Important CJEU ruling on automated decision making and credit scoring under GDPR

On 7 December 2023, the Court of Justice of the European Union ("CJEU") delivered two new judgments on the scope and interpretation of the automated decision-making restrictions under the GDPR.

In the first judgment, the CJEU examined the conduct of the German credit-rating agency Schufa Holding AG ("Schufa") in relation to its use of automated processing, including profiling, to create individual credit scores. These are passed onto third parties, such as banks, to inform credit-related decisions, such as whether to offer loans. The questions raised focused around whether generating such a credit score itself constituted "automated decision-making", which is banned under Article 22 of the GDPR where it has legal or other significant effects, except in limited circumstances.

The case stemmed from a complaint filed by an individual who was refused a loan because of a low credit rating determined by Schufa's credit assessment. When the individual submitted a request for access to, and erasure of, their personal data, Schufa refused. The data subject then appealed this decision.

The CJEU analysed Schufa's credit scoring method, which determines the likelihood of an individual's ability to repay a loan and assessed whether it constituted automated decision-making with legal or other significant effects. The CJEU ruled that calculating credit scores automatically on the basis of probability, which was employed by Schufa, does constitute automated decision-making that is restricted under Article 22. The ruling means that it is not only lenders, but also those responsible for credit scoring that informs lending decisions, that must comply with the strict conditions under which automated decision-making is permitted.

The judgment also has wider implications for organisations producing other forms of risk scoring that are used as the basis for decisions, including through the use of AI. In particular, the judgment acknowledged the influence of AI-driven decision-making systems on individuals' rights and economic opportunities, recognising that these can have highly significant effects on an individual. The CJEU noted that automatic risk scoring can be highly influential on the decision-making process: when "a loan application is sent by a consumer to a bank, an insufficient probability value leads, in almost all cases, to the refusal of that bank to grant the loan applied for". The Court broadened the understanding of "automated decision making" and extended it to encompass multiple AI-driven processes beyond direct decision making; even if such methods are an indirect factor in decisions, they can fall within the scope of the Article 22 ban.

In the second judgment by the CJEU stemming from Schufa's retention of information, the CJEU emphasised the requirement to enable data subjects to exercise their right to object and to obtain erasure of their personal data. The Court ruled that it is unlawful for private agencies to retain data for longer than the time periods provided for in member state laws applicable to public insolvency register data retention. Once information relating to creditworthiness is deleted from the public register, it would be unfair for private entities to continue to use such information to assess an individual's economic situation.  The Court determined that this is essential to allow the individual to "re-enter economic life". Schufa has now shortened its storage period for data held on personal insolvencies from three years to six months.

These judgments have far-reaching implications for multiple sectors beyond credit scoring. Numerous sectors, such as healthcare and employment use AI-powered or other forms of automated decision making as a vital part of their business. The Schufa decisions have shone a light on the applicability of the GDPR's restrictions in doing so. They may result in businesses having to reassess their decision-making safeguards and implement operational and strategic changes as a result.

Now that the CJEU has ruled that automated-decision making was indeed occurring in this case, it is up to the Administrative Court of Wiesbaden in Germany to clarify whether German federal law contains exceptions to the prohibition on automated data processing compatible with the GDPR. In accordance with Article 22, without authorisation under local law, Schufa would have to obtain explicit consent for credit calculations where the decision-making is not necessary in connection with a contractual agreement. Regardless, the Schufa decisions have highlighted that processes for calculating a credit score must be reviewed.

Authors

Katie Hewson

Jenna Franklin

Isabella Clark