1 min

According to ECJ, scoring algorithms in breach of GDPR

Giving “scoring algorithms […] decisive role” in contractual decision-making deemed illegal.

Digital Sovereignty - December 22, 2023

On December 7, 2023, the European Court of Justice (ECJ) handed down its first decision involving the GDPR’s article on automated individual decision-making. The ruling thus enacts a ban on individual scoring algorithms if they play a “decisive” part in contractual decisions.

The dispute involved SCHUFA, Germany’s largest private credit bureau. The latter scores its customers according to their solvency; the rating plays a crucial role in loan grants. The ECJ ruled that the use of personal data violated the GDPR, and was thus illegal.

The decision makes it clear that the GDPR only authorizes the use of automated scoring in three cases: with the explicit consent of individuals or through contractual and/or legal obligation. Commercial or “legitimate interests” therefore do not constitute grounds for this practice.

The ruling will have significant consequences on the many services that resort to scoring algorithms, particularly in insurance and credit. In France, the national benefits office (CNAF) has been using this particular type of automated algorithm since 2010. It is particularly used to trigger home checks in cases of suspected fraud. The ECJ’s judgment may lead to its ban.

Send this to a friend