Violating the EU’s General Data Protection Regulation can prove to be an expensive mistake. One direct bank recently had to learn this the hard way, having been issued with a 300,000 euro fine.
The General Data Protection Regulation – or “GDPR” for short – is certainly no toothless paper tiger, a fact an increasing number of businesses come to learn when they are asked to pay up for failing to comply with its provisions. Indeed, the authorities are required to impose fines that have an appreciable impact, notes commercial law firm MTR Legal Rechtsanwälte, whose team of legal experts includes IT law and data protection specialists.
The case at hand saw Berlin’s Commissioner for Data Protection and Freedom of Information (BlnBDI) impose a fine on a bank over a lack of transparency in connection with automated decisions, i.e., decisions made by an IT system on the basis of algorithms and without human intervention. According to the GDPR, these kinds of mechanisms are subject to special transparency obligations, which the bank in question failed to comply with.
More specifically, the case arose from a loan application that the bank had processed on the basis of algorithms. The applicant was required to provide information about their occupation, income, and personal particulars, among other things. Taking into account all this information as well as other data, the algorithm automatically rejected the application without a detailed explanation. This came as a surprise to the customer, who had a regular high income and a good credit rating in Germany, and he therefore asked the bank why his application had been rejected.
However, the bank only provided general information about the scoring procedure without addressing the individual case. This left the customer unable to fathom which information and factors had informed the decision to assign him a negative credit rating and reject the application. He subsequently took his complaint to the BlnBDI, which ruled in his favor.
Businesses need to be able to transparently substantiate automated decisions. The bank ought to have provided information about the main reasons underlying the rejection; instead, the data protection authority found that the bank had failed to provide this information transparently even after having been requested to do so. According to the BlnBDI, this meant that the bank had infringed Art. 22(3), Art. 5(1)(a), and Art. 15(1)(h) of the GDPR.
Those concerned can turn to the IT and data protection law experts at MTR Legal Rechtsanwälte for advice.