On 7 December 2023 the Court of Justice of the European Union (“CJEU”) delivered a landmark judgment in OQ v Land Hessen (SCHUFA Holding), concerning the interpretation of ‘automated decision-making’ (“ADM”) under Article 22 GDPR. The decision will likely have direct implications for credit scoring agencies. However, it may also affect service providers using automated processes to generate risk-based scores (or other outputs) which are relied on when making decisions which significantly impact individuals.
The case was first referred to the CJEU by the Administrative Court in Wiesbaden, Germany, after a German resident (referred to as ‘OQ’ in the judgment) made an application to exercise her rights under Article 15(1)(h) GDPR to receive information about the ADM processes which had used her personal data.
The company in question, SCHUFA AG Holding (“SCHUFA”), is a German credit reference agency that provides financial institutions with credit information in the form of predictions of individuals’ future behaviour. SCHUFA used OQ’s personal data to produce a ‘score’ indicating her creditworthiness, which it then shared with a German bank. On the basis of the score provided by SCHUFA, the German bank rejected OQ’s application for a loan.
In response to OQ’s request for further information, SCHUFA provided her with the score and broadly described the methods used to calculate it. However, citing trade secrecy, it refused to disclose the specific elements taken into account for the calculation and their relative values.
SCHUFA argued that its scoring activities did not constitute ADM, as it was ultimately the German bank that made the decision to reject the loan application, and that SCHUFA’s role was to produce an automated score for OQ.
Automated decision-making under GDPR
As a reminder, Article 22(1) GDPR provides individuals with a negative right – “not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way.”
Under Article 15(1)(h) GDPR individuals who are subject to ADM also have a ‘right of access’ meaning they can request from data controllers “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing”. This was the essence of OQ’s original application.
There are some exceptions to the general prohibition on ADM in Article 22 GDPR, where the ‘decision’ in question is: (i) necessary for the performance of a contract between the data subject and controller; (ii) authorised by the national law of an EU member state and where safeguards are put in place; or (iii) based on consent from the data subject.
Findings of the CJEU
The Court applied a broad interpretation of ‘decision’ in Article 22 GDPR when assessing whether SCHUFA had undertaken ADM. It concluded that although SCHUFA did not itself make the decision to reject the loan application, in providing the credit score it played a “determining role” in the ultimate outcome, which was enough to constitute the making of a decision. In his Opinion, the Advocate General clarified that the broad scope of a decision means it can include “a number of acts which may affect the data subject in many ways”.
An additional factor was that SCHUFA was in a better position to comply with its information obligations under Article 15(1)(h) GDPR as the German bank would not have any details about the functioning of the automated processes used to generate the score.
Similarly, the CJEU interpreted the last limb of Article 22(1) GDPR broadly by concluding that the negative credit score produced by SCHUFA affected OQ “at the very least[…]significantly”.
What are the implications of SCHUFA for businesses?
The CJEU’s broad interpretation of ‘automated decision-making’ in the context of Article 22 GDPR means that a wider range of automated processes may be caught. Moreover, such processes do not have to form the basis of direct decision-making and can therefore cover many players in the supply chain, so long as they play a determinative role in the final decision, whoever makes it.
Businesses using automated processes to make decisions should reassess their practices to ensure they are aligned with GDPR requirements and adjust them where necessary. It is not just credit agencies that will be affected: the implications will span a range of sectors (e.g. healthcare, insurance and employment), wherever businesses are using algorithms as a basis for making decisions which significantly impact individuals in line with Article 22(1) GDPR. It also points to the value of businesses being able to provide clear, human-understandable information about their data processing methods, so that they are equipped for when individuals exercise their rights to enquire about and challenge decisions based on ADM affecting them.
The timing of the judgment is very apt: it was published just one day before the EU AI Act was agreed (which we wrote about here). AI systems which determine access to public services are categorised as ‘high risk’ under the EU AI Act and are subject to strict requirements relating to risk management, e.g. conducting a fundamental rights impact assessment. The combination of the decision in SCHUFA and the relevant provisions of the AI Act reinforces the restrictive approach when it comes to ADM.
While the judgment comes from the CJEU and considered provisions of the GDPR, UK businesses should note that UK GDPR closely mirrors the EU Regulation. It is therefore possible that UK courts would take a similarly broad approach to the interpretation of Article 22 UK GDPR. Businesses should also acknowledge the extra-territorial effect of the EU GDPR, which captures many UK-based businesses operating in the EU; those businesses would therefore be directly impacted by the CJEU judgment.