12-13-2023 Article

Update Data Protection No. 161

ECJ rules on Schufa scoring – current practices not GDPR-compliant

In two decisions, the European Court of Justice ("ECJ") ruled on 7 December 2023 on SCHUFA scoring and the processing practices of SCHUFA Holding AG ("SCHUFA"). According to the ECJ, the SCHUFA scoring constitutes automated individual decision-making – which is generally not permitted – if SCHUFA customers attribute a determining role to scoring in the context of the granting of credit. The referring court must now examine whether the German Federal Data Protection Act (BDSG) provides an appropriate exception to this. The ECJ also ruled that private credit agencies should not store data relating to the discharge from remaining debts for longer than public insolvency registers.

Background

We have already reported on the facts of the case in detail in our Data Protection Update No. 137, so here are just the key points again in brief:

The ECJ had to rule on a total of three preliminary ruling procedures by the Administrative Court of Wiesbaden.

The first of the three preliminary ruling procedures (C-634/21) dealt in particular with the question of whether scoring by SCHUFA constitutes automated decision-making within the meaning of Art. 22 GDPR. The score value is based on scoring, a "mathematical statistical method" on the basis of which the probability of future payment behaviour, e.g. the probability of repayment of a loan, can be measured.

In the proceedings, SCHUFA argued that it only calculated the score and made it available to contractual partners, but that it did not make any automated decisions about the granting of credit on its own; instead, these decisions would be made by the contractual partners themselves, e.g. banks.

The court also addressed the question of whether the provisions of the GDPR preclude the application of Section 31 BDSG. Section 31 BDSG authorises scoring and credit reports for the protection of commercial transactions. The referring court asked the ECJ several questions in this regard. In particular, it wanted to know whether the creation of the score already constitutes automated decision-making within the meaning of Art. 22 GDPR if another controller (e.g. the SCHUFA customer) makes the final decision on the granting of credit, and if that is not the case, whether the GDPR precludes the application of Section 31 BDSG.

The two other combined preliminary ruling procedures (C-26/22 and C-64/22) concern the deletion of SCHUFA entries relating to the discharge from remaining debts. SCHUFA stored this information for three years, while public insolvency registers delete it six months after the discharge from remaining debts is granted. The referring court asked whether this was permissible under data protection law and whether the data subjects could also demand that SCHUFA delete the corresponding entry in the SCHUFA databases once the storage period applicable to the public register has expired.

ECJ on the compatibility of scoring with the provisions of the GDPR (C-634/21)

The ECJ ruled that scoring constitutes "automated individual decision-making", which is generally not permitted under the GDPR, if the scoring determines whether a third party to whom the score value is transmitted establishes or terminates a contractual relationship with this person. The referring court must examine whether the BDSG contains an effective exception to this prohibition and, if this is the case, whether the general requirements of the GDPR for the processing of personal data are met.

According to the ECJ, scoring constitutes such automated decision-making if the customers of SCHUFA, e.g. banks, make their decision (e.g. on the granting of credit) solely dependent on the score value.

In the opinion of the referring court, this was the case in the main proceedings. The joined party SCHUFA, on the other hand, argued that it did not fall within the scope of Art. 22 GDPR. Although it assisted its customers in the decision-making process by providing the data, it did not make any decisions itself. The ECJ took a different view, stating that the requirements of Art. 22 para. 1 GDPR were met. The scoring constituted automated decision-making that has a legal effect on the data subject or similarly significantly affects them. This followed from the referring court's findings of fact, according to which, in the case of a consumer credit application, an insufficient score would in almost all cases result in the bank rejecting the application. Consequently, it would have to be assumed that a score value at least significantly affects the data subject.

The Administrative Court of Wiesbaden must now verify whether the BDSG contains an effective exception to this prohibition in accordance with the GDPR. Art. 22 para. 2 lit. b GDPR allows member states to enact legislation on automated decision-making. Such a regulation could be found in Section 31 BDSG, which must now be assessed for compatibility with Art. 22 GDPR. If the Administrative Court of Wiesbaden were to affirm this, it would have to further examine whether the requirements set out in Art. 5 and 6 GDPR are also fulfilled in the present case.

Unlawful storage periods in connection with discharge from remaining debts (C-26/22 and C-64/22)

The ECJ also ruled that SCHUFA's previous practice of storing data relating to the discharge from remaining debts from public insolvency registers is not compatible with the GDPR. Private credit agencies such as SCHUFA are therefore not allowed to store data relating to the granting of a discharge from remaining debts for a longer period than public insolvency registers.

Section 3 (1) of the German Regulation on Public Notices in Insolvency and Restructuring Matters on the Internet (Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren und Restrukturierungssachen im Internet, "InsBekV") stipulates a storage period of six months for such data in public registers after the discharge from remaining debts has been granted. According to the ECJ, for the storage of data by SCHUFA, this means that after the expiry of the six months, the data subject is entitled to have this data deleted and SCHUFA is accordingly obliged to delete this data immediately. The ECJ justified this by stating, among other things, that the storage and forwarding of this data constituted a serious interference with the fundamental rights of the natural person concerned as enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, the discharge from remaining debts served to enable the debtor to participate in economic life and was of "existential importance". This purpose would be undermined if credit agencies were authorised to store and process such data even after it has been deleted from the public insolvency register, as this data would always be used as a negative factor when assessing the creditworthiness of such a person.

The parallel storage of data relating to the discharge from remaining debts by SCHUFA within the six-month storage period would be a less serious interference than storage beyond the six months. However, this storage still constituted an interference with the rights under Articles 7 and 8 of the Charter of Fundamental Rights of the EU. According to the ECJ, the referring court is now required to weigh up the conflicting interests.

Outlook

The judgements of the ECJ are of utmost importance for private credit agencies as well as for their customers. Especially for SCHUFA customers, e.g. banks, online retailers or energy suppliers, the significance of the score value has to be underlined. For them, the SCHUFA score is often one of the few ways to protect themselves against the risk of non-payment when concluding a contract. If companies rely solely on the score, e.g. when granting credit, this now falls under the prohibition of Art. 22 GDPR.

Companies that rely significantly on the score value when concluding contracts should review their processes now for compliance with Art. 22 GDPR. The Administrative Court of Wiesbaden must first still examine whether national law provides a corresponding exception in Section 31 BDSG, which would (nevertheless) allow scoring. However, no major surprises are to be expected here: the Administrative Court of Wiesbaden already expressed "serious doubts" regarding the compatibility with EU law in its request for a preliminary ruling. In his Opinion, the Advocate General had also expressed the view that Section 31 BDSG does not constitute a legal basis in line with EU law.

Furthermore, credit agencies may not store the data for longer than the public insolvency registers. The referring court still has to verify whether these data can be stored in parallel. In a statement on its website, SCHUFA already announced that it had reduced the storage periods for this data to six months immediately following the Advocate General's Opinion in March 2023.
