Thursday, September 19, 2024

Credit Score calculation and Data Privacy concerns

Data privacy greatly reduces the statistical utility of credit scores, thereby reducing the number of observations available to statisticians to build their credit scoring models on.

The European Artificial Intelligence Act has also classified credit scoring as a high-risk activity, which requires establishing special protections (see: EU Parliament gives final nod to landmark AI law).

On December 7, 2023, the Court of Justice of the European Union (CJEU) considered complaints against a German scoring firm, SCHUFA, a private company that provides businesses with information on the creditworthiness of consumers by creating a credit score.

In the present case, SCHUFA provided a credit institution with a score for the applicant, which served as the basis for the refusal to grant the credit for which the applicant had applied. The applicant then requested that SCHUFA erase the entry concerning her and grant her access to the corresponding data. However, SCHUFA merely informed her of the relevant score and the broad outline of the principles underlying the calculation method for the score, without informing her of the specific data included in that calculation or of the relevance accorded to them in that context, asserting that the calculation method is a trade secret.

The question put to the CJEU was whether credit scoring falls under the purview of automated decision-making for the purposes of Article 22(1) of the GDPR where a third party draws strongly on that credit score to reach a decision. The CJEU held that SCHUFA applied only a mathematical and statistical procedure, with no option of individual evaluation and assessment by a human being in establishing the score. The score therefore constitutes an automated decision within the terms of Article 22 GDPR, the CJEU held.

Secondly, it should also be noted that such a refusal is likely to have a legal impact on the financial situation of the data subject, altering their status.

Further, the method used by SCHUFA provides a score based on certain criteria, as a result of which conclusions can be drawn regarding the creditworthiness of the data subject. Therefore, the CJEU held that creating a credit score can be classified as prohibited profiling under Article 22 of the GDPR.

SCHUFA had refused to disclose certain information concerning the applicant and the calculation method on the ground that it was a trade secret. The Court, however, held that controllers have an obligation to provide ‘meaningful information about the logic involved’ and that this information must include sufficiently detailed explanations of the method used to calculate the score and the reasons for a certain result. In general, the controller should provide the data subject with general information, notably on the factors taken into account in the decision-making process and on their respective weight at an aggregate level, which could also be useful for him or her to challenge any such decision.

Notably, the following rights of the data subject over his personal data were reiterated in this judgement:

1. Rights of the data subject under the General Data Protection Regulation (GDPR)

a. Right to access his personal data (Article 15)

b. Right to object to processing of his personal data (Article 21)

c. Definition of profiling (Article 4: predictive analysis based on personal data)

d. Right to erasure and rectification of personal data

e. Protection against a solely automated decision without human intervention, especially when it produces legal/significant effects (Article 22(1) read with Recital 71)

2. The data controller must ensure (for processing of the data subject's personal data)

a. The data subject’s explicit consent to processing for specific purposes, or that processing is for the performance of a contract or the legitimate interests of the controller.

b. Purpose compatibility with the purpose for which the data was initially collected: any subsequent processing must relate to the initial purpose for which the data was collected.

Source: Barandbench
