Today the ECJ ruled in two proceedings (C-634/21 and joined cases C-26/22 and C-64/22) on legal issues relating to business practices in credit scoring by credit agencies.
According to the court, the calculation of the score value by the credit agency already constitutes automated individual decision-making within the meaning of Art. 22 GDPR, which is prohibited in principle, if the customers of the credit agency rely significantly on this score when making their decisions. The Wiesbaden Administrative Court must now clarify whether German law provides a permissible exception for scoring.
Furthermore, a credit agency may not retain data taken from a publicly available source for longer than that data remains available in the source itself. And finally, the content of a decision by a data protection supervisory authority on a complaint is subject to full judicial review.
Background
The subject of the joined cases C-26/22 and C-64/22 is the question of whether a credit agency may collect information from publicly available sources for scoring purposes on the basis of its legitimate interest and may continue to store and process this information even after it has been deleted from the public source. Scoring refers to a mathematical-statistical procedure used to predict the probability of a natural person's future behavior. The court also had to clarify whether data subjects who have lodged a complaint with a data protection supervisory authority can challenge the content of the decision the supervisory authority takes on that complaint, or only the authority's failure to act on it at all.
The subject of proceedings C-634/21 is the question of whether the score calculated by a credit agency and used in credit decisions already constitutes automated decision-making within the meaning of Art. 22 GDPR. The court also had to clarify whether the legal basis for credit scoring under German law is compatible with the GDPR.
The decision
In the joined cases C-26/22 and C-64/22, the ECJ ruled that credit reference agencies must delete personal data they have collected from public registers once that information is no longer available in the public register after the prescribed period. According to the ECJ, such storage of data by the credit reference agency can only be based on legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. However, the ECJ has concerns as to whether such a "shadow database" containing information from the public register (in this case, insolvency announcements) is compatible with the principle of data minimization. In any case, according to the ECJ, once the information is deleted from the public register after six months, the corresponding entries at the credit agency must also be deleted. The referring administrative court in Wiesbaden will have to examine conclusively whether credit agencies may maintain such shadow databases at all, or whether the data may be held only in the public registers.
Furthermore, the ECJ has ruled that data subjects who lodge a complaint with a data protection supervisory authority can also have the content of the supervisory authority's subsequent decision reviewed by a court. However, the supervisory authorities have broad discretion as to which measures they take against controllers or processors in response to a complaint. In this respect, judicial review of the chosen measure is limited to whether the supervisory authority has actually exercised that discretion.
In Case C-634/21, the ECJ ruled that scoring constitutes automated individual decision-making. It had previously been disputed whether the decision is made by the credit agency that calculates the score or by the customer of the credit agency, who uses the score to decide, for example, whether to grant or refuse a loan. The ECJ located the decision-making at the credit agency itself, at least where the customer of the credit agency makes its decision dependent on the result of the score calculation. Without a legal basis that expressly permits such automated decision-making, and in the absence of a contract with the data subject, the credit agency would therefore have to obtain the data subject's explicit consent to the score calculation. The Wiesbaden Administrative Court must now clarify whether the German rules in Section 31 BDSG can constitute such a legal basis.
Impact of the decisions on practice
The ECJ's decisions have several relevant consequences that go beyond the credit sector:
- The calculation of scores by credit agencies cannot continue in its current form. Processes that rely on score values (such as the selection of payment methods offered to a customer) must be reviewed and adapted.
- Companies' own scores must be checked for their specific effects. If decisions that significantly affect the data subject are largely based on such a score, the calculation of the score is itself already an impermissible automated decision-making process.
- The data used to calculate a score must be checked for lawfulness, regardless of whether automated decision-making is involved. For negative entries in particular, it must be checked whether a legitimate interest in continuing to use them still exists.
- Consents intended to legitimize a decision based on a score value must be checked for validity. Consent to automated decision-making is only effective if it covers the right decision, which, where applicable, is the score calculation itself rather than only the subsequent decision based on it.
- Score values that are no longer up to date, or where there is a risk that they were calculated unlawfully, must be deleted.