
Credit rating agencies face restrictions after landmark EU data protection ruling

By techtost.com | 8 December 2023 | 6 Mins Read

Credit rating agencies operating in the European Union may face tighter restrictions under the bloc’s privacy laws following a ruling issued today by the Court of Justice of the European Communities (CJEU). The referral relates to complaints made against the practices of a German credit rating agency called Schufa, but it could have wider implications for credit reporting agencies operating in the area where the General Data Protection Regulation (GDPR) applies.

One complaint that the CJEU examined focused on a case of “prolonged” data retention by the credit reporting company: information on the granting of discharge of outstanding debts is held in the German public insolvency register for only six months, but a code of conduct for German credit bureaus allows a three-year retention period for their own databases. The Hesse Data Protection Authority had rejected the complaint about data retention, also contending that the local court could not review its decision. The CJEU disagreed.

“The Court considers it contrary to the GDPR for private entities to retain such data for longer than the public insolvency register,” it wrote in a press release for case C-634/21 (plus joined cases C-26/22 and C-64/22). “Discharge of remaining debts is intended to enable the data subject to re-enter economic life and is therefore of existential importance to that individual. This information is still used as a negative factor when assessing the creditworthiness of the data subject. In this case, the German legislator provided for the storage of data for six months. It therefore considers that, at the end of the semester, the rights and interests of the data subject prevail over those of the public to access that information.”

“To the extent that the retention of the data is unlawful, as is the case after six months, the data subject has the right to request the deletion of the data and the organization is obliged to delete the data as soon as possible,” the court added.

The CJEU also ruled on a second complaint that seems rather existential for credit rating agencies, as it questions whether Schufa can automatically issue credit scores, given that the GDPR provides protection for individuals subject to solely automated decisions with legal or significant implications for them. So, in effect, agencies may need to get people’s express consent to rate them.

The Court ruled that Schufa’s credit rating should be regarded as an “automated individual decision”, which its press release notes is “prohibited in principle by the GDPR, to the extent that Schufa’s customers, such as banks, attribute to it a decisive role in the granting of credits”.

If this type of credit assessment is the basis for a bank’s decision to, for example, refuse an individual a loan, the practice risks breaching EU data protection rules.

In this particular case, however, it will be up to the Wiesbaden Administrative Court to assess whether the German Federal Data Protection Act contains a valid exception to the prohibition under the GDPR and, if so, to check whether the general conditions set out by the GDPR for data processing are met, such as ensuring that individuals know their right to object and to request (and receive) human intervention, and being in a position to provide meaningful information about the credit score rationale upon request.

“Judicial review” of DPA decisions

In another important ruling, the CJEU also made it clear that national courts must be able to exercise what its PR calls “full review” of any legally binding decision of a data protection authority.

Privacy rights group noyb, which has had multiple run-ins with the DPAs over their inability to act on (let alone enforce) complaints, highlighted it as particularly important, calling it “full judicial review” of the DPAs.

“The decision of the CJEU massively increased the pressure on the DPAs. In some EU member states, including Germany, they have so far assumed that a GDPR complaint by data subjects is simply a kind of ‘report’. In practice, this means that despite an annual budget of 100 million euros, German DPAs have rejected many complaints with strange justifications and that GDPR violations have not been pursued. In countries such as Ireland, over 99% of complaints were not processed and in France, victims were denied any right to participate in the process regarding their own rights. Some DPAs, such as the Hessian authority in this case, have also held that courts are prohibited from reviewing their decisions in detail,” it wrote in a press release responding to the ruling.

“The CJEU has now put an end to this approach. It has been held that Article 77 of the GDPR is designed as a mechanism to effectively protect the rights and interests of data subjects. In addition, the court ruled that Article 78 of the GDPR allows national courts to conduct a full review of DPA decisions. This includes assessing whether the authorities have acted within the limits of their discretion.”

Higher GDPR fines on the way?

The two landmark rulings follow another ruling handed down yesterday by the CJEU (also through, in part, another referral case in Germany), which legal experts suggest could lead to significantly higher penalties for GDPR violations as it reduces requirements for the imposition of fines on legal entities.

Thus, while, in this case (C-807/21), the Court held that unlawful conduct is necessary for a fine to be imposed — that is, that the breach of the GDPR must have been committed “intentionally or negligently” — judges also said that, when the controller is a legal person, it is not necessary that the violation has been committed by its management body, nor is it necessary for that body to be aware of this violation.

They further stipulated that the calculation of any fine requires the supervisory authority to take as a basis the definition of ‘undertaking’ under competition law (that is, according to the Court’s PR, that ‘the maximum amount of the fine must be calculated on the basis of a percentage of the total global annual turnover of the business concerned, taken as a whole, in the previous financial year’; or, basically, that the revenue of an entire group of companies can be used to calculate a GDPR penalty for an infringement committed by a single unit of this group).

Jan Spittka, a partner at law firm Clyde & Co., predicted that tougher GDPR fines could follow. “The general framework of the decision will make it easier for EU Member States’ data protection supervisory authorities to sanction legal entities and is also likely to lead to significantly higher fines on average,” he suggested in a statement.

“Under this standard, only a detailed and tightly controlled data protection compliance system can put a legal entity in a position to argue that it was unaware of its unlawful conduct in relation to breaches of the GDPR committed by an employee,” he said. “Furthermore, a legal entity can be exonerated if representatives or employees act completely outside the scope of their job description, e.g. when using personal data for private purposes.”
