ECJ judgment on SCHUFA score – what companies now need to consider
Many companies rely on a person’s credit score from German credit rating institution SCHUFA to assess whether they can trust that person’s willingness and ability to pay and whether they should enter into a contractual relationship with them. After all, this score is calculated based on a large number of characteristics and information on a person. However, in a judgment handed down on 7 December 2023 (judgment of 7 December 2023 - C-634/21), the European Court of Justice (ECJ) expressed doubt as to whether it is permissible under data protection law for credit information agencies to calculate a score which companies will later use as the sole basis for their decisions. Credit rating agencies’ business models are therefore under great strain, which may also have an impact on companies that rely on them.
Background
In a decision issued on 1 October 2021, Wiesbaden Administrative Court referred two questions to the ECJ for a preliminary ruling, which essentially concerned the permissibility of SCHUFA scores and business decisions based on them under data protection law.
The reference for a preliminary ruling was based on the following case: The claimant applied for a loan, which her credit institution refused to grant her on the basis of her SCHUFA score. SCHUFA, which joined the proceedings, had transmitted this score, which was calculated on the basis of certain characteristics, to a credit institution wishing to assess the claimant’s creditworthiness.
The claimant then requested SCHUFA to provide her with data access and erase the personal data it had registered about her. In response to that request, SCHUFA only informed the claimant of her personal score and outlined the general methods for calculating scores. Moreover, referring to trade secrecy, it refused to disclose which specific information was used for calculating her score and how the information was weighted. The claimant then lodged a complaint against the refusal with the Hessian Commissioner for Data Protection and Freedom of Information, but this was unsuccessful. She subsequently brought an action before Wiesbaden Administrative Court, which initially referred the matter to the ECJ. In essence, the administrative court wished to know whether the automated establishment of a probability value in relation to a person’s ability to fulfil their future payment obligations (score) constituted automated decision-making within the meaning of Article 22(1) of the General Data Protection Regulation where this score had been transmitted to a third party (in this case, the credit institution) and the latter had used that score for deciding on the establishment, implementation or termination of a contractual relationship with the data subject.
ECJ: SCHUFA scoring can be an automated decision within the meaning of Article 22(1) of the General Data Protection Regulation
The ECJ has now ruled that the creation of such a score by a credit rating agency can constitute automated decision-making under Article 22 GDPR if the decision of a third party draws strongly on this score.
Article 22(1) GDPR confers on data subjects the right not to be subject to a decision solely based on automated processing that produces legal effects concerning them or similarly significantly affects them. According to the ECJ, the term “decision” is to be interpreted broadly so that it can also include the result of the calculation of a person’s future solvency as a probability value (score). The ECJ stated that the automated creation of this score at least also “significantly affects” the data subjects to the extent that the actions of third parties draw strongly on this score. For example, loan applications are frequently rejected by banks due to a score being insufficient.
According to the ECJ, such an approach safeguards the GDPR’s increased requirements for the lawfulness of automated decision-making, which are intended to protect data subjects from the particular risks of such data processing. Especially in cases where three stakeholders are involved, there would otherwise be a risk of a gap in legal protection. If the establishment of the score were only to be considered a preparatory act for the actual “decision” (e.g. by a bank) within the meaning of Article 22(1) GDPR, the establishment of the score would not have to fulfil the special requirements of Article 22(2) to 22(4) GDPR for automated decision-making. This would also mean that data subjects were deprived of the opportunity to obtain meaningful information pursuant to Article 15(1)(h) GDPR about the logic involved in and the significance of processing. They would not be able to assert their right to information against the relevant credit rating agency (in this case SCHUFA) while third-party companies would simply not have the requested information.
Applicability of section 31 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) left open
German data protection law does in fact contain a provision that allows scoring and credit reports for the protection of trade and commerce (section 31 BDSG). However, the ECJ left open whether this provision was suitable as a legal basis within the meaning of Article 22(2)(b) GDPR for a decision based solely on automated processing. In order for this to be the case, the provision would have to fulfil the requirements in the GDPR for a national derogation. The German courts will now have to examine whether this is the case.
Storage of data from public registers
The ECJ also ruled on 7 December on two further requests for preliminary rulings from Wiesbaden Administrative Court in connection with data processing carried out by SCHUFA. The subject matter of these proceedings (joined cases C-26/22 and C-64/22) was whether credit information agencies are permitted to store data from public registers. Specifically, SCHUFA had stored information on discharged bankrupts for three years and thus for longer than the six-month period for which the data was simultaneously stored in the public insolvency registry. The ECJ has now ruled that this violates the General Data Protection Regulation. It was of the view that a discharge from bankruptcy was of existential importance for a data subject and that therefore such data should not be stored by private credit information agencies for any longer than the German legislature allowed for the public register. It therefore held that to this extent data subjects had the right to have this data erased by credit information agencies. Furthermore, the ECJ was of the opinion that it was for the referring court to examine whether or not the parallel storage of this data in the databases of credit information agencies was even permissible before the expiry of the (statutory) six-month period.
Consequences of the scoring judgment for companies
In order to protect themselves and act in compliance with data protection regulations, companies should now urgently review the basis on which they make their decisions to enter into contracts with individuals and the role SCHUFA scores play in this. It is likely that SCHUFA will contact companies again and impose requirements on their use of scores or request them to make certain declarations. This had already happened in the past in anticipation of today’s ECJ judgment. We would be happy to advise companies on the options available to them for responding to the rulings.