The classic business model of credit agencies is under pressure in times of the European General Data Protection Regulation (GDPR). The industry is watching with excitement two proceedings that began on Thursday before the European Court of Justice (ECJ) in Luxembourg. It is about the German Schufa, the notorious “scoring” and the question of how long credit bureaus are actually allowed to keep sensitive data.
The first procedure deals with the question of whether the rejection of an application based on the Schufa score constitutes an automated decision prohibited under Article 22 of the GDPR. In another procedure, the ECJ judges should clarify how long credit bureaus may store an entry about the discharge of a person’s residual debt after personal bankruptcy proceedings. While public registers of debtors delete this feature after six months, it remains in a person’s data record for up to three years at Schufa.
Automated scoring
Before someone receives a loan, concludes a fixed-term contract or can place online orders on account, banks or dealers as well as telecommunications services or energy suppliers often ask credit agencies such as the Schufa about the creditworthiness (creditworthiness) of this person. The Schufa then sends a value called “Score” in addition to all relevant entries in its database. This should reflect the probability of whether the customer will meet his payment obligations or whether there is a risk of default.
The credit bureaus make a trade secret out of the calculation of their score values. The score is calculated from the entries in their database, says Schufa, whereby the score at least contributes to the decision-making process of the lender – and in the case of mobile phone contracts, an order is sometimes rejected if the score is too low.
In the first case, a consumer who had been refused a loan by her bank with reference to a low Schufa score initially requested information from the Schufa. She also asked Schufa to delete the relevant entry. However, the general information that Schufa gave her to calculate the score was not enough for her. Therefore, she complained to the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) – the headquarters of Schufa is in Wiesbaden. He argued that the way Schufa works complies with the Federal Data Protection Act and that there are no indications that it has violated it.
The plaintiff then filed a lawsuit with the responsible Administrative Court (VG) in Wiesbaden. During the proceedings, the Administrative Court made use of its right to appeal to the ECJ for fundamental clarification. Specifically, the judges in Luxembourg should decide whether Schufa violates the ban on automated decisions under Article 22(1) of the GDPR.
Schufa: We only deliver one value
Credit bureaus such as Schufa argue that they only determine a creditworthiness value that they transmit to an inquiring company. This then makes the decision on the basis of further data that it has from its interested customers. The VG Wiesbaden countered that many companies de facto decide according to the automatically determined score of the Schufa – or that it at least plays a decisive role.
The procedure is also indirectly about the right to information under Article 15 GDPR: Currently, those affected can only request information from their bank or their dealer about the procedure they use to make decisions. At this point, however, they must fit partially or completely, since the Schufa does not disclose the calculation formula for the score. The Federal Court of Justice confirmed this in 2014.
In addition, in the event of a decision in favor of Schufa, the VG Wiesbaden wants to know whether their work is profiling – in this case it could be that the Federal Data Protection Act (BDSG) has to be changed, since in this case the European legislator takes precedence has.
Storage period for exemptions from residual debt
The second ECJ procedure, which the Federal Court of Justice is currently negotiating in a similar way, revolves around deletion periods for data on the discharge of residual debt after personal bankruptcies. Every citizen can see such personal bankruptcies in public debtor directories. If the private insolvency proceedings end, for example with a discharge of residual debt, the district courts delete the entry after six months. The problem: The GDPR does not prescribe any deadlines. The Schufa stores them for another three years on the basis of a voluntary agreement between German credit agencies and includes them in the score.
Lower instances – specifically the VG Wiesbaden and the OLG Schleswig – independently decided in 2021 that this was inadmissible. From their point of view, Article 17(1) of the GDPR requires that such entries be deleted at the same time. According to this, an institution must delete data if the processing is no longer lawful, no longer necessary according to the purpose of the processing or must be removed due to the personal situation of the data subject.
Schufa counters this with the legal practice in other European countries, some of which have significantly longer deletion periods (up to 12 years in Ireland). She therefore appealed in this case, whereupon the VG Wiesbaden appealed to the ECJ to clarify the case in principle.
If the arguments of the VG Wiesbaden were right, the Schufa would have to do without a basis for its score calculation. She could continue to create scores, but she would lose an important variable. The result could be scores that actually lend to less creditworthy people – or credit to actually creditworthy people who haven’t gotten credit.
Verdicts are expected later this year or in early 2024.
(mon)
