인공지능을 통한 자동화된 의사결정, GDPR 제22조 그리고 유럽연합법원의 Schufa 결정

In its Schufa judgment of 7 December 2023, the Court of Justice of the European Union (CJEU) gave a legal assessment of the use of credit scores calculated using mathematical and statistical methods by the credit rating agency Schufa from a data protection law perspective. In a preliminary reference procedure (Vorabentischeidungsverfahren) brought by the German Administrative Court of Wiesbaden under Article 267 of the Treaty on the Functioning of the European Union, which seeks the interpretation of the applicable European Union law in the case at hand, the Court of Justice of the European Union considered whether the calculation of credit scores by credit rating agencies, which lead to negative assessments of potential clients of credit applicants for credit lending institutions such as banks, and thus to the refusal of potential clients to enter into contracts, constitutes automated individual decision-making, including profiling, within the meaning of Article 22 para. 1 of the General Data Protection Regulation (GDPR), the Data Protection Framework Directive (Datenschutz-Grundverordnung (DSGVO). In the digital society, the freedoms of individuals guaranteed by the Constitution are no longer exclusively violated by the public authorities of the state. Rather, they are threatened by violations by extra-state organisations and institutions, especially by large global digital corporations that are private entities. The European Court of Justice ruled that if a third-party bank strongly uses the probability value of a loan applicant's credit information provided by a credit information agency in the conclusion, performance, or termination of a credit loan contract, it is considered 'automated individual decision-making' under Article 22, Paragraph 1 of the GDPR. Therefore, even if a human act, such as a bank employee or business processing, is ultimately involved, it can be seen as the core content of the European Court of Justice's case law that it is considered to be automated decision-making as long as it has no special meaning. The European Court of Justice ruled that if a third-party bank strongly utilizes the probability value of a loan applicant's credit information provided by a credit information agency in concluding, performing, or terminating a credit loan contract, it constitutes 'automated individual decision-making' under Article 22 Paragraph 1 of the GDPR. Therefore, even if a human act, such as a bank employee or business processing, is ultimately involved, it can be seen as the core content of the European Court of Justice's case law that it constitutes automated decision-making as long as it has no special meaning. The disclosure of the logic applied to the mathematical-statistical method used to calculate the credit score in question in the Schufa decision is precisely a question of recognition of the right to access to important information about the logic involved in decision-making by automated processing, i.e. the right to information (right to explanation) as stipulated in Article 15 Paragraph 1 Letter (h) of the GDPR. There has been a heated debate as to the extent to which Article 15 Paragraph 1 Letter (h) in conjunction with Article 22 GDPR includes the so-called right to explanation, i.e. the duty to provide arguments and explanations (Begründungs- und Darlegungspflicht) regarding the logic used in decision-making by automated processing.