On 26 August, the EDPS published his Opinion on the European Commission’s proposed Directive on consumer credits. The proposal aims to modernise existing consumer credit rules to address changes brought about by digitalisation and other market trends, such as the increased use of online sales channels or new forms of consumer credits, for example short-term high-cost loans.
The EDPS considers that the Proposal has a clear impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data, in particular the provisions concerning creditworthiness assessment and personalised offers on the basis of automated processing.
In his Opinion, the EDPS supports the Proposal’s aim of strengthening consumer protection and recalls the relationship of complementarity between consumer and data protection.
Wojciech Wiewiórowski, EDPS, said: “The use of personal data has a decisive impact on one’s ability to obtain fair access to credit. Creditworthiness assessments are necessary in the interest of both creditors and consumers, and it is crucial that appropriate safeguards are in place to ensure that individuals’ personal data are effectively protected. In this sense, data protection also means consumer protection.”
The EDPS invites the legislator to pursue further harmonisation and consumer protection by further specifying the categories of data that may and may not be used to assess creditworthiness. In this regard, the EDPS supports the prohibition of processing social media data and health data for this purpose, as outlined in the Proposal. At the same time, the EDPS recommends extending such prohibition to the use of any special categories of personal data under Article 9 of the GDPR, as well as information concerning individuals’ online browsing behaviour.
The EDPS considers that the requirements, role and responsibilities of credit databases or third parties providing ‘credit scores’ should also be addressed. The Proposal should harmonise the categories of information that can be contained in databases for creditworthiness assessment and specify when these databases should be consulted.
When the creditworthiness assessment involves the use of profiling or other automated processing of personal data, consumers should always receive meaningful prior information and be able to request a human assessment.
In case of personalised offers on the basis of automated processing, creditors should be required to provide clear, meaningful and uniform information about the parameters used to determine the price. These parameters should also be clearly delineated by the Proposal.
Having regard to the Proposal for an Artificial Intelligence Act, the EDPS recommends ensuring that the relevant consumer credit and data protection rules are integrated into the (third-party) conformity assessment process prior to any CE marking of AI systems for creditworthiness assessment.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.