Data voodoo: Credit ranking agency CRIF creates creditworthiness out of thin air. Data protection authority also demands disclosure of "scoring" logic.
After about a year, the Austrian Data Protection Authority (DPA) finally issued a decision on our first complaint against the credit reporting agency CRIF. CRIF had attributed a negative credit rating to a data subject although the person was unknown to the credit agency. The individual was not given an electricity contract due to allegedly having "poor" creditworthiness.
The DPA notes, first, that CRIF must disclose to the querying companies that the "creditworthiness" was only calculated from address, gender, name and date of birth. Second, CRIF must (unlike in Germany, for example) explain the scoring to the consumer concerned.
Information insufficient - CRIF must explain how score came about.
The data subject had invoked their right of access under Article 15 GDPR to request the processing purposes and recipients of their data. This week, the DPA held that the credit assessment operated by CRIF is considered "profiling", as personal data was assessed and analysed in order to predict the data subject's future likelihood of default. The DPA considers CRIF's activities a particularly intensive interference with the data subject's data protection rights, as the complainant was attributed a negative score even though they had never generated any real payment history (such as debt collection cases or insolvency proceedings). CRIF had tried to avoid even minimal transparency and, until the end of the proceedings, had refused to provide any explanation as to how the specific score had been arrived at. To no avail: the DPA has now ordered CRIF to provide information. Only the concrete computer logic is protected as a trade secret.
Alan Dahi, data protection lawyer at noyb: "The decision is an important step towards greater transparency for those affected. Credit bureaus have always made a complete secret of their internal processes, although they like to earn their money with other people's information. Now it is clear: under the GDPR, credit reporting agencies must also explain in an understandable way how the sometimes absurd scores are compiled. We are curious to see how CRIF intends to explain the completely arbitrary score of the person concerned in this case."
Illegitimate calculation of creditworthiness based on demographic data.
The DPA also criticised CRIF's lack of transparency vis-à-vis its customers. CRIF does not sufficiently disclose that in most cases the creditworthiness score it sells is calculated merely on the basis of demographic data such as sex, age and place of residence. CRIF's customers are therefore given the impression of poor creditworthiness without the person concerned ever having caused negative payment experience data. Ultimately, this can lead to an impairment of economic progress and to discrimination against the person concerned. The DPA therefore decided that, in such cases, CRIF cannot rely on legitimate interests under Article 6(1)(f) of the GDPR, since the interests of the data subject not to be disadvantaged in commercial transactions outweigh the processing interests of CRIF. The company must now comprehensively redesign its credit reports - so that a data subject can fairly explain to CRIF customers why the score given out by CRIF has little to do with reality.
Alan Dahi: "CRIF must indeed disclose to its customers that these are in fact mere voodoo scores, which are calculated without any real creditworthiness data. The score calculated by noyb is not an isolated case. Less than 10% of Austrians actually have negative data according to CRIF's own information - so 90% only have an address, date of birth and name."
The decision of the Austrian Data Protection Authority is not legally binding. We assume that both noyb and CRIF will challenge parts of the 20+ page decision.