On the 7th of December 2023, the Court of Justice delivered a landmark judgment for the protection of the right to data protection against automated credit scoring (Schufa Holding C-634/21). The cases concerned the compatibility of data processing by SCHUFA, a German credit agency, with the GDPR and the rights to privacy and data protection. In the first case on Article 22 GDPR, the Court of Justice held that credit scoring is an automated decision as it has a determining role in granting credit.
Background
SCHUFA Holding AG, Germany’s leading credit rating agency, uses proprietary algorithms to assign credit scores to individuals. These scores significantly impact one’s ability to secure loans, mortgages, and other financial services, affecting their daily lives and economic opportunities.
In this case, the applicant contested SCHUFA’s lack of transparency in calculating credit scores, arguing that it violated their rights under the EU’s General Data Protection Regulation (GDPR). The GDPR mandates that individuals have the right to understand and contest decisions made by automated systems, especially when these decisions affect their fundamental rights and freedoms.
Is Credit Scoring an Automated Decision?
Under Article 22 of the GDPR, data subjects have the right not to be subject to solely automated decisions. When automated decisions are exceptionally allowed, according to the conditions set in the second paragraph, the data controller shall implement suitable safeguards for the data subject, such as the right to obtain human intervention, express their point of view, and contest the decision. Additionally, data subjects enjoy transparency rights, such as the right to receive ‘meaningful information about the logic involved’ (Articles 13, 14, 15 of the GDPR).
The key legal question in C-634/22 is whether credit scoring fulfils the three requirements to qualify as an ‘automated decision’.
In answering this questions, the Court of Justice followed the AG Opinion and held that Article 22 GDPR:
Must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.
You can read our case summary and access the full judgment here. For an in-depth analysis, see:
Palmiotto, F.; “‘Scoring’ for Data Protection Rights: The Court of Justice’s First Judgment on Article 22 GDPR (Case C-634/21 and Joined Cases C-26/22 and C-64/22)”, EU Law Live, 09/01/2024, https://eulawlive.com/op-ed-scoring-for-data-protection-rights-the-court-of-justices-first-judgment-on-article-22-gdpr-case-c-634-21-and-joined-cases-c-26-22-and-c-64-22-by/