At the end of last year, the Court of Justice of the European Union (“CJEU”) issued a decision[1] providing guidance on the interpretation of Article 22 of the General Data Protection Regulation (GDPR), which concerns decision-making that is based solely on automated processing and significantly affects the data subject. Analysis of the European Court's reasoning highlights a number of practical implications that are of interest to credit rating providers, credit institutions and consumers alike.

Oana Zama, Mircea Vasile. Photo: STOICA & Asociatii

  1. Reasoning of the CJEU

In case C‑634/21, the ECJ considered the practice of the German company SCHUFA Holding AG, in the context of which a consumer (OQ) was refused credit on the basis of an assessment determined by the evaluator. OQ asked SCHUFA to send information about the personal data it had recorded and to delete some possibly incorrect data.

In response to this request, SCHUFA informed OQ of its assessment and explained how the points were calculated. However, citing commercial confidentiality, it declined to divulge the various pieces of information taken into account for this calculation, as well as their weights. Finally, SCHUFA stated that it limited itself to passing on information to its contractual partners and that they made the actual contractual decisions.

In this context, the German court requested a preliminary ruling. The essential issue concerned Article 22 of the GDPR, more precisely whether the assessment provided by SCHUFA was an automated individual decision, whether this decision had legal consequences for the data subject or significantly affected the data subject, and therefore whether SCHUFA should have shared more detailed information about the rationale behind the decision.

According to Article 22 of the GDPR, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which creates legal consequences for the data subject or which significantly affects him. Paragraph 2 of the same article establishes a number of exceptional situations, in particular, when: (a) the decision is necessary for the performance of the contract between the data subject and the data operator; (b) the decision is permitted by Union or Member State law to which the controller is subject and safeguards exist to protect the data subject; and (c) the decision is based on the express consent of the data subject. Even in such situations, operators are obliged to ensure human intervention and the possibility for the data subject to express his opinion or challenge the decision.

Regarding the key elements of the decision, the European Court ruled as follows:

  • the broad scope of the concept of “decision” is confirmed by Article 71 of the GDPR. This concept is broad enough to include the calculation of a credit score based on a probability value;
  • the probability value affects the data subject at least significantly, because in the case of a consumer’s application for a loan to a bank, an insufficient probability value determines, in almost all cases, the bank’s refusal to grant the requested loan;
  • when calculating a credit score, a credit reference agency makes an automated individual decision when a third party relies “strongly” on this probability value to establish, perform or terminate contractual relations with the data subject.

  2. Credit score in Romania

Scoring is a selection method based on a statistical analysis of an applicant’s demographics or payment history (in the case of those with previous access to credit). The system evaluates each trait of the applicant according to personal data and assigns points, thus forming a predictable risk profile. Based on this profile, the bank can make a decision to grant or refuse a loan.

In Romania, there are a number of private organizations that provide both consumers and credit institutions with a credit rating assessment. Among the best-known providers of credit scores is the Credit Bureau, a privately held company that manages a database related to the credit activities of participating financial and banking institutions. The database can be used by banking and non-banking credit institutions, insurance companies and collectors.

In the process of analyzing the application, the credit institution asks the Credit Bureau to issue a Credit Report. Personal data processed include:[2] data related to the employer, data related to the requested/provided credit products, data related to events that occur during the life of the credit product, data related to other accounts, data related to insolvency, etc.

In addition, the FICO Score can be used during the evaluation. This is a number between 300 and 850, obtained through a statistical process applied to the information registered by the participants in the credit bureau system, and it indicates the probability that the person concerned will pay his installments on time in the future.

Thus, since the evaluation mechanisms are similar across all operators, the interpretation of the European Court is also relevant for score providers in Romania.

  3. Consequences of the decision

As regards the content of the protection, under Art. 22 para. (2) and (3) GDPR, appropriate measures must be taken to protect the rights, freedoms, and legitimate interests of the data subject. Even in exceptional cases, the controller must take measures to at least protect the right of the data subject to obtain human intervention, express his point of view and challenge the decision.

In addition, as the EU Court noted, “in the event of an automatic decision, as provided for in Article 22(1) GDPR, on the one hand, the operator is subject to additional obligations to provide information in accordance with Article 13(2)(f) as well as Article 14, paragraph (2) subparagraph (g) of this provision. On the other hand, the data subject benefits, in accordance with Article 15 paragraph (1) letter (h) of the mentioned regulation, from the right to receive from the operator, among other things, relevant information regarding the logic used and regarding the importance and expected consequences of such processing for the data subject.”

The decision is consistent with the CJEU’s position to interpret the GDPR as broadly as possible in favor of the people whose personal data is processed, with a strong emphasis on consumer rights. This refers to contractual relations in general, and not to the specifics of the credit agreement process. In this sense, it has been reasonably pointed out, regarding the interpretation of the CJEU, that “this has far-reaching implications beyond credit rating, affecting sectors such as healthcare, insurance and employment where AI-based decision-making is essential”[3].

Although this decision has far-reaching implications, it should not be concluded outright that all automated scoring systems are immediately subject to Article 22 of the GDPR. Rather, it will be necessary to examine in each specific case how and to what extent the assessment influenced the decision of the credit institution (or, more broadly, the decision of the contractor considering the assessment).

The qualification of these pre-contractual evaluation operations as automated individual decisions should not be overlooked. If the creditor gives decisive weight to factors other than the credit assessment provided, then the provision of the assessment will not benefit from the protection of Article 22 GDPR. It has been pointed out that “Contracts with credit score providers usually state that lenders should not make decisions solely on this score and consider other factors before signing or not signing a contract.”[4] Thus, the interpretation of the ECJ is based on a dubious premise, which can cause a lot of uncertainty and possible difficulties in the application of the decision.

In this context, guidance from the authority responsible for the supervision of personal data on the meaning of the phrase “depends on this value” can be particularly useful.

The article was signed by Oana Zama, partner, and Mircea Vasile, junior lawyer, STOICA & Asociatii

[1] CJEU, Case C‑634/21 SCHUFA Holding (Scoring), delivered on 7 December 2023

[2] See Information on the processing of personal data in the Credit Bureau system

[3] https://www.williamfry.com/knowledge/ecj-says-no-in-schufa-case-new-decision-on-automated-decision-making/

[4] Key takeaways from recent ECJ rulings on automated decision-making, Ruth Boardman, Bird & Bird, Partner, Co-Head of the International Data Protection Practice