report-consumer-friendly-scoring
This document is part of the request “Gutachten des Sachverständigenrats für Verbraucherfragen”
126 The legal framework for scoring
tion of factors such as the age of the policyholder has a long tradition. A blanket assessment of the admissibility of scoring in insurance law is therefore precluded and would not begin to do justice to the complexity of the insurance industry (Bitter and Uphues, 2017).

General legal rules governing the supervision of the insurance industry are not fundamental obstacles to the introduction of scoring elements in insurance. Insurers can adapt their business activities accordingly. Leasing of the telematics components that are required for scoring purposes cannot, in principle, be regarded as alien to insurance activities and hence classifiable under section 15 of the Insurance Industry Supervision Act as inadmissible non-insurance business (Klimke, 2015). The prohibition of special benefits under section 48b of the Insurance Industry Supervision Act must be observed, but it is not categorically incompatible with scoring elements in an insurance policy. The special data-privacy rule in section 213 of the Insurance Contract Act (Versicherungsvertragsgesetz) enumerates the sources from which an insurer may acquire personal health-related data about an insured person. These sources are doctors, hospitals and other health institutions, care homes and nursing staff, other insurers of persons and statutory health insurance funds as well as social insurance funds for occupational accidents and public authorities. Providers of wearable devices or health apps for smartphones (Adam and Micklitz, 2016, have already addressed these) are not listed there. That provision, however, is unlikely to be a serious obstacle to the establishment of scoring elements in health insurance, because first of all the provision is subject to the disposition of the parties (Rixecker, 2016, on section 213 of the Insurance Contract Act, point 28) and, secondly, it can be plausibly argued that, where an insurer accesses data generated by wearable devices or apps, the data have not been collected from third parties but from the insured person.

This report focuses sharply on motor and health insurance as potential arenas of scoring activity.92 This approach brings the two extremes of the regulatory spectrum into view. In the case of motor insurance, current legislation relating specifically to insurance places scarcely any obstacles in the way of the integration of scoring elements into motor policies. Private health insurance, by contrast, because of its vital importance to insured persons (Schüffner and Franck, 2018, on section 47 of the Insurance Industry Supervision Act, point 118) and its socio-political relevance, is enclosed in a tight regulatory straitjacket. In this area the law as it stands leaves little scope for the use of scoring processes during the lifetime of a current policy.

Motor insurance is very largely open to the introduction of scoring processes. The guiding principle of loss indemnification based on collective solidarity is alien to this type of insurance. The terms of insurance are determined by the principle of equivalence, whereby the premium is set in relation to the assumed risk. A de facto ‘solidarity effect’ may be discerned in the fact that, within a period of cover, some people from the pool of policyholders assigned to a particular risk group will incur losses, while others will not. This, however, amounts to “compensating for random fluctuations in claims experience and over time and not compensating for systematic differences in the gravity of individual risks” (Bitter and Uphues, 2017, pp. 3–4). This solidarity effect is intensified by the fact that the technical means of actuarial ‘fragmentation’ (Looschelders, 2015) of the body of policyholders into individual risk groups are not yet fully developed. The result is a levelling process between policyholders with a high probability of loss and those whose probability of loss is lower, all of whom are lumped together in a single risk group.

In these circumstances it comes as no surprise that no structural legal obstacles to the introduction of telematics-based pay-as-you-drive tariffs are identified (Klimke, 2015; Schumann, 2017; Koch, 2017, commentary on the General Conditions for Motor Insurance of 2015, points 9ff.). One issue could, however, be the compatibility of telematics-based tariffs with the provisions of insurance contract law on aggravation of risk (sections 23ff. of the Insurance Contract Act); for more details, see Lüttringhaus, 2018. There are no objections in principle to the use of telematics data in legal proceedings relating to the occurrence of an insured event (Klimke, 2015).
92 On scoring, albeit without the use of that term, in life and occupational disability insurance, see Brömmelmeyer, 2017.
Private health insurance is a highly variegated field of diverse insurance types (full health cover and various supplementary policies – see also section 192 of the Insurance Contract Act), based on differing calculation systems (calculation of premiums as for life assurance or as for indemnity insurance – see Kalis, 2018, section 44, points 209ff.) and also performing, to varying extents, a socio-political function. The socio-political significance is obvious in the case of substitutive health insurance (section 146 of the Insurance Industry Supervision Act and section 195 of the Insurance Contract Act), which can take the place of statutory health insurance and must therefore meet special requirements. Here, more than in the other areas of insurance law, attempts to generalise are thwarted by a wide diversity of conceivable insurance products and applications for scoring methods. At the heart of the scoring debate is the conception of a future in which insurance premiums are linked to the policyholder’s scored health-related behaviour. At least here the existing law on insurance supervision and insurance contracts are erecting effective barriers.

If health insurance premiums are calculated like those for life assurance, which is a prerequisite for the use of private health insurance as a substitute for statutory cover (see section 146(1) of the Insurance Industry Supervision Act), any adaptation of premiums based on scoring would come into conflict with section 203 of the Insurance Contract Act.93 Paragraph 1 of that provision definitively determines (Voit, 2018, on section 203 of the Insurance Contract Act, point 6) which criteria are to be used for the calculation of the premium. Paragraph 2, taken in conjunction with the first sentence of section 208 of the same Act, lays down the conditions and the procedure for adjusting premiums. This provision is semi-mandatory (Boetius, 2017, on section 203 of the Insurance Contract Act, point 51), meaning that derogation to the detriment of the policyholder is not permitted. Neither in the determination nor in the adjustment of premiums does section 203 of the Insurance Contract Act permit the use of an individual’s health-related behaviour or of a score based on that behaviour as a basis for setting the amount of the premium,94 for the first sentence of section 203(1) and the fourth sentence of section 203(2) of the Insurance Contract Act refer to the provisions of the Insurance Industry Supervision Act on the calculation of premiums. In this respect the provisions establish consistency between the two areas of insurance law and transform the stipulations of supervisory law into insurance contract law (Boetius, 2017, on section 203 of the Insurance Contract Act, points 3 and 42). Sections 6(1) and 10(1) of the Private Health Insurance Supervision Ordinance (Krankenversicherungsaufsichtsverordnung) contain statutory stipulations on the calculation of premiums by private insurers. These provisions rule out consideration of the policyholder’s lifestyle during the term of a policy as a calculation factor. The amount of the premium is to be based on the policyholder’s age and the scope of the benefits offered by the policy (but see section 152 of the Insurance Industry Supervision Act on the specific rules governing the basic tariff, addressed in Voit, 2018, on section 203 of the Insurance Contract Act, points 11ff.). Previous illnesses may be factored into the premium by way of risk loading (Voit, ibid., point 6); otherwise there is no scope for customised premiums.

Consideration should also be given to the second sentence of section 194(1) of the Insurance Contract Act. That provision specifies that the general provisions on aggravation of risk in sections 23ff. of the said Act do not apply to health insurance. This exclusion of applicability relates not only to health policies with life assurance-type premium calculation, which is already effected in accordance with section 203 of the Insurance Contract Act (Kalis, 2017, on section 194 of the Insurance Contract Act, point 24), but also to health policies with premiums calculated in the manner of an indemnity policy. “Changes in the insured person’s state of health occurring after the conclusion of the contract do not affect either the promise of performance once it has been made or the amount of the premium” (Kalis, ibid.). Any subsequent aggravation of risk is borne by the insurer and not the insured (see the Federal Administrative
93 The applicability of section 203 of the Insurance Contract Act, however, does not depend on the private health insurance in question actually meeting the conditions
set out in section 146 of the Insurance Industry Supervision Act; see Voit, 2018, on section 203 of the Insurance Contract Act, point 5.
94 The second sentence of section 203(1) of the Insurance Contract Act, however, provides scope for individualisation, stipulating that, “Other than with contracts in the
basic tariff in accordance with section 152 of the Insurance Industry Supervision Act, the insurer may agree an appropriate risk premium or release from obligation to
effect payment, taking account of an aggravation of the risk insured”.
Court judgment of 5 March 1999 – case 1 A 1/97 – and the Federal Court of Justice judgment of 9 May 2012 – case reference IV ZR 1/11).

It is also a plausible assumption that the rule set out in the first sentence of section 146(2) of the Insurance Industry Supervision Act, taken in conjunction with section 138(2) of the same Act, precludes certain score-based tariffs if they are not self-financing and are therefore indirectly subsidised by policyholders on the standard tariff (Brömmelmeyer, 2017).

Calculation of contribution rebates on the basis of scoring elements is possible in principle. This is a further development of those rules of insurance contract law that make any non-profit-related premium rebate dependent on non-recourse to insurance benefits in a previous contribution period (Boetius, 2017, on section 203 of the Insurance Contract Act, point 322; on the more restrictive conditions governing statutory health insurance, see section 53(2) and (9) of Book V of the German Social Code). The internal consistency of a regulatory regime that is split in this way, with stringent requirements for the adjustment of premiums yet relatively generous scope for scoring in all other respects, is open to criticism. From an economic point of view, after all, contribution rebates may be deemed equivalent to an individualisation of premiums.

3. Social insurance law and statutory health insurance

The system of statutory health insurance is a self-governing public institution based on the welfare state principle. Together with the other branches of the social insurance structure, it serves to protect people against life’s elementary risks and is therefore an instrument of social policy. Its structural hallmark is the principle of solidarity (Kingreen, 2003). Membership of the statutory health insurance scheme is prescribed by law for many groups of people. As a matter of principle, statutory health insurance contributions are earnings-related (German Social Code, Book V, section 241), while benefits are determined by individuals’ medical needs (Butzer, 2001, and Kingreen, 2003). Neither at the start of membership nor during it is any risk-weighting of individuals’ premiums permitted.

There is little room in such a system for individualised incentive systems based on scoring (see Hesse Regional Social Court judgment of 4 December 2008, case reference L 1 KR 150/08 KL, in the Juris database). Accordingly, there are no complex scoring processes in that domain at the present time.95 However, the bonus programmes for health-conscious individuals for which section 65a of Book V of the German Social Code provides (Bundesversicherungsamt, 2016) constitute a system that should be described as proto-scoring. Within the system of statutory health insurance, it is an exception in particular need of legitimisation. The Federal Insurance Office takes a sceptical view of these programmes on the whole (Bundesversicherungsamt, 2018; see also section C.III.3 above).
95 This does not say anything about the limits imposed by constitutional law on any attempt to shift the system of social insurance away from the solidarity principle
towards more highly accentuated individualisation. Although the principle of the welfare state that is enshrined in Article 20(1) and the first sentence of Article 28(1)
of the Basic Law requires the creation of social security systems as protection against the vicissitudes of life (Decisions of the Federal Constitutional Court, Vol.
28, p. 324, esp. pp. 348ff., Vol. 45, p. 376, esp. p. 387, and Vol. 68, p. 193, esp. p. 209; see Axer, 2000), this does not bind those systems to the structural principles of
statutory health insurance, which predate the Constitution in any case.
III. Building blocks for a scoring regime

Our review of the rules relating to scoring in data privacy law and in sectoral legislation has shown that, while they do not form a legal regime governing scoring in general, they are not powerless in the face of the scoring phenomenon. The law as it stands contains instruments with which certain social challenges connected with scoring can be met.

In this chapter we intend to examine three scoring-related challenges – score quality, transparency of the scoring process and non-discrimination – and outline the extent to which current law sets standards in these domains. Since these three challenges are not confined to specific areas of economic activity, such as health insurance, or particular situations with legal implications, such as the conclusion of sales contracts, we intend to focus primarily on those rules that address the identified problems in the most general form possible.

Scoring is a data processing operation, which means that the requirements set out in the General Data Protection Regulation and in the Federal Data Protection Act are especially fruitful in achieving regulatory objectives on a broad front. When it comes to protection against discrimination, the focus turns to the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz). Although its scope is substantively limited (sections 2 and 19) and many of its legislative details reveal the compromise character of the protection against discrimination that has ultimately been achieved, it not only contains legal definitions of direct and indirect discrimination (section 3(1) and (2)) but is also suitable as a model with the aid of which the general review programme for the identification of unlawful cases of unequal treatment can be explained.

1. Regulating the ‘how’ of scoring versus regulating the ‘whether’

The challenges referred to above of mathematical and statistical quality, transparency and non-discrimination relate to the phenomenon of scoring when it occurs. We do not, on the other hand, explore in depth the preliminary question of the legal relationships within which scoring is even permissible. The question regarding the ample scope for scoring processes can only be answered discretely for specific areas of people’s lives and of economic activity.

The regulatory regimes for scoring in the insurance industry which are outlined above illustrate that provisions in particular areas of activity may be obstacles to the application of scoring methods. Such an obstacle to scoring may result from the fact that the criteria governing the way in which private individuals may act and take decisions are set in stone, one example being the requirements outlined above for the calculation of premiums and premium adjustments in the realm of private health insurance. The law, however, may also prevent scoring by prohibiting the use of the very knowledge that is obtained from scoring processes. In the areas of economic activity that are examined in this report, there are no legislative examples of this type of regulatory model. It may therefore be expected that, with advances in the technological scope for the use of scoring methods and their spread within the economy, the legislature or the judicature – possibly by affirming the horizontal effects of the general right of privacy – will clamp down specifically on the use of scoring methods in principle in particular cases.
2. Scoring regulation and algorithm regulation

Regulation of the ‘how’ of scoring is part of the context of the regulation of algorithms, the possibilities of which are the focus of much discussion at the present time (see section B.I.4 above). Accordingly, in its report entitled Consumer Rights 2.0, the SVRV stated that the scoring provision in the Federal Data Protection Act96 contained a legislative starting point for the regulation of algorithms (SVRV, 2016; see also Härting, 2015). This is the basis for the following reflections.

The special case of scoring regulation may serve to illustrate how the law can formulate and enforce quality requirements, as exemplified here by quality assurance, and ethical requirements, as exemplified by the prohibition of discrimination, for algorithms. The study conducted by the Specialist Group on Legal Informatics of the German Informatics Society entitled Technische und rechtliche Betrachtungen algorithmischer Entscheidungsfindung (‘Technical and legal reflections on algorithmic decision-making’) is therefore one of the main sources on which the following remarks are based (cf. also Gigerenzer, Wagner and Müller 2018).

3. Guaranteeing a defined score quality

Numerous scoring processes serve the purpose of delivering a particular predictive service. The score is the verdict on the probability that a person will behave in a certain way in the future. This service may be rendered more or less well. Predictive scoring systems thus have a ‘quality dimension’ (on the factual situation, see section C.III.3). While the legislature is not indifferent to scoring, the requirement of scientifically recognised procedure set out in section 31(1)(2) of the Federal Data Protection Act ensures only a minimum degree of quality. Section 31(1)(2) specifies that “the data used to calculate the probability value” must be “demonstrably essential for calculating the probability of the action on the basis of a scientifically recognised mathematical-statistical procedure”. The provision thus addresses two distinct problems,96 both of which are rooted in the use of the formula “the data used”, because “the data used” could be intended to refer to the general data categories that are used in the calculation of scores, such as ‘age’, ‘number of current accounts’ or ‘address’. Or else the phrase could refer to the input variables that are used to calculate the score for a specific person (‘50’, ‘3’, ‘1 Castle Street’). There are differences between the regulatory resources which are needed to remedy defects in non-case-specific scoring formulae on the one hand and in input data relating to individual cases on the other.

3.1 Accuracy of specific input data

The concern that the data used as input variables for scoring purposes may not reflect the true factual situation (see chapter B.V above) is an aspect of the quest to guarantee high-quality data. The problem is of great practical relevance (see section C.III.3 above). Indeed the inaccuracy of personal data must be the absolutely central everyday problem in scoring-related complaints (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein and GP Forschungsgruppe, 2014, which contains reports on credit scoring from several consumer advice centres), to go by the statistics from various regional consumer advice centres on the main focal points of their information activity with regard to credit scoring (see, for example, Verbraucherzentrale Bremen, 2016, Verbraucherzentrale Niedersachsen, 2015, and Verbraucherzentrale Nordrhein-Westfalen, 2018).

Ensuring that only correct personal data are processed, however, relates not only to scoring but essentially to every data-processing operation. It therefore seems to be an excessively restricted and hence inappropriate approach to the problem to address it largely through the clause in section 31(1)(2) of the Federal Data Protection
96 In addition, the requirement of demonstrability is significant in its own right, since it establishes a documentation requirement for scorers; see Bundestag printed
paper 16/10529, p. 16, and Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein and GP Forschungsgruppe, 2014. This aspect is not addressed in the
following paragraphs.
Act which prohibits the processing of inaccurate data (and hence also non-essential data within the meaning of section 31(1)(2) of the Federal Data Protection Act – see Overbeck, 2016). In the longer term there will be a need for a body of law designed to ensure the quality of stored data. A normative mooring for such a legal regime already exists today in the principle of data accuracy enunciated in Article 5(1)(d) GDPR (see Pötters, 2018, on Article 5 GDPR, point 24). The contours of this area of the law and of the obligations that controllers have to fulfil with regard to the accuracy of the data they process, however, have scarcely been developed at all to date (Hoeren, 2016). One legally simple way of overcoming this problem certainly lies in the rights of data subjects to information and rectification (first sentence of Article 16 GDPR; for more details see Domurath and Neubeck, 2018). In this respect, however, data privacy law suffers from a considerable mobilisation deficit (Härting, 2015; Spindler, Thorun and Wittmann, 2017).

3.2 Scientific basis of scoring processes

Section 31(1)(2) of the Federal Data Protection Act prescribes that scoring processes must meet certain scientific standards (see section B.IV.1 above). With this provision, the legislature excludes at least the use for scoring purposes of data that cannot contribute anything to the predictive performance of a scoring process (Domurath and Neubeck, 2018). Where it is not even possible to demonstrate a correlation between a particular type of data and the event whose probability is to be predicted, the use of that type of data would be contrary to section 31(1)(2) of the Federal Data Protection Act.

Attempts are sometimes made to frame requirements for the instrumentality of the data that are used which go beyond proof of correlation. Formulating these requirements in such a way that they are usable in the practical application of the law has proved to be a difficult undertaking. This applies, for example, to the case that is sometimes made for the restriction of usable data to those that are “contractually relevant” (Domurath and Neubeck, 2018, cite examples). The types of data in question are those that influence the probability of the target behaviour in a particularly direct way (see also Buchner, 2018, on section 31 of the Federal Data Protection Act, point 8, who states that such a provision would require users “to demonstrate plausibly and verifiably that the data used to calculate the score are of direct relevance”). It remains unclear how the catalogue of these data types could ever be reliably defined.

The ‘correlation’ requirement laid down in section 31(1)(2) of the Federal Data Protection Act implies that those who undertake predictive scoring processes must never rely, when designing the process, on statistically unverified routine plausibility checks. In this respect, scoring needs “empirical reinforcement”. This requirement is far from self-evident, for there is no general obligation on those who enjoy the fundamental right of freedom of expression enshrined in the first sentence of Article 5(1) of the Basic Law to confine themselves to rationally justified utterances, not even when they are communicating alleged facts. Seen in that light, the rationality requirement in section 31(1)(2) of the Federal Data Protection Act already looks like a thoroughly significant legislative intervention, although, given the social significance of communicated probability scores, a plausible justification can be found for it.

That a process is scientific within the meaning of section 31(1)(2) of the Federal Data Protection Act is not guaranteed solely by the fact that its predictive performance is delivered with a level of reliability appropriate to the relevant area of people’s lives. The fact is that any process which delivers a better predictive performance than the toss of a coin can be the result of proficient application of statistical methods and, as such, constitute a significant and praiseworthy scientific achievement. But it does not answer the question whether the procedure should or should not be applied in a particular area of people’s lives. Specific quality criteria are not associated with the obligation to follow a scientific procedure. In this respect the legal regime covering predictive scoring has a regulatory void, which becomes particularly striking when contrasted with something like the law governing the capital adequacy of credit institutions, which was outlined above (see subsection E.I.3.4). This does not mean that section 31(1)(2) of the Federal Data Protection Act is a toothless tiger, but it does have biting inhibitions.
4. Guaranteeing transparency and comprehensibility

The General Data Protection Regulation explicitly anointed transparency as a principle to which all processing of personal data must adhere. The third principle set out in Article 5(1)(a) GDPR is that personal data must be “processed in a transparent manner in relation to the data subject”. This principle of transparency is developed programmatically in recitals 39, 58 and 60 of the GDPR. The circuitous wording of the cited sources must not obscure the fact that the level of abstraction of the transparency principle is still considerable. Which precise duties are actually incumbent on the controller in respect of each specific data processing operation remains uncertain (see above before section E.I.1 and, for example, Roßnagel, 2018, Wachter, Mittelstadt and Floridi, 2017, and Selbst and Powles, 2017). The catalogue of obligations is fleshed out somewhat in Articles 12 to 15 GDPR.

Article 12 GDPR
Transparent information, communication and modalities for the exercise of the rights of the data subject

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. (…)

Article 13 GDPR
Information to be provided where personal data are collected from the data subject (Article 14 is similar: Information to be provided where personal data have not been obtained from the data subject)

(…) In addition to the information referred to in Paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(…)

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Article 15 GDPR
Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(…)

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The provisions prescribe the fulfilment of extensive information obligations to the data subject (WP 29, 2018), and give the latter far reaching rights of access to information, which are also rooted in fundamental rights (second sentence of Article 8(2) of the Charter of Fundamental Rights of the European Union). But these provisions likewise leave considerable latitude for the application of the law. This has two reasons.

First of all, interests that conflict with the principle of transparency have also been recognised and must therefore be taken into account in the interpretation of the neutrally framed terminology of the transparency regime. Recital 63 makes this clear, stating that “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. (…) That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject.” It is recognisable that a regulation problem has been identified here but not resolved. The General Data Protection Regulation is unable to establish consensus on the issue of how the interest of safeguarding trade secrecy and that of access to information are balanced in current data privacy law.

Secondly, the General Data Protection Regulation, in what are key provisions in terms of scoring transparency, defines the catalogue of obligations incumbent on the controller in a conspicuously uninformative manner. Article 13(2)(f), Article 14(2)(g) and Article 15(1)(h) GDPR each define information about “the logic involved” (la logique sous-jacente; die involvierte Logik) in automated decision-making within the meaning of Article 22 GDPR. It might be supposed that, in the disciplines in which algorithms feature, the term ‘logic’ related to an algorithm as described from a particular perspective and that the legislature had made reference to this non-legal term with a view to preparing it for reception by the legal community (examples of such processes are described in Klement, 2006, and Mathis, 2017). This supposition is wide of the mark. Mathematicians, computer scientists and software engineers have a no less vague notion than legal scholars as to what the “logic involved” in automated decision-making might be.

The lively debate (see section B.I.3 above) on the disclosure of the attributes used as input variables in Schufa credit scores and their weighting is indicative of the lack of normative guidance provided by the transparency regime of the General Data Protection Regulation. If we assume that the calculation of a Schufa score amounts to decision-making within the meaning of Article 22 GDPR, it is still a moot point which items of information on the genesis of a score are covered by the description “the logic involved” (evidence of views on the scope of the provisions can be found in Wischmeyer, 2018; for a more restrictive interpretation, see, for example, Paul and Hennemann, 2018, on Article 13 GDPR, point 31; for a broader interpretation, see, for instance, Bäcker, 2018, on Article 13 GDPR, point 54). It is sometimes assumed, by explicit reference to the Schufa judgment of the Federal Court of Justice, that the obligation to give access to information goes further than the boundaries set by the current legal position. As Florian Schmidt-Wudy writes, “With regard to the scope of the information on the “logic involved”, it remains to be seen whether the non-disclosure, approved by the Federal Court of Justice, of the scoring formula will remain tenable, for without knowledge of the scoring formula, it is scarcely possible for the
data subject to discover and correct errors in the score (…). On the other hand, unrestricted disclosure of the score may jeopardise the business model of credit reference agencies (…).

Because of the analogous application of Article 15(4) GDPR, however, and the balance it prescribes with fundamental rights and freedoms, strict secrecy of scoring formulae as approved by the Federal Court of Justice will not be maintainable if knowledge of them is essential for a data subject to be able to identify flawed calculations and have them corrected. On the contrary, it will depend on the individual case, which means that in certain cases both the scoring formula and its underlying parameters may certainly be the subject of a disclosure.” (Schmidt-Wudy, 2018, on Article 15 GDPR, point 78.3). The cautious way in which the commentator expresses his interpretation of the law is illustrative of the strikingly weak normative guidance provided by Articles 13 to 15 GDPR (but see Heuzeroth and Seibel, 2018). The present legal position is still lagging behind the normative guidance provided by section 34 of the Federal Data Protection Act (old version), on the basis of which the Federal Court of Justice outlined the information access claim against Schufa – and that provision itself is far from unequivocal.

In the light of the above, it is no surprise that the scope of transparency requirements arising from the General Data Protection Regulation is a subject of controversy. The crystallisation point in the debate is the question whether the GDPR grants the data subject a ‘right of explanation’ of an automated individual decision. The object of this discussion, conducted on an international scale, is to build a bridge between, on the one hand, the transparency requirements of the General Data Protection Regulation and, on the other hand, the lively discussion on ways of making complex algorithmic decision-making systems comprehensible to people (see section B.I.4 above as well as Gesellschaft für Informatik, 2018, Selbst and Powles, 2017, Selbst and Barocas, 2018, and Wachter, Mittelstadt and Floridi, 2017).

It is certainly unmistakable that, in its transparency requirements, the General Data Protection Regulation follows on from its forerunner in EU law, the Data Protection Directive. This suggests a very cautious interpretation of the transparency requirements set out in Articles 13 to 15 GDPR (Wischmeyer, 2018). The information to be disclosed under these provisions would then be kept very general and would be confined to a merely superficial presentation of the program functions. On the other hand, this cautious circumscription of the transparency requirements in data privacy law may reflect the fact that the question how it is possible in practice to establish transparency (see section B.I.4 above) is still under discussion. At the heart of the transparency debate at the present time is not legal permissibility but technical feasibility (see Selbst and Barocas, 2018, Burrell, 2016, and Lipton, 2016). The technical-sounding but substantively vague description of the transparency entitlement, with terms like “the logic involved”, “significance” and “envisaged consequences”, may therefore prove to be especially receptive to future developments in legal scholarship.
5. Guaranteeing non-discrimination

Section 1 of the General Equal Treatment Act
Purpose
The purpose of this Act is to prevent or to stop discrimination on the grounds of race or ethnic origin, gender, religion or belief, disability, age or sexual orientation.

Section 3 of the General Equal Treatment Act
Definitions
(1) Direct discrimination shall be taken to occur where one person is treated less favourably than another is, has been or would be treated in a comparable situation on any of the grounds referred to under Section 1. (…)
(2) Indirect discrimination shall be taken to occur where an apparently neutral provision, criterion or practice would put persons at a particular disadvantage compared with other persons on any of the grounds referred to under Section 1, unless that provision, criterion or practice is objectively justified by a legitimate aim and the means of achieving that aim are appropriate and necessary.

5.1 Discriminatory acts and discriminatory effect

It is difficult for current anti-discrimination law to accommodate the problem of discriminatory scoring in its conceptual framework (see chapter B.II above), because it typically checks whether the reasons that people or institutions give for their actions are legitimate from an anti-discrimination perspective. Whether a reason for an action is objectionable on grounds of incompatibility with anti-discrimination law may be ascertained in the following two steps:

In the first step, the question to be asked is whether the motive for the behaviour being tested for conformity with the law requires attention in the light of anti-discrimination law. This may be so because one of the grounds listed in section 1 of the General Equal Treatment Act was a determinant factor for the behaviour in question. Current anti-discrimination law. To take an example, someone refuses to conclude a contract on grounds of the other party’s ethnic origin (see section 3(1) of the General Equal Treatment Act). Closer scrutiny is also called for, however, in the case of modes of behaviour with seemingly innocuous motives if those motives are particularly detrimental to any persons on account of one of the grounds listed in section 1 of the General Equal Treatment Act. For example, someone refuses to conclude a contract because of the other party’s insufficient knowledge of the German language (see section 3(2) of the General Equal Treatment Act). The second step involves an examination of whether reliance on the suspect ground is justified in the given situation. At the end of this examination, it will have been established whether or not prohibited discrimination has taken place. To discriminate unlawfully, then, means to act on prohibited grounds (for a detailed treatment, see Schramm, 2013). Anti-discrimination law is ‘input-focused’. Its attention is fixed on the interaction of certain decision-making criteria and their admissibility. In the realm of scoring, this method of applying the law may have unwanted results. For instance, a seller declines to do a deal with a prospective buyer because of the latter’s low score. In so doing, the seller is not acting on the basis of a protected characteristic but simply of a score. This ground for refusal does not alter the fact that the sex of the prospective buyer, for instance, played a significant role in the calculation of the score. It could be argued, on the basis of that fact, that this is a case of unequal treatment requiring attention in the light of anti-discrimination law (Moos and Rothkegel, 2016, advance this argument; see also section C.III.5 above). The seller, of course, does not refuse to enter into a contract because of the other party’s sex but because of the inadequate score. Although attempts can be made to bring such cases into the ambit of anti-discrimination law by means of rules on indirect discrimination, that will not resolve the difficulties.