In the landmark SCHUFA case (case C-634/21), the Court of Justice of the European Union (CJEU) has held that the generation of credit scores by credit reference agencies (CRAs), which are then heavily relied on by lenders in making loan decisions, brings those CRAs within scope of the prohibition on automated decision-making in Article 22(1) of the GDPR.
This is an important decision which has potentially significant impacts for both CRAs and lenders.
SCHUFA AG Holding (SCHUFA) is a German credit reference agency. The applicant, OQ, brought a claim against SCHUFA following a refusal of her loan application by a German bank based on a credit score that was generated and provided by SCHUFA. OQ requested that SCHUFA erase the data entry related to her as well as provide her with access to the same data. SCHUFA simply informed her of the relevant score and provided a broad outline as to how the calculations had been made, but not the specific data used in the calculation (asserting this information was a trade secret). SCHUFA argued that its generation of the credit score did not constitute automated decision-making for the purposes of Article 22 of the GDPR, as the bank was ultimately responsible for making the decision whether to accept or reject OQ’s application.
Article 22 prohibits wholly automated decisions with legal or similarly significant effects, except in certain circumstances, namely where the wholly automated decision is necessary for entering into or performing a contract with the data subject, there is explicit consent from the data subject, or the automated decision making is allowed under EU or national law.
After her claim was initially rejected, OQ appealed and the domestic court in Germany referred the case to the CJEU.
The CJEU ruled that the calculation of credit scores by CRAs such as SCHUFA did, in fact, fall within the definition of “automated individual decision making” under Article 22 of the GDPR.
In reaching its conclusion, the court looked at the three conditions that need to be met for Article 22 to be engaged:
The court also noted that, if SCHUFA was not held to be subject to Article 22, this would leave a gap in protection for the data subject, as SCHUFA would not be obliged to provide the data subject with meaningful information about the logic involved in the decision-making (information which the bank itself would not have).
The upshot of the CJEU’s decision is that SCHUFA was held to be responsible for complying with Article 22 of the GDPR when processing personal data to generate credit scores. It is not clear if any of the exceptions apply in SCHUFA’s case, as the CJEU referred the matter to the German national court as to whether there was a provision within German law that allowed this type of automatic decision making.
As the calculation of credit scores by CRAs has been held to fall within the Article 22 prohibition in certain circumstances, CRAs will likely be concerned about the impact of the decision. It appears from the judgment that, in circumstances where a lender does not place significant weight on a credit score when making loan decisions, the credit reference agency’s activities would not be caught by the Article 22 prohibition. Therefore, CRAs will likely want to seek assurance from their lender clients that they do not “draw strongly” on these credit scores in making these decisions, to avoid the prohibition laid out under Article 22(1). If lenders do intend to rely heavily on credit scores, such that Article 22(1) would be engaged, both the lender and the CRA will need to identify an appropriate exemption from the prohibition.
Although the CJEU did not opine on whether any of the exemptions to the prohibition applied in this instance, leaving this instead to the domestic court, explicit consent is likely to be an unrealistic and time-consuming means for CRAs to meet the necessary requirements. Lenders often rely on these decisions being necessary for entering into contracts with the end customer, although the German court does not appear to have considered this in its assessment. This may be due to a quirk in translation; the English language version of Article 22(2)(a) of the GDPR, which provides an exemption to the general prohibition on automated decision-making, differs to the German translation of the GDPR. The English version allows automated decisions that are necessary for the performance of a contract between the data subject and “a data controller”. However, in the German version, the same exemption applies if the contractual relationship is between the data subject and “the controller”. As there was a direct contractual relationship in place between the data subject and the bank (a controller, albeit not the controller looking to rely on the exemption), if this had happened in the UK, a different interpretation may have been found, presenting an interesting potential divergence between the UK and EU.
The SCHUFA case represents a break with the previous understanding that only the lender relying on a credit score was carrying out automated decision-making and will certainly cause ripples across the financial services sector. Although the decision is an EU decision, the applicable principles are currently the same in the UK.
Authors: Emma Erskine-Fox, Samuel Dunne
For advice on new developments in data protection law and how this might apply to you, please contact our expert Data, Privacy & Cybersecurity team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.
Date published
05 August 2024