
Insight: Algorithmic decision-making employing profiling: will trade secrecy protection render the right to explanation toothless?


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Privacy Information Management Systems (PIMS), urges enterprise leaders to confront an uncomfortable regulatory paradox: the "right to explanation" that the GDPR is taken to grant to individuals affected by algorithmic decisions (Articles 13 to 15 and 22, read with Recital 71) is being systematically undermined by the surge in machine learning patents and trade secrecy protection since 2010. A 2022 paper by P.B. de Laat argues that as AI systems grow more sophisticated and commercially valuable, companies gain stronger legal grounds to withhold algorithmic explanations, which risks rendering one of the GDPR's most important individual rights effectively toothless. For Taiwanese enterprises pursuing ISO 27701 certification or GDPR compliance, this finding calls for a reassessment of how algorithmic transparency is handled within their PIMS.

Paper Citation: P.B. de Laat, "Algorithmic decision-making employing profiling: will trade secrecy protection render the right to explanation toothless?", Ethics and Information Technology, 2022 (indexed in OpenAlex)
Original Paper: https://doi.org/10.1007/s10676-022-09642-1


About the Author and This Research

P.B. de Laat is a senior researcher affiliated with the University of Groningen in the Netherlands, with a sustained academic focus on technology ethics, algorithmic governance, and the intersection of privacy law and artificial intelligence. His work appears in leading European ethics and information technology journals, and this 2022 paper has accumulated 7 academic citations since its release according to the OpenAlex index, reflecting its growing influence in the discourse around algorithmic accountability and GDPR enforcement. De Laat's approach combines close reading of the legal texts with historical tracing of regulatory and judicial developments, which makes his conclusions actionable for compliance practitioners rather than purely theoretical. For PIMS consultants and enterprise privacy officers, his work bridges the gap between academic regulatory theory and boardroom-level risk assessment.

The Right to Explanation Under GDPR: A Structural Regulatory Paradox That Threatens Algorithmic Accountability

De Laat's central thesis is as provocative as it is well-substantiated: the right to explanation enshrined in the GDPR is on a collision course with an expanding fortress of intellectual property rights, and there are compelling reasons to believe that intellectual property will win. The paper examines three interconnected dimensions of this conflict: the regulatory framework currently supporting explanation rights, the historical judicial track record on similar rights of access, and the rapidly intensifying landscape of machine learning patents.

Core Finding 1: Judicial History Suggests Explanation Rights Will Be Interpreted Narrowly

GDPR Articles 13 to 15 require data controllers to provide "meaningful information about the logic involved" in automated decision-making, including profiling. Article 22, which restricts decisions based solely on automated processing that produce legal or similarly significant effects, is, together with Recital 71, the basis on which a fuller right to an explanation of such decisions is asserted. De Laat draws on Wachter et al. (2017) to examine how the comparable right of access under the 1995 EU Data Protection Directive (DPD) was interpreted by national courts. The record is sobering: courts held that only the general principles of an algorithm needed to be disclosed, not specific technical details or model parameters. That precedent leaves controllers considerable room to answer explanation requests narrowly. When the GDPR's own provisions are tested in court, as they increasingly will be, history may well repeat itself, with courts deferring to trade secrecy claims over individual transparency rights.

Core Finding 2: The Post-2010 ML Patent Explosion Gives Companies Stronger Legal Shields

Perhaps the most striking empirical observation in De Laat's paper is the documented surge in machine learning patent applications following USPTO guidance around 2010 that clarified when AI and ML inventions qualify for patent protection. Applications related to ML in general, and to "predictive analytics" specifically, grew dramatically in the United States, and European patent filings followed the same trajectory. De Laat's key conjecture is structural: the more an algorithmic application combines multiple protected ML assets and finds utility across multiple industry sectors, the higher its commercial value, and therefore the stronger the legal justification for withholding detailed explanations under trade secrecy protection. This creates a perverse incentive structure in which the most powerful and widely deployed AI systems, precisely the ones most likely to affect people's lives significantly, are also the ones most legally shielded from the scrutiny that explanation rights were designed to enable.

Core Finding 3: The Regulatory Framework Is Insufficient to Resolve This Tension

De Laat's analysis of the current regulatory landscape concludes that while the GDPR is currently the most significant force pushing for algorithmic explanation rights globally, its mechanisms for resolving the conflict between explanation obligations and intellectual property protection remain underdeveloped. The Regulation itself acknowledges the tension only in Recital 63, which states that the right of access should not adversely affect trade secrets or intellectual property but that this should not result in a refusal to provide all information to the data subject; how that balance is to be struck is not prescribed, leaving significant room for organizations to interpret their obligations narrowly. For enterprises operating under multiple jurisdictions, including Taiwan's Personal Data Protection Act (台灣個資法), which grants individuals the right to inquire about and correct their personal data (Article 3, with the corresponding correction duties in Article 11) but does not yet explicitly address algorithmic explanation rights, this regulatory ambiguity creates both compliance risk and strategic opportunity.

Implications for Taiwan Enterprises Implementing PIMS and Pursuing ISO 27701 Certification

The findings of De Laat's research carry direct and urgent implications for Taiwanese enterprises navigating the convergence of AI adoption and privacy compliance obligations. Three strategic priorities emerge for enterprise privacy officers and PIMS practitioners:

First, DPIA processes must explicitly address algorithmic transparency gaps. Under GDPR Article 35(3)(a), a Data Protection Impact Assessment (DPIA) is required for any systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based. However, many DPIA templates currently used by Taiwanese enterprises focus primarily on data breach scenarios and do not treat "inability to provide a meaningful explanation" as a standalone compliance risk. Given the direction of regulatory enforcement in the EU, and the anticipated trajectory of Taiwan's own Personal Data Protection Act amendments, this gap will increasingly become an audit target. ISO 27701's control framework provides the structural foundation for integrating algorithmic transparency assessment into enterprise DPIA practice.

Second, ISO 27701 implementation must be extended to cover algorithmic governance policy. ISO 27701 is currently the most internationally recognized standard for Privacy Information Management Systems (PIMS), and its control requirements include establishing mechanisms for responding to data subject rights. However, many enterprises treat procedures for responding to explanation requests as routine customer service workflows rather than as cross-functional governance challenges requiring coordination between legal, technical, and business teams. De Laat's research highlights that this mischaracterization creates material compliance exposure, particularly in sectors such as financial services, HR technology, and digital marketing where profiling-based decision-making is prevalent.

Third, enterprises should proactively build a documented trade secrecy and explanation balance framework now, before regulatory pressure intensifies. Taiwan's Personal Data Protection Act is expected to continue evolving toward alignment with GDPR standards. Enterprises that invest now in establishing a documented decision framework—defining which algorithmic elements can be explained without compromising legitimate trade secrets, and which require legal justification to withhold—will face significantly lower compliance costs than those who wait for regulatory enforcement to force reactive remediation.

How Winners Consulting Services Co. Ltd. Helps Taiwanese Enterprises Build Algorithmically Compliant PIMS

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) provides end-to-end advisory services for Taiwanese enterprises seeking to build Privacy Information Management Systems that address the full spectrum of modern algorithmic compliance challenges, including ISO 27701 certification, GDPR compliance architecture, and DPIA execution for AI-driven decision-making environments.

  1. Algorithmic Decision Scenario DPIA Enhancement: Winners conducts comprehensive DPIA assessments for automated decision-making and profiling workflows, explicitly incorporating "right to explanation fulfillment capacity" as an independent risk dimension. We identify the specific tension points between trade secrecy claims and data subject rights within your organization's particular algorithmic context, and develop proportionate mitigation strategies that satisfy GDPR Article 35 and ISO 27701 control requirements without unnecessarily exposing core intellectual property.
  2. ISO 27701 Implementation with Algorithmic Transparency Integration: Our ISO 27701 certification advisory program goes beyond baseline control implementation to build enterprise-specific algorithmic governance policies, standardized operating procedures (SOPs) for handling explanation requests, and cross-functional coordination protocols between legal, IT, and business units. This ensures that explanation right compliance is operationally executable, not merely documented on paper.
  3. Trade Secrecy and Explanation Obligation Balance Strategy: Winners helps enterprises establish a clear internal decision tree and legal positioning framework for navigating explanation requests from regulatory authorities or data subjects. This framework ensures that enterprises can protect legitimate core technical assets while demonstrably meeting the minimum transparency requirements of both GDPR and Taiwan's Personal Data Protection Act—providing defensible compliance documentation that can withstand regulatory scrutiny.

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) offers a complimentary PIMS mechanism diagnostic to help Taiwanese enterprises establish ISO 27701-compliant privacy management systems within 90 days, with specialized assessment of algorithmic decision-making explanation right compliance risks.


Frequently Asked Questions

Can a company refuse to explain its AI algorithm to a data subject by claiming trade secret protection under GDPR?
Not categorically, but partial withholding is legally defensible. GDPR Articles 13 to 15 require controllers to provide "meaningful information about the logic involved" in automated decision-making, and Recital 63, which says the right of access should not adversely affect trade secrets or intellectual property, adds that this should not result in a refusal to provide all information to the data subject. A blanket refusal based solely on trade secrecy is therefore not compliant. However, as De Laat's 2022 paper shows, court decisions from the 1995 EU Data Protection Directive era required disclosure only of the general principles of the algorithm, not specific technical parameters, which leaves a gray zone that controllers can legitimately navigate. The practical recommendation is a "layered explanation" approach: give the data subject an intelligible account of the main factors behind the decision, record internally which components were withheld and on what legal basis, and keep the core model architecture and parameters out of the external response. Taiwan's Personal Data Protection Act (Article 3) similarly grants inquiry rights that are expected to be strengthened in forthcoming amendments.
Does GDPR's right to explanation apply to Taiwanese companies that don't have a physical presence in the EU?
Yes. If your enterprise offers goods or services to individuals in the EU, or monitors their behaviour, including through targeted online advertising, e-commerce transactions, or HR systems managing EU-based employees, the GDPR's extraterritorial scope under Article 3(2) applies regardless of where your company is incorporated or physically located. Many Taiwanese SaaS providers, cross-border e-commerce operators, and B2B service companies fall within this scope. Infringement of data subject rights under Articles 12 to 22, including the explanation provisions, can result in administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)). Winners Consulting recommends that Taiwanese enterprises conduct a GDPR applicability assessment as a first step to defining their specific compliance obligations.
Does achieving ISO 27701 certification mean a company is fully compl

FAQ

Why is the algorithmic explanation right under GDPR Article 22 being hollowed out by trade secrecy?
According to a 2022 academic study, the number of machine-learning-related patent applications in the United States has surged since 2010, giving companies grounds to invoke intellectual property and trade secret protection to lawfully refuse to disclose how their algorithms operate. This creates a fundamental obstacle to the practical exercise of the GDPR right of data subjects to receive "meaningful information" about automated decisions, producing a structural conflict between regulatory rights and corporate property rights.
What GDPR compliance risks should enterprises watch for when using AI for automated decision-making or profiling?
When an enterprise uses algorithms for automated decision-making or profiling, GDPR Articles 13 to 15 require it to provide "meaningful information" about the decision logic, and Article 22 (read with Recital 71) is the basis for the data subject's right to an explanation. An enterprise that refuses to explain on trade secret grounds will face compliance disputes. Taiwanese enterprises entering the EU market or adopting ISO 27701 must carefully assess how to balance algorithmic transparency against IP protection.
How does the surge in machine learning patents affect enterprise privacy compliance?
Research shows that machine learning patent applications grew sharply after 2010, giving enterprises a stronger legal basis for claiming their algorithms as trade secrets. This affects privacy compliance in two ways: enterprises may refuse to explain AI decision logic to data subjects, and regulators find it harder to verify whether algorithms meet fairness and transparency requirements, so the GDPR's explanation right may become a dead letter in practice.
How should Taiwanese enterprises address algorithmic transparency requirements when adopting ISO 27701?
When building a personal data management system, Taiwanese enterprises should bring algorithmic governance into the scope of their privacy impact assessments and define in advance which decision logic can be disclosed and which involves core trade secrets. We recommend a layered explanation mechanism: give data subjects an overview of the decision factors rather than full algorithmic details, and keep internal documentation demonstrating compliance efforts, so as to balance GDPR transparency requirements with intellectual property protection.
Why choose Winners Consulting Services Co. Ltd. for this issue?
積穗科研股份有限公司 (Winners Consulting Services Co., Ltd.) specialises in ISO 27701, GDPR and Taiwan PDPA compliance, helping enterprises build complete personal data protection management systems.
