Simon Coulthard December 11, 2023
The European Court of Justice (ECJ) has ruled that the data practices of SCHUFA Holding AG - a leading German consumer credit reporting company - may contravene the EU General Data Protection Regulation (GDPR).
This decision has far-reaching implications, placing pressure on businesses to align credit decision-making practices with GDPR requirements.
SCHUFA is Germany's largest credit agency. It holds records on 68 million people and six million companies, and carries out 165 million credit checks every year. It's short for Schutzgemeinschaft für allgemeine Kreditsicherung, which roughly translates to “general credit protection agency.”
SCHUFA rates creditworthiness with a system known as scoring, which refers to a mathematical-statistical procedure that predicts the probability of a person's future behavior. The company uses data on payment history, which it receives from companies belonging to the credit protection network.
This all happens behind the scenes, and without the express permission of data subjects, making this ECJ case important to the wider credit agency industry, financial services, and beyond.
A low SCHUFA score acts as a barrier to many essential services in German life. It can, for instance, stop people being able to rent an apartment, get a credit card, or sign up to a broadband contract.
Last week (7th December), the ECJ passed a ruling on two proceedings (C-634/21 and joined cases C-26/22 and C-64/22) that have implications for the business practices around scoring by credit agencies. It focused on two main legal issues regarding SCHUFA:
The ruling against SCHUFA arose from a dispute between the company and an individual (OQ) who was denied credit based on their credit rating. OQ asked SCHUFA to disclose all the data it held on them and to erase some allegedly incorrect information. In response, SCHUFA refused to disclose what information was used to calculate their credit score and weighting.
Central to this case was the question of whether SCHUFA's processes for creating consumer credit scores constitute an "automated decision" under Article 22 of the GDPR. There was also the issue of accountability since it's not SCHUFA themselves that makes the decision, but instead the third-party companies that people apply to.
Given this, the case was referred to the ECJ by the Administrative Court of Wiesbaden for a preliminary ruling, particularly in regard to the rights and protections afforded to individuals against automated decision-making and profiling under GDPR.
The ECJ ruled that the prolonged retention of data relating to approving a discharge from debt violates GDPR. It ruled that it is "contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register [being six months]".
And after this point, credit agencies can only continue storing this data if they can prove legitimate interest as per Article 6 Paragraph 1 GDPR.
It stated that data subjects have the right to have their data deleted on request, and that SCHUFA is then obliged to act on this request and to delete this data as soon as possible.
The court also ruled that a credit agency is not allowed to process data from publicly available sources for longer than the data is still available from this source.
The ECJ held that SCHUFA's credit rating system constitutes an "automated individual decision" which is "prohibited in principle by the GDPR, in so far as SCHUFA's clients, such as banks, attribute to it a determining role in the granting of credit."
Put another way, the court has ruled that any type of automated scoring is illegal if it significantly impacts the lives of data subjects - as is the case with credit scoring.
The court also ruled that the Wiesbaden Administrative Court (ACW) must now clarify whether German law provides a permissible exception for scoring. This court is part of the German judicial system and specializes in handling cases related to administrative law.
And if this was the case, the ECJ declared that the ACW had to check whether the requirements laid out by the GDPR had been met, for instance that individuals were made aware of their right to object to an automated decision and to get a human decision instead. It also stated that credit agency data subjects had the right to receive a justification for their credit rating on request.
Secondly, the ECJ also underlined the responsibility of national courts to conduct a "full review" of any legally binding decisions of their data protection authority.
This decision is the first ruling on automated individual decision-making since GDPR arrived back in 2018, and it has far-reaching implications that go beyond SCHUFA and the wider credit scoring industry: