European Union: GDPR Alert: Landmark EU Ruling Declares Automated Scoring Systems Using Personal Data Unlawful

In a recent landmark ruling, the Court of Justice of the EU (CJEU) decisively pronounced that decision-making through scoring systems utilising personal data is now deemed unlawful. This historic judgment, the first of its kind under the EU GDPR, holds considerable implications for a wide spectrum of sectors, particularly impacting social security and credit agencies. Gabriela Zanfir-Fortuna, Vice President for Global Privacy at the Future of Privacy Forum, highlighted the significance of the CJEU's decision, clarifying that the EU GDPR inherently prohibits subjecting individuals to automated decision-making with substantial impacts on their lives.

The CJEU's ruling stems from a case involving SCHUFA, Germany's largest private credit agency, which assigns creditworthiness scores to individuals. According to the judgment, SCHUFA's scoring practices violate the EU GDPR if its customers, such as banks, attribute a "decisive" role to it in their contractual decisions. This landmark decision has potential far-reaching consequences, calling into question the legality of similar automated scoring systems employed by institutions like France's National Family Allowance Fund (CNAF).

The CNAF has been using a risk-scoring automated algorithm since 2010, initiating home inspections based on potential fraud suspicions. This algorithm, analysing and scoring 13.8 million households monthly, raises concerns about the impact on people's lives. Bastien Le Querrec from the advocacy group La Quadrature du Net emphasised the significant implications of such scoring systems, suggesting that they should fall within the scope of the CJEU's decision unless specifically authorised by French law and in strict compliance with EU data protection rules.

The EU GDPR provides exemptions for using data mining algorithms in specific cases, such as expressed consent, contractual necessity, or legal obligations. Zanfir-Fortuna explained that the CJEU's decision removes the "legitimate interest" of organisations as a lawful basis to conduct scoring using personal data. Consequently, the court's decision considerably restricts the use of personal data in scoring algorithms across the EU.

This ruling prompts a larger debate on algorithmic transparency, bringing attention to similar risk-scoring algorithms used by various institutions in France, including health insurance, old age insurance agencies, and the employment agency. The legal validity of these algorithms may now be called into question in light of the CJEU's decision.

Looking ahead, the CJEU's decision sets the stage for more stringent regulations under the upcoming AI Act. The Act categorises AI systems determining access to public services as 'high-risk,' subjecting them to a strict regime in terms of risk management and data governance. This development marks a pivotal moment in the legal landscape surrounding automated decision-making and reinforces the need for organisations to reevaluate their practices in line with developing data protection regulations.

Implications for UK Businesses

Businesses operating in the UK leveraging similar automated scoring systems will want to reevaluate their approaches in light of the CJEU ruling. This key moment underscores the importance for UK organisations to proactively adapt their practices, ensuring alignment with evolving data protection regulations particularly in relation to the dynamics of automated decision-making. The changing landscape of data protection in the post-Brexit era further highlights the enduring significance of CJEU rulings for UK businesses. As data remains a critical asset in the digital age, UK organisations must remain attuned to EU legal developments. While the UK charts its independent course, the interplay between domestic legislation and CJEU decisions will shape the contours of data protection compliance.

Notably, the retained UK GDPR closely mirrors the EU GDPR in its foundational principles and protections. The shared commitment to safeguarding individuals' rights and ensuring responsible data handling remains a common thread. UK businesses will accordingly find familiarity in the continuity of key concepts, such as lawful processing, data subject rights, and the emphasis on transparent data practices. This alignment emphasises the ongoing relevance of CJEU rulings, as interpretations by the EU court may continue to influence the data protection framework within the UK.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.