Privacy & Cybersecurity Law Blog

On December 7, 2023, the Court of Justice of the European Union (“CJEU”) ruled that credit scoring constitutes automated decision-making, which is prohibited under Article 22 of the EU General Data Protection Regulation (“GDPR”) unless certain conditions are met. In a case stemming from consumer complaints against German credit bureau SCHUFA, the CJEU found that the company’s reliance on fully automated processes to calculate creditworthiness and extend credit constitutes automated decision-making which produces a legal or similarly significant effect within the meaning of Article 22 of the GDPR.

Article 22 prohibits the use of personal data for fully automated decision-making that results in a legal or “similarly significant” effect to data subjects, unless the data subject consents to the automated processing or certain other conditions (including being necessary for the performance of a contract) are met.

The CJEU’s decision rejected SCHUFA’s view that credit scoring does not constitute decision-making because any adverse effect to the data subject is produced by the independent decisions of the entity using the score. Instead, the court took the position that a credit agency’s calculations of creditworthiness count as automated decision-making under Article 22 if a third party “draws strongly on that [score] to establish, implement or terminate a contractual relationship.”

The CJEU tasked the Administrative Court of Wiesbaden in Germany, where the case originated, with determining whether German federal law contains a GDPR-compatible exception to the prohibition on automated data processing. If the court finds no applicable exceptions, credit scoring agencies in the EU will have to obtain consumers’ express consent before calculating their creditworthiness, and provide consumers with an opportunity to object to a credit score.