Data Protection Insider, Issue 104

– CJEU: Credit Scoring Constitutes Automated Decision-Making –

On 7th December, the CJEU ruled in OQ v Land Hessen that credit scoring constitutes automated decision-making within the meaning of Article 22(1) GDPR. As to the facts of the case, the applicant in the main proceedings, OQ, was refused a loan by a credit institution because of a negative credit rating by SCHUFA Holding, which carries out creditworthiness checks and transmits the results to credit institutions such as banks. The applicant requested information on how the creditworthiness profile was created, but received only limited information, as SCHUFA claimed that the rest constitutes a trade secret, and also because the actual decision on granting or refusing a loan is taken by the credit institutions which receive the detailed information from SCHUFA. Eventually, the dispute reached the German courts, which asked the CJEU whether the credit rating of an individual, transferred by SCHUFA to banks, falls under the definition of ‘automated individual decision-making’ within the meaning of Article 22(1) GDPR. In its ruling, the CJEU answered the question in the affirmative. To reach its conclusion, it analysed separately the meaning of the following three concepts, which constitute the conditions for the applicability of Article 22(1) GDPR, and concluded that they are fulfilled in casu: (1) a ‘decision’, (2) a decision ‘based solely on automated processing, including profiling’, and (3) a decision which produces ‘legal effects’ or which has a similarly significant effect. As to the first condition, the CJEU ruled that the concept of a ‘decision’ has to be given a broad meaning, referring also to ‘a number of acts which may affect the data subject in many ways, since that concept is broad enough to encompass the result of calculating a person’s creditworthiness in the form of a probability value concerning that person’s ability to meet payment commitments in the future.’ As to the second condition, the CJEU ruled that the credit scoring performed by SCHUFA is clearly an act of ‘profiling’. Third, as to the concept of a ‘legal effect’, the CJEU ruled that ‘in circumstances such as those at issue in the main proceedings, in which the probability value established by a credit information agency and communicated to a bank plays a determining role in the granting of credit, the establishment of that value must be qualified in itself as a decision producing vis-à-vis a data subject ‘legal effects concerning him or her or similarly significantly’ affecting the data subject ‘within the meaning of Article 22(1) of the GDPR’. Finally, the CJEU recalled that the profiling in casu is in principle prohibited by the GDPR, unless one of the exceptions under Article 22(2) GDPR applies. It focused especially on the possibility that national law provides a legal basis for the profiling (Article 22(2)(b) GDPR), referring to Article 31 BDSG (Federal German Data Protection Act), and expressed some doubts as to whether that provision can constitute such a legal basis and whether the profiling in question complies with Articles 22(2)(b) and (4) and Articles 5 and 6 GDPR.


– CJEU on Data Breaches and Damages –

On 14th December, the CJEU ruled in VB v Natsionalna agentsia za prihodite that a data breach does not automatically mean that the controller implemented insufficient technical and organisational measures, and that the fear of misuse of the leaked personal data may be enough to constitute ‘non-material damage’ under Article 82(1) GDPR. As to the facts of the case, the applicant in the main proceedings, VB, was one of those affected by a hack of the IT systems of the Bulgarian tax authority, following which the personal data of about 6 million individuals was leaked. VB requested compensation for the leak of their data, and the dispute eventually resulted in several preliminary ruling questions to the CJEU concerning, essentially, two sets of issues: the concepts of appropriate technical and organisational measures (TOMs) and data breach, on the one hand, and the question of compensation under the GDPR, on the other. The CJEU provided the following five clarifications. First, the CJEU ruled that the unauthorised disclosure of or access to personal data is not sufficient to determine that the controller did not implement adequate TOMs. Second, the CJEU established that under Article 32 GDPR, ‘the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.’ Third, the CJEU confirmed that under the principle of ‘accountability’, the controller bears the burden of proof that they have taken the necessary security measures, and that an expert’s report does not constitute sufficient proof. Fourth, the CJEU confirmed that the controller must pay damages under Article 82(3) GDPR where the controller is responsible for the damage which occurred, even where the damage is the result of a ‘third party’ unlawfully gaining access to the personal data in question. Fifth, the CJEU established that ‘Article 82(1) of the GDPR must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’ within the meaning of that provision.’


– CJEU Repeats: Non-material Damages Do Not Require a ‘De Minimis Threshold’ –

On 14th December, the CJEU ruled in VX, AT v Gemeinde Ummendorf that for an individual to be entitled to non-material damages, no ‘de minimis threshold’ has to be met, but that the affected individuals need to demonstrate that they have suffered negative consequences from the unlawful processing of their data. As to the facts of the case, the applicants in the main proceedings had their personal data published by the municipality of Ummendorf without their consent. They claimed damages under Article 82(1) GDPR. Their request was dismissed, because German law requires the damage suffered to meet a certain minimum threshold, which was not met in casu. The dispute resulted in a preliminary ruling question on the interpretation of the concept of non-material damages under Article 82(1) GDPR. The CJEU ruled that the concept has an autonomous meaning under EU law and repeated that it has previously ruled that Article 82(1) GDPR does not require the damage suffered to reach a certain minimum threshold, as long as damage has been suffered. In casu, the Court ruled that ‘although there is nothing to preclude the publication on the internet of personal data and the consequent loss of control over those data for a short period of time from causing the data subjects ‘non-material damage’, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, those persons must also demonstrate that they have actually suffered such damage, however minimal’ and that this damage ‘differs from the mere infringement of the provisions of that regulation.’


– CJEU Rules on the Concepts of Controller and Processor –

On 5th December, the CJEU ruled in the case of Nacionalinis visuomenės sveikatos centras. In essence, the case concerned a coronavirus tracking app, which was developed by a company working on the instructions of a Lithuanian government body. Whilst the app was put into operation and actually collected personal data – including sensitive personal data – it was never acquired by the Lithuanian government: the acquisition process was started but subsequently terminated. The Lithuanian Data Protection Authority fined the government body for the violation of a number of GDPR provisions, and also fined the company as a joint controller. The government body objected and argued that the company should be regarded as the sole controller, whilst the company argued that it was only acting as a processor. In this regard, a number of questions were referred to the CJEU, which the CJEU bundled into four sets of considerations:

  • Does Article 4(7) mean ‘an entity which has entrusted an undertaking with…development’ of an app ‘may be regarded as a controller…although that entity has not…performed any…processing operations, has not expressly agreed to the performance of specific operations…or to that…application being made available to the public, and has not acquired the’ app?
  • Do Articles 4(7) and 26(1) mean ‘the classification of…joint controllers requires…an arrangement…regarding…determination of the purposes and means of…processing…or…an arrangement laying down the terms of…joint control’?
  • Does Article 4(2) mean ‘that the use of personal data for the purposes of the IT testing’ of an app constitutes ‘processing’ within the meaning of that provision?
  • Does Article 83 mean ‘(i) an administrative fine may be imposed…only where…the controller has intentionally or negligently committed an infringement referred to in paragraphs 4 to 6…, and (ii) such a fine may be imposed…in respect of processing operations performed by a processor’?

The Court decided:

  • Article 4(7) means ‘an entity which has entrusted an undertaking with’ development of an app ‘and which has…participated in the determination of the purposes and means of…processing…may be regarded as a controller…even if that entity has not…performed any processing…, has not expressly agreed to the performance of specific operations for…processing or to that…application being made available to the public, and has not acquired the’ app ‘unless, prior to that application being made available to the public, that entity expressly objected to such making available and to the resulting processing of personal data’.
  • Article 4(7) and Article 26(1) mean ‘the classification of…joint controllers does not require…an arrangement…regarding the determination of the purposes and means of…processing’ or ‘an arrangement laying down the terms of the joint control’.
  • Article 4(2) means ‘the use of personal data for…IT testing of’ an app ‘constitutes ‘processing’…unless such data’ have been anonymised or are ‘fictitious data’.
  • Article 83 means ‘(i) an administrative fine may be imposed…only where…the controller has intentionally or negligently committed an infringement’ under ‘paragraphs 4 to 6’, and ‘(ii) such a fine may be imposed…in respect of…processing…performed by a processor…, unless…that processor has carried out processing for its own purposes or has’ acted in ‘a manner incompatible with the…arrangements for…processing…determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented’.


– CJEU Rules on Fines for Legal Persons –

On 5th December, the CJEU ruled in the case of Deutsche Wohnen SE v. Staatsanwaltschaft Berlin. In terms of the facts, the case essentially concerns the data processing activities of Deutsche Wohnen, a real estate company. The company was found, in 2017, by the Berlin Data Protection Authority, to have been storing documents on tenants with no justification. The company was asked to delete these documents. However, after a back and forth with the Data Protection Authority, the company was found, in 2019, to still be retaining the documents. Accordingly, the ‘authority imposed…an administrative fine of EUR 14 385 000 for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1)…. By that decision, that authority also imposed 15 other fines…of between EUR 3 000 and EUR 17 000 in respect of the infringement of Article 6(1)’. Deutsche Wohnen appealed this decision, and the national court ‘closed the proceedings without taking further action, holding that the decision at issue was vitiated by such serious defects that it could not serve as a basis for the imposition of a fine’. In doing so, the court pointed to provisions in German law relevant to Article 83(4)-(6) GDPR, according to which ‘a finding of an administrative infringement can be made only against a natural person and not against a legal person’. In addition, the court observed that ‘only the actions of representatives of the legal person or of members of bodies thereof can be attributed to that legal person’ and that, whilst national law does make it possible, ‘subject to certain conditions, to initiate independent proceedings for an administrative fine against a legal person, the fact remains that, also in those circumstances, it is necessary that a finding of an administrative infringement can be made against the members of bodies or representatives of the legal person concerned’. The Staatsanwaltschaft then brought an appeal against this decision. In this regard, two questions were referred to the CJEU:

  • Do Articles 58(2) and Article 83(1) to (6) GDPR preclude ‘national legislation under which an administrative fine may be imposed on a legal person…as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person’?
  • Does Article 83 mean ‘an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6)’?

In this regard, the Court concluded:

  • Articles 58(2) and 83(1)-(6) preclude ‘national legislation under which an administrative fine may be imposed on a legal person…as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person’.
  • Article 83 means ‘an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) thereof’.


– CJEU Rules on Private Credit Agencies –

On 7th December, the CJEU ruled in the case of UF, AB v. Land Hessen. In terms of the facts, UF and AB ‘were granted early discharge from remaining debts by judicial decisions…. In accordance with Paragraph 9(1) of the Insolvenzordnung and Paragraph 3(1) and (2) of the InsoBekV, the official publication of those decisions on the internet was discontinued after six months’. SCHUFA, a private credit information agency, however, retained this information for a period of three years, in line with the practice set out in a relevant Code of Conduct. The plaintiffs complained to the Hessian DPA that SCHUFA should delete the information. The DPA, however, found SCHUFA’s practices to be in order and dismissed the complaint. The plaintiffs then challenged the DPA’s decision before a court, where the DPA claimed: i) that the right of complaint in Article 77 is merely a right of petition – and thus that there could only be judicial review of the handling of the complaint, but not of the substance of the DPA’s decision; and ii) that the duration of storage of the data was congruent with the purposes of storage, and that, in the absence of specific legislation, Codes of Conduct were relevant in specifying storage duration. In this regard, several questions were referred to the CJEU, which the CJEU bundled into three sets of considerations:

  • Does Article 78(1) mean ‘judicial review of a decision on a complaint taken by a supervisory authority is limited to the question whether that authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation, or whether that decision is subject to a full judicial review, including the power of the court seised to require the supervisory authority to take a specific measure’?
  • Does Article 5(1)(a), in conjunction with Article 6(1)(f), preclude private credit agencies from ‘retaining, in their own databases, information from a public register relating to the grant of a discharge from remaining debts in favour of natural persons, and in deleting that information after a period of three years, in accordance with a code of conduct within the meaning of Article 40…whereas the period of retention of that information in the public register is six months’?
  • Do Articles 17(1)(c) and (d) mean a ‘private credit information agency which has acquired information relating to the grant of a discharge from remaining debts from a public register is obliged to delete that information’?

The Court came to four conclusions:

  • Article 78(1) means ‘a decision on a complaint adopted by a supervisory authority is subject to full judicial review’.
  • Article 5(1)(a), in light of Article 6(1)(f), precludes a private credit agency from ‘retaining, in their own databases, information from a public register relating to the grant of a discharge from remaining debts…in order to be able to provide information on the solvency of those persons, for a period extending beyond that during which the data are kept in the public register’.
  • Article 17(1) means ‘the data subject has the right to obtain from the controller the erasure of personal data…where he or she objects to the processing pursuant to Article 21(1)…and there are no overriding legitimate grounds…justifying, exceptionally, the processing in question’.
  • Article 17(1)(d) means ‘the controller is required to erase unlawfully processed personal data as soon as possible’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
