Simon Henseler from the University of Zurich gave a presentation at the end of his research stay on 29.09.2021 on the permissibility of automated credit scoring under data protection law, comparing Swiss and European data protection law.
By way of introduction, Mr. Henseler classified the current practical relevance of credit scoring, which has gained in importance in particular due to the installment payments and similar payment methods frequently offered in online stores. If a customer inquires about such credit, the merchant must be able to make an informed decision about creditworthiness. This is where the credit bureaus come in, and their system works in three phases: First, the credit agency obtains, stores and systematizes the relevant data and uses it to develop a model that can be used to obtain meaningful results about a person’s creditworthiness. If the credit agency then receives an inquiry from a potential lender, this model calculates a credit score, which is made known to the lender in the third phase as the basis for its decision on whether to grant credit.
This was followed by an explanation of the outline of the dissertation by Mr. Henseler. After an overview of the worldwide practice of credit scoring and a more in-depth explanation of the Swiss system, a data protection law examination of the scoring systems then follows as a synoptic comparison between the legal situation under the Swiss DSG and the European DSGVO. In addition to a discussion of the substantive and formal requirements, particularly those relating to the procedure, the focus here is on the permissibility of the current practice under data protection law in accordance with the respective legal systems. In this context, the different approach of the DSG and the DSGVO must be taken into account: While the former provides for permission with a reservation of prohibition, the latter follows the principle of prohibition with reservation of permission. Ultimately, however, the two systems converge again through a justification test that must also be carried out in Swiss law in the event of violations of personal rights through data processing.
After the conclusion of the lecture, there followed a lively discussion between the audience and, in particular, Professor Thomas Hoeren and the lecturer. Here, an intensive exchange took place about the role of the prohibition of automated individual decisions according to Art. 22 DSGVO (if this should be such a prohibition at all) and the new rules of the European Commission for the legally secure use of AI.
We sincerely thank Mr. Henseler for his highly interesting lecture, which was only made all the more insightful by the many thoughtful contributions to the discussion by the audience, and hope that he will have fond memories of his research stay at ITM.