CJEU ADM Decision Casts Wide Net Over Credit Scoring Agencies

On December 7, 2023, the Court of Justice of the European Union (“CJEU”) delivered a landmark decision against SCHUFA Holding AG (“SCHUFA”) that will likely impact how the EU General Data Protection Regulation (“GDPR”) applies to credit scoring agencies. In the decision, OQ v. Land Hessen, the CJEU decided that SCHUFA’s credit scoring qualified as automated decision making (“ADM”) which is subject to Article 22 GDPR.

Background

The case involved a prospective borrower (“OQ”) who exercised her individual rights under the GDPR after a lender denied her loan application based on credit information supplied by a German credit reference agency, SCHUFA. SCHUFA used OQ’s personal data to produce a score indicating the individual’s creditworthiness, which was then shared with the German lender.

OQ made a subject access request pursuant to the GDPR asking for information about SCHUFA’s automated credit scoring process. Specifically, Article 15(1)(h) GDPR allows individuals to request information on ADM to learn “about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” As a recap, Article 22(1) governs automated processing resulting in a decision that “produces legal effects concerning [the data subject] or similarly significantly affects [the data subject].”

SCHUFA denied OQ’s request for this information, citing trade secret considerations. SCHUFA reasoned that it had not performed the type of ADM subject to Article 22(1), but rather merely engaged in “preparatory acts” for the ultimate lending decision. It was the lender, not SCHUFA, who made the decision to reject the loan application and SCHUFA’s role was just to produce an automated score for OQ. Accordingly, SCHUFA argued that it did not have to comply with OQ’s Article 15 request.

What did the CJEU decide?

The CJEU ruled that, contrary to SCHUFA’s reasoning, the agency did make a decision subject to Article 22(1). The Court clarified that because SCHUFA played a “determining role” in the outcome of the financial institution’s denial of OQ’s loan application, SCHUFA indeed constituted a decision maker subject to the relevant GDPR ADM obligations.

Following the decision, the CJEU issued a press release affirming its decision that credit scoring conducted “must be regarded as an [ADM] prohibited in principle by the GDPR” if a third party attributes to the automated process “a determining role in the granting of credit.”

Implications of the SCHUFA Case

The CJEU’s broad interpretation of what constitutes ADM under Article 22 means that, even if a business does not make the final decision affecting an individual, the business may still constitute a decision maker subject to the GDPR’s ADM obligations if the business played a “determining role” in the ultimate outcome. Notably, this decision doesn’t just have an impact on credit scoring agencies, but also could affect any service provider using automated processes to generate risk-based scores which are relied on when making decisions that significantly impact individuals.

Accordingly, all entities engaging in automated processes that participate in a decision chain should consider whether they have independent obligations to comply with GDPR.