
Credit institutions, watch new case law on credit scoring

On December 7, the CJEU issued a landmark ruling prohibiting automated credit scoring using algorithms by bringing it within the scope of the special protection of Article 22 GDPR. This provision prohibits the use of personal data for “fully automated decisions that produce legal effects or a significant adverse effect” on data subjects.

What is a “fully automated decision producing legal effects or significant adverse effect”? It is a decision regarding a person (a “data subject”), made through algorithms, without any human participation in the process. A decision produces a legal effect when it impacts the rights and freedoms of the person. A decision can also have a significant impact, similar to a legal effect, when it has the consequence of influencing the person’s environment, behavior, choices or leading to a form of discrimination. This would be the case, for example, of a decision that impacts someone’s financial situation or results in higher rates.

The credit agency industry has so far argued that the credit score was not an “automated decision”, as the final decision was still taken by the company (using the score). The CJEU took a more extensive interpretation of Article 22 GDPR, relying in particular on recital 71 of the GDPR, which shows a “broad scope of the concept of ‘decision’”:

“The concept of ‘decision’ within the meaning of Article 22(1) of the GDPR is thus, as the Advocate General noted in point 38 of his Opinion, capable of including a number of acts which may affect the data subject in many ways, since that concept is broad enough to encompass the result of calculating a person’s creditworthiness in the form of a probability value concerning that person’s ability to meet payment commitments in the future.”

It follows that automated credit scoring is now prohibited for credit agencies throughout the EU unless data subjects (i) have given their explicit consent and (ii) are able to express their point of view and contest the decision (as provided by Article 22 GDPR).

As GDPR is indirectly applicable in Monaco to EU residents via its extra-territorial scope (article 3), this interpretation could have an impact on the credit institutions of the Principality.

If your bank uses credit scoring, do not hesitate to contact DL Corporate & Regulatory to check if your practice is still legal and effective.