ECJ on data processing practices of credit agencies

By Annerton attorney Svetlana

Financial service providers rely on the assessment of the creditworthiness of the users of these products for a large number of their products – be it traditional lending or the provision of BNPL products, for example. In doing so, financial service providers often cannot avoid using score values from credit information agencies such as the SCHUFA score. The judgments of the ECJ published on 7 December 2023 in the proceedings on SCHUFA scoring (C-634/21) and on SCHUFA storage of residual debt discharge data (C-26/22 and C-64/22) put both the business models of the credit information agencies and the products of SCHUFA customers based on them under pressure. This article provides an overview of the ECJ decisions and of the data protection challenges that credit information agencies should keep in mind when calculating score values, and that their customers should keep in mind when using them.

1. What is the regulatory background to credit scoring?

Any financial service provider wishing to enter into a contractual relationship with counterparty risk has a legitimate interest in obtaining information about the creditworthiness of its contractual partner in order to decide on the establishment of the contractual relationship on a case-by-case basis. For certain financial products, the institutions are expressly obliged to carry out a credit assessment of the contractual partner, e.g. for property consumer loans and general consumer loans, see Section 18a KWG (German „Kreditwesengesetz“). In addition, the creditworthiness or debt servicing capacity assessment may be a necessary measure to ensure the proper business organisation of the institution, see e.g. Section 25a KWG in conjunction with BTO 1.2 (Requirements for processes in the lending business) MaRisk. Section 18a (3) KWG expressly stipulates in connection with consumer loans that credit institutions may, if necessary, use information from credit information agencies when assessing creditworthiness. At the same time, the use of external credit assessments does not release the institution from the obligation to form its own judgement about the counterparty default risk and to incorporate its own findings and information into the credit decision (point 6, BTO 1.2 MaRisk).

2. What data protection challenges arise when calculating and using score values?

Apart from isolated general regulatory requirements, the credit institutions can decide for themselves which specific information they base their credit assessment on in detail. Such information can be, for example, information on income, expenditure, turnover and other information on the financial and economic circumstances (so-called “positive data”) or information on payment arrears or defaults from previous contractual relationships or insolvency data (so-called “negative data”) of the potential customer.

In addition, individual pieces of information can be automatically processed by credit information agencies on the basis of undisclosed algorithms to create a score value, which then makes a general statement about the probability of future behaviour of the potential contractual partner of the SCHUFA customer (payment forecast), such as the repayment of a loan (so-called “scoring”). This score value can be included by financial service providers in various ways in their own decision-making processes regarding the establishment of a contractual relationship with the person concerned. For example, it can be used as a knock-out criterion or as one of several factors that are weighted differently depending on the risk assessment model of the respective credit institution.

When processing the personal data required to carry out the credit check, both the credit institutions and the credit information agencies are bound by the provisions of data protection law, including the European General Data Protection Regulation (GDPR). This is also clarified, for example, in Section 18a (9) KWG. In particular, those responsible for the processing of personal data associated with the determination and use of the score value require a sufficient legal basis within the meaning of Art. 6 GDPR. Depending on the type of data or the type of processing, data controllers may have to comply with other provisions of the GDPR, in particular Art. 9 and Art. 22 GDPR.

Subject to certain exceptions, Art. 22 para. 1 GDPR prohibits the use of personal data exclusively for automated decision-making which produces legal effects concerning the data subject or similarly significantly affects the data subject. Art. 22 para. 2 GDPR sets out exceptions in which the aforementioned prohibition of automated decision-making does not apply. These can be the consent of the data subject, the necessity for the conclusion of a contract or a national legal exception.

According to SCHUFA’s previous opinion, the determination of the score value alone does not constitute a decision within the meaning of Art. 22 para. 1 GDPR by SCHUFA. It was argued that such automated decision-making could at best constitute a decision by SCHUFA’s customer if, for example, the customer were to refuse to conclude a contract with the data subject solely on the basis of the score value transmitted.

This view was the subject of one of several court proceedings concerning SCHUFA before the Wiesbaden Administrative Court (C-634/21). In these proceedings, the Administrative Court submitted a request for a preliminary ruling to the ECJ on the question of whether the calculation of the score value by SCHUFA in itself constitutes an automated decision within the meaning of Art. 22 para. 1 GDPR.

In addition, the Wiesbaden Administrative Court asked the ECJ to clarify in two further related proceedings (C-26/22 and C-64/22) whether SCHUFA may store information on the granting of residual debt discharge taken from the public insolvency register in its private database for longer than this information may be stored in the public insolvency register under national law. The background to this question was that SCHUFA stored the information on the granting of residual debt discharge in its database for a period of three years, whereas this information is only stored in the public insolvency register for a period of six months after the decision becomes final in accordance with Section 3 (2) InsoBekV (German „Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren und Restrukturierungssachen im Internet“).

3. What has the ECJ currently decided?

In the context of a request for a preliminary ruling, the ECJ does not rule on the legal dispute pending before the referring court. Rather, the ECJ only decides on questions of interpretation of EU law, in this case the GDPR. The national courts of the member states are then bound by the interpretation of the ECJ in their further decisions.

  • ECJ ruling on the SCHUFA score

In the first proceedings submitted by the Administrative Court of Wiesbaden (C-634/21), the ECJ ruled, among other things, that Art. 22 para. 1 GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of Art. 22 para. 1 GDPR, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

The ECJ has interpreted the term “decision” broadly and found that it can encompass several actions that can affect the person concerned in different ways. The term “decision” therefore also includes the result of the calculation of a person’s ability to fulfil future payment obligations in the form of a probability value.

The ECJ considered the fact that the calculation of the score value is based “exclusively on automated processing” to be established by the subsumption of SCHUFA’s activity under “profiling” and, moreover, to be presupposed by the question referred to the Court.

Regarding the requirement that the decision must “produce legal effects” or “significantly affect” the person concerned in a similar manner, the ECJ essentially based its decision on the fact that the first question referred to the Court had already clarified that the actions of the third party to whom the score is transmitted were “strongly” driven by that score. According to the factual findings of the Wiesbaden Administrative Court in the main proceedings, an insufficient probability value led to the rejection of a consumer’s credit application to the bank in almost all cases.

In its press release, the ECJ specifically addressed lending as an application case. It states: “The Court rules that ‘scoring’ is to be regarded as an ‘automated decision in individual cases’, which is prohibited in principle by the GDPR, where SCHUFA’s customers, such as banks, attribute a decisive role to it in the context of granting credit. In the opinion of the Wiesbaden Administrative Court as the referring court, this is the case.”

  • ECJ ruling on the storage period of residual debt discharge in private parallel databases

With regard to information on the granting of residual debt discharge (proceedings C-26/22 and C-64/22), the ECJ ruled that it is contrary to the GDPR for private credit information agencies to store residual debt discharge data for longer than the public insolvency register. In its reasoning, the ECJ pointed out that the German legislator had provided for the data to be stored in the public insolvency register for six months. According to the ECJ, the national legislator had thus made a balancing decision to the effect that, after six months, the interest of the person concerned in being able to participate in economic life again without being exposed to the negative factor of residual debt discharge outweighed the public’s interest in knowing this information. Furthermore, the ECJ followed the Advocate General’s explanations in his Opinion, according to which the discharge of residual debt is intended to enable the debtor to participate in economic life again and is therefore generally of existential importance to him. However, the achievement of this purpose would be jeopardised if credit information agencies were allowed to store data on a discharge of residual debt in order to assess a person’s financial circumstances and use it after deletion from the public insolvency register, as this data would always be used as a negative factor when assessing a person’s creditworthiness.

However, the ECJ left open a further question referred to the Court as to whether parallel storage of the residual debt discharge at SCHUFA for a period of six months is lawful as such and referred to the findings and balancing of interests still to be made by the Wiesbaden Administrative Court.

4. What are the consequences of the ECJ rulings and for whom are they relevant?

Firstly, the ECJ clarified in the SCHUFA-Score proceedings that the calculation of the score by a credit agency does not always fall under Art. 22 para. 1 GDPR, but only if the score plays a determining role for the SCHUFA customers in their decision on the establishment of a contractual relationship. In cases where this does not apply, the calculation of the score would not be measured against Art. 22 GDPR. Secondly, the ECJ’s decision is closely linked to the findings of the main proceedings in many aspects. Caution and a careful examination of the comparability of the facts are therefore required when transferring the ECJ ruling to other case constellations.

At the same time, the customers of the credit information agencies that use the score value, as well as organisations that create score values for third parties, are required to review their processes relating to the score value and make any necessary adjustments. This may include:

  • Examination of the extent to which the use of score values in the business models of credit agency customers corresponds to the actual findings in the initial proceedings, in particular whether the users of the score value take other criteria into account in their decision to conclude a contract and how the individual criteria are weighted. If necessary, the corresponding risk models can be adjusted in order to eliminate the possible relevance of the score value (e.g. waiving the use of the score value as a knock-out criterion or reducing the weighting of the score value in the rating model);
  • Where Art. 22 GDPR applies, verification or assurance of the existence of a sufficient legal basis for data processing, e.g.
    • Consent of the data subject, if applicable (Art. 22 para. 2 lit. c) GDPR);
    • Existence of a GDPR-compliant exemption provision within the meaning of Art. 22 para. 2 lit. b) GDPR; it should be noted that the ECJ has not decided whether Section 31 BDSG (German „Bundesdatenschutzgesetz“) constitutes a GDPR-compliant exemption; however, the ECJ has expressed “serious concerns” about this existing German scoring regulation;
    • For SCHUFA customers, it would also have to be checked whether a separate score-based automated decision is necessary for the conclusion of the contract within the meaning of Art. 22 para. 2 lit. a) GDPR.
  • Granting the data subject concerned the opportunity to lodge a complaint and to present reasons that would be relevant to the decision on whether to conclude the contract, as well as to obtain the intervention of a person on the part of the controller, if automated decision-making is based on consent or the need to conclude a contract (Art. 22 para. 2 lit. a) or c) GDPR);
  • Adaptation of data protection information in accordance with Art. 13 and 14 GDPR;
  • Irrespective of the applicability of Art. 22 GDPR, the implementation of the requirements of Section 30 (2) BDSG must also be reviewed in this context; according to this, the person who refuses to conclude a consumer loan agreement or a contract for financial assistance against payment with a consumer on the basis of information from a credit information agency must inform the consumer of this and of the information obtained without delay, unless this jeopardises public safety or public order.

The decision on the storage period of the residual debt discharge may have more far-reaching consequences than it might appear at first glance. It is questionable whether, following the ECJ judgement, the storage period of other negative data at credit information agencies for the purpose of scoring, such as late payment or payment default, must also be assessed differently. On the one hand, it could be argued that less serious financial misconduct such as late payment should not be stored for longer than a more serious insolvency. On the other hand, there are no national regulations on the storage period for this data in public registers. It is also questionable whether negative data other than insolvency is generally weighted lower than residual debt discharge when calculating a score and whether this justifies a longer storage period for other negative data.

In any case, data controllers should take this ECJ ruling as an opportunity to review their respective retention periods for data relevant to creditworthiness and the corresponding erasure concepts.

5. Outlook

The Wiesbaden Administrative Court will now have to examine whether Section 31 BDSG contains an exception to the prohibition in Article 22(1) GDPR that is permissible under the GDPR. If Section 31 BDSG is deemed to be incompatible with EU law, SCHUFA would – according to the ECJ – not only be acting without a legal basis in the case underlying the main proceedings, but would also ipso iure be in breach of the prohibition in Art. 22 para. 1 GDPR. In its statement published on the SCHUFA website, SCHUFA calls on the legislator to “clarify and amend” Section 31 BDSG as part of the upcoming amendment to the Federal Data Protection Act.

In addition, the Administrative Court will have to decide whether and under what conditions data from public registers may be transferred to privately managed databases of credit information agencies.


