On 7 Dec., the Court of Justice of the European Union issued its judgment in the SCHUFA case (case C-634/21). The CJEU ruled a credit reference agency engages in automated individual decision-making when it creates credit repayment probability scores as a result of automated processing and when lenders rely heavily on these scores to establish, implement or terminate contracts.

This means the obligation to comply with Article 22 of the EU General Data Protection Regulation falls on the credit reference agency rather than just on the lender. Article 22 only allows the use of automated individual decision-making in limited situations, e.g., contractual necessity, specific justifications under EU or member state law, or explicit consent. Where individual decision-making is allowed, protections — including ensuring that individuals can obtain human intervention, express their views and challenge decisions made about them — must be in place. Regulators and other stakeholders have stated the decision will have ramifications for all automated decision-making services and providers offering predictive artificial intelligence tools.

In our view, this is an overstatement. It overlooks the fact that the decision is specific to situations in which provider's input could significantly affect individuals and is heavily weighted. The decision could have implications for organizations other than credit reference agencies if they provide critical decision-making support.

On the same day, the CJEU also issued a decision in joined cases C-26/22 and 64/22, relating to the retention of insolvency data by credit reference agencies in line with a data protection authority-approved code of conduct. In these cases, the CJEU considered the extent to which credit reference agencies could retain insolvency data once it had ceased to be available in a public register. The CJEU also commented on how the right to object to legitimate interests-based processing and erasure interact, and held that data subjects have a right to a full judicial review of decisions by DPAs. Courts are not restricted to a more limited, process-oriented review of whether a DPA has received a complaint, investigated it, and communicated the outcome to the complainant.

Case 1: When does a preparatory act itself become an automated individual decision?

Credit bureau SCHUFA provides credit information about individuals to lenders using a probability-based scoring system. An individual, OQ, was denied credit after SCHUFA supplied credit information about her. OQ made an access and erasure request and, while it provided data, SCHUFA refused to provide details on how it determined the score, citing trade secrets. OQ lodged a complaint with the Hamburg DPA, the Commissioner for Data Protection and Freedom of Information, which rejected her claim. OQ appealed the decision, and the Administrative Court handling the appeal referred the case to the CJEU for a ruling on whether the SCHUFA scoring system constituted an automated individual decision under Article 22(1) of the GDPR.

Preparatory acts can be decisions under Article 22(1)

Article 22 of the GDPR provides that automated individual decision-making can only be used in certain situations. Outside these situations, such decisions are prohibited. Where automated individual decision-making is allowed, safeguards must be in place. The CJEU rejected SCHUFA's argument that it was only engaged in preparatory acts and that any decisions were taken by the lender. Instead, the CJEU held that the company itself was engaging in automated individual decision-making.

The CJEU highlighted three conditions for automated decision-making: a decision must be made, it must be based solely on automated processing, including profiling, and it must produce legal effects concerning the individual or otherwise produce an equivalent or similarly significant effect in its impact on the individual. According to the CJEU, all of these conditions were met in this case.

The CJEU noted the concept of decision is broad and includes acts that may affect the individual in various ways, including the calculation of a credit score. It also noted the calculation of the creditworthiness score would have significant effects. The court stated this was clear from the question posed by the referring court, which said lenders would rely heavily on the score. Based on the factual conclusions of the court, it can be deduced that when a consumer submits a loan application to a bank, a low probability value results in the bank rejecting the loan request in nearly all instances.

The implication is that if a credit reference agency or other similar provider-issued score is not relied on heavily by those taking the end decision, for example if lenders attach significant weight to other factors, then the issuing of the score would not be covered by Article 22. In the authors' experience, credit reference agency contracts typically insist lenders should not base a decision solely on the score and should consider other factors before issuing a score. The CJEU's decision, therefore, is based on a questionable premise. This will cause a lot of uncertainty and make the judgment difficult to apply. This is already apparent. For example, the HmbBfDI and other commentators stated the decision can be more generally applied to AI-based decision-making systems. But this does not consider whether these "decisions" are just one nondeterminative factor in the end decision by the party dealing with the data subject.  

Risk of gaps in protection

The court underlined that if SCHUFA was not subject to Article 22, it would not be obliged to provide the individual with meaningful information about the logic involved in the decision. The CJEU noted the lender would likely not have this information and would be unable to provide it to the individual. This would leave a gap whereby the individual was not effectively protected. This risk explains the broad approach taken by the CJEU; there may be scope to differentiate situations that would not pose this risk.

Impact of Article 22 application

The CJEU said, where Article 22 is applicable, it prohibits decisions from being taken on an automated basis unless an exception applies. The exceptions allow automated individual decision-making solely where:

  • The decision is necessary to enter into or perform a contract between the data subject and a controller.
  • It is authorized by EU or member state law, meeting certain requirements.
  • The data subject gave explicit consent.

In this case, the referring court concluded the only applicable derogation would be EU or member state law, so the CJEU did not consider this further. This aspect of the decision is also likely to generate questions. It is clear why consent would be problematic, as an individual who did not give consent would likely experience detriment, which would mean consent was not freely given and so not valid. However, arguments that the decision is necessary for the lender and data subject to conclude a contract could be made.

In line with Recital 71, the CJEU noted suitable measures to safeguard the rights and freedoms of individuals must always be taken. These measures include the right to human intervention, the right to express one's point of view and the right to challenge the decision, although the latter is only mentioned in Article 22, where decisions are necessary for a contract or taken with the data subject's consent. The safeguards should also include using appropriate mathematical or statistical methods, implementing technical and organizational measures to minimize the risk of error, and taking account of risks, including discrimination.

Impact on German law

Paragraph 31 of the German federal law on data protection sets out rules for the use of credit scores but not the creation of scores. The CJEU noted the referring court was to determine if these rules could amount to a member state law authorizing the use of automated individual decision-making, i.e., an exemption from the prohibition under Article 22. When considering this, the CJEU noted any processing of personal data for an automated individual decision must also have a lawful basis for processing under Article 6 of the GDPR, and it was not open for member states to introduce new conditions under Article 6. When the lawful basis for processing is legitimate interest, the controller wishing to rely on this basis must conduct a balancing test to determine whether the interests or rights and freedoms of individuals outweigh the interests of the controller. The CJEU said member state law could not definitively prescribe the outcome of this balancing test.

Case 2: Rights to object, codes of conduct, retention of insolvency data

In joined cases C-26/22 and 64/22,UF and AB were subject to insolvency proceedings in Germany. They obtained an early discharge of their debts. Under German law, the public register discontinued publication of information about the proceedings after six months. SCHUFA retained the data for three years, in line with a code of conduct for credit reference agencies approved by the competent DPA. UF  and AB asked SCHUFA to delete the data. When it refused, citing the code of conduct, they complained to the Hessian Commissioner for Data Protection and Freedom of Information, which refused to order SCHUFA to delete the data. UF and AB brought proceedings against the DPA in court, which referred a number of questions to the CJEU.  

For how long can SCHUFA retain insolvency data? What′s the role of a code of conduct?

German law provides that information is to be made public in the insolvency register for a period of six months. The CJEU noted German law determined that, after this period, the interests of individuals should take precedence over the interests of the public to have access to information about insolvencies. As German law already determined the interests of data subjects should prevail after six months, private sector interest in access to the information could not justify a longer retention period.

The proceedings also raised the question of whether it was appropriate for SCHUFA to retain a copy of the insolvency information during the initial six-month period on the basis that the information could be accessed from the insolvency register during this period. The CJEU noted this was a matter for the referring court to decide.

SCHUFA's retention of insolvency records was in line with a code of conduct, which had been approved by the competent DPA. However, the CJEU noted a code of conduct could not have the effect of making lawful something that is actually unlawful.

Right to object to processing and erasure

The CJEU confirmed the right to erasure under Article 17 applies, i.e., where personal data has been unlawfully processed. This would, therefore, apply to the retention of data beyond the six months during which it was available in the public insolvency register.

The CJEU restated the individual's right to object to processing under Article 21, where the lawful basis for processing is Article 6(1)e or f, and noted the controller must cease to process the personal data after a data subject objects, unless the controller can demonstrate compelling legitimate grounds to continue processing which would override the data subjects' interests. If the controller fails to provide this proof, the data subject can also ask for the data to be erased, under Article 17.

Article 21 provides that a data subject has the right to object "on grounds relating to his or her particular situation." Interestingly, the CJEU does not reference this phrase. Instead it seemingly rewrites the GDPR to describe a general right that applies in all situations.

Individuals have a right to a full judicial review of the decision of a DPA

Lastly, the Hessian Commissioner for Data Protection and Freedom of Information argued that UF and AB did not have the right to a full judicial review of the authority's decision. Instead, the authority argued the GDPR grants individuals a more limited right to confirm whether the DPA handled the complaint, investigated it and confirmed the outcome to the complainant. The CJEU rejected this, concluding data subjects have the right to a full judicial review of a decision by a DPA.