Lawyers at Matheson believe a recent decision by the EU’s highest court in a General Data Protection Regulation (GDPR) case involving a credit-reference agency could have wider implications.
Article 22 of the GDPR prohibits organisations from making solely automated decisions that have a legal, or other similar, significant effect on individuals.
The Court of Justice of the European Union (CJEU) ruled that a German credit agency engaged solely in ‘automated individual decision-making’ under article 22 by using automated processing to create credit scores linked to individuals, in circumstances where third-party lenders “drew strongly” on these scores to make lending decisions.
The case arose from a complaint made by a person who was refused a bank loan on the basis of a low credit score that the agency, SCHUFA, supplied to the bank concerned.
A German court referred the case to the CJEU after the consumer appealed a decision by the country’s data-protection authority to uphold SCHUFA’s refusal to disclose certain information to her.
‘Broad interpretation’
In a note on the firm’s website, the Matheson lawyers say that the decision shows that the obligation to comply with article 22 falls on a credit-reference agency, rather than just on the third-party lender who relies strongly on such credit scores to make the ultimate decision on loans.
Noting that this reflects a broad interpretation of article 22, the lawyers point out that any service provider who provides automated decision-making support to a third party could now be caught by this aspect of the GDPR.
They cite recruitment, healthcare, and insurance, as examples of sectors that often rely on AI decision-making.
Legal effect
The Matheson lawyers note, however, that the judgment appears specific to situations where a service provider's input is "strongly" relied upon by a third party to make a decision, and that decision has a legal effect, or other similar significant effect, on an individual.
“If a credit reference agency or other similar provider issues a score that is not relied on heavily by the third party making the end decision – for example, because lenders attach significant weight to other factors – then it is arguable that the issuing of the score would not be covered by article 22 GDPR,” the Matheson lawyers say.
They conclude, however, that providers of services that are relied upon by third party organisations for decision-making purposes will “inevitably be concerned” by the potential ramifications of the decision.