The CJEU took a rigid position on the potential violation of the GDPR by credit scoring systems that might have impacts on banks, even in the light of the upcoming EU AI Act on artificial intelligence.
In a landmark decision on December 7, 2023, the Court of Justice of the European Union ("CJEU") issued judgments in case C-634/21 | SCHUFA Holding (Scoring) and joined cases C-26/22 and C-64/22 | SCHUFA Holding (Discharge from remaining debts). The decision highlights the complex relationship between digital practices, particularly those employed by credit reporting agencies, and the rights and freedoms guaranteed by the General Data Protection Regulation ("GDPR").
Challenge to the Status Quo
At the heart of the issue are the controversial practices of SCHUFA, a private credit reporting agency under scrutiny for its scoring methodology and for its prolonged retention of information, taken from public records, concerning the release of individuals from outstanding debts. Several individuals complained that the competent data protection commissioner had failed to act in defense of their rights and therefore turned to the Wiesbaden Administrative Court, which in turn asked the CJEU to identify the scope of the GDPR in this specific matter.
Credit Scoring and Its GDPR Criticalities
Credit scoring is the process of evaluating an individual or entity and assigning it a numerical score based on various specific factors. It is a common application in the financial context. Credit scoring agencies use statistical models to analyze a person's financial and behavioral data and assign them a credit score. This score reflects the likelihood that an individual or business will honor its financial obligations, such as the repayment of loans or credit cards. The higher the score and rating, the more likely the individual is to be considered financially reliable.
In the CJEU decision, this practice was considered an automated individual decision, a practice generally prohibited by Article 22 of the GDPR, whose first paragraph grants the individual the right "not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
Indeed, the court held that if SCHUFA's clients, such as banks, give the score a decisive role in approving or refusing credit to data subjects, the scoring falls squarely under the GDPR prohibition. However, the ruling leaves it to the national courts to assess whether exceptions under the German Federal Data Protection Act apply in compliance with the GDPR.
The Prolonged Retention Period of Credit Scores
The CJEU also addressed the issue of the prolonged retention of data relating to the release from outstanding debts, clearly stating that such practices contradict the GDPR once the identified retention period is exceeded. The importance of this information stems from the real possibility for individuals to reintegrate into economic life and to access credit again. The CJEU in fact reiterated that the use of such data beyond those limits can harm the rights and interests of the individuals concerned.
In contrast to the six-month retention period established by the German legislature for the public insolvency register, SCHUFA, according to its code of conduct, applied a three-year retention policy in its proprietary databases. This three-year term was found to violate the GDPR, since it may not exceed the six-month period stipulated for the public insolvency register.
The CJEU clarified that the data subject's rights must prevail once the retention period established by German law for the public insolvency register has expired. Beyond that period, data subjects have the right to prompt deletion, and credit agencies must comply promptly. The ruling leaves to the national courts the task of examining the lawfulness of SCHUFA's retention of such data during those six months, striking a delicate balance between the agency's interests and the rights of data subjects.
What Should Banks and Companies Do Next, Also Considering the EU AI Act?
It is worth noting that the CJEU's position did not ban credit scoring systems as such, but left it to the courts to assess whether exceptions to the prohibition in Article 22 of the GDPR apply. These exceptions will become far more relevant with the upcoming EU AI Act since, according to the information disclosed on the provisional agreement, artificial intelligence solutions used in the banking sector will require a fundamental rights impact assessment and are likely to fall under the high-risk regime.
If you want to know more about the upcoming EU AI Act, you can read the following article: "EU AI Act Approved: Everything You Need to Know on the Artificial Intelligence legislation in Europe".
Authors: Giulio Coraggio and Marco Guarna