Update Data Protection No. 137
GDPR: Statement of the Advocate General on SCHUFA Scoring
Several preliminary ruling procedures submitted by the Administrative Court of Wiesbaden, which deal with the application of the GDPR in connection with the scoring procedure used by SCHUFA Holding AG (“SCHUFA”), are currently pending at the European Court of Justice (“ECJ”). The Advocate General of the ECJ (“AG”) has recently issued his opinion on the various questions submitted, which – should the ECJ agree with the opinion of the AG – could have far-reaching consequences for credit agencies. The main contents of the opinion of the AG are therefore presented below.
The first of a total of three preliminary ruling procedures (C-634/21) concerns the erasure of an entry by SCHUFA and the granting of access to the data processed by SCHUFA. The lawsuit was brought because the data subject had been refused a loan that he had applied for from a financial institution on the basis of the score created by SCHUFA. The data subject therefore first contacted SCHUFA and requested that it erase the entry concerned and provide access to the data concerning him. However, SCHUFA only informed the data subject of the corresponding score and the principles of the calculation method, without disclosing which specific information was used for this calculation or the relevance that was attached to it in that context. SCHUFA justified this by saying that the calculation method was subject to a trade secret. The data subject then lodged a complaint with the Hessian data protection officer (“HBDI”). However, the HBDI refused to take action against SCHUFA, since the scoring by SCHUFA was in line with the requirements of Sec. 31 German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG]. The data subject filed a lawsuit with the Administrative Court of Wiesbaden. The object of the preliminary ruling procedure is specifically whether the automated creation of the credit-score by SCHUFA already constitutes an automated decision within the meaning of Art. 22 GDPR and, if this is not the case, whether the requirements under Art. 6 and Art. 22 GDPR preclude the application of Sec. 31 BDSG.
The other two preliminary ruling procedures (C-26/22 and C-64/22) deal with the question of erasing an entry for a discharge from remaining debts after insolvency from SCHUFA’s databases. SCHUFA records the information available in the public registers of the insolvency courts on the Internet about the discharge from remaining debts and stores it in its own databases for a period of three (3) years, although the entries in the public registers are already erased after six (6) months (see Sec. 3 German Regulation on Public Notices in Insolvency and Restructuring Matters on the Internet [Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren und Restrukturierungssachen im Internet, InsBekV]). In each case, the data subject requested SCHUFA to erase the information it had stored on the discharge from remaining debts. SCHUFA rejected the erasure with reference to the lack of applicability of the erasure period of six (6) months. The two data subjects then each lodged a complaint with the HBDI without any success. As a justification for the refusal, the HBDI stated that SCHUFA may continue to store the entries regarding a residual debt exemption even after the entries in the respective public register have been erased. Once the data subjects had brought an action against the decision of the HBDI, the Administrative Court of Wiesbaden also appealed to the ECJ by way of the preliminary ruling procedure. The Court essentially asked whether the storage of the entries from the public registers for a period of three (3) years by SCHUFA is permissible under data protection law once the storage period applicable to the public register has expired and whether the data subjects can at the same time request SCHUFA to erase the corresponding entry from its records.
Applicability of Art. 22 GDPR to the establishment of the Credit-Score
With regard to the first preliminary ruling procedure, the AG first noted that the implementation of the scoring procedure by SCHUFA, including the automated creation of the credit-score, falls within the scope of Art. 22 (1) GDPR.
Scoring is a process that uses a scoring algorithm to provide a credit-score for an individual’s creditworthiness based on certain criteria. The credit-score expresses the probability that a data subject will be able to service a loan. SCHUFA does not make public the precise basis for its calculations. However, since the credit-score is calculated automatically using an algorithm, the AG comes to the conclusion that scoring constitutes an automated decision-making process in the form of profiling within the meaning of Art. 4 No. 4 GDPR.
Accordingly, this would constitute automated individual decision-making subject to Art. 22 (1) GDPR. According to the AG, it is true that the actual decision, which is directly relevant for the data subjects, is made by the respective bank (e. g., decision on whether to accept or reject a loan application based on the credit-score), and other factors could also play a role (e. g. granting collateral). At least in the area of consumer loans, however, the credit-score would play a decisive role, since financial institutions would usually make their decisions largely dependent on the credit-score. Here the AG refers to the information provided by the referring court. The decision of the respective financial institution was thus predetermined by the credit-score.
Taking the AG’s approach, the consequence is that scoring by SCHUFA – but also by other credit agencies – is only permissible if a legal basis under Art. 22 (2) GDPR applies, namely: (1) if the data subject has given their explicit consent, (2) if there is a legal provision that regulates the permissibility of automated decision-making or (3) if the decision is necessary for entering into, or the performance of, a contract between the data subject and the controller. In addition, the data subjects can request information in accordance with Art. 15 (1) (h) GDPR (see below).
Scope of the Right of Access according to Art. 15 (1) (h) GDPR
Data subjects can assert the rights contained in Art. 15 et seqq. GDPR directly against SCHUFA. With regard to Art. 22 GDPR, this includes in particular the right of access to information in accordance with Art. 15 (1) (h) GDPR, according to which SCHUFA must provide meaningful information about the logic involved and the scope and intended effects of this processing.
In the underlying proceedings, SCHUFA refused to disclose concrete information regarding the calculation method, arguing that it was a trade secret. This was met with general acceptance by the AG, who concluded that the protection of trade secrets must also be considered adequately within the scope of the right to information. Disclosure of the scoring algorithm without explanation is not necessary, as it was likely to be too complex anyway and of no use to the data subjects.
That said, the AG also pointed out that the protection of trade secrets does not per se mean that SCHUFA may refuse to provide any information on the scoring process. On the contrary, at least “a minimum of information must be provided”. This means that SCHUFA must provide sufficiently detailed information on the method used to calculate the credit-score and the factors leading to a certain result. In particular, this should include information on the factors considered in the decision-making process and their weighting at the aggregated level.
Incompatibility of Sec. 31 BDSG with European Law
Another core aspect of the preliminary ruling procedure concerns the issue of whether Sec. 31 BDSG can be considered as a legal basis for the scoring. This is denied by the AG both with regard to Art. 22 GDPR (permissibility of automated decision-making) and Art. 6 GDPR (lawfulness of data processing) with the argument that the GDPR does not provide for any opening clauses or exceptions allowing the Member States to enact deviating or specific regulations that allow credit agencies to establish scores under data protection law.
With regard to the incompatibility of Sec. 31 BDSG with Art. 22 GDPR under EU law, the AG states that Art. 22 (2) (b) GDPR specifically allows Member States to adopt individual provisions on automated decision-making. However, Sec. 31 BDSG cannot serve as a legal basis within the meaning of Article 22 (2) (b) GDPR, since this provision has a much broader material scope than Art. 22 GDPR. Sec. 31 BDSG only regulates the use of a score, but not its creation. In addition, the content of the provision is not explicitly limited to automated decision-making within the meaning of Art. 22 GDPR, but basically includes any (non-)automated data processing in connection with the use of a score.
In the opinion of the AG, Sec. 31 BDSG cannot serve as a legal basis within the meaning of Art. 6 GDPR in relation to data processing for scoring. The Member States may adopt their own legal basis for data processing (Art. 6 (2) and (3) GDPR). However, as clearly indicated by the wording of these provisions, the retention or introduction of specific provisions is only permissible in the cases mentioned in Art. 6 (1) (c) and (e) GDPR. In the opinion of the AG, Sec. 31 BDSG is not such a provision, since it does not establish a legal obligation or a task in the public interest.
Based on the approach of the AG, the admissibility of the scoring is based exclusively on Art. 22 and Art. 6 GDPR, but not on Sec. 31 BDSG.
Inadmissible Storage of Data from Public Registers by SCHUFA
With regard to the second preliminary ruling procedure, the AG clearly concluded that the current practice of SCHUFA for storing data from public registers (here: data on the discharge from remaining debts) is not compatible with the principles set forth in the GDPR, in particular the principles of purpose limitation and data minimisation, and, in addition, lacks a suitable legal basis.
This assessment is supported by the fact that the discharge from remaining debts is intended to enable the beneficiary to participate in economic life again. Therefore, the data on the discharge from remaining debts is erased from the respective public register after 6 months. However, this objective would be undermined if credit agencies were allowed to store such data even after it has been erased from the public register and then use it as a negative factor in scoring (e. g. when scoring creditworthiness or solvency).
In this respect, the AG concludes that SCHUFA is not entitled to continue storing the recorded data in its own databases once they have been erased from the public register. SCHUFA would be required to erase all impermissibly stored data. Accordingly, the data subjects would also have the right to obtain from SCHUFA the erasure of the inadmissibly stored data in accordance with Art. 17 GDPR.
Conclusion and Outlook
It remains to be seen whether and to what extent the ECJ will follow the opinion of the AG. The ECJ often agrees with the position of the AG. However, this is not guaranteed in every case.
Should the ECJ agree with the opinion of the AG, this will in all likelihood have far-reaching consequences for all credit agencies as they would have to provide detailed information on the scoring methods they use. In this case, it cannot be ruled out that more procedures against SCHUFA or other credit agencies will follow (e. g. if the scope of the information provided is not sufficient or the weighting of certain factors in the scoring is not comprehensible).
Furthermore, the credit agencies would have to revise their data protection compliance documentation, such as privacy policies, records of processing activities and data retention and deletion concepts. In particular, the data retention and deletion concept would have to be revised with regard to the data obtained from public registers in order to ensure storage in compliance with the data protection laws. Otherwise there could be requests for erasure and possibly even claims for damages by data subjects affected, as well as supervisory measures and, in the worst case, even the imposition of administrative fines.
In addition, there could also be consequences for financial institutions. If they use their own scoring procedures, the AG’s opinion regarding scoring can also be applied to them, so that the financial institutions may have to adapt their internal processes. Therefore, financial institutions should take the AG’s opinion as an opportunity for reviewing their own scoring procedures and identifying any need for adjustments in order to be well prepared in the event of a corresponding decision by the ECJ.