15.02.2024

Credit scoring from the CJEU perspective

At the end of last year, the Court of Justice of the European Union ("CJEU") delivered a landmark judgment[1] on the interpretation of Article 22 of the General Data Protection Regulation (GDPR), focusing on decisions based solely on automated processing and which significantly affect the data subject. The analysis of the European Court's considerations highlighted a number of practical consequences, of interest to both credit assessment providers and credit institutions, as well as consumers.

1) The CJEU's considerations

In Case C-634/21, the CJEU examined the practices of the German company SCHUFA Holding AG, where a consumer (OQ) was refused credit on the basis of a score determined by the assessor. OQ requested that SCHUFA send him information on the personal data recorded and delete some of the allegedly incorrect data.

In response to this request, SCHUFA informed OQ of his score and outlined how the scores were calculated. However, invoking commercial secrecy, it refused to disclose the various pieces of information taken into account for this calculation and their weighting. Finally, SCHUFA pointed out that it merely passed on the information to its contractual partners and that it was they who took the actual contractual decisions.

In this context, the German court made a reference for a preliminary ruling. The key issue concerned Article 22 GDPR, namely whether the score provided by SCHUFA constituted an automated individual decision and whether that decision produced legal effects on the data subject or significantly affected him or her and therefore whether SCHUFA should have shared more details about the rationale behind the decision.

Pursuant to Article 22 GDPR, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or significantly affects him or her. Par. 2 of the same Article provides for a number of exceptions, in particular where: (a) the decision is necessary for the performance of the contract between the data subject and a data controller; (b) the decision is authorized by the law of the Union or of the Member State to which the controller is subject and there are safeguards to protect the data subject; and (c) the decision is based on the data subject's explicit consent. Even in such situations, controllers are obliged to provide human intervention and a way for the data subject to express an opinion or contest the decision.

In terms of the key elements of the judgment, the European court ruled as follows:

- the broad scope of the concept of 'decision' is confirmed by Recital 71 GDPR. This concept is broad enough to include the calculation of a credit score on the basis of a probability value;

- a probability value affects the data subject at least to a significant extent, since in the case of a loan application by a consumer to a bank, an insufficient probability value leads in almost all cases to the bank refusing to grant the requested loan;

- by calculating a credit score, a credit reference agency takes an automated individual decision when a third party relies "conclusively" on this probability value to establish, execute or terminate a contractual relationship with the person concerned.

2) Credit score in Romania

Scoring is a selection method based on a statistical analysis of the applicant's demographic data or payment history (in the case of those who have had access to credit in the past). The system assesses each of the applicant's traits based on personal data and assigns points, creating an estimated risk profile. Based on this profile, the bank can make the decision to grant or refuse the loan.

There are a number of private entities in Romania that provide both consumers and credit institutions with credit score assessments. Among the best-known providers of credit assessments is Bureau de Credit, a private company that manages a database on the lending activity of participating financial banking institutions. The database can be consulted by bank and non-bank credit institutions, insurance companies and debt collectors.

In the process of analyzing an application, the credit institution requests the Credit Bureau to issue a Credit Report. Among the personal data processed are:[2] data relating to the employer, data relating to the credit products applied for/granted, data relating to events occurring during the course of the credit product, data relating to relationships with other accounts, data relating to insolvency, etc.

The FICO Score, a number between 300 and 850, obtained from a statistical process that processes the information recorded by Participants in the Credit Bureau System and indicates the likelihood that the person concerned will in the future pay his installments on time, may also be used in the assessment activity.

Therefore, the evaluation mechanisms are similar for all operators, and the interpretation of the European Court is also relevant for Romanian score providers.

3) Implications of the judgment

With regard to the content of the protection, according to Art. 22 paras. (2) and (3) of the GDPR, appropriate measures must be laid down to protect the rights, freedoms and legitimate interests of the data subject. Even in cases of exception, the controller must take measures to protect at least the data subject's right to obtain human intervention, to express his or her point of view and to contest the decision.

In addition, as the CJEU has pointed out "in the case of an automated decision such as the one provided for in Article 22(1) of the GDPR, on the one hand, the controller is subject to additional information obligations under Articles 13(2)(f) and 14(2)(g) of the Regulation. On the other hand, the data subject has the right to obtain from the controller, pursuant to Article 15(1)(h) of that Regulation, inter alia, relevant information from the controller on the logic used and on the significance and the expected consequences of such processing for the data subject."

The judgment is in line with the CJEU's approach of interpreting the GDPR as broadly as possible in favor of the individuals whose personal data are processed, with strong consumer law overtones present. This concerns contractual relations in general, and not necessarily the specifics of the loan contract process. In this regard, it has been judiciously pointed out that the CJEU's interpretation "has wide-ranging consequences beyond credit assessment, affecting sectors such as health, insurance and employment, where AI-driven decision-making is essential"[3].

Although the judgment has wide-ranging implications, it should not be concluded from the outset that all automated scoring systems immediately fall under Article 22 GDPR. On the contrary, it will have to be verified on a case-by-case basis how and to what extent the score has influenced the decision of the credit institution (or, more broadly, the decision of the contractor considering the score).

The stakes of characterizing such pre-contractual scoring operations as automated individual decisions should not be neglected. If a creditor gives decisive weight to factors other than the credit score provided, then the issuance of the score will not benefit from the protection of Article 22 GDPR. It has been pointed out that "it is usually stated in contracts concluded with credit assessment providers that creditors should not base a decision solely on this score and should consider other factors before concluding or not concluding the contract."[4] The CJEU's interpretation is therefore based on a questionable premise, which could cause much uncertainty and possible difficulties in applying the judgment.

In this context, guidance by the personal data supervisory authority on the meaning of the phrase "depends in a decisive way on this value" could be of particular use.

An article signed by Oana Zamă, Partner - ozama@stoica-asociatii.ro - and Mircea Vasile, Junior Lawyer - mvasile@stoica-asociatii.ro - STOICA & Asociații






[1] CJEU, Case C-634/21 SCHUFA Holding (Scoring), delivered on December 7, 2023

[2] Cf. Notice on the processing of personal data in the Credit Bureau System

[3] https://www.williamfry.com/knowledge/ecj-says-no-in-schufa-case-new-decision-on-automated-decision-making/

[4] Key takeaways from the CJEU's recent automated decision-making rulings, Ruth Boardman, Bird & Bird Partner, Co-head, International Data Protection Practice


 
