Note: The judgments are not connected to noyb cases
CJEU landmark rulings on “credit ranking” and review of DPAs
The European Court of Justice (CJEU) today issued two landmark judgments in proceedings against the German credit reference agency SCHUFA, which previously enjoyed considerable freedom in Germany. The CJEU confirmed that national courts have extensive powers to scrutinize data protection authorities – thereby strengthening the rights of data subjects. Furthermore, the court ruled that the assignment of automatically calculated credit scores is not in line with the GDPR.
What’s the business of credit ranking? Companies like SCHUFA are so-called credit reference agencies. They collect vast amounts of personal data in order to assign people an alleged creditworthiness. This score is used by banks and companies to assess if someone should get a loan or mobile phone contract.
Background: Data deletion and automated credit scoring. The starting point for the now-decided CJEU proceedings was two complaints against SCHUFA before the Hessian Data Protection Authority (HBDI). In one case (joined cases C-26/22 and C-64/22), the data subject had requested the deletion of insolvency data from the SCHUFA database after it had already been deleted from the public insolvency register, from which SCHUFA had taken it and then continued to store it. The HBDI not only dismissed the case but even argued that the competent court cannot review its decision on the merits. The second case (C-634/21) concerned the question of whether SCHUFA is allowed to automatically issue credit scores at all - or whether this constitutes an "automated decision in individual cases", which is largely prohibited by the GDPR.
The judgment in joined cases C-26/22 and C-64/22
Full judicial review of data protection authorities. The CJEU ruling massively increased the pressure on data protection authorities (DPAs). In some EU member states, including Germany, they have so far assumed that a GDPR complaint from data subjects is merely a kind of "petition". In practice, this has meant that despite an annual budget of €100 million, the German DPAs have rejected many complaints with bizarre justifications and GDPR violations have not been pursued. In countries such as Ireland, more than 99% of complaints were not processed and in France any right of those affected to participate in the procedure concerning their own rights was denied. Some DPAs, such as the Hessian authority in the present case, have also argued that the courts are prohibited from reviewing their decisions in detail.
More rights for data subjects. The CJEU has now put an end to this approach. It has ruled that Article 77 of the GDPR is designed as a mechanism to effectively safeguard the rights and interests of data subjects. In addition, the court has ruled that Article 78 of the GDPR allows national courts to carry out a full review of DPA decisions. This includes assessing whether the authorities have acted within the limits of their discretion.
Raphael Rohrmoser, lawyer for the plaintiff in this case: "The European Court of Justice has massively strengthened the rights of the data subjects. The storage of data from public registers is not permitted for longer than in the register itself."
The judgment in case C-634/21
Credit ranking business on shaky ground. But that’s not all. With its judgment in case C-634/21, the CJEU is shaking up the entire business model of SCHUFA (and other credit agencies): the fully automated calculation of supposed creditworthiness using opaque algorithms falls under the special protection of Article 22 GDPR. This provision prohibits the use of personal data for fully automated decisions that have a "significant adverse effect" on data subjects. In other words, decisions of a certain scope should not be made by algorithms alone.
Marco Blocher: "Simply assigning citizens an incomprehensible credit score and then automatically refusing contracts is a thing of the past thanks to the CJEU judgment."
A ban of automated credit scoring. The credit agency industry has so far argued that even a terrible credit score, which would certainly prevent a person from concluding a large number of contracts (such as loans, insurance, rent or electricity supply contracts), is not a "negative decision". According to them, the final decision is made by the company using the score. The CJEU takes a different view and has now ruled that the attribution of creditworthiness can already constitute a decision under Article 22 GDPR. This means that automated credit scoring in its current form is prohibited for credit agencies throughout the EU. If SCHUFA wants to calculate people's creditworthiness in future, it will need their express consent. In addition, it must be possible for data subjects to challenge a credit score.
Raphael Rohrmoser, lawyer for the plaintiff in this case: "It should not be underestimated that the data subjects can now regularly take legal action against official decisions. This will certainly strengthen the enforcement of GDPR rights."