An investigation into data flows at the Austrian credit agency CRIF has shed further light on the matter: most of the address data in the CRIF database comes from address brokers AZ Direct (Bertelsmann Group), Compass-Verlag and DPIT in Vienna. But where do these address traders get their data from? A new noyb evaluation involving more than 2,400 affected individuals shows that they access public registers such as the company and land registers, the register of associations and the Business Information System (GISA) which was introduced in 2015. Compass also lists the chamber of commerce (WKO) as a data source. However, it remains unclear where AZ Direct (CRIF’s largest data supplier) obtains its data. AZ Direct says it does not know where it got the data on 7 million people in Austria.
Data extracted from public registers. The credit agency CRIF obtains most of its address data from the address brokers AZ Direct, Compass-Verlag and DPIT. Thanks to access requests made on behalf of the more than 2,400 participants in the CRIF project, we now know: the three address brokers primarily use public registers such as the Registry of Deeds and company register, the register of associations and the trade register.
Max Schrems, chairman of noyb: “Of course these registers are not actually intended to satisfy the desires of data brokers, but to prove entitlements, ownership and powers of representation.”
Land register, commercial register, ZVR, GISA and WKO. Specifically, Compass-Verlag frequently states that it has obtained data from the commercial register, the register of associations (ZVR) and the trade register (GISA). The Chamber of Commerce (WKO) also appears as a source and apparently passes on data from its own members. Meanwhile, DPIT states that it accesses the land register, the commercial register and the trade register. This means that every self-employed person, every property owner and everyone active in a association was potentially recorded. However, it is not information on property or business activities that is used for credit rating purposes. Instead, only names, dates of birth and addresses are used.
Max Schrems: “Public registers are used as address books, not for their actual purpose of providing economic or legal evidence. In the end, the economically relevant data is not used for credit rating at all – it's only about the master data.”
Government does nothing to combat ‘scraping’ of public registers? Public registers are indispensable in a well-administered state of law (e.g. to check whether someone has a business licence or is the owner of a property). In the past, this had to be done manually. Thanks to digitalisation, most registers are now also available online – but apparently often without sufficient protection against large-scale ‘scraping’. Basic protective measures such as captchas, query limits per IP address, or terms and conditions that clearly stipulate that data may only be used for specific purposes (e.g. to verify a trade, ownership, or power of representation) seem to be lacking.
Max Schrems: "Austria lacks clear technical and legal regulations to prevent mass scraping for other purposes. Anyone who tries to protect their own privacy is currently being “outed” by the state – and companies are collecting this data on a large scale. It is high time that politicians curb this abuse with technical query limits and clear purpose restrictions. We do not maintain the register of associations for the advertising industry or for data traders."
The law is clear: public registers are subject to ‘purpose limitation’. Not only is it obvious that this commercial reuse is not in the public interest, it also violates the GDPR principle of ‘purpose limitation’ in Article 5(1)(b) GDPR. The Austrian Data Protection Authority (DSB) has already decided with regard to the Registry of Deeds that, for example, further processing for advertising purposes violates the GDPR. The well-known CJEU ruling on the ‘right to be forgotten’ also concerned legally published data, which, however, could not simply be reused by Google Search.
Max Schrems: “Just because data is publicly available does not mean it can be used for any purpose. You cannot simply film people on a public street for your own purposes.”
AZ Direct: 7 million data records without a source? Meanwhile, AZ Direct, part of the large German Bertelsmann Group, is revealing a completely different problem: despite its legal obligation to provide information, the address dealer has not disclosed specific data sources for almost any of the 2,400 participants. However, AZ Direct has sold a total of more than 7 million data records to CRIF. It is currently completely unclear where CRIF's largest data supplier obtains its information – which also makes it impossible to exercise one's GDPR rights.
Max Schrems: “It is completely ridiculous that a Bertelsmann subsidiary, which has the private data of 7 million people in Austria, does not know where the data comes from. Currently, a data set containing almost everyone in Austria could come from any source – those affected have no way of checking whether the sources are legal.”
Path to class action lawsuit: Detailed evaluation almost complete. noyb continues to work on a detailed evaluation of the credit scores received from the 2,400 participants. Together with a professor of financial mathematics, the more than 28,000 scores received are being compared with the actual financial data of those affected to find out whether the CRIF scores are statistically sound. Currently, all indications seem to suggest that the CRIF score has little to do with the actual individual financial situation and does not provide a reliable risk assessment for people who always pay their bills. For these 90% of the population, the score is essentially based only on age, gender and address. Further results are expected in the coming weeks. After that, noyb will decide whether to file a larger class action lawsuit against CRIF, which is likely to affect millions of people. In the event of unlawful processing of personal data, each affected person could be entitled to relevant claims for damages.
