Credit Scoring: Negative credit rating generated without data
noyb.eu filed a GDPR complaint against the credit rating agency "CRIF", which is active in over 28 countries. CRIF assigned a "score" of exactly 446 out of 700 possible credit points to a debt-free electricity customer with a well-paid permanent job. This is astonishing, as CRIF emphasised several times that it did not know the person concerned and did not have any data stored on him. The score was calculated out of nowhere. However, the consequence was very real: the electricity company refused to sign a contract with him.
- Download: German Complaint to the Austrian Data Protection Authority (PDF)
- Download: English Machine Translation of the Complaint (PDF)
Like a magician with a rabbit, CRIF has conjured “creditworthiness” out of thin air.
An electricity customer wanted to sign a new electricity contract. The energy supplier unexpectedly refused to sign the contract. The reason: his credit rating was too low - rather surprising given his income and profession, which should be more than sufficient to pay for electricity. In response to further inquiries, it was explained that his CRIF credit score was only 446 points, while the minimum requirement for an energy contract was 650 points. The customer then approached CRIF and requested access to his information in accordance with Article 15 GDPR. CRIF responded by claiming that it had not stored any personal data on him as a consumer. The negative score must therefore have come out of nowhere.
"CRIF's response is astounding. How can an exact credit rating score be calculated if no data are allegedly stored on the person? It seems that CRIF calculated a razor-sharp score of 446 points from the mere request data, i.e. name, address and date of birth. Whoever lives at the wrong address or has the wrong date of birth will not get an electricity contract. It's probably fairer to close your eyes and pick a random number between 1 and 700." - Alan Dahi, privacy lawyer for noyb.eu
Data processing has to follow certain principles according to the GDPR. One of these is the principle of data correctness, or accuracy - personal data must be correct in content. Arbitrary “voodoo” scores that stigmatise customers and exclude them from electricity supplies are clearly illegal.
"If a person is actually not stored in the CRIF database, the result would have to be 'Person unknown', not 446. A score without a basis is inherently incorrect and thus a violation of the GDPR." - Alan Dahi, privacy lawyer for noyb.eu
Trade secret? Electricity customer is in the dark.
CRIF refused to explain how the credit score had been calculated, despite repeated requests - although according to the GDPR, every person concerned has a right to know the logic behind such calculations. This was justified with the blanket claim that CRIF’s decision-making process was "a trade secret"; however, such a “secret” can leave affected electricity customers literally sitting in the dark.
"First, consumers can no longer conclude contracts because completely illogical assessments are invented. Then you can't even know how these evaluations are made. The consumer becomes a pawn in an algorithm." - Alan Dahi, privacy lawyer for noyb.eu
No electricity - and no responsible person
The electricity supplier cited the CRIF credit score, which was too low, as the only reason why it was not possible to supply energy and submitted the credit report obtained from CRIF as evidence. The customer was not given the opportunity to prove that his creditworthiness was in fact impeccable and still obtain an electricity contract. However, when asked, CRIF stated that it had not carried out any credit assessment and that the decision on whether to conclude the contract was made solely by the electricity supplier.
Complaint filed, with a potential fine of up to €20 million
Due to the lack of information and the obviously incorrect data, noyb has filed a first complaint with the competent Austrian data protection authority.
"We have requested that the data protection authority closely examine the processing operations by CRIF. The authority can prohibit these types of arbitrary credit rating decisions and also impose a penalty for them. This should make false evaluations less likely." - Alan Dahi.
noyb takes credit agencies into focus
Credit rating agencies sometimes have great power over consumers and have so far shown little responsibility in exercising this power. Often they follow national traditions instead of the GDPR, which has been in force throughout Europe since 2018. Not only is the quality of the calculations often questionable, it is even unclear on what basis private companies such as CRIF or the Schufa in Germany give themselves the right to create large databases on the finances of millions of Europeans.
"We honestly do not see any basis for these companies to create a data collection on the finances of every citizen. The complaint against CRIF is therefore only a first step. Over the next few months and years, we will examine the whole industry piece by piece and Europe-wide and conduct appropriate GDPR proceedings." - Alan Dahi, privacy lawyer at noyb.eu