ECJ: Credit rating agencies must justify decisions on request
Companies may not simply reject customers with reference to insufficient creditworthiness. They must explain how the automated decision was made.
Meeting of a chamber with five ECJ judges.
(Image: Gerichtshof der Europäischen Union)
The ECJ has clarified how the "meaningful information" required under the General Data Protection Regulation (GDPR) on automated decisions based on score values should be structured (Case C-203/22). Credit agencies, such as Schufa in Germany, calculate these scores, which are then used by companies such as banks or mobile phone providers to decide whether to conclude a contract.
Explain comprehensibly
The GDPR stipulates that credit agencies must provide data subjects with information about how the values are calculated. Until now, it was unclear what specific information had to be provided. According to the ECJ ruling on Thursday, scoring procedures and their principles must be described in such a way that data subjects can understand which of their data was used in the automated decision-making process and how.
The decision of the European judges is based on a case from Austria: A mobile phone operator refused a woman a mobile phone contract that would have resulted in a monthly payment of ten euros, citing a lack of creditworthiness as the reason. The company only referred to an automated credit check by the credit agency Bisnode Austria (now Dun & Bradstreet, D&B). In the subsequent legal dispute, the Austrian Federal Administrative Court ruled that D&B had not adequately explained the automated decision and had therefore violated the GDPR. Nevertheless, D&B did not disclose any further information and referred to the data already disclosed and stored about the but-not-customer. This certified very good creditworthiness. The reason for the rejection of the ten-euro contract remained a mystery, so the woman turned to the Vienna Administrative Court to enforce the ruling on transparency.
The Administrative Court then asked the ECJ what specific information D&B had to provide. The ECJ now emphasizes that transparency and traceability are important to be able to challenge an automated decision if necessary. Information on the extent to which deviations in the personal data taken into account would have led to a different result is potentially sufficient. The disclosure obligation does not necessarily include the algorithm itself: This is because the GDPR requires "the communication of meaningful information about the logic involved, not necessarily a detailed explanation of the algorithms used or disclosure of the algorithm as a whole."
Sensitive information
D&B insisted on the confidentiality of its business secrets and any protected third-party data. The ECJ does not accept this across the board. It emphasized that the Austrian regulation, which "generally" excludes business or trade secrets from the right to information, is inadmissible. This is because it violates the GDPR. Austria will therefore have to repeal or amend Section 4 (6) of the Data Protection Act.
If such sensitive information comes into play, the controller does not have to provide this data directly to the data subject, but to the competent supervisory authority or court. This authority should then weigh up the conflicting rights and interests to determine the scope of the data subject's right to information. The appropriate part of the data is then forwarded from there to the data subject.
The German Schufa welcomes the ruling, as it helps to make scoring easier to understand. The credit agency feels vindicated in its transparency offensive.
(ds)
