Advocate general: German credit agency scoring breaches GDPR

SCHUFA previously indicated that it planned to increase transparency over its scoring methods by publishing a score simulator.

The announcement comes shortly after a CJEU advocate general suggested that the collection and processing of this data may breach the EU’s General Data Protection Regulation (GDPR) in certain circumstances. The Administrative Court of Wiesbaden in Hesse, Germany, has referred three disputes involving SCHUFA to the EU’s highest court, which is expected to issue its judgment in the coming months.

“The advocate general’s opinion is not binding, but it carries significant weight in the final decision of the Court of Justice,” said commercial litigation expert Anna Schwingenheuer of Pinsent Masons. “The case is likely to have significant implications for the use of credit scoring systems across the European Union.”

In his opinion, advocate general Priit Pikamäe said that the creation of score values for creditworthiness violates EU law if it is used as a “decisive basis” for credit decisions. In addition, a credit agency is not permitted to store data from public directories, such as insolvency court registers, for longer than the insolvency court does itself.

SCHUFA is Germany’s leading private credit agency. It claims to have information on six million companies and 68 million individuals. It uses data from a range of sources, including banks, credit card companies and utility providers, to generate a credit score, which is then used by lenders to assess creditworthiness.

However, the system has been criticised for being opaque and difficult to understand, with individuals having limited ability to access or correct the data held by SCHUFA. SCHUFA has not published its algorithm for calculating the score values, which has been classified as a trade secret by the German Federal Court of Justice.

The Administrative Court of Wiesbaden has requested preliminary rulings from the CJEU in relation to proceedings between German citizens and Land Hessen, represented by the Hessian Commissioner for Data Protection and Freedom of Information (HDBI).

In one case, an individual who was denied a credit agreement based on her SCHUFA credit score filed a request for erasure and access to information held by the agency. SCHUFA only provided her with her score and general information on the calculation but refused to disclose which data were used to calculate the credit score and how the data had been weighted. The company invoked business secrets and argued that it did not make automated decisions within the meaning of Article 22 GDPR, but only provided financial institutions with information for their decision-making, so the individual had no right to information about the logic involved under the GDPR.

Commercial litigation expert Johanna Weißbach of Pinsent Masons said: “Article 22(1) GDPR stipulates that decisions which produce legal effects for data subjects may not be taken solely by means of automated processing of data”.

However, advocate general Pikamäe said that the automated creation of a probability value on creditworthiness - the score value - already constitutes a prohibited automated decision, including profiling, which produces legal effects concerning an individual or similarly significantly affects them. This also applies if third parties, such as banks, make the final decision as to whether that person is creditworthy.

The second case concerns the discharge of residual debt after insolvency. German consumer insolvency law gives private individuals the possibility of freeing themselves from their debts within a limited period of time, even if they cannot repay in full. At the end of a successful procedure, there is a so-called ‘discharge’ of residual debt, information on which is published by the insolvency courts. SCHUFA takes this information and enters it into its own databases.

The courts delete the published information after six months. However, SCHUFA did not previously delete it until three years after entry. Two German citizens brought proceedings against Land Hessen, represented by the HDBI, demanding the deletion of an entry relating to discharge from remaining debts from SCHUFA’s records.

Giving his opinion, the advocate general said that the storage of data by a private credit information agency cannot be lawful once the personal data concerning insolvency has been erased from public registers. The aim of the discharge of residual debt is to enable the person concerned to participate again in economic life, an aim which would be thwarted if private credit agencies were allowed to store the data for longer. Those affected would therefore have the right to demand that SCHUFA delete the data immediately.

Schwingenheuer said: “The GDPR is still a rather young regulation, and the CJEU’s decision in this case is another step in the development of case law on the interpretation of its provisions”.

Weißbach added that the CJEU’s decision could impact the financial market more widely. “The CJEU’s ruling, which is expected in the coming months, will not only have an impact on SCHUFA, but on the entire sector of credit agencies and their intersections with other companies. Depending on the outcome of the ruling, companies will have to review their business models and adapt them to be GDPR compliant. This may affect in particular banks and savings banks, but also retailers, mobile phone providers and energy suppliers” said Weißbach.