Schufa ruling sets a precedent: GDPR complaint due to denied power supply
An Austrian wanted electricity, but the state provider said no. Fully automatically, without human verification. That's illegal, according to the experts at Noyb.
The Austrian data protection organization Noyb (none of your business) has filed data protection complaints against the Kreditschutzverband aus 1870 (KSV) and the state-owned electricity provider Unsere Wasserkraft. The reason is the fully automated rejection of an application for electricity supply by Unsere Wasserkraft based on an "inadequate credit rating".
According to Noyb, this happened to an Austrian. He ordered electricity online from Unsere Wasserkraft, a provider owned by the province of Styria. After a few minutes, the company welcomed the new customer by email – but just one minute later, the cancellation email arrived: Due to an inadequate credit rating, no contract would be concluded after all.
The short period of time proves that this decision was made fully automatically, emphasizes Noyb. No one at the company could have dealt with the application. Yet human involvement is precisely what is legally required: Article 22 of the EU General Data Protection Regulation (GDPR) expressly prohibits automated decision-making, including profiling, unless there is consent or a legal basis for it – but this must be balanced with the rights of the data subject.
If the payment probability scoring is used "significantly" for a decision, it is not only this decision, but the previous scoring itself that is considered an automated decision within the meaning of Article 22 GDPR. This was recognized by the ECJ in its Schufa ruling in December. Consumers "must have the opportunity to involve a real person in the case of a fully automated decision, to present their own point of view and to challenge the automated decision", concludes Noyb lawyer Martin Baumann.
Who is responsible?
The Austrian concerned had to get electricity elsewhere, but did some research and found out that KSV had calculated an incorrect credit score for him. The provider has since improved the score. In principle, however, KSV believes that the probabilities it calculates have no significant influence on the decisions of KSV customers. The provider has also protected itself accordingly in its contractual provisions: KSV customers must guarantee to comply with data protection regulations and to indemnify KSV.
The KSV terms and conditions also state: "Score values can support contractual partners in any decision-making process as to whether a contractual relationship is established, continued or terminated and can be included in risk management, whereby the risk assessment of a possible default and the assessment of creditworthiness is carried out by the direct (potential) business partner."
Conversely, Unsere Wasserkraft refers to the creditworthiness score provided by KSV, says Noyb. To ensure that the person concerned does not fall between two stools, Noyb is supporting him in his complaint to the Austrian data protection authority against both companies at the same time. One or both are alleged to have violated Articles 13, 14, 15 and 22 GDPR. Noyb is calling on the DPA to prohibit KSV from profiling as long as it is not ensured that the ratings are only used for permitted applications.
heise online has given both companies in question the opportunity to comment and will supplement this article accordingly.
(ds)