Signing a mobile phone contract is quick these days. Some can still be carried away in the shop, others shrink at the discount campaign on the Internet. One click here, one tick there. Millions of people in Germany are likely to have signed such a contract in recent years. What many people did not know: German credit agencies such as Schufa or Crif Bürgel have also saved the contract data.
According to research by NDR and Süddeutscher Zeitung However, credit agencies have been collecting this data since 2018 without obtaining consumer consent. This can affect all German consumers who have signed a mobile phone contract in the past four years. Many, presumably millions, of innocent citizens who have paid their bills have very likely ended up in the databases of the credit bureaus. Data protectionists consider this to be “inadmissible”.
Some German credit agencies not only saved the data, but also incorporated it into so-called scores. Such scores play a role in hundreds of thousands of decisions in Germany every year. Do I get a contract? Or can I buy something here on account? The credit agencies asked are silent about who actually used this information for scoring. Only the credit agency Infoscore Consumer Data says it has not saved such data. Competitor Crif Bürgel emphasized that cell phone contract data was not used to assess creditworthiness.
Since 2018, the credit agencies have been collecting a lot of data without having explicit consent
Klaus Müller, board member of the Federation of German Consumer Organizations (VZBV), thinks this practice is difficult. He explains that the credit bureaus can use the data to predict how everyone will behave. “This makes me much more transparent than I have ever been,” warns Germany’s top data protection officer. “This is a development that we consumer advocates find wrong, which we reject and which, in our opinion, is not covered by the General Data Protection Regulation in this form.”
The Data Protection Conference (DSK) also sees it this way and is strengthening consumer rights in a current resolution. On a few pages she declares the behavior of the credit bureaus in the past four years as “inadmissible”. She justifies this with the fact that through this practice “large amounts of data about normal everyday processes in economic life would be collected and processed” – and without any reason whatsoever.
The decision affects data that has been stored since summer 2018. It was previously clearly regulated that credit agencies needed the consent of the consumer in order to store such data. When the General Data Protection Regulation (GDPR) came into force, many credit agencies apparently shied away from implementing the now higher requirements for such consent, as a spokesman for the state data protection officer in North Rhine-Westphalia explains. Instead, the credit agencies collect a lot of data without a clear consent and claim that they have a “legitimate interest” in the data.
The decision of the DSK could mean that exactly this interest did not exist, the storage may not continue as it is and the data collected so far even have to be deleted.
The credit bureaus are unanimous against this decision. Inquiries from NDR and SZ answered the members of the association “Die Wirtschaftsauskunfteien e.V.” only occasionally and referred instead to the joint statement. It says that without data, such as a mobile phone contract, a credit check would be “unnecessarily difficult”. In particular, “financially weaker people” would benefit from the processing of data, such as migrants, young consumers and often senior citizens.
What the credit bureaus do with the data was apparently unclear even to experts for a long time
Consumer advocate Müller opposes this, saying that this is where the goat is turned into a gardener. The argument to do something good for financially weaker people would only be “instrumentalized” here for a practice that pursues completely different interests. “This line of argument is wrong, we don’t share it. We can’t see any evidence for it either,” says Müller. Instead, he is concerned that the credit bureaus will evaluate people in this way and that they will no longer receive contracts in the future, for example because they like to change contracts or often get discounts. “This is a wrong way – and it has nothing to do with the mantle of mercy.”
Müller clearly differentiates between negative and positive data. Negative data is data that arises when a consumer fails to pay for a loan, for example. There could be important reasons for this storage. For positive data, however, Müller sees it fundamentally differently. Positive data is information about the fact that someone even has an account with a cell phone company, even if they pay all their bills on time. They are called positive data because they should prove a positive relationship, for example a cell phone contract that is regularly paid for. According to data and consumer advocates, there is no guarantee that they will have a positive impact on the score.
What the credit agencies actually do with this data was apparently unclear even to experts for a long time. It was heard from circles of the state data protection agencies that they were “disappointed” by the rather intransparent behavior of the credit agencies. They only disclosed at the last minute that they also use the data for credit ratings. Previously, the data protection authorities of the federal states assumed that the data would be used by the credit bureaus to find out about fraudsters at an early stage.
There are no concrete next steps. The Hessian Commissioner for Data Protection and Freedom of Information, Alexander Roßnagel, said on request that the credit bureaus are now being asked “to change their data collection and processing processes”. Müller from the VZBV is much more specific. He demands that “this valuable decision” of the data protection conference must now also be enforced. After all, the General Data Protection Regulation is not a toothless tiger.
Müller says that the data, which the data protectionists believe has been wrongly stored, should no longer remain there. “They have to be deleted,” says Germany’s top consumer advocate. It could not be that the data, which might restrict people’s freedoms, simply continue to be stored, although the data protectionists had clearly stated that they were wrongly collected.
A court may have to decide in the coming months whether the data actually needs to be deleted. Until then, data on millions of innocent citizens will probably first be stored by the credit bureaus.