The Court of Justice of the European Union (CJEU) issued a landmark SCHUFA case or judgement (OQ v Land Hessen) on automated decision-making (ADM) and EU data protection about credit scoring. On 7 December 2023, it ruled that companies may not decide on the creditworthiness of a data subject solely on the basis of an automated credit scoring, especially if the score is ascribed a decisive role in the granting of credit.

Who should care about this judgement and why?

  • Credit bureaus or scoring agencies: Organisations that assess creditworthiness must adapt their practices to comply with GDPR requirements, ensuring they do not solely rely on ADM.
  • Other service providers using ADM: will likely need to review their processes accordingly.
  • Financial service and credit providers: Banks and other companies relying on credit scoring for lending decisions need to adapt their practices to ensure they do not base their decisions solely on scores calculated by ADM and that this is documented through appropriate processes.
  • Data protection authorities: Regulatory bodies will be informed by the court’s interpretations of GDPR, helping them enforce compliance and guide organisations on best practices for data handling in credit assessments.
  • Consumers: Subjects of credit scoring can claim their right not to be subject to a decision based solely on automated processing.
  • Legal practitioners: Lawyers and legal advisors specialising in data protection, consumer rights, and financial services will find the case significant for understanding EU data law.

What could you do about the SCHUFA case?

  • Review data practices: Assess and audit current data handling and (automated) processing practices to ensure compliance with the GDPR.
  • Enhance transparency in how scoring algorithms operate and the need for agencies to provide data subjects with clear information about their data usage.
  • Be aware of your right not to be subject to a decision based solely on automated processing when being scored regarding creditworthiness.
  • Protect data and gover AI by joining our programmes.
  • Sign up to our newsletter to keep up to date with the developments around Data Protection and AI.

Our insights on OQ v Land Hessen

The CJEU strengthens EU data protection by interpreting the GDPR in favour of data subjects, even though several national jurisdictions hold different opinions. Now, it is clear that ADM should not be used solely if the output is a credit scoring. The CJEU argued that a credit scoring similarly affects a crucial decision, even though a decision is not been made by the credit bureau itself. The credit score affects the lending decision by a third party who relies on the credit score. That is why in principle a solely automated credit score is prohibited under the GDPR.

The judgement again highlights the importance of responsible use of AI, which is found in an ADM process. Solely automated decisions always pose a higher risk if not audited by a human. Therefore, it is consistent that the court widened the applicability of the GDPR to ensure those high risks do not affect the decisions of third parties, which are crucial for a data subject.

Overall, the CJEU reinforced the principle that individuals must be protected under GDPR while recognising the need for credit agencies to operate effectively.

Digest

The CJEU answers in its judgement a preliminary question posed by a German court (VG Wiesbaden, the Administrative Court in Wiesbaden) about the interpretation of Article 22 GDPR (‘Automated individual decision-making’). The VG Wiesbaden needs to decide whether a German resident known as ‘OQ’ could claim information under his access right regarding the automated decision-making processes using personal data. SCHUFA Holding, a German credit rating agency, performs this ADM scoring process.

The court ruled that although the credit scoring agency itself does not decide on the granting of a loan, Article 22 applies to this case. That is because in practice, those credit scores play a decisive role in the lending decision of banks or similar companies relying on credit scoring.

Consequently, a solely automated decision regarding the creditworthiness of a data subject is not compliant with the GDPR. Nevertheless, Member States of the EU could implement national exemptions to this principle. Furthermore, the judgement poses additional information obligations for ADM processes in credit scoring.

Order of SCHUFA case

The CJEU ordered that we must interpret Article 22(1) of the GDPR as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning their ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

The case is ongoing as the court handed it back to VG Wiesbaden to decide if a German national exemption allows credit scoring based solely on an automated decision.

Details of CJEU Case C-634/21, SCHUFA case, OQ v Land Hessen

  • Universal citation/case number: C-634/21
  • Full name: EJEU, Judgment of the Court (First Chamber) of 7 December 2023 (request for a preliminary ruling from the Verwaltungsgericht Wiesbaden — Germany) — OQ v Land Hessen.