On December 7, 2023, the Court of Justice of the European Union ("CJEU") issued a landmark ruling against the German credit scoring agency SCHUFA Holding AG ("SCHUFA") concerning automated decision-making under Article 22 of the General Data Protection Regulation ("GDPR")1.

The SCHUFA decision2 not only enhances the rights of data subjects according to GDPR but also has the potential to influence service providers employing automated processes for generating risk-based scores or other outputs, particularly when such outputs play a pivotal role in decisions significantly affecting individuals. This decision is of interest in Quebec regarding the similar obligation provided by new section 12.1 of the Quebec Act respecting the protection of personal information in the private sector, as amended by the Act to modernize legislative provisions as regards the protection of personal information (together, "Quebec Private Sector Act").

Background of the Decision

From a procedural standpoint, the CJEU was seized of a request for a preliminary ruling from a German court (the Administrative Court in Wiesbaden), following an application by a German resident known as 'OQ', who sought information under the right of access3 regarding the automated decision-making processes that used OQ's personal data.

SCHUFA operates as a German credit reference agency, offering financial institutions credit information that predicts individuals' future payment behaviour. SCHUFA used OQ's personal data to generate a creditworthiness 'score', which was then shared with a German bank. Based on SCHUFA's score, the bank rejected OQ's loan application. When OQ requested additional information, SCHUFA provided the score and outlined the calculation method in broad terms. However, relying on trade secrecy, the company refused to disclose the specific elements considered in the calculation and their respective weightings.

Throughout the legal proceedings, SCHUFA argued that its role is limited to calculating and furnishing the credit score to contractual partners. The company further asserted that it does not independently make automated decisions related to credit approval; instead, it leaves such decisions in the hands of contractual partners, such as banks, and acknowledged that the ultimate decision could result in the rejection of a loan.

Definition of Automated Decision-Making

Under Article 22(1) of the GDPR4, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them5.

Additionally, under Article 15(1)(h) of the GDPR6, individuals subject to automated decision-making possess a 'right of access,' allowing them to request "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing." This constituted the essence of OQ's initial application.

This wording is similar to s. 12.1 of the Quebec Private Sector Act, which requires any organization that uses "information to render a decision based exclusively on an automated processing" to notify the individuals concerned, either at the time of or prior to the decision. The term "exclusively on an automated processing"7 appears to suggest that it does not cover processing involving human intervention. As with the aforementioned article of the GDPR, this seemingly excludes situations where automated processing serves only as a tool to aid a human decision-maker. It is worthwhile to note that "a monetary administrative penalty may be imposed [...] on anyone who [...] does not inform the person concerned by a decision based exclusively on an automated process or does not give the person an opportunity to submit observations"8 in contravention of s. 12.1 of the Quebec Private Sector Act.

That being said, unlike the GDPR, the Quebec legislator did not incorporate the exceptions the GDPR provides to the right not to be subject to a decision based solely on automated processing9. Indeed, under the GDPR, this right does not apply where the automated decision is: (a) necessary for entering into, or the performance of, a contract; (b) authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or (c) based on the data subject's explicit consent.

Scope of the CJEU Ruling

The judgment specifically addressed whether SCHUFA's scoring qualifies as automated decision-making under Article 22 of the GDPR10.

The CJEU's ruling established that scoring qualifies as "automated individual decision-making"11, especially if the scoring influences a third party's decision to establish or terminate a contractual relationship with the individual.

According to the CJEU, scoring constitutes automated decision-making when customers of SCHUFA, such as banks, base their decisions (e.g., credit approval) solely on the score value. Despite SCHUFA's argument that it did not fall under the scope of Article 22 of the GDPR, as it assisted customers in decision-making without making decisions itself, the CJEU held a different view. It affirmed that the requirements of Article 22(1) of the GDPR were met, as the scoring amounted to automated decision-making with legal effects or significant impact on the data subject.12 The court reasoned that an insufficient score in a consumer credit application would almost invariably lead to the bank rejecting the application, demonstrating a significant impact on the data subject13.

In essence, the Court applied a broad interpretation of 'decision' in Article 22 of the GDPR when assessing whether SCHUFA had undertaken automated decision-making. It concluded that although SCHUFA did not itself make the decision to reject the loan application, by providing the credit score it played a "determining role" in the ultimate outcome, which was enough to constitute the making of a decision14.

What does the SCHUFA Decision Mean for Businesses Under the Territorial Scope of the GDPR?

The CJEU's expansive interpretation of 'automated decision-making' within the framework of Article 22 of the GDPR holds significant implications. This broad interpretation suggests that a wider array of automated processes may fall under its purview. Notably, these processes need not be the sole basis for direct decision-making; rather, they can encompass various entities in the supply chain, provided they wield a determinative influence on the final decision, regardless of the decision-maker.

Furthermore, we contend that the impact of this ruling extends beyond the banking sector to encompass various related industries such as insurance, employment, and healthcare. In essence, we believe that any utilization of algorithms as a foundation for decisions significantly affecting individuals, as delineated in Article 22(1) of the GDPR, falls under the purview of the judgment. The significance of this decision also lies in the imperative of transparency, emphasizing the necessity for companies employing automated decision-making systems to provide clear and understandable information about their data processing methods.

Moreover, we should consider this decision in the context of the recent approval of the EU AI Act15, which categorizes AI systems assessing the credit score or creditworthiness of individuals as high-risk.16 This classification imposes stringent requirements for risk management, including the mandatory implementation of fundamental rights impact assessments. Therefore, the confluence of the SCHUFA decision and the relevant provisions of the AI Act underscores a prudent and careful approach towards automated decision-making.

Finally, companies must be aware of the extraterritorial impact of the EU GDPR, encompassing many Canadian-based businesses operating within the EU. Consequently, these entities will be directly affected by the CJEU's ruling.

What about the Quebec Privacy Law Framework?

The key question is whether the Quebec courts or the Quebec Commission d'accès à l'information ("CAI") would interpret s. 12.1 as expansively as the CJEU interpreted Article 22(1) of the GDPR. Would they consider that, even if a human ultimately approves the loan, the scoring plays a significant enough role to broaden the scope of the "exclusive" criterion?

At this point, neither parliamentary debates nor the recent guidelines from the CAI provide conclusive answers to this question. Furthermore, to date, the Quebec Government has not adopted this approach.17

Nevertheless, it is reasonable to expect that the Pandora's box has been opened, and there is a likelihood that Quebec courts may embrace this expansive interpretation akin to the European stance.

How can Fasken Help with your Canadian Privacy / GDPR Compliance?

If you have any questions or concerns, Fasken is here to help. Please do not hesitate to contact this bulletin's authors if you require assistance with any matters related to Canadian privacy laws or GDPR.

Footnotes

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

2. CJEU, December 7, 2023, C-634/21, OQ v. Land Hessen, with SCHUFA Holding AG.

3. GDPR, s. 15 (1)

4. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him.

5. It is worthwhile to note that some exceptions exist when the 'decision' is: (i) "necessary for entering into, or performance of, a contract between the data subject and a data controller"; (ii) authorised by Union or Member State law to which the controller is subject, provided suitable safeguarding measures are implemented; or (iii) based on the data subject's explicit consent.

6. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

7. Similarly to the term "solely" under Article 22(1) of the GDPR.

8. s. 90.1 (5) of the Quebec Private Sector Act

9. GDPR, s. 22 (2). See also Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01).

10. By its first question, the referring court asks, in essence, whether Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes 'automated individual decision-making' within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

11. Para 73 of decision C-634/21

12. Para 51 of decision C-634/21

13. Para 48 of decision C-634/21

14. In his Opinion, the Advocate General clarified that the broad scope of a decision means it can include "a number of acts which may affect the data subject in many ways" (Point 38 of the Opinion of the Advocate General delivered at the sitting on 16 March 2023).

15. Artificial Intelligence Act, Text of the provisional agreement, 2 February 2024

16. "AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons' access to financial resources or essential services such as housing, electricity, and telecommunication services"

17. Government webpage on Act 25: "A decision based solely on automated processing is one that has been made without any human intervention; for example, an algorithm. This means that no human has exerted significant control over the decision. Therefore, it should be understood, for example, that minor human intervention, i.e., which has no real impact on the decision, integrated into the process does not render Article 65.2 of the Private Sector Act inapplicable."
