On March 16, 2023, the Court of Justice of the European Union (“CJEU”) ruled that credit reporting agencies or any company that uses an automated process to determine a consumer’s creditworthiness, which ultimately affects the consumer’s ability to obtain a loan or causes the consumer to suffer some other significant effect, has engaged in profiling under the EU’s General Data Protection Regulation (“GDPR”). According to a non-binding opinion by Advocate General Priit Pikamäe, consumers have a right to review the information and processes involved in automated decision-making concerning their credit as well as “meaningful information about the logic involved,” including the methods used to calculate the score and reasons for the result – information that would enable the consumer to challenge the result. In other words, the GDPR provides consumers in the EU with “the ‘right’ not to be subject to a decision based solely on automated processing, including profiling.”
The case that led to this decision involves a German citizen who contacted the Data Protection and Freedom of Information Commission for Hesse (“HBDI”) regarding the protection of her personal data. The citizen was denied a loan based on an automated report provided by SCHUFA Holding AG, a private credit reporting agency. When the citizen asked SCHUFA to erase this information and provide her with access to the data, the company only provided her with her credit score and an outline of the principles behind the calculation. SCHUFA claimed that it was unable to provide the citizen with the calculation method or the specific data used to determine her score because the requested information was a trade secret.
The CJEU also reviewed two other cases from the Administrative Court of Wiesbaden in which two German citizens had petitioned the HBDI regarding SCHUFA’s inability to delete record entries related to debt that had been discharged during insolvency proceedings – debt that had been deleted from public registers within six months. While SCHUFA informed the citizens that it had updated its databases with information related to the early discharges, it was not able to delete the entries from their records for a period of three years. These cases were referred to the CJEU regarding the legal nature of the supervisory authority’s decision and the scope of the judicial review for these decisions as well as the lawfulness of the storage of the personal data.
The Advocate General held that cases such as these were subject to a full substantive judicial review because they involve a legally binding decision of a supervisory authority. The Advocate General also determined that it was unlawful for a private credit agency to store personal data regarding discharged debt that had been erased from public registers and confirmed that citizens with such concerns have the right to obtain assistance from the controller to have their personal data erased without undue delay.