Businesses must carefully consider implications of European court’s ruling
In a judgment delivered on December 7, 2023, the European Court of Justice (ECJ) held that a credit score issued by the German credit bureau Schutzgemeinschaft für allgemeine Kreditsicherung – better known by its acronym “SCHUFA” – must not be the sole determining factor for assessing creditworthiness (case ref.: C-634/21). While the ruling has been welcomed for its positive impact on consumers, it also has far-reaching implications for businesses, which will need to examine whether their decisions and decision-making procedures surrounding the conclusion of contracts are in line with data protection laws, or whether their current practices potentially violate the provisions of the General Data Protection Regulation (GDPR).
Virtually everyone in Germany has come into contact with SCHUFA, often without realizing it. This is because companies commonly turn to credit bureaus for information about an individual’s creditworthiness, e.g., before a bank issues a loan, before cell phone contracts are concluded, when switching energy providers, etc. A poor score can result in the individual being rejected for a contract or a loan. The ECJ has now ruled that this common practice is unlawful in this form and in breach of the GDPR. The ruling has implications for businesses that have made certain decisions on the basis of one of these score values, explains an expert in IT law at MTR Legal Rechtsanwälte.
Score a statement of creditworthiness
The process of generating a credit score involves the use of mathematical and statistical techniques to assess a consumer’s creditworthiness. The worse a person’s score is, the more difficult it is for them to obtain a loan or conclude certain contracts. The judgment in question followed a request by Wiesbaden’s administrative court – the Verwaltungsgericht Wiesbaden – for a preliminary ruling from the Luxembourg court on whether this procedure is lawful. In particular, the ECJ was asked to clarify whether the scoring process violates Art. 22(1) of the GDPR, according to which decisions that give rise to legal effects for the person concerned must not be solely the product of automated processing.
The affected individual in this case was a woman who had been denied a loan due to her poor score. She subsequently demanded that SCHUFA delete her credit rating and grant her access to the relevant stored data. But the credit bureau only provided her with her calculated score value and the general principles behind the calculation. It did not provide any further details about the information that informed the calculation.
Unlawful automated decision-making
The ECJ stated that a score should generally be regarded as the product of an unlawfully automated individual decision-making process, as defined in the GDPR, if the decision of a bank or other company to issue a loan or conclude a contract is largely dependent on the score value. Decisions such as these should not be made primarily on the basis of a general and anonymous algorithm. Individual circumstances need to be taken into account as well.
Consumers will be happy with this outcome. Banks and other businesses that have made decisions mainly on the basis of a score, on the other hand, now need to consider how they can ensure that their decisions comply with the GDPR.
The team of legal experts at MTR Legal Rechtsanwälte advises clients on IT law and the General Data Protection Regulation.