What is automated decision-making? This is what the CJEU is asked in case C-634/21. In an Opinion delivered today, Advocate General Pikam�e proposed an answer.
Art. 22 GDPR says that a data subject [DS] can only be subject to a decision based solely on automated processing that produces legal effects concerning him/her or �similarly significantly affects� him/her where that is (i) necessary for (entering into / performing) a contract with the DS, (ii) authorised by law or (iii) covered by the DS�s explicit consent.
Here, a market information company [= provider] provided a credit score to a financial institution [= customer], which then decided whether to grant the DS a loan.
1. �Legal effects�, effects �similarly significant�?
AG Pikam�e says that while the GDPR does not define the terms �legal effects� or �similarly significant�, �only effects with a serious impact will be covered� [para. 34]
The AG adds: the processing of a credit application comes before conclusion of a loan agreement, so refusal of the application may have “legal effects” for the DS (= affects the chance to have a contract). Refusal can also impact the DS�s financial situation => “similarly” affecting [para. 35]
2. A �decision� that is �based solely on automated processing�?
Is the scoring itself a decision, or is that the decision to grant or not a loan? Points 42-52 are worth the read. In short:
42: crucial question = whether the decision-making procedure is such that the provider�s scoring predetermines the customer�s decision to grant or refuse credit
43: �decisive factor” = effect that the ‘decision’ has on the DS. A bad score can have “adverse effects” => it could be a decision if a customer attaches primary importance to it in the decision-making process (the DS is affected from the stage of the assessment of his creditworthiness by the provider and not only at the final stage of the refusal of credit). Then the customer �merely applies the result of that assessment to the specific case�.
44: �necessary that the automated processing remains the only element� justifying the customer’s handling of the application – e.g. if even though there is human involvement, the human is not able to change the outcome. Internal rules can play a role here.
45: Important to determine in practice to which extent the customer is bound by the provider�s scoring
46: here, the referring court suggested that while the third party should not in theory make its decision dependent on the score alone, “as a general rule, it does so to a large extent”. For instance, while granting a loan might require meeting additional requirements, “in any event in the field of consumer lending, [�] an insufficient score will lead to the refusal of a loan in almost all cases, even if an investment appears to be otherwise profitable”.
=> 47: impression that the provider�s score generally tends to predetermine the customer�s decision on whether to grant credit to the DS
privacy data protection
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗