CJEU: preparatory acts can be automated individual decisions

The CJEU recently ruled on the question of whether a credit rating agency that shares a probability score with its clients, who then determine on the basis of the score whether or not a loan is granted, engages in automated individual decision-making. The ruling confirms that preparatory acts can be automated individual decisions.

Article 22 GDPR stipulates that automated individual decision-making can only be applied in certain situations. Outside of these situations, such decisions are prohibited. Automated individual decision-making occurs when three conditions are met: (i) a decision is made; (ii) the decision is based solely on automated processing, including profiling; and (iii) the decision produces legal effects for the individual or otherwise has an effect that is equivalent or of comparable significance in its impact on the individual. According to the CJEU, all of these conditions were met in this case.

The CJEU noted that the concept of decision is capable of including a number of acts which may affect the data subject in many ways, including calculating a person’s creditworthiness in the form of a probability value concerning that person’s ability to meet payment commitments in the future. The CJEU rejected the credit rating agency’s argument that it only carried out preparatory actions and that any decisions affecting the data subject were taken by the lender. Instead, the CJEU ruled that the credit rating agency itself was engaged in automated individual decision-making.

The ruling potentially has far-reaching consequences for all automated decision-making services and providers that offer predictive artificial intelligence tools. Even if these providers do not themselves make decisions that directly affect individuals, they must take into account that their services might still be regarded as automated individual decision-making within the meaning of Article 22 GDPR.

In view of the ruling of the CJEU, there seem to be at least three conceivable arguments on the basis of which, in the absence of specific national legislation, these services do not fall under the general prohibition of Article 22 GDPR.

First, an important factual assumption underlying the CJEU ruling seems to have been that the lenders in question relied heavily on the credit score. A low credit score almost automatically led to a rejection of the loan application. The judgment might have been different had the credit score been one of many factors on the basis of which the lender made a decision. For service providers who do not want to fall under the regime of Article 22 GDPR, it is therefore important to consider how critical their input is for the decision-making of their clients and to make contractual agreements to the effect that clients are not allowed to base their decisions solely on their input.

Second, one of the exceptions to the ban on automated individual decision-making concerns decision-making that is necessary for entering into, or performance of, a contract between the data subject and a data controller. Arguably, the decision taken by the credit rating agency on the data subject’s credit score is an act that is necessary for the lender and the data subject to conclude a loan contract.

Third, yet another argument could be that the service provider provides the services on behalf of the client in the sense that the former qualifies as a data processor and no longer as a data controller. In that case, the obligations regarding automated individual decision-making would appear to rest solely with the client.

To what extent and under what precise circumstances the arguments outlined above are tenable and sufficient to escape the regime of Article 22 will have to be determined in future case law as these questions were not addressed by the CJEU in the current case. In the meantime, credit rating service providers and providers of similar services are advised to carefully review their contractual arrangements and to closely monitor developments in this area.

If you have any questions, please contact Jeroen van Helden.