News
CJEU RULING IN THE MATTER OF “SCHUFA” NOT ONLY AFFECTS CREDIT SCORING (C-634/21)
In December 2023, the European Court of Justice (CJEU) had to decide yet another case that will have a significant effect beyond the core facts of the case. The ruling will likely affect not only credit scoring agencies but every sector and controller that works with some probability analysis to predict and ultimately influence data subjects’ decisions or may legally affect them otherwise.
1. CASE FACTS
SCHUFA Holding AG (“SCHUFA”) is a private credit agency based in Wiesbaden, Germany. The company’s core business is to assess the creditworthiness of natural persons and legal entities based on millions of data and provide its contractual partners with a prognosis on the probability of future payment behavior of a person in the form of a ‘Score.’ The establishment of Scores (‘scoring’) is based on the assumption that, by assigning a person to a group of other persons with comparable characteristics who have behaved in a certain way, similar behavior can be predicted.
The case originally started with a natural person (“data subject”) being refused a loan by a bank presumably due to a negative credit score provided by SCHUFA. The data subject therefore made a request according to Art 15 and 17 GDPR to SCHUFA to get information on the personal data stored and to erase some of its personal data which allegedly was incorrect. In response, SCHUFA informed the data subject of its score and outlined, in broad terms, the methods for calculating the scores but refused to disclose how the calculation was made, referring to ‘trade secrecy’. Lastly, SCHUFA stated that it limited itself to sending information to its contractual partners, and it was those contractual partners who made the actual contractual decisions. The data subject then filed a complaint with the competent supervisory authority, the Hessian Commissioner for Data Protection and Freedom of Information (Hessischer Beauftragter für Datenschutz und Informationsfreiheit), which also did not react to the data subject’s expectations, so he appealed to the Administrative Court of Wiesbaden.
The Administrative Court of Wiesbaden found that the question of whether the automated establishment of a probability value concerning the ability of a data subject to get a loan in the future already constitutes a decision based solely on automated processing, including profiling, according to Art 22 GDPR, was a question of fundamental legal importance. The Administrative Court of Wiesbaden therefore issued a request for a preliminary ruling to the CJEU according to Art 267 Treaty on the functioning of the European Union (“TFEU”) to clarify how Art 22 GDPR should be interpreted in this case.
2. HELD
According to the decision of the CJEU, the applicability of Art 22 GDPR is subject to three cumulative requirements, namely:
- there must be a ‘decision’;
- such decision must be based solely on automated processing, including profiling; and,
- it must produce legal effects concerning the interested party or similarly significantly affect a data subject.
The term ‘decision’ is not defined by the GDPR. Nevertheless, the CJEU states that it is apparent from the wording of Art 22 GDPR and Recital 71 of the GDPR, that ‘decision’ not only refers to acts which produce legal effects concerning the person at issue but also to acts which similarly significantly affect that person. Therefore, the broad scope of a decision within the meaning of Art 22 GDPR includes the result of calculating a person’s creditworthiness in the form of a probability value regarding that person’s ability to meet payment commitments in the future.
According to the CJEU, profiling within the meaning of Art 4 no. 4 GDPR is a sub-case of Automated Decision Making (“ADM”) pursuant to Art 22 GDPR. The activity of SCHUFA would clearly fall under profiling within the meaning of Art 4 no. 4 GDPR and therefore the second requirement of Art 22 GDPR is met.
As regards, thirdly, the condition that the decision must produce ‘legal effects’ concerning the person at issue or affect him or her ‘similarly significantly’, the CJEU held that it was apparent from the very wording of the first question of the Administrative Court of Wiesbaden, that the action of the third party to whom a Score is transmitted from SCHUFA draws strongly on that value. Thus, according to the findings of the referring court, in the event where a loan application is sent by a consumer to a bank, an insufficient Score leads to a refusal of the loan applied for in almost any case. Therefore, the establishment of a Score by a credit agency must be qualified as a decision producing legal effects concerning the data subject or similarly significantly affecting him or her.
However, the CJEU did not leave it at that; it also ruled that any automated decision-making is always associated with profiling and vice versa. Otherwise, according to the CJEU, there would be a risk of circumventing Art. 22 GDPR and, consequently, a legal loophole by excluding the usage of a third-party score to make own decisions from the scope of Art 22 GDPR.
What the CJEU has not conclusively ruled on is the question of when a decision similarly significantly affects a data subject. But since the ruling is held very broadly and loan decisions of banks highly depend on scores by credit agencies, this question will likely come up sooner or later.
3. CONSEQUENCES OF THE RULING
However, the ruling of the CJEU in the case of SCHUFA does not only affect credit scoring but also some other areas like certain practices of marketing and e-commerce as well as artificial intelligence (“AI”).
Art 22 GDPR determines a mandatory ban on processing personal data, as soon as the three requirements mentioned above are met, with an exhaustive list of exceptions in its paragraph 2. All these exceptions include appropriate measures to safeguard the rights and freedoms as well as legitimate interests of data subjects, either by law or the controller. This means, that every practice that works with the analysis of consumer behavior (profiling and therefore ADM), which is somehow connected to decision-producing legal effects concerning the data subject or similarly significantly affecting him or her, is not allowed. As we do not know when the threshold of significance within the meaning of Art 22 GDPR is met, this could also mean that customer segmentation falls in the scope of Art 22 GDPR.
Customer segmentation, for example, tries to predict consumer behavior of different groups of customers based on the analysis of personal aspects to adapt marketing measures accordingly. This leads to some kind of probability value (Score) as to how likely it is for a person of a certain group of customers to buy a certain product or service, which ultimately may (significantly?) affect a person regarding a purchase.
This could also apply to affinity analysis in a similar way. For this analysis, a large amount of data is analyzed with regard to correlations between different factors. It is used in the diagnosis of illnesses but also in shopping basket analysis, which ultimately aims to affect buying and usage behavior. So again, this procedure works with probability values like customer segmentation and credit scoring and may significantly affect a person’s buying behavior if marketing measures are adapted solely based on that Score.
Finally, it is worth mentioning artificial intelligence in this context. Since AI always works with probabilities, it is often used to analyze human aspects and behavior, i.e., profiling according to Art 4 no. 4 GDPR. Therefore, this kind of AI has to comply with Art 22 GDPR if the results lead to an automatic decision having legal effects concerning the data subject or similarly significantly affecting him or her. Finally, according to the latest draft of the AI Act, an AI system shall always be considered high-risk if the AI system performs profiling of natural persons. Therefore, it is subject to strict transparency requirements. In the context of the SCHUFA ruling and the above, this will likely become a big question mark in the implementation of the AI Act in the following years.
Article provided by INPLP member: Stephan Winklbauer (aringer herbst winklbauer rechtsanwälte, Austria)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Februar 2025
- Jänner 2025
- Dezember 2024
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010