Case C‑634/21
OQ
v
Land Hessen
(Request for a preliminary ruling from the Verwaltungsgericht Wiesbaden)
Judgment of the Court (First Chamber) of 7 December 2023
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 22 – Automated individual decision-making – Credit information agencies – Automated establishment of a probability value concerning the ability of a person to meet payment commitments in the future (‘scoring’) – Use of that probability value by third parties)
1. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Remedies – Judicial remedy against a decision on a complaint taken by a supervisory authority – Judicial review – Scope – Limits – None
(European Parliament and Council Regulation 2016/679, Art. 78(1))
(see paragraph 34)
2. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Right of the data subject not to be subject to a decision based solely on automated processing – Automated individual decision-making – Concept – Automated establishment by a credit information agency of a probability value concerning the ability of a person to meet payment, used by third parties – Included – Conditions
(European Parliament and Council Regulation 2016/679, recital 71 and Arts 4(4) and 22(1))
(see paragraphs 43, 46-50, 60-63, 73, operative part)
3. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Right of the data subject not to be subject to a decision based solely on automated processing – Exceptions – Adoption of a decision based solely on automated processing authorised under the law of a Member State – Obligation to comply with the conditions and requirements provided by that regulation – Verification a matter for the national court
(European Parliament and Council Regulation 2016/679, recital 71 and Arts 5, 6 and 22(2) to (4))
(see paragraphs 53-55, 64, 67-70, 72)
Résumé
SCHUFA Holding AG, a private company under German law, provides its contractual partners with information on the creditworthiness of persons. To that end, it assigns to each person a score, which it establishes based on certain characteristics of that person, on the basis of mathematical and statistical procedures. Scoring seeks to predict the future behaviour of a person, such as the repayment of a loan, by assigning him or her to a group of other persons with comparable characteristics.
After having been the subject of negative information established by SCHUFA and transmitted to a credit institution, OQ was refused, by that institution, the granting of a loan. OQ applied for SCHUFA to give her access to the data concerning her and to erase the data which was allegedly incorrect. SCHUFA, however, only sent her score to her and, in broad terms, the methods for calculating that score, referring, for the remainder, to trade secrecy.
OQ then lodged a complaint against SCHUFA before the HBDI, (1) the German supervisory authority, which was rejected by the latter on the ground that SCHUFA’s activity complied with the German legislation governing the terms of use of a probability value relating to creditworthiness.(2)
Hearing an appeal by OQ against the decision of the HBDI, the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany) asked the Court of Justice for an interpretation of the provisions of the GDPR (3) covering the right of the data subject not to be subject to a decision based solely on automated processing, including profiling.(4)
In its judgment, the Court interprets, for the first time, the provisions of the GDPR relating to the sensitive area of decisions based solely on automated data processing. In this context, it decides on the question of whether the automated establishment by a credit information agency of a probability value concerning the ability of a person to meet payment constitutes automated individual decision-making and therefore falls within the scope of application of those provisions.
Findings of the Court
First of all, the Court finds that the three cumulative conditions of applicability of the provisions of the GDPR which govern the right of the person not to be the subject of a decision based solely on automated processing, including profiling, are met in the present case.
As regards the first condition, relating to the existence of a decision, the Court specifies that the concept of ‘decision’ has a broad scope and may encompass the result of calculating a person’s creditworthiness in the form of a probability value concerning that person’s ability to meet payment commitments in the future.
Concerning the second condition, according to which the decision must be ‘based solely on automated processing, including profiling’, it is common ground, according to the Court, that the activity of the company in question meets the definition of ‘profiling’ (5) and therefore that that condition is met in the present case. In addition, the referring court explicitly refers to the automated establishment of a probability value based on personal data relating to a person and concerning that person’s ability to repay a loan in the future.
As regards the third condition, according to which the decision must produce ‘legal effects’ concerning the person at issue or affect him or her ‘similarly significantly’, the Court notes that, in the present case, the action of the third party to whom the probability value is transmitted draws ‘strongly’ on that value. An insufficient probability value leads, in almost all cases, to the refusal of that bank to grant a loan. Thus, that value affects, at the very least, the data subject significantly.
The Court concludes that, in the event that the probability value established by a credit information agency and communicated to a bank plays a determining role in the granting of credit, the establishment of that value must be qualified in itself as a decision producing, vis-à-vis a data subject, ‘legal effects concerning him or her or similarly significantly [affecting] him or her’.(6)
Next, the Court points out that that interpretation, and chiefly the broad scope of the concept of ‘decision’, reinforce the effective protection intended by the GDPR. On the other hand, a restrictive interpretation, according to which the establishment of the probability value must only be considered as a preparatory act and only the act adopted by the third party can, where appropriate, be classified as a ‘decision’, would lead to a lacuna in legal protection. In that situation, the establishment of such a value would escape the specific requirements provided for in the GDPR, (7) whereas that procedure is based on automated processing and produces effects significantly affecting the data subject to the extent that the action of the third party to whom that probability value is transmitted draws strongly on it.
Furthermore, first, the data subject would not be able to assert, from the credit information agency which establishes the probability value concerning him or her, his or her right of access to the specific information, (8) in the absence of automated decision-making by that company. Secondly, even assuming that the act adopted by the third party falls within the provisions of the GDPR which cover the right of the data subject not to be subject to a decision based solely on automated processing, that third party would not be able to provide that specific information because it generally does not have it.
Lastly, the Court notes that the fact that the establishment of a probability value is covered by the provisions of the GDPR governing the right of the data subject not to be subject to a decision based solely on automated processing has the consequence that it is prohibited unless one of the exceptions is applicable and the specific requirements provided for in the GDPR are complied with.
Furthermore, any processing of personal data must, first, comply with the principles relating to the processing of data established by the GDPR and, secondly, in the light, in particular, of the principle of the lawfulness of processing, satisfy one of the conditions of lawfulness.
In this context, the Court notes that the referring court refers to the exception according to which the adoption of the decision based solely on automated processing may be authorised where this is provided for by the law of the Member State. In this respect, it states that it is for that court to verify whether the national legislation governing the terms of use of a probability value relating to creditworthiness can be classified as a legal basis authorising the adoption of such a decision and, if so, whether the conditions of that exception and those of the principles applicable to the processing, laid down in the GDPR, are fulfilled in this case.