The credit agency CRIF collects personal data from millions of people in Austria and assesses their creditworthiness with a score between 250 and 700. For most people, this score is based on just a few pieces of information, such as address, age and gender. If the score is too low, those affected are unable to sign contracts with many companies, such as mobile phone providers like Magenta and Drei, electricity providers like Verbund, and banks like Volksbank Wien. All of this happens behind peoples' backs and, in our opinion, probably violates the GDPR. This affects virtually everyone living in Austria. We want to scientifically examine CRIF's score and its significance – and assess the options for a potential class action lawsuit. If you're living in Austria, we need your help!
Background: What is CRIF? CRIF is one of the two major credit agencies in Austria. The company collects vast amounts of personal data from millions of people to calculate a ‘creditworthiness score’. In other words, CRIF has built up a kind of national register in which almost everyone in Austria is listed, but very few people know about it. The score, which ranges from 250 to 700, often determines who gets contracts and who doesn't. For most people, this score is calculated based solely on age, gender and address. Tests conducted so far suggest that the score depends primarily on the address. In our view, this makes the scientific value of the score questionable. CRIF has not yet published any data for the scientific validation of the score. For example, a luxury penthouse and an apartment with an old tenancy agreement could be located in the same building. It is also possible for the same person to receive extremely different scores depending on the delivery location of an order – which of course has nothing to do with the person's objective ability to pay.
CRIF customers get delivered your data. CRIF sells the calculated creditworthiness score to a large number of companies. These include banks such as Volksbank Wien, Erste Bank, Raiffeisenbank and Oberbank, energy providers such as Verbund, mobile phone providers such as Magenta and Drei, and online shops such as Zalando. It is unclear to what extent CRIF's customers are aware of how these scores are calculated. Customers usually use this score to decide whether to enter into a contract with a person or whether to allow them to order on invoice. Finding out to what extent the score is the sole or decisive factor is also part of our project. If the personal score is too low, mobile phone contracts or energy supply contracts have often been automatically rejected in the past. Sometimes, purchase on account is simply refused and you have to pay in advance. In theory, a poor score could also lead to higher costs for loans if a bank employee were to be influenced by the score when assessing risk.
Max Schrems, Chairman of noyb: "CRIF has built up a kind of private register containing the data of almost everyone in Austria. This data is then used to calculate what we consider to be a questionable “score” for each person, which is then sold to other companies."
CRIF: Only payment data for 10%, but scores for everyone. CRIF itself states that it only has actual payment history data for around 10% of the population. This includes reports from debt collection agencies about payment problems. For the remaining 90% of the population, CRIF mostly calculates the score based solely on age, gender and address. However, CRIF goes even further: For individuals who cannot be found in the database at all, a score is still calculated – according to CRIF, based solely on the data in the request.
Max Schrems, Chairman of noyb: "There is a suspicion that CRIF is fabricating scores out of thin air – with very real consequences for those affected. CRIF could simply say 'we have no information on this person' – but it prefers to sell a score anyway. The biggest factor in all tests to date is the address. The score goes up slightly with age, and women are scored better than men."
Potentially unlawful data sources. We have reason to believe that this practice is unlawful – and that CRIF has collected the data unlawfully. For example, a large proportion of the information used for credit scores comes from the address publisher AZ Direct, which, according to Section 151 of the Austrian Commercial Code, may only pass on this information for marketing purposes. The principle of purpose limitation is set out in Article 5 GDPR. Nevertheless, the data of millions of Austrians has been sold to CRIF for €120,000 per year for years and, in our view, has been misused. The Austrian data protection authority has already confirmed in an earlier noyb case that a large part of the CRIF database is not legally compliant. However, this decision is not yet final, as CRIF has lodged an appeal. A supreme court ruling is therefore still pending. For other reasons, too, noyb believes that the data processing is likely to be unlawful. For example, CRIF has not obtained the consent of the data subjects (except in exceptional cases) and invokes a ‘legitimate interest’ to accumulate data on almost everyone in Austria.
Incorrect scores can have massive consequences. We know of numerous individual cases in which people have been denied contracts due to incomprehensible scores that have nothing to do with their payment behaviour. Comparisons between known scores are also questionable. For example, a 19-year-old doing mandatory civil service was rated rather high, while well-paid university employees were rated rather poorly. The late Dietrich Mateschitz (formerly Austria's richest man) was still alive in a test query of the database and had a score below the Austrian average. Finally, ‘Peter Pan’, ‘Jesus Christ’ and countless ‘Mustermänner’ can be found in the database. Also, addresses are often out of date – which raises questions about the quality of the data. The score for the same person can even vary by 150 points simply by using a different address when signing a contract. The effects can range from rejected mobile phone or energy contracts to theoretically higher interest rates on loans. Often, those affected are not even aware that a CRIF score is involved in the background.
Max Schrems, Chairman of noyb: ‘In some individual cases, it is clear that the score is objectively wrong – often with massive consequences for those affected. However, in order to scientifically verify whether the score is structurally correct or incorrect, we need data from thousands of affected individuals.’
Step 1: Scientific review through ‘data donations’. noyb wants to get to the bottom of CRIF's non-transparent and possibly illegal business practices. As a first step, we are therefore looking for people living in Austria who would like to help us with this project by making a ‘data donation’. This means that, with the participants' consent, we will obtain a copy of their data from CRIF. Together with a university, we will then compare their score with their actual income situation and also with the data of other participants. This will allow us to check whether the CRIF score is statistically correct. The costs for this will be covered by noyb.
Max Schrems, Chairman of noyb: "We want to examine these questionable scores using scientific methods. With just a few clicks, you can instruct us to retrieve and evaluate the data."
Step 2: Possible class action lawsuit. At the same time, we are investigating whether CRIF is violating the GDPR. In many respects, decisions have already been made by the data protection authority or the courts – even if these are often not yet legally binding because CRIF has appealed against them. If noyb finds sufficient evidence of GDPR violations, a class action lawsuit will be filed against CRIF and possibly some of its business partners in a second step. In this case, those affected could also be entitled to compensation. Amounts between €200 and €1,000 per person are common. With millions of people affected in Austria, this could quickly become the largest class action lawsuit in the country. Such a class action lawsuit would then have to be joined separately.
Max Schrems, CEO of noyb: "There are already several decisions and judgments that have found CRIF's behaviour to be unlawful. Even if these cases have not yet been finally decided, this is a good basis for a class action lawsuit. We hope to be able to file a lawsuit this year. A class action lawsuit against CRIF and its partners would probably be the largest class action lawsuit ever filed in Austria. We estimate that millions of people are affected."
Join us for free! We are looking for people from all over Austria in different age groups, with different incomes and genders. People with similar life situations are also particularly interesting. For example, people who live in the same household, are of a similar age – and actually only differ in terms of their gender.
So if you live in Austria and have 5 minutes, quickly click through the registration form and find out what data has been collected about you. By participating, you will also help us gather evidence. We will take care of the rest. Of course, there is no cost to you. Thank you very much for your support!
Who is noyb? noyb is a non-profit association and is carrying out this research and enforcement project at no financial risk to you. We are recognised by the Austrian government as a qualified entity and can therefore bring class action lawsuits (‘collective actions’).