The European Data Protection Supervisor (EDPS) has invited the European Commission to clarify its proposal for a directive on consumer credit to ensure the limited and appropriate use of consumers’ personal data and guarantee fair access to credit for all Europeans.
Although it welcomed the aim pursued by the proposal, the EU privacy watchdog gave its recommendations on the Commission’s proposal for a directive on consumer credits in an opinion published on Thursday (26 August).
The opinion argues that a stronger, clearer framework should be implemented when it comes to credit assessment, at a time when new lending platforms have started to dig into non-traditional sources, like social media data or consumer browsing history, to build credit scores.
“These alternative data, combined with the use of automated tools (algorithms), raise
questions about the relevance of data, privacy, fairness, and exclusion”, the European Consumer Organisation BEUC warned already in 2019 in its review of the current consumer credit directive the new proposal is aiming to replace.
The Commission’s proposal will oblige creditors, credit intermediaries, and providers of crowdfunding credit services to assess the creditworthiness of the consumers and inform them “when they are presented with a personalised offer that is based on profiling or other types of automated processing of personal data”.
Whenever that’s the case, consumers will have the right to obtain a “clear explanation” of this assessment and some “human intervention” from the lender to review the decision.
In any event, the assessment is to be carried out from “relevant and accurate information on the consumer’s income and expenses and other financial and economic circumstances which is necessary and proportionate”.
The text redirects to the European Banking Authority Guidelines on loan origination and monitoring to define which categories of data may be used. Data found on social media platforms or health data, including cancer data, are in theory not to be processed.
The EDPS, however, would like the text to “explicitly prohibit the use of any special categories of personal data under Article 9” of the General Data Protection Regulation (GDPR).
It stipulates that “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.
The EU body, at the same time, recommends introducing a clearer indication of the external sources that may be considered as “relevant” when assessing the creditworthiness of consumers.
The EDPS also suggests replacing the term human “intervention” with assessment and calls for a provision to include data quality control procedures.
Finally, the Commission’s proposal recalls that AI systems intended to evaluate the credit score of someone will be classified as “high-risk” under the upcoming Artificial Intelligence Act.
The “high-risk” categorisation includes all procedures meant to grant access to financial resources or essential services such as housing or electricity with automated processes.
These AI applications will be subject to extra safety procedures, transparency requirements and liabilities.
In its opinion, the data watchdog said it would like to see the consumer credit and data protection rules “integrated as part of the (third-party) conformity assessment” that the Artificial Intelligence Act will introduce.
The proposal on consumer credit is now in the hands of MEPs from the European Parliament’s Internal Market and Consumer Protection (IMCO) committee. Leftist lawmaker Kateřina Konečná was appointed as rapporteur last month.
[Edited by Luca Bertuzzi]