On December 7, 2023, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued its opinion on the impact of the Court of Justice of the European Union's (CJEU) decision, in case C-634/21 OQ v Land Hessen and joint cases C-26/22 and C-64/22 UF/AB v Land Hessen, in regards to credit scoring practices of SCHUFA Holding, on artificial intelligence (AI) applications. In particular, the CJEU's decision categorized Schufa's credit scoring practice as an 'automated individual decision' under Article 22 of the General Data Protection Regulations (GDPR).

The HmbBfDI stated, among other things, that AI systems, similar to credit agencies, are often used to develop a preparatory basis for decision-making and computer-generated suggestions could be classified as independent according to the CJEU's standards, if they play a significant role in the decision-making process. The HmbBfDI further added that according to the ruling, AI-based assessments must be linked to a human assessment. This poses challenges for users because the person making the final decision needs expertise and enough time to be able to question the machine's preliminary decision. The HmbBfDI noted that this challenge can only be met through close human control of AI training and that the decision-making processes of an AI can often only be understood and influenced in the development phase. Therefore, the HmbBfDI specified that developers must create transparency, and it is the task of the users to familiarize themselves with how it works and to check it in each case. Finally, the HmbBfDI stated that if this distinction between humans and machines is not successful, assessments of individuals by AI are only permissible within the narrow limits of Article 22 of the GDPR.

You can read the press release here.