German Court asks CJEU to clarify whether calculating consumer credit scores falls within the scope of automated decision-making under GDPR

The case relates to a claim of an individual against the private credit report agency SCHUFA Holding AG (SCHUFA) after the individual was refused a loan based on a low score provided to a bank by SCHUFA. SCHUFA and other credit rating agencies suggest that they merely calculate the scores for evaluation of creditworthiness of individuals, predict, based on this score and other characteristics of the individual, the probability of future behaviour (e.g. the repayment of a loan), and share this information with its clients (such as banks). Credit rating agencies suggest that by calculating the score and sharing it with their clients they merely profile the individuals, and do not adopt any automated decisions in the meaning of Article 22 GDPR, as the actual decisions about individuals are made by their clients.

The individual requested SCHUFA to provide access to information held about her and delete certain entries from its database. SCHUFA informed the individual about her score and provided basic information on the functioning of its score calculation, but did not disclose the details on which data were taken into consideration and how they were weighted claiming that such information is protected as business secrets and thus do not have to be disclosed. The individual complained to the Hessian State supervisory authority (Hessian DPA), which rejected the complaint on the basis that SCHUFA generally complies with Section 31 of the German Federal Data Protection Act (BDSG), regulating the calculation and use of scores in detail, and with pre-GDPR case law and that there is no indication that in the individual case SCHUFA did not comply with these requirements, concluding that the score calculation methodology does not need to be disclosed. The individual initiated court proceedings against the Hessian DPA and SCHUFA. 

The Court considered the case and decided to revert to the CJEU to clarify whether the calculation by credit agencies of an individual’s credit score and disclosure of this score to third parties (such as banks) without further comment or recommendation would fall within the scope of Article 22(1) GDPR. The Court considered it was arguable that the creation of score represented an independent “decision” within the meaning of Article 22 GDPR. It noted that even though a different decision can be, in principle, made by the credit agency’s client (e.g. by a bank, telecommunication provider or a landlord to enter into a contractual relationship with the individual), and that client does not have to make its decision solely dependent on the score value (noting examples when individuals with good score are still refused a loan), in practice the credit scores play a decisive role in granting loans and constructing the loan conditions, and insufficient score values lead to refusals of consumer loans in almost all cases. 

In addition, the Court asked the CJEU to consider whether Section 31 BDSG (regulating the calculation and use of scores in detail) was compatible with the GDPR, noting that by attaching further substantive admissibility requirements to credit scoring, the German legislature stepped outside the boundaries for national derogations available under GDPR for legal bases.

This is the second case relating to SCHUFA that the Court submitted to the CJEU this year. At the end of August the Court submitted a case relating to SCHUFA’s storage of information on discharge of residual debt (case no. 6 K 226/21.WI). The press release of the Court about this case is available here (only in German). Whilst the Hessian DPA seemingly made peace with SCHUFA in recent years, aligning in detail on its credit score calculation methodology and moving away from the pre-GDPR consent requirement for submitting and receiving data from SCHUFA, the Court appears more sceptical. Given the widespread use of SCHUFA scores in day-to-day commerce, the decision by the CJEU and the following decision of the Court will have huge practical implications on contracts in Germany, in addition to clarifying the scope of application of Article 22(1) GDPR.  

Read the Court's press release about the case (only in German) and The CJEU case file (the questions, in full, are not available at the time of issuing this Update).