Introduction

The Court of Justice of the European Union (CJEU) has issued a significant ruling regarding the use of automated credit scoring [3] in determining a data subject’s creditworthiness. This decision mandates that companies must ensure compliance with the General Data Protection Regulation (GDPR) by incorporating genuine human involvement in credit assessments, rather than relying solely on automated decision-making processes.

Description

The Court of Justice of the European Union (CJEU) has ruled that companies cannot determine a data subject’s creditworthiness solely through automated credit scoring [1], particularly when such scores are critical in credit decisions [1]. This judgement necessitates that credit bureaus and scoring agencies align their practices with GDPR [1], ensuring that automated decision-making (ADM) is not the sole basis for credit assessments [1]. Financial institutions [1], including banks [1] [2], must document their lending processes to demonstrate that decisions are not exclusively reliant on automated scores [1].

On 7 December 2023 [3], the CJEU clarified that the automated calculation of a credit score can be classified as automated decision-making under Article 22(1) of the GDPR if it serves as a decisive factor in a credit institution’s loan approval process [3]. The ruling emphasizes the necessity of genuine human involvement in decision-making processes; it is insufficient for a human to merely endorse machine-generated recommendations without thorough examination [3]. Without authentic human decision-making [3], the process may still be deemed automated [3].

The ruling clarifies that data protection authorities will utilize the court’s interpretations of GDPR to enforce compliance and guide organizations in handling data for credit assessments [1]. Consumers are empowered to assert their right against decisions made solely through automated processing [1], as Article 22 of the GDPR grants data subjects the right to avoid solely automated decisions that significantly affect them and result in legal consequences [2]. The scope of such decisions is interpreted broadly [2], and individuals do not need to invoke this infringement themselves [2].

Legal professionals focusing on data protection [1], consumer rights [1], and financial services will find this case pivotal for navigating EU data law [1]. The judgement underscores the need for responsible AI use in ADM [1], highlighting the risks associated with unmonitored automated decisions [1]. The CJEU addressed a preliminary question from a German court regarding Article 22 [1], confirming that credit scoring agencies’ automated probability assessments constitute ‘automated individual decision-making’ when third parties depend on these scores for contractual decisions [1]. Consequently [1], automated creditworthiness assessments must comply with GDPR [1], although EU member states may introduce national exemptions [1].

The ruling indicates that the automated generation of credit scores falls under the wide application of Article 22 [2], which prohibits such decisions in principle [2], with exceptions existing for decisions necessary for a contract, authorized by law [2], or based on explicit consent [2]. The judgement also imposes new information obligations for ADM in credit scoring [1], and the EU’s AI Act categorizes various AI systems [2], including those assessing creditworthiness [2], as “High Risk AI systems.”

The implications of the Schufa judgment will be significant in the realm of automated decision-making, and future case law and developments regarding § 31 BDSG will be closely monitored [3]. The case remains active as the CJEU has referred it back to the German court to determine if a national exemption permits credit scoring based solely on automated decisions [1]. This ongoing legal discourse may lead to domestic legislation that could create exceptions allowing automated decision-making under specific circumstances [2], potentially restricting the use of ADM by governments and corporations unless explicitly authorized or consented to [2].

Conclusion

The CJEU’s ruling has profound implications for the financial sector and data protection landscape within the EU. It reinforces the necessity for human oversight in automated processes, ensuring that credit assessments are fair and transparent. This decision will likely influence future legal frameworks and practices, prompting organizations to reevaluate their reliance on automated systems and prioritize compliance with GDPR standards. The ongoing legal discussions may also shape national legislation, potentially introducing specific exemptions or restrictions on automated decision-making.

References

[1] https://www.michalsons.com/blog/schufa-case-oq-v-land-hessen-automated-decision-making/76054
[2] https://www.judiciary.uk/speech-by-the-master-of-the-rolls-ai-and-the-gdpr/
[3] https://www.activemind.legal/guides/automated-decision-making-ai/