Credit scoring companies operating in the European Union are likely to face tighter restrictions under the General Data Protection Regulation (GDPR) following a landmark ruling by the Court of Justice of the European Union (CJEU). The ruling came in response to complaints against the practices of Schufa, a German credit scoring company, but its reasoning applies to any credit information agency operating within the EU.
Key Takeaways
- Credit scoring firms operating in the European Union may face stricter regulations under the GDPR following a ruling by the CJEU.
- The CJEU determined that retaining insolvency discharge data for longer than the public register does is contrary to the GDPR, giving precedence to the rights and interests of data subjects.
- The court also ruled that credit scoring itself must be regarded as an “automated individual decision” under Article 22 GDPR where a third party, such as a bank, relies heavily on the score. Such decisions are prohibited unless one of the Article 22 exceptions applies, one of which is the data subject’s explicit consent.
- The ruling also underscores the need for national courts to exercise full review over DPA decisions and increases the possibility of higher fines for GDPR violations.
Data Retention and GDPR Compliance
One of the complaints considered by the CJEU focused on the extended retention of data by credit referencing firms, specifically information on the discharge from remaining debts granted in insolvency proceedings. While the German public insolvency register only keeps such information for six months, German credit information agencies retained it for up to three years under their own code of conduct. The CJEU deemed this practice contrary to the GDPR: the discharge from remaining debts exists to allow individuals to re-enter economic life, so the data subject’s interest in not being burdened by the old debt outweighs the interest of the public in continued access to that information once the register itself has deleted it.
The CJEU also ruled on a second complaint regarding the automatic issuance of credit scores by Schufa. The question was whether the scoring itself, rather than only the bank’s subsequent decision, falls under Article 22 GDPR, which prohibits decisions based solely on automated processing that produce legal or similarly significant effects unless an exception applies (necessity for a contract, authorisation by law, or the data subject’s explicit consent). The court held that it does: where a bank draws strongly on the score in deciding whether to grant credit, the calculation of that score is already an “automated individual decision,” so issuing it without a valid Article 22 basis violates EU data protection rules.
Impact on Judicial Review of Data Protection Authority Decisions
The CJEU’s ruling also clarified that national courts must be able to exercise “full review” over any legally binding decisions made by data protection authorities (DPAs). The privacy rights group noyb, which has long criticised DPAs for failing to act on complaints, welcomed this as a significant development. The ruling signals that GDPR complaints are not mere petitions that a DPA may decline to handle, and that DPAs must ensure individuals’ rights are effectively safeguarded. The court confirmed that national courts may conduct a comprehensive assessment of a DPA’s decision, including whether the authority stayed within the limits of its discretion.
Potential Increase in GDPR Fines
In separate rulings delivered the same week, the CJEU lowered the bar for imposing fines on legal entities for GDPR breaches. Culpable conduct (intentional or negligent infringement) remains necessary for a fine, but the court stated that the breach need not be committed by the management body of the legal entity, nor does that body need to have had knowledge of the infringement; it is enough that the infringement was committed by a person acting in the course of the entity’s business. The CJEU further held that the fine must be calculated using the concept of an “undertaking” from EU competition law (Articles 101 and 102 TFEU), so the turnover-based maximum under Article 83 GDPR can be measured against the total worldwide annual turnover of the entire corporate group rather than the single legal entity at fault. Legal experts expect this to result in significantly higher penalties for GDPR violations.