in individual cases. Margin of appreciation. Violation of Art. 8 ECHR. Grand Chamber.

Human rights, Privacy

Bibtex

Case note{nokey, title = {Annotatie bij EHRM 9 maart 2023 (LB / Hongarije)}, author = {Dommering, E.}, url = {https://www.ivir.nl/publications/annotatie-bij-ehrm-9-maart-2023-lb-hongarije/annotatie_nj_2024_144/}, year = {2024}, date = {2024-05-28}, journal = {Nederlandse Jurisprudentie}, issue = {15}, number = {144}, abstract = {Openbaar maken persoonsgegevens wegens belastingschuld. Bescherming persoonlijke data. Belang van toetsing in individuele gevallen. Margin of appreciation. Schending van art. 8 EVRM. Grote Kamer.}, keywords = {Human rights, Privacy}, }

The Right to Root: Constructing a Claim to Control Devices from the Right to Privacy

JIPITEC, vol. 14, iss. 4, pp. 580-593, 2023

Abstract

Empowering people with digital tools has been an enduring ideal throughout the history of computing. In some of the earlier visions, this was not only a matter of making life easier, it was also a matter of people gaining control over their digital tools. One solution to this problem which has been suggested is to provide users with a manual override to gain full control over a device, something called gaining 'root' - hence the 'Right to Root'. Yet, there are no policymakers who have seriously treated this as a possibility. For people pushing this right at a policy level, it would therefore be helpful to know whether this Right to Root can be constructed from human rights. In this article, I explore the European human rights-based arguments for a Right to Root, focusing on the right to privacy under the European Convention for Human Rights and the Charter of Fundamental Rights. I first discuss the origins of this ideal of gaining control over your own devices. I then show how users over the years have gained less control and how the Right to Root could enable them to regain control. I then explore how the Right to Root could be constructed from the right to privacy under the Convention and the Charter, by understanding it as a way to protect the values of autonomy, self-determination and seclusion. I conclude that a Right to Root can be grounded in the human right to privacy, but that further research is necessary to balance it with other interests, such as cybersecurity, traffic safety, health and intellectual property.

Privacy

Bibtex

Article{nokey, title = {The Right to Root: Constructing a Claim to Control Devices from the Right to Privacy}, author = {van Daalen, O.}, url = {https://www.ivir.nl/publications/the-right-to-root-constructing-a-claim-to-control-devices-from-the-right-to-privacy/jipitec_2023_4/}, year = {2023}, date = {2023-12-12}, journal = {JIPITEC}, volume = {14}, issue = {4}, pages = {580-593}, abstract = {Empowering people with digital tools has been an enduring ideal throughout the history of computing. In some of the earlier visions, this was not only a matter of making life easier, it was also a matter of people gaining control over their digital tools. One solution to this problem which has been suggested is to provide users with a manual override to gain full control over a device, something called gaining 'root' - hence the 'Right to Root'. Yet, there are no policymakers who have seriously treated this as a possibility. For people pushing this right at a policy level, it would therefore be helpful to know whether this Right to Root can be constructed from human rights. In this article, I explore the European human rights-based arguments for a Right to Root, focusing on the right to privacy under the European Convention for Human Rights and the Charter of Fundamental Rights. I first discuss the origins of this ideal of gaining control over your own devices. I then show how users over the years have gained less control and how the Right to Root could enable them to regain control. I then explore how the Right to Root could be constructed from the right to privacy under the Convention and the Charter, by understanding it as a way to protect the values of autonomy, self-determination and seclusion. I conclude that a Right to Root can be grounded in the human right to privacy, but that further research is necessary to balance it with other interests, such as cybersecurity, traffic safety, health and intellectual property.}, keywords = {Privacy}, }

Annotatie bij Hoge Raad 15 september 2023

Nederlandse Jurisprudentie, iss. 1, no. 6, pp. 195-196, 2024

GDPR, Privacy

Bibtex

Case note{nokey, title = {Annotatie bij Hoge Raad 15 september 2023}, author = {Dommering, E.}, url = {https://www.ivir.nl/publications/annotatie-bij-hoge-raad-15-september-2023/annotatie_nj_2024_6/}, year = {2024}, date = {2024-02-01}, journal = {Nederlandse Jurisprudentie}, issue = {1}, number = {6}, keywords = {AVG, Privacy}, }

Annotatie bij Hof van Justitie van de Europese Gemeenschappen 4 mei 2023 (F.F. / Österreichische Datenschutzbehörde)

Nederlandse Jurisprudentie, iss. 1, no. 1, pp. 8-10, 2024

Right of access, Personal data, Privacy

Bibtex

Case note{nokey, title = {Annotatie bij Hof van Justitie van de Europese Gemeenschappen 4 mei 2023 (F.F. / Österreichische Datenschutzbehörde)}, author = {Dommering, E.}, url = {https://www.ivir.nl/publications/annotatie-bij-hof-van-justitie-van-de-europese-gemeenschappen-4-mei-2023-f-f-osterreichische-datenschutzbehorde/annotatie_nj_2024_1/}, year = {2024}, date = {2024-02-01}, journal = {Nederlandse Jurisprudentie}, issue = {1}, number = {1}, keywords = {Inzagerecht, Persoonsgegevens, Privacy}, }

Annotatie Hof van Justitie van de EU 28 april 2022 (Meta Platforms Ireland / Bundesverband der Verbraucherzentralen und Verbraucherverbände)

Nederlandse Jurisprudentie, iss. 21, no. 194, pp. 3621-3623, 2023

Facebook, Personal data, Privacy

Bibtex

Case note{nokey, title = {Annotatie Hof van Justitie van de EU 28 april 2022 (Meta Platforms Ireland / Bundesverband der Verbraucherzentralen und Verbraucherverbände)}, author = {Dommering, E.}, url = {https://www.ivir.nl/publications/annotatie-hof-van-justitie-van-de-eu-28-april-2022-meta-platforms-ireland-bundesverband-der-verbraucherzentralen-und-verbraucherverbande/annotatie_nj_2023_194/}, year = {2023}, date = {2023-07-11}, journal = {Nederlandse Jurisprudentie}, issue = {21}, number = {194}, keywords = {Facebook, Persoonsgegevens, Privacy}, }

Gemeentelijke grip op private sensorgegevens: Juridisch kader voor het gemeentelijke handelingsperspectief bij de verwerking van private sensorgegevens in de openbare ruimte

Janssen, H., Verboeket, L.W., Meiring, A., van Hoboken, J., van Eechoud, M., van den Brink, J.E., Ortlep, R. & Bodó, B.
2023

Enforcement, Privacy, Sensors, Surveillance

Bibtex

Report{nokey, title = {Gemeentelijke grip op private sensorgegevens: Juridisch kader voor het gemeentelijke handelingsperspectief bij de verwerking van private sensorgegevens in de openbare ruimte}, author = {Janssen, H. and Verboeket, L.W. and Meiring, A. and van Hoboken, J. and van Eechoud, M. and van den Brink, J.E. and Ortlep, R. and Bodó, B.}, url = {https://www.ivir.nl/publications/gemeentelijke-grip-op-private-sensorgegevens-juridisch-kader-voor-het-gemeentelijke-handelingsperspectief-bij-de-verwerking-van-private-sensorgegevens-in-de-openbare-ruimte/gemeentelijke_grip_op_private_sensorgegevens/}, year = {2023}, date = {2023-06-30}, keywords = {handhaving, Privacy, sensoren, Surveillance}, }

Personal Data Stores and the GDPR’s lawful grounds for processing personal data

Janssen, H., Cobbe, J., Norval, C. & Singh, J.
2019

Abstract

Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.

Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency

Bibtex

Conference paper{nokey, title = {Personal Data Stores and the GDPR’s lawful grounds for processing personal data}, author = {Janssen, H. and Cobbe, J. and Norval, C. and Singh, J.}, doi = {https://doi.org/10.5281/zenodo.3234902}, year = {2019}, date = {2019-05-29}, abstract = {Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.}, keywords = {Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency}, }

The right to encryption: Privacy as preventing unlawful access

Computer Law & Security Review, vol. 49, 2023

Abstract

Encryption technologies are a fundamental building block of modern digital infrastructure, but plans to curb these technologies continue to spring up. Even in the European Union, where their application is by now firmly embedded in legislation, lawmakers are again calling for measures which would impact these technologies. One of the most important arguments in this debate are human rights, most notably the rights to privacy and to freedom of expression. And although some authors have in the past explored how encryption technologies support human rights, this connection is not yet firmly grounded in an analysis of European human rights case law. This contribution aims to fill this gap, developing a framework for assessing restrictions of encryption technologies under the rights to privacy and freedom of expression as protected under the European Convention of Human Rights (the Convention) and the Charter of Fundamental rights in the European Union (the Charter). In the first section, the relevant function of encryption technologies, restricting access to information (called confidentiality), is discussed. In the second section, an overview of some governmental policies and practices impacting these technologies is provided. This continues with a discussion of the case law on the rights to privacy, data protection and freedom of expression, arguing that these rights are not only about ensuring lawful access by governments to protected information, but also about preventing unlawful access by others. And because encryption technologies are an important technology to reduce the risk of this unlawful access, it is then proposed that this risk is central to the assessment of governance measures in the field of encryption technologies. The article concludes by recommending that states perform an in-depth assessment of this when proposing new measures, and that courts when reviewing them also place the risk of unlawful access central to the analysis of interference and proportionality.

communications confidentiality, encryption, Freedom of expression, Human rights, Privacy, unlawful access

Bibtex

Article{nokey, title = {The right to encryption: Privacy as preventing unlawful access}, author = {van Daalen, O.}, url = {https://www.sciencedirect.com/science/article/pii/S0267364923000146}, doi = {https://doi.org/10.1016/j.clsr.2023.105804}, year = {2023}, date = {2023-05-23}, journal = {Computer Law & Security Review}, volume = {49}, pages = {}, abstract = {Encryption technologies are a fundamental building block of modern digital infrastructure, but plans to curb these technologies continue to spring up. Even in the European Union, where their application is by now firmly embedded in legislation, lawmakers are again calling for measures which would impact these technologies. One of the most important arguments in this debate are human rights, most notably the rights to privacy and to freedom of expression. And although some authors have in the past explored how encryption technologies support human rights, this connection is not yet firmly grounded in an analysis of European human rights case law. This contribution aims to fill this gap, developing a framework for assessing restrictions of encryption technologies under the rights to privacy and freedom of expression as protected under the European Convention of Human Rights (the Convention) and the Charter of Fundamental rights in the European Union (the Charter). In the first section, the relevant function of encryption technologies, restricting access to information (called confidentiality), is discussed. In the second section, an overview of some governmental policies and practices impacting these technologies is provided. This continues with a discussion of the case law on the rights to privacy, data protection and freedom of expression, arguing that these rights are not only about ensuring lawful access by governments to protected information, but also about preventing unlawful access by others. And because encryption technologies are an important technology to reduce the risk of this unlawful access, it is then proposed that this risk is central to the assessment of governance measures in the field of encryption technologies. The article concludes by recommending that states perform an in-depth assessment of this when proposing new measures, and that courts when reviewing them also place the risk of unlawful access central to the analysis of interference and proportionality.}, keywords = {communications confidentiality, encryption, Freedom of expression, Human rights, Privacy, unlawful access}, }

Fundamental rights assessment of the framework for detection orders under the CSAM proposal

CSAM, Data protection, Freedom of expression, Privacy

Bibtex

Report{nokey, title = {Fundamental rights assessment of the framework for detection orders under the CSAM proposal}, author = {van Daalen, O.}, url = {https://www.ivir.nl/publications/fundamental-rights-assessment-of-the-framework-for-detection-orders-under-the-csam-proposal/csamreport/}, year = {2023}, date = {2023-04-22}, keywords = {CSAM, Data protection, Freedom of expression, Privacy}, }