GHAMS - 200.346.613/01

Summary

A Dutch appellate court (GHAMS) ruled that X (formerly Twitter) must provide a data subject access to its automated decision system ('System Y') that triggered a shadowban on the user's account, despite X's claims of trade secret protection. The court ordered disclosure of reputation scores, labels, and the chronological log of account actions, with employee names and timestamps redacted, subject to a €4,000-per-day penalty for non-compliance. This case reinforces GDPR rights to transparency and explanation of automated decisions under Articles 15 and 22.

Full text

Help GHAMS - 200.346.613/01: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:11, 21 April 2026 view sourceDt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators318 editsmTag: Visual edit← Older edit Latest revision as of 08:36, 21 April 2026 view source Dt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators318 editsmTag: Visual edit (One intermediate revision by the same user not shown)Line 64: Line 64: }}}} A court ordered X (formerly Twitter) to provide access to a report concerning one of its systems in relation to an automated decision previously restricting a user’s account on the platform. However, the court allowed for the names of its employees and the timestamps to be redacted from the document.A court ordered X (formerly Twitter) to provide access to one of its systems which contains a chronological overview of all actions taken on a user account in relation to an automated decision previously restricting a user’s account on the platform. However, the court allowed for the names of its employees and the timestamps to be redacted from the document. == English Summary ==== English Summary == Line 83: Line 83: In front of the first instance court, the data subject requested an order requiring the controller to respond to his access request under [[Article 15 GDPR]] and to his request for information regarding the automated decision under [[Article 22 GDPR]]. In front of the first instance court, the data subject requested an order requiring the controller to respond to his access request under [[Article 15 GDPR]] and to his request for information regarding the automated decision under [[Article 22 GDPR]]. The court concluded that the controller must respond to the requests and provide specific information regarding “reputation scores”, labels and one of its systems ("system y"), subject to a penalty of €4,000 for each day that the controller fails to comply. The court concluded that the controller must respond to the access request, as well as provide additional information regarding “reputation scores” and labels used for the user's account and one of its systems (“system y“, referred to as the "Guano system" by the first instance court) which contains a chronological overview of all actions taken on a user account, subject to a penalty of €4,000 for each day that the controller fails to comply. The controller appealed the first court’s judgement. In relation to access to its "system y", the controller asked the appellate court to set aside the decision because the controller's "system y" contains trade secret information within the meaning of the Trade Secrets Protection Act, and that this information must also remain confidential to protect the rights and freedoms of third parties. The controller appealed the first court’s judgement. In relation to access to its "system y", the controller asked the appellate court to set aside the decision because the controller's "system y" contains trade secret information within the meaning of the Trade Secrets Protection Act, and that this information must also remain confidential to protect the rights and freedoms of third parties. The appellate court issued an [[GHAMS - 200.346.613|interim order]] in October 2025 with the aim of collecting more information for deciding on the appeal. To this end, it ordered the controller to submit to the court the full, unedited version of its "system Y" so that the court may assess if the data subject should have access to the system. The court returned to the case subsequently and issued its judgement on the appeal. The appellate court issued an [[GHAMS - 200.346.613|interim order]] in October 2025 with the aim of collecting more information for deciding on the appeal. To this end, it ordered the controller to submit to the court the full, unedited version of its "system y" so that the court may assess if the data subject should have access to the system. The court returned to the case subsequently and issued its judgement on the appeal. === Holding ====== Holding === Latest revision as of 08:36, 21 April 2026 GHAMS - 200.346.613/01 Court: GHAMS (Netherlands) Jurisdiction: Netherlands Relevant Law: Article 15 GDPR Article 22 GDPR Decided: 14.04.2026 Published: Parties: X International Unlimited Company (Formerly Twitter International Unlimited Company) National Case Number/Name: 200.346.613/01 European Case Law Identifier: ECLI:NL:GHAMS:2026:961 Appeal from: Rb. Amsterdam (Netherlands)10767307 CV FORM 23-13934 Appeal to: Unknown Original Language(s): Dutch Original Source: de Rechtspraak (in Dutch) Initial Contributor: dt A court ordered X (formerly Twitter) to provide access to one of its systems which contains a chronological overview of all actions taken on a user account in relation to an automated decision previously restricting a user’s account on the platform. However, the court allowed for the names of its employees and the timestamps to be redacted from the document. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts X International Unlimited Company (Formerly Twitter International Unlimited Company) (the controller), formerly Twitter, imposed a temporary restriction ('shadowban') on the account of a user (the data subject) due to the controller’s automated detection system flagging one of the user's posts as potentially violating the controller’s policy against child abuse. The data subject used the words “child pornography” in the post while referring to measures to combat child abuse imagery in Europe. The controller did not notify the data subject of the restriction. The data subject submitted an access request to determine, among other things, the scope and reasons for imposing the restriction. The controller lifted the restriction without informing the data subject and later on responded to the access request referring to its privacy policy. However, the data subject filed a petition in court arguing that the controller failed to respond adequately to his access request. The controller provided the data subject with information regarding the imposed restriction through a letter in January 2024 and in September 2024 provided additional access to documents and information, including to a partially redacted printout from one of its systems. In front of the first instance court, the data subject requested an order requiring the controller to respond to his access request under Article 15 GDPR and to his request for information regarding the automated decision under Article 22 GDPR. The court concluded that the controller must respond to the access request, as well as provide additional information regarding “reputation scores” and labels used for the user's account and one of its systems (“system y“, referred to as the "Guano system" by the first instance court) which contains a chronological overview of all actions taken on a user account, subject to a penalty of €4,000 for each day that the controller fails to comply. The controller appealed the first court’s judgement. In relation to access to its "system y", the controller asked the appellate court to set aside the decision because the controller's "system y" contains trade secret information within the meaning of the Trade Secrets Protection Act, and that this information must also remain confidential to protect the rights and freedoms of third parties. The appellate court issued an interim order in October 2025 with the aim of collecting more information for deciding on the appeal. To this end, it ordered the controller to submit to the court the full, unedited version of its "system y" so that the court may assess if the data subject should have access to the system. The court returned to the case subsequently and issued its judgement on the appeal. Holdi

Entities