A really interesting judgement out of the European Court of Justice that strengthens the rights of individuals AND sees automated credit scoring in its current form as prohibited.
1) In the first of two cases, a data subject complained that their data wasn’t deleted after being processed, and the data processing authority did not proceed with the complaint and also ruled that it could be challenged in the courts. The ECJ disagreed with this decision and said that Article 78 of the GDPR allows national courts to carry out a full review of DPA decisions.
This ruling sets a precedent for data subjects to have more control over their personal information and strengthens their ability to hold data processing authorities accountable for any mishandling or non-compliance.
2) In the second case, a data subject challenged the automated credit score system in place by a credit agency under Article 22 of GDPR. The article states that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which… significantly affects him or her.”
The ECJ ruled that if a credit agency wants to calculate people’s creditworthiness in the future, it will need express consent from the data subject and a framework for challenging a credit score.
These are very simplified summaries of the judgements, so please read more about them!
By Daniel Whooley
I am just a guy interested in data protection, cybersecurity, politics, environmentalism, urban design, public transport, and history (I have too many hobbies).