Germany’s proposed revision of its Federal Data Protection Act (BDSG) would allow automatic credit scoring, a widespread practice in the EU but one which is currently in legal limbo.
The revision could be finalised in the next couple of weeks and looks likely to pass, according to Johannes Müller, policy officer at German consumer protection organisation Verbraucherzentrale Bundesverband (vzbv), which supports the bill.
Under the General Data Protection Regulation (GDPR), fully automated decisions that “significantly affect” a data subject are banned, but automated credit scoring remains widely used.
In December, the Court of Justice of the EU (CJEU) ruled that automatically generating a report that recipients will attribute a “determining role in the granting of credit” can be considered an illegal automated decision.
The ruling puts third-party credit scoring providers in “an impossible situation” since they cannot know in advance how customers will use their reports, Enrique Velázques, director of the Association of Consumer Credit Information Suppliers (ACCIS), told Euractiv.
Germany’s revision would allow scoring conditional on satisfying certain transparency and data use requirements.
“It’s progress because it excludes specific data categories from scoring” and will help consumers understand “how their behaviour affects the score,” said Müller.
A patchy fix
Not everyone is keen on the German approach, as introducing safeguards “doesn’t hurt, but doesn’t add much,” Marco Blocher, data protection lawyer at NGO Noyb, the European Center for Digital Rights, told Euractiv.
Much, if not all, of the data that the bill excludes from processing for credit scoring should already be illegal to use, so several of the new measures “just repeat the obvious,” he said.
GDPR prohibits personal data processing by default but lists specific circumstances under which it is allowed.
One of these legal grounds is “legitimate interest,” a concept that allows data processors to conduct such activities, provided their interests are not “overridden” by the data subjects’ rights. Users must be informed of such processing, and member states cannot pass legislation interfering with this balancing test.
But Blocher thinks the German revision could do just that, formalising the processing of certain types of personal data without balancing the processors’ business interests and user rights.
“If the German legislator says I can use [a type of data] for scoring, I can certainly collect it beforehand,” will be the credit bureaus’ argument, he said, thus opening the floodgates to data collection without balancing the firms’ interest with the user’s rights.
Müller does not see this as a problem. He said that GDPR contains a clause allowing member states to permit automated decisions, and since companies already rely on legitimate interest, the revision would reduce their problematic data use.
Legal uncertainty across Europe
Automatic credit scoring companies have increased in Europe despite member states’ different legal regimes.
Some data protection authorities, like the Italian DPA, are looking into how to interpret the CJEU ruling, whereas others have yet to process it.
For Blocher, the very business model of credit scoring agencies is “extremely problematic.”
The whole premise is that they automate what would otherwise be manual work, saving costs and time.
“Our automated credit decisioning tools help you lower manual review costs,” writes Experian.
“Credit checks in real-time, without disrupting the customer journey,” writes SCHUFA.
Despite selling these products on claims of automation, Experian and SCHUFA aim to pass on the decision to use these scores to their clients, who shouldn’t “draw strongly” on the score, they told Euractiv.
However, when SCHUFA asked its customers to confirm this, one called it “absurd,” given their reliance on the score, Süddeutsche Zeitung reported.
Hungry for data
The more data the credit agency has, the better credit scores it can deliver, so it may be incentivised to augment its data collection.
However, according to Blocher, in Germany, less than ten per cent of the population produces payment failure data that can be unproblematically used for credit checks.
Therefore, he said, most credit agencies collect additional financial and non-financial data from third parties and public directories without informing or gaining consent from the data subjects.
“CRIF solutions allow the process automation and decisions related to the entire loan experience [...] thanks to a wide dataset of proprietary and public data,” writes CRIF.
The company told Euractiv that it only uses accessible data under all applicable laws and Codes of Conduct.
SCHUFA has “access to a wealth of information that cannot be researched in public directories.” It uses contractual behaviour data regarding current accounts, credit cards, leasing agreements, loans, and mail-order accounts, in addition to payment failure data.
The need for a common approach
Despite the disagreements, Blocher and industry representative Velázques concur that harmonising European rules is the way forward.
The Commission’s second review of GDPR implementation, published on 25 July, found serious enforcement issues and varying interpretations among European data protection authorities and mentioned automated decision-making as an example of diverging practices.
However, the Commission did not recommend a review of the regulation, merely its better and more harmonised enforcement.
[Edited by Eliza Gkritsi/Alice Taylor-Brace]