Unfit for purpose? The legal maze of credit scoring under EU law
摘要
The regulation of automated credit scoring in the European Union is entering a phase of profound transformation. The SCHUFA judgment of the European Court of Justice has significantly broadened the scope of Article 22 of the General Data Protection Regulation (GDPR) by extending its application beyond final decision-makers to include upstream actors—such as credit reference agencies—whose automated scores are used to inform lending decisions. This interpretation raises significant questions about the boundaries of automated decision-making in multi-stage processes and places widely used scoring practices under legal scrutiny. At the same time, the EU's Artificial Intelligence (AI) Act introduces a parallel framework that classifies credit scoring systems as high-risk, imposing far-reaching compliance obligations. These frameworks interact with existing sectoral financial regulation, including the Consumer Credit Directive, Mortgage Credit Directive, and prudential requirements under the Capital Requirements Regulation. This multi-layered regulatory regime creates overlapping, and at times conflicting, requirements for financial institutions, raising serious concerns about legal certainty, operational feasibility, and the future of algorithmic innovation in credit markets. This paper examines the interaction between the GDPR and the AI Act in the context of credit scoring. It demonstrates the limitations of relying on consent or contractual necessity under the GDPR, and argues that targeted amendments to the Consumer Credit Directive and Mortgage Credit Directive are necessary to provide a harmonised legal basis for automated creditworthiness assessments under Article 22(2)(b) GDPR. Alternatively, the European Commission could issue interpretative guidance clarifying the conditions under which sectoral financial legislation satisfies GDPR requirements for automated decision-making. It also identifies ambiguities in the scope of the AI Act—particularly regarding what constitutes an "AI system"—and calls for supervisory guidance to prevent overregulation of well-established statistical models. Building on the European Banking Authority's recent mapping of AI Act obligations against sectoral financial regulation, the paper highlights the risks of fragmented enforcement and institutional divergence, and proposes concrete institutional mechanisms to ensure coordination between data protection and AI authorities, including joint guidance from the European Commission, the European Data Protection Board, and the European AI Office. The paper concludes that safeguarding consumer protection and enabling responsible innovation are not mutually exclusive goals, but that achieving both requires targeted legal reform, interpretative clarity, and regulatory coherence across the EU.