GDPR | Apr 21, 2026

GHAMS - 200.346.613/01

Dutch court orders X (Twitter) to provide user access to shadow ban documentation under GDPR Article 15.

Summary

A Dutch appellate court (GHAMS) ruled that X must grant a data subject access to its internal systems documenting a shadow ban imposed on the user's account after an automated decision flagged a post about combating child abuse imagery. X had appealed the lower court's decision citing trade secrets protection, but the appellate court compelled disclosure of the unredacted "system y" (Guano system) to assess the user's GDPR Article 15 access rights. The court allowed redaction of employee names and timestamps but rejected X's blanket trade secrets defense.

Full text

GHAMS - 200.346.613/01

From GDPRhub. Latest revision as of 14:29, 21 April 2026.

Court: GHAMS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15 GDPR, Article 22 GDPR
Decided: 14.04.2026
Published:
Parties: X International Unlimited Company (Formerly Twitter International Unlimited Company)
National Case Number/Name: 200.346.613/01
European Case Law Identifier: ECLI:NL:GHAMS:2026:961
Appeal from: Rb. Amsterdam (Netherlands) 10767307 CV FORM 23-13934
Appeal to: Unknown
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: dt

A court ordered X (formerly Twitter) to provide access to a chronological overview of all actions taken in relation to a shadow ban on a user's account following a post by the user regarding combating child abuse imagery in Europe. However, the court allowed for the names of its employees and the timestamps to be redacted from the document.

English Summary

Facts

X International Unlimited Company (Formerly Twitter International Unlimited Company) (the controller), formerly Twitter, imposed a temporary restriction ('shadowban') on the account of a user (the data subject) due to the controller’s automated detection system flagging one of the user's posts as potentially violating the controller’s policy against child abuse. The data subject used the words “child pornography” in the post while referring to measures to combat child abuse imagery in Europe. The controller did not notify the data subject of the restriction.

The data subject submitted an access request to determine, among other things, the scope and reasons for imposing the restriction. The controller lifted the restriction without informing the data subject and later on responded to the access request referring to its privacy policy. However, the data subject filed a petition in court arguing that the controller failed to respond adequately to his access request. The controller provided the data subject with information regarding the imposed restriction through a letter in January 2024 and in September 2024 provided additional access to documents and information, including to a partially redacted printout from one of its systems.
In front of the first instance court, the data subject requested an order requiring the controller to respond to his access request under Article 15 GDPR and to his request for information regarding the automated decision under Article 22 GDPR. The court concluded that the controller must respond to the access request, as well as provide additional information regarding “reputation scores” and labels used for the user's account and one of its systems (“system y”, referred to as the "Guano system" by the first instance court) which contains a chronological overview of all actions taken on a user account, subject to a penalty of €4,000 for each day that the controller fails to comply.

The controller appealed the first court’s judgement. In relation to access to its "system y", the controller asked the appellate court to set aside the decision because the controller's "system y" contains trade secret information within the meaning of the Trade Secrets Protection Act, and that this information must also remain confidential to protect the rights and freedoms of third parties.

The appellate court issued an interim order in October 2025 with the aim of collecting more information for deciding on the appeal. To this end, it ordered the controller to submit to the court the full, unedited version of its "system y" so that the court may assess if the data subject should have access to the system. The controller complied and submitted the unredacted version to the court. Subsequently, the court returned to the case and issued its judgement on the appeal.

Holding

The appellate court upheld the contested decision ordering the controller to provide full access to its "system y" to the data subject.
The court emphasised that, while the data subject is not required to demonstrate an interest in exercising his right of access, if the controller invokes its own rights and interests or those of third parties in defence against an access request, the court will have to weigh the relative importance of the conflicting interests. Thus, the court assessed both parties' claims and concluded that the data subject must be given access to the content moderation label in the system, the advertising system label, the spam filter label, the account security and safety label, various technical specifications label, the people, teams, and times label without access to specific timestamps and employees' names, and the identification numbers label. However, the court allowed the controller to redact the names of its employees and the exact timestamps of when automated decision-making occurred in relation to the "system y". In this sense, the data sub

Entities

X (formerly Twitter) (vendor)
Guano system (product)