Unraveling Automated Decision-Making: Schufa’s Impact and Implications

On December 7 2023, the Court of Justice of the European Union (CJEU) delivered its judgment in the Schufa case, involving Schufa AG, Germany’s leading credit rating agency, holding data on nearly 70 million individuals.

Schufa provides credit scores that are relied upon by financial service providers, retailers, telecom companies, and utility firms. In a recent case, a German resident had their loan application rejected by a bank based on a credit score assigned by Schufa.

The individual contested this decision, seeking information about Schufa’s automated decision-making processes under Article 15(1)(h) GDPR, which grants the right of access to such information.

Schufa argued that it was not responsible for the decision itself, asserting its role was limited to producing an automated score, leaving the actual decision to the third-party bank.

However, the court disagreed with Schufa’s stance. It held that the creation of the credit score itself constitutes a relevant automated decision under Article 22 GDPR, challenging the belief that only the ultimate decision-maker, i.e. the bank, engages in automated decision-making. In its judgment, the court considered the score’s “determining role” in the credit decision, adopting a broad interpretation of the term ‘decision’.

Companies employing algorithms for risk scores or similar outputs, such as identity verification and fraud detection, may be concerned about the potential impact of this judgment. Many businesses assume customers bear regulatory risks associated with decisions based on their outputs. However, careful consideration is necessary to distinguish business models from those in the Schufa case.

For example, companies should assess the extent to which customers rely on the provided output when making decisions. If the output is one of many factors considered, and especially if it holds moderate significance, exceptions to Article 22 GDPR (explicit consent or contractual necessity) should be explored.

Companies must further evaluate if the ultimate decision has a legal or comparatively significant effect. In cases where the decision’s impact is limited, exceptions under Article 22 GDPR may apply.

The Schufa judgment coincides with the conclusion of the trilogue process around the EU AI Act, making it especially relevant for businesses developing AI-enabled solutions in high-risk areas, like credit decisions. The ruling is poised to influence practices in the evolving landscape of automated decision-making within 2024, as this remains an uncharted area for the national and EU legislator.


Administrators of Facebook Fan Pages, Beware!

Have you set up a fan page on Facebook for your enterprise or to boost your fan base? The European Court of Justice has some news for you.

As you may know, administrators of Facebook fan pages can obtain anonymous statistical data on visitors to their fan pages via a function called “Facebook Insights”, which Facebook makes available to them free of charge under non-negotiable conditions of use. The data is collected by means of cookies, which are active for two years and are stored by Facebook on the hard disk of the computer or on another device of visitors to the fan page. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed every time the fan pages are opened.

By decision of 3 November 2011, a local German supervisory authority in Schleswig-Holstein (the Unabhängiges Landeszentrum für Datenschutz) ordered Wirtschaftsakademie, a fan page administrator, to deactivate its fan page.

According to the supervising authority, neither Wirtschaftsakademie nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and then processed the data.

Wirtschaftsakademie brought an action against that decision before the German administrative courts, arguing that the processing of personal data by Facebook could not be attributed to it, and that it had not commissioned Facebook to process data that it controlled or was able to influence. Wirtschaftsakademie concluded that the Unabhängiges Landeszentrum should have acted directly against Facebook instead of against it.

It is in that context that the European Court of Justice was asked to interpret Directive 95/46 on data protection. The Court delivered Judgment in Case C-210/16, whereby it observed that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data.

Such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page. In particular, the Court noted that the administrator of the fan page can ask for demographic data (in anonymised form) – and thereby request the processing of that data – concerning its target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interests of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organise events and more generally enabling it to target best the information it offers.

According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.

The Court further stated that, where the supervisory authority of a Member State (in this case, the German supervisor) intends to exercise with respect to an entity established in the territory of that Member State (in this case, Wirtschaftsakademie) the powers of intervention provided for in Directive 95/46, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State (in this case, Facebook Ireland), that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State (Ireland), the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

The above judgment comes to reiterate that there must be no gaps in responsibility under data-protection law. This means specifically that all administrators of Facebook Pages have to ensure that they and Facebook conform to their respective obligations under data protection law.

Such a joint responsibility is particularly important with regard to a controller’s information obligations: transparency is required for the processing of data concerning all users, whether they are members of Facebook or non-members.


Charging customers above basic telephone rate

In a question referred to the European Court of Justice for a preliminary ruling, the Court was called to interpret Directive 2011/83/EU on consumer rights. Under that directive, the Member States must ensure that where a trader operates a telephone line for the purpose of being contacted in relation to contracts concluded with consumers, consumers are not to be bound to pay more than the basic rate for calls to that line. However, the concept of a “basic rate” is not defined by the above directive.

The ruling came after Zentrale zur Bekämpfung unlauteren Wettbewerbs Frankfurt am Main, a German association for combating unfair commercial practices, requested an injunction from Landgericht Stuttgart, ordering comtech GmbH, a German company selling electrical and electronic equipment, to discontinue extra-charging customers for telephone after-sales services, a commercial practice deemed unfair.

In its judgment of 2 March 2017, the Court’s answer was that the concept of ‘basic rate’ must be interpreted as meaning that call charges relating to a contract concluded with a trader to a telephone helpline operated by the trader may not exceed the cost of a call to a standard geographic landline or mobile telephone line.

According to the Court, in everyday language ‘the basic rate’ refers to the standard cost of a call. Both the context in which that concept occurs in the directive and the purpose of that directive, namely to ensure a high level of consumer protection, confirm that the concept must be understood in that ordinary sense of the term.

To permit traders to charge rates higher than that of a standard call would discourage consumers from using a telephone helpline in order to obtain information in relation to the contract, or from asserting their rights, in particular those relating to a guarantee or withdrawal.

Directive 2011/83/EU has been transposed into Greek law by virtue of Joint Ministerial Decision Ζ1-891/2013, pursuant to which a new Article 4e was added to Law 2251/1994 on Consumer Protection. Citing the relevant provision of the directive, Article 4e stipulates that “where the trader operates a telephone line for the purpose of contacting him by telephone in relation to concluded contracts, the consumer, when contacting him, is not bound to pay more than the basic rate”. The Greek legislator has introduced, however, a sole exception, further providing in Article 4e that “the first subparagraph enters into force without any prejudice to the right of telecommunications service providers to charge for these calls”.

The CJEU judgment might be a good opportunity for us to reevaluate the relevance and justification of an exception favoring Greek TSPs.

Generalized data retention not compatible with EU law

In 2006 the EU issued its Data Retention Directive. According to that Directive, EU Member States had to store electronic telecommunications data for at least six months and at most 24 months for investigating, detecting and prosecuting serious crime.

The directive was invalidated by the CJEU with its Digital Rights Ireland judgment in 2014, where it held that the directive provided insufficient safeguards against interferences with the rights to privacy and data protection.

In the aftermath of the above judgment, two references for a preliminary ruling were made to the Court, in relation to the general obligation imposed, in Sweden and in the UK, on providers of electronic communications services to retain their clients’ data.

In its eagerly anticipated Judgment in Joined Cases C-203/15 and C-698/15, the Court ruled that EU law precludes a general and indiscriminate retention of traffic data and location data by the national legislation of the Member States. Targeted retention of data may only be allowed as a preventive measure, said the Court, when this is solely for the purpose of fighting serious crime. Even in this exceptional case, however, such retention should be limited to what is strictly necessary, with respect to the categories of the retained data, the means of communication affected, the duration and the persons concerned.

Finally, the Court held that access of national authorities to the retained data must be subject to certain conditions, including prior review by an independent authority and the data being retained within the EU.

In Greece, Law 3917/2011, which transposed the Data Retention Directive, is still in force and obliges providers of electronic communications services to identify and retain the source, destination, date, time, duration, type and equipment of a communication for 12 months. The list of data retained excludes only the content of the communication and may easily identify a wide ambit of the citizens’ social interactions, a situation that leaves their data vulnerable to uses potentially detrimental to privacy or, more broadly, fraudulent or even malicious.

The recent CJEU judgment is expected to trigger some activity at both a judicial and legislative national level, leading to the annulment and/or amendment of the relevant law. This amendment, however, should be effected in such a way that public safety is efficiently safeguarded, whereas at the same time no compromises are made to the rights of natural persons with regard to the processing of their personal data.