On 26 August, the EDPS published his Opinion on the European Commission’s proposed Directive on consumer credits. The proposal aims to modernise existing consumer credit rules to address changes brought about by digitalisation and other market trends, such as the increased use of online sales channels or new forms of consumer credits, for example short-term high-cost loans.
The EDPS considers that the Proposal has a clear impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data, in particular the provisions concerning creditworthiness assessment and personalised offers on the basis of automated processing.
In his Opinion, the EDPS supports the Proposal’s aim of strengthening consumer protection and recalls the relationship of complementarity between consumer and data protection.
Wojciech Wiewiórowski, EDPS, said: “The use of personal data has a decisive impact on one’s ability to obtain fair access to credit. Creditworthiness assessments are necessary in the interest of both creditors and consumers, and it is crucial that appropriate safeguards are in place to ensure that individuals’ personal data are effectively protected. In this sense, data protection also means consumer protection.”
The EDPS invites the legislator to pursue further harmonisation and consumer protection by further specifying the categories of data that may and may not be used to assess creditworthiness. In this regard, the EDPS supports the prohibition of processing social media data and health data for this purpose, as outlined in the Proposal. At the same time, the EDPS recommends extending such prohibition to the use of any special categories of personal data under Article 9 of the GDPR, as well as information concerning individuals’ online browsing behaviour.
The EDPS considers that the requirements, role and responsibilities of credit databases or third parties providing ‘credit scores’ should also be addressed. The Proposal should harmonise the categories of information that can be contained in databases for creditworthiness assessment and specify when these databases should be consulted.
When the creditworthiness assessment involves the use of profiling or other automated processing of personal data, consumers should always receive meaningful prior information and be able to request a human assessment.
In case of personalised offers on the basis of automated processing, creditors should be required to provide clear, meaningful and uniform information about the parameters used to determine the price. These parameters should also be clearly delineated by the Proposal.
Having regard to the Proposal for an Artificial Intelligence Act, the EDPS recommends ensuring that the relevant consumer credit and data protection rules are integrated into the (third-party) conformity assessment process prior to any CE marking of AI systems for creditworthiness assessment.
Source: European Data Protection Supervisor