Insight: Algorithmic decision-making employing profiling: will trade secrecy protection render the right to explanation toothless?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's specialist in Privacy Information Management Systems (PIMS), urges enterprise leaders to confront an uncomfortable regulatory paradox: the "right to explanation" commonly read into GDPR Article 22 for individuals affected by algorithmic decisions is being steadily undermined by the growth of machine learning patents and trade secrecy protection since 2010. A 2022 paper by P.B. de Laat argues that as AI systems grow more sophisticated and commercially valuable, companies gain stronger legal grounds to withhold algorithmic explanations, leaving one of GDPR's most important individual rights effectively toothless. For Taiwanese enterprises pursuing ISO 27701 certification or GDPR compliance, this finding calls for a reassessment of how algorithmic transparency is handled within their PIMS frameworks.

Paper Citation: P.B. de Laat, "Algorithmic decision-making employing profiling: will trade secrecy protection render the right to explanation toothless?", Ethics and Information Technology, 2022 (indexed in OpenAlex)
Original Paper: https://doi.org/10.1007/s10676-022-09642-1

About the Author and This Research

P.B. de Laat is a senior researcher affiliated with the University of Groningen in the Netherlands, with a sustained academic focus on technology ethics, algorithmic governance, and the intersection of privacy law and artificial intelligence. His work appears in leading European ethics and information technology journals, and this 2022 paper, indexed by OpenAlex, had accumulated 7 academic citations at the time of writing, reflecting its growing influence in the debate over algorithmic accountability and GDPR enforcement. De Laat's approach combines close reading of the legal text with historical tracing of regulatory and judicial developments, which makes his conclusions actionable for compliance practitioners rather than purely theoretical. For PIMS consultants and enterprise privacy officers, his work bridges the gap between academic regulatory theory and boardroom-level risk assessment.

The Right to Explanation Under GDPR: A Structural Regulatory Paradox That Threatens Algorithmic Accountability

De Laat's central thesis is as provocative as it is well-substantiated: the right to explanation associated with the GDPR is on a collision course with an expanding fortress of intellectual property rights, and there are compelling reasons to believe that intellectual property will win. The paper examines three interconnected dimensions of this conflict: the regulatory framework currently supporting explanation rights, the historical judicial track record on comparable rights of access, and the rapidly intensifying landscape of machine learning patents.

Core Finding 1: Judicial History Suggests Explanation Rights Will Be Interpreted Narrowly

GDPR Articles 13(2)(f), 14(2)(g) and 15(1)(h) require data controllers to provide "meaningful information about the logic involved" in automated decision-making of the kind covered by Article 22. Article 22 itself grants a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, and Article 22(3) adds safeguards (human intervention, the right to express one's point of view, and the right to contest the decision). An explicit "right to obtain an explanation" of such a decision appears only in Recital 71, which is not legally binding on its own; this is why the scope of the right is contested. De Laat draws on the work of Wachter et al. (2017) to examine how a comparable right of access under the 1995 EU Data Protection Directive (DPD) was interpreted by European courts. The judicial precedent is sobering: courts consistently held that only the general principles of an algorithm needed to be disclosed, not specific technical details or model parameters. That precedent leaves a substantial gap that organizations can lean on when faced with explanation requests. The pattern suggests that when GDPR's own provisions are tested in court, as they increasingly will be, history may well repeat itself, with courts deferring to trade secrecy claims over individual transparency rights.

Core Finding 2: The Post-2010 ML Patent Explosion Gives Companies Stronger Legal Shields

Perhaps the most striking empirical observation in De Laat's paper is the documented surge in machine learning patent applications following updated USPTO guidelines around 2010 that clarified when AI and ML inventions qualify for patent protection. Applications related to ML in general, and to "predictive analytics" specifically, grew dramatically in the United States, and European patent filings followed the same trajectory. De Laat's key conjecture is structurally important: the more an algorithmic application combines multiple protected ML assets and finds utility across multiple industry sectors, the higher its commercial value becomes, and therefore the stronger the legal justification for withholding detailed explanations under trade secrecy protection. This creates a perverse incentive structure in which the most powerful and widely deployed AI systems, precisely the ones most likely to affect people's lives significantly, are also the ones most legally shielded from the scrutiny that explanation rights were designed to enable.

Core Finding 3: The Regulatory Framework Is Insufficient to Resolve This Tension

De Laat's analysis of the current regulatory landscape concludes that while GDPR is currently the most significant force pushing for algorithmic explanation rights globally, its mechanisms for resolving the conflict between explanation obligations and intellectual property protection remain underdeveloped. The balancing act required between these competing rights has not been clearly prescribed, leaving significant room for organizations to interpret their obligations narrowly. For enterprises operating under multiple jurisdictions, including Taiwan's Personal Data Protection Act (台灣個資法), which grants individuals the rights to inquire into, review, copy and correct their personal data (Article 3, with the corresponding response and correction obligations in Articles 10 and 11) but does not yet explicitly address algorithmic explanation, this regulatory ambiguity creates both compliance risk and strategic opportunity.

Implications for Taiwan Enterprises Implementing PIMS and Pursuing ISO 27701 Certification

The findings of De Laat's research carry direct and urgent implications for Taiwanese enterprises navigating the convergence of AI adoption and privacy compliance obligations. Three strategic priorities emerge for enterprise privacy officers and PIMS practitioners:

First, DPIA processes must explicitly address algorithmic transparency gaps. Under GDPR Article 35(3)(a), a systematic and extensive evaluation of individuals based on automated processing, including profiling, that produces legal or similarly significant effects requires a Data Protection Impact Assessment (DPIA). However, many DPIA templates currently used by Taiwanese enterprises focus primarily on data breach scenarios, without treating "inability to provide meaningful explanation" as a standalone compliance risk. Given the direction of regulatory enforcement in the EU, and the anticipated trajectory of amendments to Taiwan's Personal Data Protection Act, this gap will increasingly become an audit target. ISO 27701's control framework provides the structural foundation for integrating algorithmic transparency assessment into enterprise DPIA practice.

Second, ISO 27701 implementation must be extended to cover algorithmic governance policy. ISO/IEC 27701 extends ISO/IEC 27001 with privacy-specific requirements and is the international standard for Privacy Information Management Systems (PIMS); its requirements include establishing mechanisms for responding to data subject requests. However, many enterprises treat explanation request handling as a routine customer service workflow rather than as a cross-functional governance task requiring coordination between legal, technical, and business teams. De Laat's research highlights that this mischaracterization creates material compliance exposure, particularly in sectors such as financial services, HR technology, and digital marketing, where profiling-based decision-making is prevalent.

Third, enterprises should proactively build a documented framework for balancing trade secrecy against explanation obligations now, before regulatory pressure intensifies. Taiwan's Personal Data Protection Act is expected to continue evolving toward alignment with GDPR. Enterprises that invest now in a documented decision framework, defining which algorithmic elements can be explained without compromising legitimate trade secrets and which require a recorded legal justification to withhold, will face significantly lower compliance costs than those who wait for enforcement to force reactive remediation.

How Winners Consulting Services Co. Ltd. Helps Taiwanese Enterprises Build Algorithmically Compliant PIMS

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) provides end-to-end advisory services for Taiwanese enterprises seeking to build Privacy Information Management Systems that address the full spectrum of modern algorithmic compliance challenges, including ISO 27701 certification, GDPR compliance architecture, and DPIA execution for AI-driven decision-making environments.

  1. Algorithmic Decision Scenario DPIA Enhancement: Winners conducts comprehensive DPIA assessments for automated decision-making and profiling workflows, explicitly incorporating "right to explanation fulfillment capacity" as an independent risk dimension. We identify the specific tension points between trade secrecy claims and data subject rights within your organization's particular algorithmic context, and develop proportionate mitigation strategies that satisfy GDPR Article 35 and ISO 27701 control requirements without unnecessarily exposing core intellectual property.
  2. ISO 27701 Implementation with Algorithmic Transparency Integration: Our ISO 27701 certification advisory program goes beyond baseline control implementation to build enterprise-specific algorithmic governance policies, standardized operating procedures (SOPs) for handling explanation requests, and cross-functional coordination protocols between legal, IT, and business units. This ensures that explanation right compliance is operationally executable, not merely documented on paper.
  3. Trade Secrecy and Explanation Obligation Balance Strategy: Winners helps enterprises establish a clear internal decision tree and legal positioning framework for handling explanation requests from regulatory authorities or data subjects. This framework ensures that enterprises can protect legitimate core technical assets while demonstrably meeting the minimum transparency requirements of both GDPR and Taiwan's Personal Data Protection Act, producing defensible compliance documentation that can withstand regulatory scrutiny.

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) offers a complimentary PIMS mechanism diagnostic to help Taiwanese enterprises establish ISO 27701-compliant privacy management systems within 90 days, with specialized assessment of algorithmic decision-making explanation right compliance risks.


Frequently Asked Questions

Can a company refuse to explain its AI algorithm to a data subject by claiming trade secret protection under GDPR?
Not categorically, but partial protection is legally defensible. GDPR Article 15(1)(h), together with Article 22, requires organizations to provide "meaningful information about the logic involved" in automated decisions, and Recital 63 states that although the right of access should not adversely affect trade secrets or intellectual property, this must not result in a refusal to provide all information to the data subject. A complete refusal based solely on trade secrecy is therefore not compliant. However, as De Laat's 2022 research shows, judicial precedent from the 1995 Data Protection Directive era indicates that courts have historically required only the disclosure of general algorithmic principles, not specific technical parameters. This creates a meaningful gray zone that organizations can legitimately navigate. The practical recommendation is a "layered explanation framework": provide an externally intelligible decision rationale (the main factors considered, their direction of influence, and how the individual can contest the outcome) without exposing the core model architecture or parameters. This is current best practice for reconciling GDPR compliance with intellectual property protection. Taiwan's Personal Data Protection Act similarly grants rights to inquire into, review and correct personal data (Article 3), and these are expected to be strengthened in forthcoming amendments.
Does GDPR's right to explanation apply to Taiwanese companies that don't have a physical presence in the EU?
Yes. If your enterprise offers goods or services to data subjects in the EU, or monitors their behaviour, including through targeted online advertising, e-commerce transactions, or HR systems managing EU-based employees, GDPR applies under Article 3(2) regardless of where your company is incorporated or physically located. Many Taiwanese SaaS providers, cross-border e-commerce operators, and B2B service companies fall within this scope. Infringements of data subjects' rights under Articles 12 to 22, which include the transparency and automated decision-making provisions, can be fined under Article 83(5) at up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. Winners Consulting recommends that Taiwanese enterprises conduct a GDPR applicability assessment as the first step in defining their specific compliance obligations.
Does achieving ISO 27701 certification mean a company is fully compl
