Today, noyb lodged a complaint with the Austrian data protection authority against the credit reference agency KSV1870 and the energy supplier ‘Unsere Wasserkraft’. When attempting to conclude a contract with Unsere Wasserkraft, new customers are subjected to a fully automated credit check by KSV without being asked. If you are assigned a supposedly insufficient score, you are rejected by Unsere Wasserkraft without any further verification measures. Such a procedure is unlawful, as the European Court of Justice has now also ruled in a similar case. KSV 1870 and its customers seem to be shifting the responsibility for an individual case review back and forth.
Welcome ... and goodbye! In his search for a new energy provider, the complainant wanted to conclude a contract with ‘Unsere Wasserkraft’. After registering, it only took a few minutes for the company to welcome him as a new customer. However, the joy was short-lived: just one minute later, the provider informed the complainant that no contract would be concluded after all. The reason: an ‘inadequate credit rating’. For further information on the assessment of his creditworthiness, the complainant was simply referred to the creditors' association KSV1870.
Obscure business practices. But what had happened? It was only thanks to his own research that the complainant was able to find out more detailed information: KSV1870 had calculated his credit rating based on a query from Unsere Wasserkraft. The energy supplier then used the supposedly inadequate result as the basis for its decision to reject the complainant as a customer. What makes this procedure so problematic is that the decision was fully automated. This means that at no point were people involved who could have pointed out possible errors. The GDPR makes it unmistakably clear that fully automated decisions with such far-reaching effects (with a few exceptions) are generally prohibited.
Martin Baumann, data protection lawyer at noyb: ‘The GDPR contains clear provisions to protect people from the unlawful use of algorithms. Despite clear case law from the ECJ, many companies continue to ignore these rules.’
Unlawful credit check. In the meantime, the European Court of Justice ( CJEU) has also ruled that such a procedure is unlawful. In its judgement on a case against the German credit reference agency SCHUFA, the CJEU stated: If companies use the result of a credit check as a decisive factor for decisions, this credit check alone is considered a fundamentally prohibited decision in accordance with Article 22 GDPR.
KSV 1870 shifts the problem onto companies. Unfortunately, KSV 1870 does not seem to be interested in the CJEU judgement. Instead of adapting its own procedure, the credit agency falsely claims that the calculated creditworthiness values have no significant influence on the decisions of companies that use precisely this score. As a reminder: Unsere Wasserkraft rejected the complainant solely on the basis of KSV's credit assessment. There was no manual review of the application. Instead of taking care of legally compliant security measures, the companies are blaming each other: KSV 1870 believes that its cooperation partners must check individual cases, but they in turn refer their customers to KSV.
Martin Baumann, data protection lawyer at noyb: ‘In the event of a fully automated decision, consumers must have the opportunity to involve a real human being, present their own point of view and challenge the automated decision.’
Random credit ratings. The current noyb case illustrates once again how important the fundamental right to data protection is for people's everyday lives - and how random credit rating calculations seem to be. In the case now brought forward by noyb, the assessment also appears to be rather ‘creative’: shortly after the complainant objected to his credit rating at KSV, it was suddenly adjusted. Subsequently, a contract with Unsere Wasserkraft would actually have been possible without any problems. In the meantime, however, the complainant had to turn to another energy provider. However, the fact that credit ratings can be modified so easily in individual cases raises doubts as to whether they fulfil the high expectations in terms of accuracy and reliability.
Complaint against KSV1870 and Unsere Wasserkraft. noyb has now lodged a complaint against the credit reference agency KSV1870 and against Unsere Wasserkraft with the Austrian Data Protection Authority (DSB). With their actions, the companies have violated Articles 13, 14, 15 and 22 GDPR. noyb is calling on the DPA in particular to impose a processing ban on KSV with regard to the automatic calculation of creditworthiness scores as long as it is not ensured that these assessments are limited to the few authorised individual cases.