If a company starts a transparency offensive whose business is based on the greatest possible opaqueness, then this usually has more to do with external pressure than with internal insight. Schufa, Germany’s best-known credit agency, surprised the public last year with a simulator that was supposed to make the famous scoring system comprehensible. Of course, Schufa has by no means revealed its magic formula, which it uses to calculate the creditworthiness of bank customers and consumers. Rather, the action should appease the critics who have long accused the credit agency of secrecy. Schufa is currently facing additional headwind: “We will immediately examine how transparency in credit scoring can be increased for the benefit of those affected,” says the coalition agreement, for example.
Now the wind could intensify. This Thursday, the European Court of Justice (ECJ) in Luxembourg is hearing two cases on the subject of Schufa. Judgments are not expected until spring, but the questions are tough. “The procedures could give an impetus to enact new regulations that ensure more transparency,” says Dieter Kugelmann, data protection officer in Rhineland-Palatinate.
From a purely formal point of view, the Schufa does not decide whether someone is creditworthy
The triggers are two submission orders from the administrative court in Wiesbaden, the seat of the credit agency. A plaintiff wants to enforce the deletion of what she believes to be false entries about her creditworthiness. The administrative court saw reason to have a delicate issue clarified by the ECJ. According to Article 22 of the European General Data Protection Regulation (GDPR), everyone has the right “not to be subjected to solely automated processing – including profiling”. Certain exceptions to this are possible, but the general rule is: a person has to decide, not the computer.
There is no question that a lot, if not everything, is highly automated at Schufa. You don’t know exactly because the procedure for determining the scoring value is protected as a trade secret, as the Federal Court of Justice decided in 2014. But it is clear that algorithms are used here that calculate credit ratings from various characteristics of potential debtors.
However, from a purely formal point of view, it is not the Schufa itself that considers the fate of bank customers and consumers. “Important to know: Schufa itself does not make any decisions,” says its privacy policy. It makes the score values available to its customers, i.e. the banks for granting loans, the dealers for their customers, the telecommunications companies for the conclusion of mobile phone contracts. They then decide if someone is credit or contract worthy. At least in theory.
In practice, on the other hand, the number that Schufa supplied is the only thing that matters – at least that’s what the administrative court thinks. Of course, “purely hypothetically” a “human-driven individual case decision is still possible at this stage,” writes the court. In practice, however, this decision is “determined to such a significant extent by the score value transmitted by credit agencies that it also has an impact on the decision of the third party responsible.” The decisive factor is therefore the score value, not the clerk. And this is exactly what the GDPR wants to protect against: “The person concerned should not be at the mercy of an exclusively technical and opaque process,” the court concludes – and insists on transparency and fairness.
It remains to be seen whether the ECJ will pick up the ball from Wiesbaden. In the so-called recitals of the GDPR, it sounds more like the European legislator sees the score value as mere preparation and not yet the decision itself. On the other hand, the ECJ has distinguished itself for years with a very data protection-friendly line. There would definitely be a verdict in the interests of the people who have so far been a little helpless in the face of the Schufa scoring – possibly a reason for the traffic light coalition to revise the German regulations.
The second Luxembourg procedure illustrates the uncanny power of Schufa data. There it is about the discharge of residual debt after bankruptcy. The insolvency courts make this information public, but delete it after six months. Can the Schufa simply continue to store this circumstance, which is quite existential for those affected, for up to three years? As a kind of in-house bankruptcy data retention? Here, too, the administrative court put a big question mark.