AI Regulation Tracker / Court action
Amsterdam Appeal Court Orders X to Open Its Automated Moderation Records to a User
On April 14, 2026, the Amsterdam Court of Appeal upheld an order requiring X to give a Dutch user access to the automated moderation records behind his shadowban, including the labels its systems attached to his account. The order rests on GDPR access rights, and X's trade-secret and confidentiality defenses mostly failed.
Here is what happened, and what it does and does not mean.
In October 2023, Danny Mekic shared a post on X that linked to a news article from the Dutch public broadcaster NOS about European plans to fight child abuse online. The article text carried the Dutch word for child pornography. X's automated detection flagged the post, and Mekic's account was quietly hidden from search and suggestions, the practice usually called shadowbanning. He was never told. He found out when other users said his account had become hard to find.
He asked X to show him what it held on him and why. X gave him very little. He went to court under the right of access in the EU General Data Protection Regulation. He won at the district court, and X appealed. On April 14, 2026, the Amsterdam Court of Appeal ruled on that appeal.
What the court actually ordered
The court upheld the order that X give Mekic access to the personal data it processes about him. In the operative part of the ruling, it "bekrachtigt de bestreden beschikking," which means it affirms the contested lower-court order, subject to two limited exceptions.
The heart of the disclosure is X's internal moderation record, a system referred to in the case as Guano Notes, which logs the actions taken on an account. Based on the ruling, that record includes the automated labels attached to Mekic's content, such as sensitive-content flags and markings for material considered unsuitable for advertising, along with spam-filter classifications, account-security notes, technical data, and post identifiers. The court decided X had not shown why letting the user see which labels were applied to his own content would give away a genuine trade secret.
The two carve-outs are narrow. X may black out the names of its employees, and it may black out the exact hours, minutes, and seconds of each logged action. It cannot hide the day. As the ruling puts it, "X dient [betrokkene] daarom wel inzage te geven in de dag," meaning X must still give access to the day on which actions were taken. On the substance of what was done to the account and why, the user gets to see it.
X leaned on two arguments to keep the records closed. One was trade secrets. The other was platform confidentiality, including a nod to the confidentiality provision in the EU Digital Services Act. The court found neither strong enough to override the user's access right on these facts, and let the trade-secret defense succeed only on the two minor points above.
One point of precision on the legal basis
It is easy to file this under Digital Services Act transparency, because the underlying dispute is about content moderation and a shadowban. Be careful there. The order to disclose rests on the GDPR right of access and its rules on automated decision-making, which are data-protection provisions, not on a DSA transparency article. The DSA showed up mainly as part of X's confidentiality defense, and that defense mostly failed. So the accurate framing is a data-access ruling that pried open an automated moderation system, decided in the shadow of the DSA rather than under a DSA disclosure duty.
That distinction matters if you are trying to reason about where the pressure is coming from. The lever here is the individual right to see your own data and to understand automated decisions made about you. That right does not care whether the system doing the deciding is branded as moderation, safety, ad targeting, or risk scoring.
Why a US professional should care
X is a US platform. It was compelled by a European court, using a European user's access right, to open the automated records behind a moderation decision. No US filing or US duty changed because of this ruling. What changed is the evidence base for a pattern that keeps repeating.
If your organization runs automated systems that score, flag, label, or restrict people, and those people include users in the EU, then an access request is a live way those systems can be forced into daylight. The defenses a large platform reached for here, trade secrets and confidentiality, did not do much. A court was willing to make X show the labels, the classifications, and the day each action happened. That is the kind of internal record most teams assume stays internal.
For attorneys advising platform, fintech, or AI-product clients, the practical read is to treat automated moderation and scoring logs as potentially disclosable to the individuals they describe, and to build them accordingly. Vague, unexplained labels are exactly what a court took issue with. For finance and compliance leaders watching how automated decision systems get governed, this is one more data point that the transparency pressure on AI is arriving through individual rights, one user at a time, not only through big new statutes.
What to do now
Read the ruling for what it is, a binding order between two parties, not a general rule. Then treat it as a signal. Map where your automated systems attach labels or scores to identifiable people, especially EU users. Ask whether you could explain each label to the person it was applied to, because being unable to explain it was part of why X lost. Keep your moderation and scoring logs in a state you would be comfortable disclosing, minus genuinely sensitive operational details like staff names. And if you change a policy or a control, base that on your own applicable law and your own counsel, not on a Dutch judgment that binds X and not you.
Questions professionals are asking
What did the Amsterdam Court of Appeal actually decide?
On April 14, 2026, in ECLI:NL:GHAMS:2026:961, it upheld an order requiring X to give user Danny Mekic access to the personal data it processes about him, including the internal moderation records behind his shadowban. X may redact only the names of its employees and the exact hours, minutes, and seconds of actions. It must disclose the day and the substance.
Is this a Digital Services Act transparency ruling?
Not exactly. The order to disclose rests on the GDPR right of access and its rules on automated decisions, which are data-protection provisions. The Digital Services Act appeared mainly in X's confidentiality defense, which the court largely rejected. The dispute is about moderation, but the disclosure lever is data-access law.
Does this bind US companies or US filings?
No. It is a binding order between X and one user under EU and Dutch law. It changes no US duty. For US attorneys, CPAs, and finance leaders it is a comparative signal about how automated moderation and scoring systems can be exposed through individual access rights.
Why did X's trade-secret argument mostly fail?
The court found X had not shown why letting a user see which labels were applied to his own content would reveal a genuine trade secret. It allowed redaction only on two narrow points, employee names and precise timestamps, and required disclosure of the rest, including the labels and the day of each action.
Is the case over?
This appeal ruling upholds the disclosure order, so the order stands between the parties. Cassation review at the Dutch Supreme Court remains theoretically available, but the operative effect of the April 14, 2026 decision is that X must grant the access described.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any ruling or requirement applies to your situation with qualified professionals in the relevant jurisdiction.