On 25 October 2021, the Wiesbaden Administrative Court (the Court) announced its decision, issued in early October, to submit two questions to the Court of Justice of the European Union (CJEU) concerning the scope of the protections provided for in the Article 22 (1) GDPR against automatic decision-making and profiling in connection with the calculation of an individual’s credit scores (case no.6 K 788 / 20.WI).
The case concerns a claim by an individual against the private credit reporting agency SCHUFA Holding AG (SCHUFA) after the individual was refused a loan based on a low score provided to a bank by SCHUFA. SCHUFA and other rating agencies suggest that they simply calculate scores for assessing the creditworthiness of individuals, predicting, based on this score and other characteristics of the individual, the likelihood of a future behavior (eg repayment of a loan), and share this information with its customers (eg banks). Rating agencies suggest that by calculating the score and sharing it with their clients, they are simply profiling individuals and not making any automated decisions within the meaning of Article 22 GDPR, as the actual decisions about individuals are taken by their customers.
The person asked SCHUFA to give him access to the information held concerning him and to delete certain entries from its database. SCHUFA informed the individual of their score and provided basic information on how their score calculation worked, but did not disclose details of what data was taken into consideration and how it was weighted, claiming that this information is protected as business secrets and must not be disclosed. The person filed a complaint with the Hessian State Supervisory Authority (DPA Hesse), which dismissed the complaint on the grounds that SCHUFA generally complies with Article 31 of the German Federal Law on the Protection of Persons. data (BDSG), regulating the calculation and use of scores in detail, and with pre-GDPR case law and that there is no indication that, in the individual case, SCHUFA did not comply with these requirements, concluding that the methodology for calculating the score does not need to be disclosed. The individual brought legal proceedings against DPA Hesse and SCHUFA.
The Court considered the case and decided to return to the CJEU to clarify whether the calculation by credit agencies of an individual’s credit rating and the disclosure of that rating to third parties (such as banks) without any other comment or recommendation would fall within the scope of Article 22 (1) GDPR. The Court considered that it was possible to argue that the creation of a score represented an independent “decision” within the meaning of Article 22 of the GDPR. He noted that although a different decision can, in principle, be taken by the customer of the credit agency (for example by a bank, a telecommunications provider or an owner to enter into a contractual relationship with the individual), and that this client does not have to make a decision his decision depending only on the value of the score (noting examples where individuals with a good score are always refused a loan), in practice the credit scores play a determining role in the granting of loans and the construction of loan conditions, and insufficient score values ââlead to refusals of consumer loans in almost all cases.
In addition, the Court asked the CJEU to examine whether Article 31 BDSG (regulating the calculation and use of scores in detail) is compatible with the GDPR, noting that by setting other substantive admissibility conditions to credit rating, the German legislator has gone beyond the limits for the national exemptions available under the GDPR for legal bases.
This is the second SCHUFA case that the Court has referred to the CJEU this year. At the end of August, the Court submitted a case relating to the storage by SCHUFA of information on the clearance of the residual debt (case n Â° 6 K 226 / 21.WI). The Court’s press release concerning this case is available here (only in German). While the Hessian DPA has apparently made peace with SCHUFA in recent years, aligning itself in detail with its methodology for calculating the credit score and moving away from the pre-GDPR consent requirement to submit and receive of SCHUFA data, the Court seems more skeptical. Given the widespread use of SCHUFA scores in day-to-day commerce, the CJEU ruling and subsequent court ruling will have enormous practical implications for contracts in Germany, in addition to clarifying the scope of the l ‘Article 22 (1) GDPR.
Read the Court’s press release on the case (only in German) and the CJEU file (questions, in their entirety, are not available at the time of publication of this update).