The Law and Consumer Credit Information in the European Community: The regulation of credit information systems [1 ed.] 0415460735, 9780415460736, 9780203895603

Citation preview

The Law and Consumer Credit Information in the European Community

Consumer credit information systems are the tools used by the majority of lenders to manage credit risk, with lenders accessing credit reference databases managed by third-party providers to evaluate a consumer’s credit application. So far, the subject of consumer credit reporting has been left to the predominant attention of the economic and business management scholarship, and little or no consideration has been paid to the issue by lawyers. This book aims to rectify this, examining the legal framework and compliance in the European Community (EC) of such consumer information sharing arrangements, which have become increasingly integrated in the credit granting practices of the Member States. The book looks at the laws that surround and affect consumer credit reporting, including bank secrecy obligations. Consumer credit reporting and its relationship to human rights is also explored, as every individual in the EC is entitled to informational privacy. The book asks questions such as to what extent should the privacy of consumers be balanced against the aims and functions of consumer credit reporting, and how do the financial information sharing arrangements comply with the positive law, particularly the European data protection legislation? Federico Ferretti is a lecturer in law at Brunel University, UK. He is also a trained solicitor and barrister of the High Courts of Italy.

The Law and Consumer Credit Information in the European Community The Regulation of Credit Information Systems Federico Ferretti

Published 2008 by Routledge-Cavendish 2 Park Square, Abingdon, Oxon, OX14 4RN Simultaneously published in the USA and Canada by Routledge-Cavendish 270 Madison Ave, New York, NY10016 Routledge-Cavendish is an imprint of the Taylor & Francis Group, an informa business This edition published in the Taylor & Francis e-Library, 2008. “To purchase your own copy of this or any of Taylor & Francis or Routledge’s collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.” © 2008 Federico Ferretti All rights reserved. No part of this book may be reprinted or reproduced or utilised in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers. British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloging in Publication Data Ferretti, Federico. The law and consumer credit information in the EC / Federico Ferretti. p. cm. 1. Consumer protection—Law and legislation—European Union countries. 2. Consumer credit—Law and legislation—European Union countries. 3. Data protection—Law and legislation—European Union countries. 4 Privacy, Right of—European Union countries. I. Title. KJE6577.F47 2008 343.2407′1—dc22 2007048905 ISBN 0-203-89560-6 Master e-book ISBN

ISBN13: 978–0–415–46073–6 (hbk) ISBN13: 978–0–203–89560–3 (ebk) ISBN10: 0–415–46073–5 (hbk) ISBN10: 0–203–89560–6 (ebk)

To Stella and Biricchino

Contents

Table of Cases Table of Legislation Abbreviations Acknowledgements

1

xi xiii xv xvii

Introduction

1

Consumer credit reporting in the economy: What is consumer credit reporting, and why is it used?

9

Introduction 9 Consumer credit reporting and Credit Reference Agencies 9 The rationale for consumer credit reporting systems 12 What information is collected, processed and disclosed to third parties? 15 The trends: secondary uses of credit reference data 19 Concluding remarks 29 2

The lack of a legal perspective Introduction 31 Consumer credit reporting in the economic literature 32 Institutional aspects and the literature in regulatory policy 37 Literature in law 40 Information asymmetry and consumers 42 Remarks on the review of the literature 43 The importance of legal research 45 Concluding remarks 47

31

viii 3

Contents Historical background: the cultural framework. A lesson from history?

49

Introduction 49 Historical informal information-sharing mechanisms 51 The origins of credit information-sharing systems: business credit reporting in the US 53 Consumer credit reporting in the US 58 Consumer credit reporting in Europe 65 Lessons for the EC from history? 71 Concluding remarks 74 4

The institutional and legal standing in the EC: Is the EC missing a chance?

77

Introduction 77 European markets in consumer credit 78 Institutional framework 81 European consumer credit reporting markets 85 European cross-border exchange of information 89 Structural impediments for a European single market 92 The legal framework 93 Bank secrecy 94 Data protection 99 Consumer credit laws 103 Concluding remarks: missing a chance? 126 5

Reputation, privacy and the law: What rights and interests are at stake and to what extent are these conflicting?

129

Introduction 129 Reputation 130 The importance of data protection and the reasons for EC legislation 134 Problems relating to the implementation of Directive 95/46/EC 144 Concluding remarks 148 6

Legal compliance: What are the legal mechanisms upon which consumer credit reporting needs to rely? Introduction 151 Data controllers 152 Fair and lawful data processing 154

151

Contents ix Information to be given to data subjects 156 Criteria for making data processing legitimate 161 Specified, explicit and legitimate purposes of data processing and further processing 165 Adequacy, relevancy and reasonableness of data processing 167 Accuracy and updating of the data 170 Data retention period 173 Automated individual decisions 174 Concluding remarks 175 7

Conclusions

177

Introduction 177 Consent model 179 Other concerns 182 Secondary data processing purposes and consumer protection 184 Consent, privacy, EC consumer law and competition: further implications for consumer protection? 190 The paradox of consumer credit reporting systems 195 The European dimension 198 Concluding policy and institutional considerations 204 Appendix: Case studies

209

United Kingdom 209 Italy 213 Lesson from Italy? 223 Bibliography Index

225 239

Table of Cases

European Community Baumbast v R (C-413/99) [2002] ECR I-7091 ................................................... 200 British Leyland plc v Commission (C-226/84) [1986] ECR 3263, [1987] 1 CMLR 185, 623 .................................................................................... 194 Brown v Secretary of State for Scotland (C-197/86) [1988] ECR 3205, [1988] 3 CMLR 403.................................................................................. 199 Carpenter (C-60/00) [2002] ECR I-6279 C-71/02 .............................................. 200 CIA Security International SA v Signalson SA (C-194/94) [1996] ECR I-2230 ............................................................................................. 146 Collins v Secretary of State for Work and Pensions (C-138/02) [2005] QB 145, [2004] 3 WLR 1236, [2004] ALL ER (EC) 1005 ........................ 200, 201 Commission v Italy (C-63/86) [1986] ECR 29, [1988] CMLR 16 ......................... 201 Commission v Netherlands (C-68/89) [1991] ECR I-2637, [1993] 2 CMLR 389 ........................................................................................... 200 ERT v DEP (C-260/89) [1991] ECR I-2925 ...................................................... 147 Faccini Dori v Recreb Srl (C-91/92) [1994] ECR I-3325 ..................................... 147 Fratelli Costanzo SpA v Commune di Milano (C-103/88) [1989] ECR 1839......... 146 Grad v Finanzamt Traunstein (C-9/70) [1970] ECR 825, [1971] CMLR 1 ............ 146 Gravier v City of Liège (C-293/83) [1985] ECR 593, [1985] 3 CMLR 1 ................ 201 Grzelczyk (C-184/99) [2001] ECR I-6193 ......................................................... 201 Hansa Fleisch Ernst GmbH und Co KG v Landrat des Kreises Schleswig-Holstein (C-156-91) [1992] ECR I-5567 ....................................... 146 Hoekstra v BBDA (C-75/63) [1964] ECR 177, [1964] CMLR 319 ....................... 199 Ioannidis (C-258/04) [2005] 3 CMLR 47 ......................................................... 201 Kempf v Staatssecretaris van Justitie (C-139/85) [1986] EC 1741, [1987] 1 CMLR 764 ........................................................................................... 199 Lair v Universität Hannover (C-39/86) [1989] ECR 3161, [1989] 3 CMLR 545 ........................................................................................... 199 Lemmens, Criminal Proceedings against (C-226/97) [1998] ECR I-3711 .............. 146 Levin v Staatssecretaris van Justitie (C-53/81) [1982] ECR 1035, [1982] 2 CMLR 454 ........................................................................................... 199 Luisi v Ministero del Tesoro (C-286/82), [1984] ECR 377, [1985] 3 CMLR 52 ...................................................................................... 200, 201 Mangold v Helm (C-144/04) [2006] 1 CMLR 43............................................... 147

xii Table of Cases Marshall v Southampton and South West Hampshire Area Health Authority (C-152/84) [1986] ECR 723, [1986] 1 CMLR 688 ......................................... 146 Martinez Sala v Freistaat Bayern (C-85/96) [1998] ECR I-2691 .......................... 200 Ministère Public v Even (C-207/78) [1979] ECR 2019, [1980] 2 CMLR 71 ........... 201 Pfeiffer v Deutsches Rotes Kreuz Kreisverband Waldshut eV (C-397/01) [2004] ECR I-8835 ................................................................................... 147 Pubblico Ministero v Ratti (C-148/78) [1979] ECR 1629, [1980] 1 CMLR 96 ....... 146 Reina v Landeskreditbank Baden-Würtemberg (C-65/81) [1982] ECR 33, [1982] 1 CMLR 744.................................................................................. 201 Rikkskatterverket v Soghra Gharehveran (C-441/99) [2001] ECR I 7687 ............. 146 Sabine von Colson and Elisabeth Kamann v Land Nordrhein-Westfalen (C-14/83) [1984] ECR 1891 ....................................................................... 147 Trojani v Le Centre Public d’Aide Sociale de Bruxelles (C-456/02) [2003] C-144/13 ................................................................................................. 200 Unilever Italia SpA v Central Food SpA (C-443/98) [2000] ECR I-7535 .............. 146 Union Royale Belge des Sociétés de Football Association v Bosman (C-415/93) [1995] ECR I-4921, [1996] 1 CMLR 645 ..................................... 201 Van Duyn v Home Office (C-41/74) [1974] ECR 1337, [1975] 1 CMLR 1............. 146 Verbond van Nederlandse Ondernemingen (VNO) v Inspecteur der Invoerrechten en Accijnzen (C-51/76) [1977] ECR 113, [1977] 1 CMLR 413 ........................................................................................... 146 Wachauf v Bundesamt fur Ernährung und Forstwirtschaft (C-5/88) [1989] ECR 2609 ............................................................................................... 147 Watson v Belmann (C-118/75) [1976] ECR 1185, [1976] 2 CMLR 552 ................. 200

United States Beardsley v Tappan, 5 Blatchf, 498 (1867) ......................................................... 57 Eaton v Avery, 83 NY 34 (1880) ...................................................................... 58 Ormsby v Douglass, 37 NY 484 (1868) ............................................................. 57

Other Tournier v National Provincial and Union Bank of England, [1924] 1 KB 461 (UK).............................................................. 95, 98, 211, 212

Table of Legislation

European Community Directive 64/221/EEC OJ L 56 p 0850–0857.............................. 199 Directive 68/360/EEC, OJ L 257 p 0013–0016.............................. 199 Regulation 1612/68, OJ L 257 p 0002–0012.............................. 199 Regulation 1251/70 OJ L 142 p 0024–0026.............................. 199 Consumer Credit Directive 87/102/ EC – OJ L 042, 12/02/1987 p 0048–0053 ............................... 79 First Money Laundering Directive, 91/308/EEC – OJ L 166, 28.6.91 p 0077–0083 .......... 27 Directive 93/96/EC OJ L 317 p 0059–0060.............................. 199 Data Protection Directive 95/46/EC, OJ 1995 L 281 p 0031–0050 ................. 46, 101, 129, 151, 178 Charter of Fundamental Rights of the European Union – C 364 (2000), p 0001–0022 ....................... 101, 137 Second Money Laundering Directive, 2001/97/EC – OJ L 344, 5.7.2001 p 0076–0082 ............ 27 Proposal for a Directive of the European Parliament and of the Council on the harmonisation of the laws, regulations and administrative provisions of the Member States concerning credit for

consumers, COM (2002) 443 final 2002/0222 (COD) (EU) ................................. 122, 185 Modified proposal for a directive of the European Parliament and of the Council on credit agreements for consumers amending Council Directive 93/13/EC, COM (2005) 483 final 2002/0222 (COD) ........................ 124, 185, 186 Directive 2004/38/EC OJ L 317 p 59–60 .................................... 199 Third Money Laundering Directive COM (2004) 448 final ........................................... 27 Committee on Legal Affairs and the Internal Market, P5_TAPROV(2004) 0297 (A5-0224/ 2004 – Rapporteur: Joachim Wuermeling) PE 338.483, ‘European Parliament legislative resolution on the proposal for a European Parliament and Council directive on the harmonisation of the laws, regulations and administrative provisions of the Member States concerning credit for consumers’, COM (2002) 0443 – C5-0420/ 2002 – 2002/0222 (COD) (EU) ........................................ 124 Unfair Commercial Practices Directive 2005/29/EC (2005) OJ L 149/22 ....................... 160, 191

xiv Table of Legislation

EC Treaty, Articles Art 12 (ex 6) .................... 200, 201, 222 Arts 39–42 (ex 48–51) .............. 199, 200 Arts 49–55 (ex 59–66) ..................... 200 Art 81 .................................... 193, 194 Art 82........................................... 194 Art 95........................................... 204 Art 105(5) ..................................... 206 Art 249 (ex 189) ............................. 144

United States Fair Credit Reporting Act (1970), Pub L No 91-508, 84 Stat 1114, codified at 15 USC § 1681(a) ..................... 41, 64, 65, 94 Equal Credit Opportunity Act of 1975, 15 USC § 1691 et seq .................................... 65, 94

International Universal Declaration of Human Rights, 10 December 1948 .......... 136 Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms (ETS No 005) open for signature 4 November 1950, entry into force 3 September 1950 ............................. 45, 100, 136

Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data Convention (ETS No 108), Strasbourg, 1981......................................... 100

Other The Banks Act No 21/1992 Coll of 20 December on Banks (Czech Republic) ........... 98, 104, 129 Legislative Decree No 691 of 17 July 1947 (Italy) ...................................... 213 Legislative Decree No 385 of 1 September 1993 (Italy) ................................ 110, 213 CICR resolution of 3 May 1999, OJ No 158 of 8 July 1999 (Italy) ................................ 110, 213 Legislative Decree No 196/2003 of 30 June 2003 (Italy) ................................ 110, 214 Consumer Credit Act 1974 (UK) ............................ 11, 121, 210 Data Protection Act 1998 (UK)........................................ 121 Banking Code of Practice 2005 (UK) .......................... 121, 209, 210 Consumer Credit Act 2006 (UK) ................................. 121, 186

Abbreviations

ACCIS CEPS CICR CRA DPA DTI EC ECOA ECRI EC Treaty EU FCRA ID card OFT PCR UK US WGCR

Association of Consumer Credit Information Suppliers Centre for European Policy Studies Inter-ministerial Committee for Credit and Savings (Italy) Credit Reference Agency 1998 Data Protection Act (UK) Department of Trade and Industry (UK) European Community/ies Equal Credit Opportunity Act (US) European Credit Research Institute Treaty of the European Communities European Union Fair Credit Reporting Act (US) Identity card Office of Fair Trading (UK) Public Credit Registry United Kingdom United States Working Group on Credit Registries

Acknowledgements

I am grateful to Andrew Campbell and Joan Loughrey for valuable discussions and encouragement. I would also like to thank Simon Davies and Gus Hossein of Privacy International for their professional example. Thanks also to Stefano Stoppani of the IFC – a friend – for lively discussions while having pizzas at the ‘Belle Arti’, and Caralee McLiesh and Darshini Manraj of the World Bank for supplying the legal documents necessary to complete Tables on individual countries. The helpful comments and suggestions from anonymous referees of the Journal of Financial Regulation and Compliance, the European Business Law Review, The Banking Law Journal, Legal Issues of Economic Integration, the European Journal of Law and Economics and the International Journal of Communications Law and Policy are acknowledged. Finally, I would like to emphasise the constant source of encouragement and fountain of emotional support of my family. My special appreciation to Stella, my beloved wife, for her uninterrupted love and support – last but not least for having left the Mediterranean sun for the Atlantic drizzle.

Introduction

This work explores consumer credit information systems as a tool used by lenders to manage credit risk. Such devices have become the instruments most extensively used by the credit industry to underwrite decisions on borrowings or the supply of goods and/or services to consumer customers. Lenders, in fact, access credit reference databases managed by third party providers (the so-called ‘Credit Reference Agencies’) in order to evaluate a consumer’s credit application and his/her creditworthiness. The rapid development and increasing sophistication of information technologies and systems, coupled with the increasing competition between lenders and issues of borrowers’ indebtedness, have made data sharing mechanisms in the credit market a topic of recent interest among academics in a number of disciplines. In particular, economists have long stressed the importance of information in credit markets, and support the development and expansion of data sharing in the financial system in order to meet the problem of asymmetrical information between borrowers and lenders, as well as problems of bad selection by lenders and the risk that arises from personal, as distinguished from physical, characteristics of borrowers that increases the possibility of an economic loss (so-called ‘moral hazard’). In addition, new trends in the use of consumer financial information are beginning to emerge, which make some justification for the expanding use of these data. A recent one, for example, is the use of this information to prevent customers from becoming over-indebted. Thus, the purpose of this study is to take a lawyer’s perspective on the subject-matter, and to identify and examine the legal framework and compliance in the European Community (EC) of such consumer information sharing arrangements, which have become increasingly integrated in the credit granting practices of the Member States. Far from challenging economic theory about the importance of information in credit markets, the basic problem of this work is to gauge how, and to what extent, the application of such a general theory is influenced when individuals/consumers are involved, giving consideration to their rights as recognised in the EC. In particular, as the financial information of individuals

2

Law and Consumer Credit Information in the EC

is at stake, a primary concern is to establish to what extent the right to informational privacy of individuals is respected. In fact, while internationally there is the tendency for more information in the financial dealings of companies to promote transparency, particularly after the corporate scandals of the recent years worldwide, at the same time there is the need for increased privacy protections as regards individuals in an age of ever-advancing sophisticated information technologies. In Europe, informational privacy is an established personality right of every individual that safeguards important civil liberties and values. Actually, it has been elevated as a human right that could be sacrificed or balanced (as the case may be) when in conflict with other prevailing or equal rights, or the general interest. To what extent should the privacy of consumers be sacrificed or balanced vis-à-vis the aims and functions of consumer credit reporting? How do financial information sharing arrangements comply (if they do comply in the first place) with the positive law, particularly the European data protection legislation? Are there any other laws that surround or affect the consumer-reporting sector (including, but not limited to, bank secrecy obligations)? And, finally, are the present arrangements and practices satisfactory to protect consumers in the wider context of the integration of European consumer credit markets and the rules of the Common Market, as well as the recent developments and trends towards a closer European integration? These are the central research questions that this study attempts to answer. The approach that this work takes in order to provide an answer to this set of questions is a theoretical one, valuing most highly the fundamental rights of the individuals at stake, and taking seriously the respect of the positive law regardless of any thoughtful criticism that it may attract. In fact, for instance, it does not propose different or better data protection regimes than the existing one to adjust to the evolution of technologies or new economic theories. Of course, this study does not disregard alternative viable proposals for a specific side regulation of the sector. Likewise, it does not disrespect per se the economic interests of the credit industry. Indeed, it certainly does not intend to endorse any anti-capitalist message, and considers profitability a perfectly legitimate interest to be carried out and ideally achieved. It simply looks at the issue from the perspective of civil liberties, freedom and the respect of rights over profit seeking at all costs and greed, supporting the view that market forces do not necessarily have to override or squeeze the fundamental rights of individuals/consumers. In fact, if credit reports are a valued element for the industry for improving business management efficiency and productivity, i.e. profitability, from the point of view of consumers nowadays more than ever credit reports are becoming the key to access credit, financial services, purchase of costly goods and/or services, insurance, telecommunications, etc. They have become a matter of economic and social inclusion or exclusion of individuals, who are arguably the weaker party in the economic relationship. This seems to be

Introduction 3 too much of an important issue of social justice to be left to market forces. In other words, thus, not only does this research take the perspective of protecting civil rights and liberties, but it is also particularly concerned with problems of distributive justice as a necessary component and rationale for the regulation of the economy. Admittedly, this approach will not result in the best economic interest of the credit industry in the terms presently put forward by the economic and business management theoretical literature. However, the utilitarian interests of business ventures should not suppress or impose the sacrifice of prevailing established rights of individuals and consumers, especially when no evidence of cause and effect is offered by economic theory to justify such an imposition, raising in a lawyer the suspicion of abusive commercial practices – certainly not a novelty in the business-to-consumer domain. Thus, following the increasing literature in economic disciplines on the benefits of consumer information sharing, the real purpose of the research is ultimately to stimulate the intervention of lawyers in the study of the sector, and promote a debate that could look at the issue from a different perspective to be eventually taken to the attention of the competent European policy-makers. Definitely, the subject matter under study should not be left in the exclusive domain and control of economists and lobbyists. Already at this introductory stage, a few major difficulties arise. The first one is that it is very difficult to provide a standard explanation of what exactly constitutes credit reporting and its functions, which organisations are involved, and how they operate. This complexity arises from the fact that credit reporting differs greatly in structure and the way it operates around the world, depending largely on national cultures, jurisdictions, institutional arrangements and the economic and regulatory environment. Another source of difficulty is the inconsistency in the terminology used in the credit industry and in the literature on the subject: ‘Credit Bureau’, ‘Credit Reference Agency’, ‘Credit Reporting Agency or Firm’, and ‘Credit Registry’ are the synonymous terms commonly used by the credit industry to describe either private or public organisations that collect, file, elaborate, disseminate and disclose either business or consumers’ financial data to their members (the lenders). The frequent lack of a clear and precise distinction between business and consumer credit reporting is a further particular source of confusion when trying to identify the role and function of credit reporting systems in the economy and society, the legal environment in which they operate, and the actors involved, thus posing additional terminology overlaps and creating dangerous grey areas. It would be a mistake, in fact, to consider the credit reporting of consumers and businesses the same way, particularly as far as the identification of the legal setting is concerned or when dealing with policy considerations.

4

Law and Consumer Credit Information in the EC

Likewise, for the same purposes of understanding, identification and analysis it is crucial to separate the two main types of organisations involved in credit reporting activities and the different functions that they serve in the economy. On the one hand, there are public organisations involved in the centralisation and reporting of financial information, which are operated or controlled by the State through public institutions, usually central banks or other authorities engaged in banking or financial supervision and regulation. Their task is to monitor the safety and soundness of the financial system as a whole, and they are involved in the prudential regulation that relates to it. On the other hand, there are private companies, most of the time doing business for profit as every other business venture, which operate outside the sphere of the State or other public institutions, and do not have any public function but simply provide services to those financial intermediaries engaged in the provision of credit to their customers. This is done on a voluntary basis to improve credit risk management and profitability. Failure to make this crucial clear-cut separation would result in misleading consequences both in economic and legal terms. Therefore, it will represent a recurring theme throughout this work, worth a repetition every time it appears relevant in order to distinguish the subtle but crucial line that distinguishes credit reporting carried out by either type of organisation. Within private organisations engaged in providing information to financial markets, another crucial differentiation is that between organisations providing credit references in the lender-consumer borrower relationship and the so-called Credit Rating Agencies (like Moody’s, Standard & Poor, Finch). The latter, in fact, are private companies that assess the likelihood of timely payments on securities, rating the creditworthiness of an investment in financial markets and not its economic desirability to investors. Governmental bodies incorporate the ratings of Credit Rating Agencies into supervisory procedures, including for example capital adequacy standards in the context of the supervision of the financial system, nationally and internationally within the Basel Committee on Banking Supervision. Financial regulations and laws impose certain criteria and standards to be met according to ratings that represent a precondition for financial trading in securities.1 All these traits contrast with the credit reporting sector that is the subject matter of this investigation, where no law or regulation compels creditors to obtain a credit report of debtors prior to a transaction, i.e. the underwriting of a commercial contract. As this work is concerned with the legal framework of the reporting of financial information of individuals in consumer credit operations to manage

1 The regulatory incorporation and role of Credit Rating Agencies in the establishment of capital standards in the economy present separate legal features and problems that are alien to the subject matter of this study.

Introduction

5

the lenders’ credit risk, it will deal with the activities, function and regulatory environment of those organisations that mainly serve that particular market, i.e. those private companies providing consumer information services to the credit industry. Since there is no attempt in the industry or in the literature to standardise the term, the word ‘Credit Reference Agency’2 (hereinafter referred to as ‘CRA’) will be used throughout this study to identify such private organisations, as distinguished from the locution ‘Public Credit Registry’ (PCR) that will refer to public institutions supervising the financial system. On occasion, reference to business credit reporting will also be made in order to distinctly distinguish between business and consumer information and address the relevance of such a distinction. In the attempt to answer to the set of questions that it poses, and deliver a legal analysis of the sector, this study is structured as follows. Chapter 1 sets the starting point of the research. It aims to examine what consumer credit reporting is, the actors involved, the problems that it addresses, and the functions in the economy that it purports to reach. Not only will this provide the necessary elements to conduct any legal examination; by ultimately investigating what and whose interests and/or rights (if any) it satisfies, it is set to determine from the outset one of the most critical components that represents a point of reference for, and eventually mark, the entire study of the sector. The interests or rights at stake, in fact, are a central theme in the rationale of any economic activity and legal framework of a sector, especially if conflicting ones emerge. Different actors involved in a business process, in fact, may have different interests and, eventually, different rights. To the extent that these are or may be diverging, the determination of the prevailing interests to be protected or the balance to be struck, as the case may be, constitute a precondition of a legal analysis aiming at assessing the legitimacy of the system or whether the positive law is satisfactory or not. Chapter 2 identifies and critically explores in detail the existing literature on the subject. As well as providing further important knowledge and theories, the explicit objective of this part is to establish to what extent lawyers have contributed with a legal analysis of the sophisticated personal data-sharing mechanisms in the EC, and have considered consumer protection concerns. The aim is to show that too little attention has been paid to this problem by lawyers. It means to serve the double function as a literature review and to highlight the actual significance of the involvement of the legal community in the topic under discussion. Building on the above determinations, Chapter 3 looks at the cultural baggage and comparative dimension of consumer credit reporting through the lens of history. As well as carrying an interest in its own right, this proves 2 Moreover, the term ‘CRA’ is more familiar among Europeans and this work focuses essentially on Europe. Americans, by contrast, would be more accustomed to the term ‘Credit Bureau’.

6

Law and Consumer Credit Information in the EC

useful as a background of the legal framework and it may provide a functional contribution to its setting. The cultural side and ideologies that lie behind credit reporting may offer a perspective of the social acceptance, compatibility and process of legitimisation of the sharing of personal financial information for the purposes that it aims to address, adding further thoughts to its prevailing or succumbing nature vis-à-vis other established societal norms, values and ultimately rights that affect significantly the lives of people in the diverse traditions of the EC. In due course, the cultural argument may prove a further one to induce the competent European authorities to pay attention to activities that interfere with the rights of individuals but fail recognition. The state of affairs of the consumer credit information systems is presented in Chapter 4. It explores the present institutional and legal framework with the particular intention of verifying whether and to what extent there is or could be a European dimension in view to completing a single retail credit market. The legal standing of consumer credit reporting to date is described, both in terms of present cogent law and proposals. Further to its findings, the chapter addresses the question of whether the present debates, negotiations and agenda for a new harmonised European framework under the umbrella of proposals for a consumer credit directive represent the appropriate forum and a timely prospect to regulate the sector, explaining the reasons why failure to do so may represent a missed chance to start thinking about a European regulatory model to support a single credit market where consumers receive adequate protection. Within the identified legal framework, Chapter 5 first evaluates, and then balances, the rights and interests of both lenders and consumers in order to set the priorities, interpretative tools, and methodology to carry on a compliance analysis in the following chapter. To reach this goal, it looks closely at the most relevant issues behind the reporting of consumer financial information, i.e. the prejudicial side of sharing people’s reputation, exacerbated by ever-advancing information technologies and the absence of respect for the privacy of consumers. This is put into context with an analysis of the important concepts and values that the right of informational privacy protects, and the dangers that data protection legislation aims to prevent. By looking at the EC legal framework, EC data protection law sets the benchmark for the compliance analysis of Chapter 6, although the well-known problem of the varying implementation of the directive in the Member States jeopardises its effective application. Nevertheless, national regimes implementing a Community directive should not fall short of the normative standards that it sets, therefore making its provisions the proper paradigm for compliance analysis purposes. Thus, Chapter 6 sets forth the central part of the strict legal compliance analysis, matching the features of consumer credit reporting with the relevant provisions of EC data protection legislation. It aims to examine whether the practice of sharing consumer financial data is legitimate, which legal

Introduction

7

mechanisms and interpretations should be the ones to rely on to ensure lawful processing of personal data, and how this fits with the problems that the credit industry needs to face in the practice of sharing customers’ personal information. The results of the investigation are discussed in the concluding chapter. Following the findings and concerns of the previous analysis, the chapter draws together and discusses the core themes of the entire study to attempt to explain the illegitimacies of the current practices and the paradoxical results that a system complying properly with the law would bring. In an attempt to put forward proposals to remedy a situation that it finds alarming, the study introduces arguments that explain the existence of further legal obstacles, as well as grounds for supplementary future examination in promising unexplored legal territory that ultimately suggest a complete re-think of the sector, starting from the functions of consumer credit reporting and its institutional side. In such an attempt, this concluding section inevitably proposes controversial and provocative proposals/solutions, which serve the purpose of stimulating and promoting debate, particularly among lawyers, indeed the original aim of the research. Finally, the Appendix provides two case studies to show concretely the practical implications of the arguments maintained in the conclusions of the research. The jurisdictions of the UK and Italy have been chosen deliberately. The former is an EC country where credit to consumers is mostly mature and enjoys the longest tradition and cultural acceptance of consumer credit referencing. Moreover, it well represents the typical example of the present omni-comprehensive regulatory scenario across the Community. Italy, by contrast, is the jurisdiction that provides the most recent innovative attempt specifically to regulate the sector, although by means of a binding code of practice within the omni-comprehensive data protection legislation. Whether this could provide an example for the other Member States is considered, albeit the failure to address the essential criticism that this work has attempted to stress arguably makes such an occurrence doubtful.

1

Consumer credit reporting in the economy What is consumer credit reporting, and why is it used?

Introduction What is consumer credit reporting, how does it work, and what functions does it perform? These are the initial basic questions that need to be answered in order to understand the phenomenon in question before making any attempt to identify a legal framework, analyse it, and debate its suitability. The comprehension of the mechanisms, rationale, economics and uses of consumer credit information reporting systems, in fact, represents the starting point for any such study. Equally important, from the initial stage of the investigation, is the identification of the actors involved and an assessment of the relationship between the devices at study and the interests that they aim to satisfy. Thus, in addition to providing a contribution – together with the following chapters – to a profound understanding of the sector, which will serve as a guide for the legal analysis and for any other aspect that will be dealt with in this work, this chapter endeavours to provide an early indication of the interests at stake and for whose direct benefit consumer credit reporting systems are provided. Even in this case, such an evaluation will prove useful later in this study, becoming a central theme every time that conflicting interests are identified. In this latter attempt, this chapter should be read as a beginning that complements the findings and considerations of the next two chapters, that all together will provide the whole picture of the diverse interests of the different actors involved, offering a view as to what extent these coincide or are conflicting and, in this latter case, which one should prevail over the other.

Consumer credit reporting and Credit Reference Agencies CRAs are independent private sector organisations that collect a variety of financial information on individuals. They compile and manage databases on consumers’ financial transactions, borrowings, payment behaviour and other aspects of household finances. This information, together with information from other sources, is disseminated to third-party lender organisations.

10

Law and Consumer Credit Information in the EC

In the context of credit granted to consumers and the underlying information, the term ‘lender’ has a very broad significance. It may be defined as any organisation that can provide credit facilities to consumers in the form of loans, mortgages, hire purchase, supply of goods and/or services billed upon use, etc. They include, for example: banks, building societies, finance houses, leasing and other retail credit companies, telecom and internet service providers, high street retailers, credit card issuers, the home shopping sector, utility companies, estate agents, etc; in short, any legal persons that advance resources to natural persons that will be (re)paid at a later stage. CRAs, in turn, have evolved as organisations providing informationsharing devices in the financial system in order to meet the problem of asymmetrical information between borrowers and lenders. By providing rapid access to standardised information on potential borrowers, they represent the response to the demands for such data from banks and other financial intermediaries. Nowadays, as a result, CRAs represent a very important tool for the assessment of risk management at the decision-making stage of granting credit to consumers, thus becoming one decisive element in such a process. Typically, the process of granting credit begins when a potential customer approaches a credit provider and applies for credit or a service/goods to be paid at a later stage. In the event that the latter agrees to enter the credit agreement, then, such a relationship ends when the last statement of the credit line is paid back in accordance with the same agreement or, in the worst case scenario, when the credit is irrecoverable and/or disregarded following a debt recovery proceeding and a judicial procedure, or the judicial declaration of insolvency of the borrower. The recourse to debt collection procedures and legal actions, however, does not guarantee to lenders the recovery of the debt and, in any event, they are considered an instrument of last resort, as they are perceived to be both costly and time-consuming.1 Thus, risk assessment and applicant screening have become particularly important for the consumer credit industry, which has to deal with a large number of small-sum (often unsecured) credit lines. It is widely agreed, in fact, that in this sector, profitability is only achieved by minimising the risk while ensuring that a sizeable volume of credit lines is granted. Hence, credit grantors consider information about borrowers vital for their risk-assessment purposes.2 Usually, when lenders evaluate borrowers to determine their creditworthiness for credit-risk assessment and management, they interview the applicants and ask them directly for personal information together with the relevant supporting documents. At the same time, they seek and gather information from their own database developed through years of experience and business

1 San José Riestra (2002), 4. 2 Ibid, 3.

Consumer credit reporting in the economy

11

practice in the credit market. Such a source of information, however, is incomplete as it covers a lender’s own past and present customers, but it does not contain data about the same customers’ past and/or present relationship with other institutions nor, what is even worse from the lender’s point of view, information about new (potential) customers and their past and/or present relationship with other providers. Thus, CRAs have emerged and developed in the past few decades in order to supplement comprehensive information about potential new customers. This information is now made available to lenders by CRAs which, thanks also to the development of increasingly sophisticated information technologies, have become decisive active players in the credit market. One of the most important and distinctive features of making loans is that lenders’ consultation of CRAs’ databases, prior to the underwriting of credit, is voluntary and not mandated by law. Also, it must be noted from the outset that the term ‘agency’ (when reference is made to Credit Reference Agencies) or ‘bureau’ (when the locution Credit Bureau is used) are misleading historical ones that have attained the force of custom. In fact, although the terms may suggest a publicly supervised information system, in most cases these organisations are private profitseeking companies that are no more controlled, monitored, or influenced by state-controlled organisations or other public bodies than any other privately owned organisation or business. Nor are they accountable to public bodies, central banks, or other financial service regulators (as the case may be). Hence, from the above, CRAs may be better described concisely as private profit-seeking companies that provide services to lenders compiling databases that the latter can access to help them in evaluating a (potential) consumer’s credit application, ultimately sharing information within the industry about consumer borrowers.3 They provide information to potential lenders about an applicant’s credit records, producing a so-called ‘credit report’ that contains details of the payment and credit history of an individual, his/her financial accounts and the way these have been managed, as well as other information of interest to the credit industry.4 The consumer’s credit data, collected and processed by CRAs, are supplied to the agencies by the lenders themselves, and this builds the CRAs’ databases of information about their customers.

3 In the United Kingdom, for example, of the Consumer Credit Act 1974, s 145(8) defines a Credit Reference Agency as ‘a person carrying on a business comprising the furnishing of persons with information relevant to the financial standing of individuals, being information collected by the agency for that purpose’. 4 A ‘credit report’ is defined as a ‘record or file used by a prospective lender or employer that chronicles the credit standing of a prospective borrower. It is used to help determine creditworthiness of the potential borrower’. See Equifax, Official website, available at http:// www.equifax.co.uk.

12

Law and Consumer Credit Information in the EC

It is relevant to specify that CRAs often claim that the information is supplied by the lenders on a reciprocal basis, i.e. the lenders are able to access the databases only if they contribute to it for the benefit of all the other contributing member lenders.5 However, this mechanism – based on what has been called the ‘reciprocity principle’ – relies on agreements between private parties and there is no ad hoc cogent law or regulation in place to date. As it has been reported in recent years, in fact, a number of lenders themselves have become concerned that such arrangements on ‘reciprocity’ are gradually breaking down. There is considerable doubt concerning the different interpretations of what exactly would constitute the ‘reciprocal supply and use of data’, since personal data are now processed, communicated, and analysed with sophistication that no one imagined when data sharing schemes were first established 25 to 30 years ago.6 The technological change and growth in the number and range of techniques used today, as well as the secondary uses associated with credit reference data, such as consumer risk scoring (including behavioural and sociological customer scoring), loan or mortgage rating, risk screening, monitoring, propensity modelling, debtor tracking and support to debt collection, were not in place when the industry first began to consider data sharing as a valuable instrument built for lending purposes.7 All such uses make it difficult to conceive a contribution of data by lenders on a reciprocal basis every time they take advantage of the information supplied. Finally, it may be worth noting that it is not always easy to draw the line and make a distinction between the use of consumers’ data for actual credit risk management and their use for marketing purposes, nor is there a law or regulation specifically designed to restrict new business sectors or government agencies as potential future data users and suppliers as client members of CRAs. All these examples, in the end, make the real application of the reciprocity principle unlikely, or at least show the conflicting interests of CRAs in abiding by it rigidly.8

The rationale for consumer credit reporting systems The financial industry and the economic literature claim specific justifications for credit reporting systems and their consequent use.

5 Experian, Official Website, available at http://www.experian.co.uk; Equifax, cit at 4; CallCredit, Official Website, available at http://www.callcredit.co.uk. 6 Hurst (1998). 7 For the secondary uses of consumer credit data see section ‘The trends: secondary uses of credit reference data’ below (p 19). 8 For a more detailed discussion about marketing and other third parties using consumer credit data see further below in this chapter, p. 19.

Consumer credit reporting in the economy

13

(a) As mentioned above, the principal use of the CRAs databases is for the assessment of the creditworthiness of credit applicants. CRAs are meant to provide the credit industry and the market with organised information on the performance of borrowers. They gather information on the payment history and accounts of borrowers, and issue a credit report prior to the underwriting of a borrowing or the supply of goods and/or services that would be paid at a later stage. In this respect, CRAs persistently assert that they do not hold blacklists, nor do they provide any opinion about whether or not an applicant should be given credit. They believe that in these circumstances they cannot be held responsible for rejections, as they do not make lending decisions.9 Whether this latter point complies with the positive law is questionable, and will be discussed in detail later in this work. However, what already emerges strikingly here is the contestable nature of the activities of CRAs, which by disowning any responsibility vis-à-vis borrowers are the first ones to acknowledge the limits of their own authority. In this way, they consider themselves simple information providers assuming a role close to that of investigators acting for lenders, and exclude from the start the existence of any market function in the public interest. Accordingly, CRAs are often cited as providing instruments and services in the evaluation of the creditworthiness of an individual applicant and his/ her ability to repay the debt. Credit reporting systems, therefore, provide lenders with credit management tools helping them to master and manage their own business risk, as well as to set loan terms according to the level of risk of the individual borrower as determined by his/her credit history and accounts.10 (b) As this work will report in more detail later in the review of the literature on the subject, economic theory has long stressed the importance of information in credit markets. Theorists have devoted a large body of analytical studies aimed at demonstrating that asymmetric information between borrowers and lenders poses problems of bad debts, moral hazard, and adverse selection.11

9 UK Information Commissioner’s Office, ‘No Credit?’, available at http:// www.informationcommissioner.gov.uk/cms/document/uploads/common%20complaints%20 about%credit%20reference%20file%20information.pdf on 09/08/05; see also the statements of all major European CRAs, for example Equifax, available at http://www. econsumer.equifax.co.uk/consumer/ukforward/ehtml?forward=credu_crscores; Experian, cit at 5; CallCredit, cit at 5; CRIF, Official Website, available at http://www.crif.com. See also ‘Credit explained’ available at http://www.ico.gov.uk/upload/documents/library/data_ protection/practical_application/credit_explained_leaflet_2005.pdf, on 23 January 2008. 10 San José Riestra (2002), 1; Miller (2003a), 2. See also Miller (2003b), 25–79. 11 Stiglitz and Weiss (1981); Berger and Udell (1995).

14

Law and Consumer Credit Information in the EC

In summary, the theory suggests that a lack of information on borrowers can prevent the efficient allocation of credit in a market, and that one way in which lenders can improve their knowledge of borrowers is through their observation of clients over time.12 A study commissioned and published by the World Bank stresses that: since one of the best predictors of future behaviour is past behaviour, data on how a potential borrower has met obligations in the past enables lenders to more accurately evaluate credit risk, easing adverse selection problems. At the same time, credit reports strengthen borrower discipline and reduce moral hazard, since late or nonpayment with one institution can result in sanctions by many others. . . . A borrower’s ‘good name’ (reputation collateral) provides an incentive to meet commitments much the same way as does a pledge of physical collateral, thus reducing moral hazard.13 As the theory goes on, CRAs play a pivotal role as a borrowers’ discipline device as the latter would know that a default in repayment compromises their reputation with all the other potential lenders on the market, resulting in credit with more costly terms or by cutting them off from credit entirely.14 Although lenders lose the exclusivity of data in terms of competition, they would ultimately gain by sharing information as this accumulation of data enables them to distinguish the good borrowers from the bad ones. Information sharing would make it easier to predict with a certain degree of confidence the future payment behaviour of applicants, allowing lenders to attract good borrowers and offering them better terms and conditions, thus promoting market competition that could ultimately result in benefits to consumers.15 Thus, according to the economic literature, the adverse selection problem indicates that should lenders fail to distinguish the good borrowers from the bad ones, all accepted borrowers would be charged an average interest rate that mirrors their pooled experience.16 Therefore, the distinction between good borrowers and bad ones allows lenders on the one hand to offer more advantageous prices to lower-risk borrowers (i.e. those with an immaculate or good credit history) while, on the other hand, higher-risk borrowers are offered higher interest rates or can be rationed out of the market because of the lenders’ unwillingness to offer these borrowers accommodating rates or any credit at all.17 12 Stiglitz and Weiss (1981); Berger and Udell (1995). 13 Miller (2003a), 2. See also Miller (2003b). 14 Jappelli and Pagano (2002); Diamond (1991); Admati and Pfleiderer (2000). See also Jappelli and Pagano (2006). 15 Ibid. 16 Alary and Gollier (2001). 17 Barron and Staten (2000), also in Miller (2003c), 273–310.

Consumer credit reporting in the economy

15

(c) Credit reporting systems are valued as instrumental tools in expanding the breadth and depth of financial markets and in strengthening the financial system. They are reportedly said to: (i) reduce transaction and loan processing costs and the time required to process applications; (ii) improve the lenders’ client portfolio quality by monitoring it and identifying potential problems; (iii) provide cost-efficient standardised and objective criteria for credit analysis; (iv) increase competition in the sector: credit data would promote transparency and reduce the information advantage that a lender has over its existing clients, which in turn could lead both to lower prices offered to consumers and greater access to credit; (v) facilitate distant transactions (for instance, e-finance or internet transactions and banking); (vi) provide opportunities for new financial products to consumers and enable lenders to serve consumers who would be otherwise underserved or ignored (for example, low-income consumers). This, in turn, results in the development and sale of new products, and accurate tailored pricing, targeting and marketing, which ultimately contributes to the lenders’ profitability.18 Ultimately, thus, access to up-to-date, accurate and instant information on potential borrower customers makes it easier and more cost efficient to assess and manage risk, reducing the engagement in bad business and resulting in improved client portfolio quality and profitability.19

What information is collected, processed and disclosed to third parties? The detail of the source and type of information collected and disseminated by CRAs varies from country to country. In general terms, however, it may be synthesised that CRAs store, process, and disseminate consumers’ files containing data on their previous and existing accounts, which normally include detailed information about mortgages, bank accounts, store cards, charge cards, credit cards, loan accounts, and in many jurisdictions even mail order accounts as well as telecom and other utilities accounts. Each file usually contains the name of the borrower, his/her date of birth, current address, previous addresses if any, linked addresses, marital

18 Calari (Vice President, World Bank) (2003), vii; Miller (2003a), 1–2. 19 Ibid.

16

Law and Consumer Credit Information in the EC

and employment status, number of accounts, amounts, types, stage (loan under approval, withdrawn, denied) and terms of the accounts, amount of monthly instalments, amount of residual instalments, historical data, number of defaults, amount of arrears, name of granting institutions, payment history (both regulars and in default), dates. In addition, information relating to people that have a financial relationship with him/her is usually included.20 Each personal file, then, has status codes assigned to it by the lender, showing whether it is up to date, in arrears, by how much in arrears, if the account is in default and how many times the repayment has been late. Closed accounts show the status codes for a variable amount of time prior to closure.21 A survey carried out by the World Bank indicates that a large majority of CRAs worldwide also collect information on taxpayer IDs (75 per cent), loan rating data (70 per cent), and type and value of collateral used to secure loans (around 50 per cent).22 In many cases, there is also a record of the searches on the consumer’s credit files, including the dates and the reason for the search, together with the identity of organisations that have accessed or amended the file. As CRAs rely on the voluntary provision of data by their client members, they also rely on the reporting lending institutions to voluntarily review and correct erroneous data. In addition, CRAs usually independently collect and make use of ‘public record information’ obtainable by law from public sources to integrate each consumer’s file. Such information usually includes data from the following sources: (i) the electoral or voters’ roll, as well as other national directories (which are used to match the address on it with the address provided in the current and previous applications, thus verifying in addition how long the applicant has lived at a given address); (ii) National or county court judgements or decrees (as the case may be) entered for sums of money in the courts, or other competent authorities in the relevant country – in most cases CRAs are informed about judgements as soon as they are entered by the courts; (iii) bankruptcies; (iv) court administration orders.23

20 Credit Report, Equifax, at http://www.econsumer.equifax.co.uk/consumer/ukforeward .ehtml?forward=sp_cr_on, 10 March 2005. See also credit reports from Experian, cit at 5; CallCredit, cit at 5; CRIF, cit at 9. 21 Ibid. In the UK, for example, such amount of time extends up to three years. 22 Miller (2003b), 43. 23 Credit Report, Equifax, cit at 4. See also UK Information Commissioner’s Office, ‘No Credit?’, cit at 9.

Consumer credit reporting in the economy

17

Thus, the CRAs’ databases, integrated with such publicly available information and additional private data from other sources provided by other organisations (which vary according to the country in which they operate), compile additional information referring to an individual forming a single file.24 It has to be additionally pointed out that in some European jurisdictions, CRAs’ databases may also contain in the file of an individual information about one or more persons other than the relevant individual. The circumstances in which information about another person(s) may appear on someone’s credit reference file relate to situations where: (i) the name(s) is(are) the same or similar and the address is the same; (ii) the CRA knows beforehand that such other person’s/people’s information applies to such individual; (iii) those other person(s) has(have) the same surname as such individual and they have been living at the same time either at the current or at any other previous address contained in such individual’s file (this aggregate information enables CRAs to include information on the applicant about family members and their payment history).25 It is worthy of note that it is the duty of the individual to request the CRAs to create a dissociation eventually, if a financial connection does not in fact exist.26 By way of example, the sophistication of today’s information systems has made available to lenders functionalities that provide them with summarised

24 In the UK, for example, information is also provided to CRAs by the Council of Mortgage Lenders’ Repossession Register, which shows whether an individual has had a property repossessed or has given it up voluntarily. Moreover, credit reports may also contain data from the Credit Industry Fraud Avoidance System (CIFAS), which contains information regarding situations which occur when a fraud has been previously detected or it has been attempted. It allows member organisations to exchange details of applications for products or services which are believed to be fraudulent because the information provided by the applicant fails the verification checks (it should be stressed that the information filed may not directly relate to the individual concerned but could indicate that someone else has tried to impersonate him). It is also common to include in the databases information from Gone Away Information Network (GAIN) that contains details of individuals who have moved home leaving behind debts without notifying a forwarding address. See, for example, Credit Report, Equifax, cit at 4. 25 See for example in the UK Callcredit, Consumer Credit Referencing, Compliance Area, ‘Third Party Data (TPD)’, http://callcredit.plc.uk/corporate_scripts/compliance_tpd.asp. See also UK Information Commissioner’s Office, ‘Credit Reference File Info: Common Complaints: Feb. 2000’, available at http://www.informationcommissioner.gov.uk/cms/document/ uploads/common%20complaints%20about%credit%20reference%20file%20information.pdf, on 10 April 2005. 26 Information Commissioner’s Office, ‘Credit Reference File Info: Common Complaints: Feb. 2000’, cit at 25.

18

Law and Consumer Credit Information in the EC

data relating to the same family individuals or aliases who live, or have lived, at the same address declared by the applicant. These databases are normally utilised when a lender has minimal information on the applicant upon which to base the lending decision.27 Information about transient associations (a temporary association between two individuals, for example two students who purchase goods together while at university) may also be in place. To this end, there is a flag in the individual file, which indicates the transient association and, if selected, details of the credit agreement will appear on the applicants’ credit reports individually (although an association will not be created).28 An important distinction to be drawn when referring to the type of data collected and distributed by CRAs is the one between the so-called ‘black’ information and ‘white’ information. ‘Black’ information usually refers to negative consumer data, (information about defaults on payments, delays, delinquencies, bankruptcies, etc). That is, information with a negative connotation on the payment history and the financial behaviour of the data subject. ‘White’ information, by contrast, refers to positive consumer data, i.e. information about the financial standing, payments and other details that do not indicate a default or a late payment. Attempts have also been made to classify ‘off-white’ or ‘grey’ information, which would refer to data on accounts that demonstrate some signs of problems, but have not yet proceeded to the state of being ‘black’, i.e. accounts that are in acceptable time arrears with no warning to the customer being yet issued by the lender.29 All such files, whatever distinction is made and however they are assembled according to the practice in each country, are then made available in the form of a credit report, which is provided to the (potential) lenders for a fee paid to the one or more CRAs that they have decided to interrogate each time someone applies for credit or hire purchase. It has to be added, finally, that CRAs are progressively lobbying for further

27 For instance, CallCredit, a CRA in the UK, reports that if the applicant opts in, information will be returned on same family individuals regardless of whether or not a financial association exists between them and the applicant. Unfortunately, no mention is made about the other family individual being informed and if he/she has provided consent – arguably a very unlikely circumstance. In that latter unlikely event, it would be interesting to see what would be the consequences if such other family individual refuses to provide his/her consent. See Callcredit, Consumer Credit Referencing, Compliance Area, ‘Household Override (HHO)’, http://callcredit.plc.uk/corporate_scripts/compliance_tpd.asp on 10 April 2005. 28 Even under the latter circumstance, no reference is made about the other individual being informed and if he/she has provided his/her consent. See Callcredit, Consumer Credit Referencing, Compliance Area, ‘Transient Associations’, http://callcredit.plc.uk/corporate _scripts/compliance_tpd.asp on 10 April 2005. 29 Howells (1995), 343–359, 344.

Consumer credit reporting in the economy

19

information to be made available, so that ever-increasing amounts of data can be brought into play in lending decisions.30

The trends: secondary uses of credit reference data So far, this work has listed the stated functions and uses relating to what is generally accepted as the core activity conducted by CRAs. As reported, the principal use and function of the CRAs’ databases is to assess the creditworthiness of credit applicants, to create borrowers’ reputation collateral, and to enhance credit risk management. It should be taken into consideration, however, that CRAs take decisive advantage of their ability to provide first-hand information and knowledge by offering additional services to the industry. Such additional services include, among others, credit scoring services (which include scorecard design, development, set-up, analysis and training), consulting, application processing, small business information reports, market and consumer research, debt collection, and marketing services.31 All these services involve the use of credit report data as the basis for their provision. The following are just examples to highlight the increasing trends in the use of CRAs’ databases: (a) Credit scoring CRAs are normally the providers of credit scoring systems to lenders. Credit scoring models, otherwise also known as ‘Scorecards’, may be described as mathematical algorithms or statistical programmes that determine the probable repayments of debts by consumers, thus assigning a score to an individual based on the information processed from a number of data sources and categorising credit applicants according to risk classes. New technological advances have made it possible for lenders to make extensive use of sophisticated credit scoring techniques. Until recently, the decision to grant credit to a particular applicant has traditionally been taken using human judgement to assess the risk of default. Most, if not all, lenders, however, nowadays use credit scoring systems, which give points to various pieces of information on the customer’s application form, such as age, job, income level, marital status, etc, as well as historical data taken from the credit records processed by the CRAs.32 Such practices

30 Bradford (2004), 11; Guardian (30 July 2005). 31 Experian, cit at 5; Equifax, cit at 4; Callcredit, cit at 5; CRIF, cit at 9. 32 The example put forward by the Information Commissioner’s Office explains that ‘if the lenders’ experience has led them to believe that those over 40 are more likely to pay on time than those under 25, the points given will reflect this’. See Information Commissioner’s Office, ‘No Credit?’, cit at 9.

20

Law and Consumer Credit Information in the EC

have developed to the point that a study published by the European Credit Research Institute (ECRI) and the Centre for European Policy Studies (CEPS) affirms that ‘currently, some countries rely more on automated credit-granting systems than on the information supplied by the applicant’.33 It is widely accepted by lenders, in fact, that scoring (potential) customers helps them to predict whether the applicant is an acceptable risk, i.e. credit is normally granted if the score is above the lender’s pass mark, while if the score is below such threshold the applicant is more likely to be turned down (although the credit score that lenders give to the applicant will not form part of the files that the CRAs keep about the data subjects).34 According to L.C. Thomas, credit scoring is simply a classification issue, where lenders use data on previous applicants to determine the features that are useful in predicting whether an individual is or will be a ‘good’ or a ‘bad’ risk.35 Scorecards are typically constructed making use of a diverse range of statistical techniques. Hand and Henley firstly explained that the most commonly used techniques for building scorecards rely on (i) ‘linear probability models’, (ii) ‘logits’, (iii) ‘probits’, and (iv) ‘discriminant analysis’.36 In a subsequent study, Bridges and Disney offer a clarification of the above mentioned techniques; according to the authors: the first three techniques use historical data on credit performance and the characteristics of the borrower to estimate the probability of default. These results are then used to calculate the predicted probability of default for each new applicant. Discriminant analysis differs in that instead of estimating a borrower’s probability of default, it divides borrowers into high and low default-risk classes.37 A newer method of scoring is beginning to be used in the decision-making process. It is based on neural networks consisting of the use of sophisticated technologies and artificial intelligence techniques applied to the modelling of the human brain, the idea of neurons as its building blocks, and the simulation of the way neurons work in the human brain.38 The most important feature of neural networks is their ability to learn. Just like human brains, neural networks can learn by samples and dynamically modify themselves to fit the data presented. Moreover, neural models are able to learn from distorted or incomplete sample data.39

33 34 35 36 37 38 39

San José Riestra (2002), 4. Information Commissioner’s Office, ‘No Credit?’, cit at 9; Warwood (1995). Thomas (2000). Hand and Henley (1997). Bridges and Disney (2001). Ibid; see also Handzic et al (2003), 98–109; Yobas and Crook (2000). Ibid.

Consumer credit reporting in the economy

21

The second most important feature besides learning is that of being capable of generalisation, which is intended as the neural network producing standardised output results for data inputs that were not encountered during training.40 Worryingly, the development of credit scoring techniques is based on the assumption that ‘humans are not good at evaluating loan applications’.41 Scientific literature on the subject widely believes that the reasons for such poor judgemental human capabilities are said to be (i) the large grey area where the decision is up to the officers (cases not immediately obvious for decision making), (ii) humans being prone to bias, for instance in the presence of a physical or emotional condition that may affect the decision-making process, (iii) personal acquaintances with applicants distorting the decisionmaking process, (iv) the difficulty for humans of discovering useful relationships or patterns from data and the knowledge hidden in the same data. Whatever the scoring model used, the lender then decides – in consultation with the service-providing CRA – on a cut-off threshold in line with its acceptable risk level.42 San José Riestra’s ECRI Research Report provides a clear example – reproduced in Table 1.1 below – of a typical scorecard assessment, whereby . . . the fixed cut-off point is the level on the scale of credit scores that corresponds to a particular credit risk, average marginal revenue and average credit loss, below which the credit product in question would generate a financial loss. Based on the degree of risk that it is willing to Table 1.1 Risk of default according to credit scoring Scores

Probability of default*

9 8 7 6 5 4 3 2 1

0.03 to 0.07% 0.09 to 0.3% 0.3 to 1.0% 1.0 to 3.0% 2.0 to 5.0% 3.0 to 7.0% 4.5 to 10.0% 6.0 to 13.0% 7.5 to 17.0%

* Random figures for the example. Source: San José Riestra (2002).

40 Bridges and Disney (2001). 41 Handzic et al (203), 98. 42 Ibid. See also Glorfeld and Hardgrave (1996); Malhorta and Malhorta (2001), at http:// www.efmaefm.org/MalhortaDavinder/MalhortaDavinder1.pdf on 20 July 2005; Bigus (1996); Desai et al (1997).

22

Law and Consumer Credit Information in the EC accept, the credit institution fixes the cut-off level (i.e. companies that might decide not to grant credit for scores lower than 4 will assume a maximum risk of 7%).43

The scores given to an individual may depend upon many factors in his/her personal data. It should be noted from the outset, in fact, that the type of information that can be used to build a Scorecard is not subject to legislation, save for a few exceptions.44 The most obvious example of factors assigning a score to an applicant would relate to such a person’s credit history coupled with other information such as job, time in job, income, financial assets, etc. Interestingly, however, other less obvious elements come into play, such as, for example, the number of changes of address in addition to other account records. In fact, the more times someone changes address, no matter the reason(s), the more it may be likely to lead to a lower score as it is believed that it could signal that the applicant might be unreliable and a high risk.45 Another controversial example of the use of scoring techniques provided by CRAs and used by lenders is represented by assigning points that predict fraud risk to the type of house (owned or rented) by a data subject, as well as the postcode data where the property is located.46 Also an individual’s application for several cards or loans in a short period of time is likely to result in a reduced score.47 Although credit-scoring systems have traditionally been used to predict risk, they are also more and more widely used to assess affordability. In the words of a spokesman of a major multinational CRA, ‘although a prospective borrower may have a range of existing credit facilities all of which are being paid on time, he/she may be so heavily committed that one more facility may result in that individual becoming over-indebted across his/her total borrowings’.48 A study carried out in the year 2002 by the UK Economic and Social Research Council confirms that each adult resident in the UK and the United States is subject to a credit-scoring process at least once a month on average.49 A recent trend practised by most lenders, for example, is the one of scoring their existing customers every month, thus ensuring that they are one of the 43 San José Riestra (2002), 4. 44 For example, in the UK the 1995 Sex Discrimination Act and the 1976 Race Relations Act make it illegal to discriminate on grounds of gender and race in the process of granting credit. A detailed analysis of the relevant data protection legislation and the way it affects credit reporting and scoring will be further developed in Chapters 4, 5 and 6. 45 Warwood (1995), 4; Guardian – Jobs & Money (30 October 2004); see also Equifax, cit at 4. 46 Wilson and Lund (2004); Foss and Bond (2005), 10–23. 47 ‘How Private is My Credit Report’, Privacy Rights Clearinghouse, available at http:// www.privacyrights.org/fs/fs6-crdt.htm on 20 July 2005. 48 Bradford (2004), 11. 49 Economic and Social Research Council (2002).

Consumer credit reporting in the economy

23

first lenders to contact the customers when an early delinquency sets in, not only to renegotiate the repayment but also to better secure the credit and limit exposure.50 (b) Over-indebtedness A further reason for the credit industry’s interest in CRAs is that with their extensive detailed collection of personal data and their ability to share this information, they are considered to provide useful services in the fight against increasing over-indebtedness of borrowing individuals. Over-indebtedness, which should be kept distinct from the legal term of ‘insolvency’ or ‘bankruptcy’, is a very difficult and elusive concept to define. The expression has been given a number of meanings throughout Europe, but its real significance has not been definitively identified, although a number of models have been employed based on objective meters, subjective ones, or a combination of both.51 Nevertheless, it is true that despite failures to find commonly accepted ways of measurement, all studies point to some manifestation of individual financial difficulty and consumer vulnerability to unmanageable debt: an overall deterioration of their [consumers’] and their dependants’ economic situation and will gradually lead to social exclusion, higher cost of living (‘the poor pay more’) and less participation in overall economic development and social progress [emphasis added].52 However, how CRAs could provide a response to a phenomenon that is so hard to define and measure is difficult to conceive. They believe that by sharing information, lenders are able to identify those actual and potential borrowers who, although they fall within the definition of ‘good borrowers’, are already over-committed. In policy terms, the use of credit-reporting 50 Lund (2004). 51 Kempson – who was commissioned by the British Department of Trade and Industry to analyse data with regard to the distribution of consumer borrowing across households, the extent of financial difficulties, and any connection between this and lending practices – concludes that with reference to the meaning of over-indebtedness ‘although it is widely used, there is no generally agreed definition. Indeed, various commentators have interpreted it in quite different ways’: Kempson (2002). The same conclusion has been reached by other publications. See for example DTI (2003); DTI (2005). At European level, research into the phenomenon was seen as a priority as early as 1992 although no policy measures have been implemented since. The European Economic and Social Committee describes overindebtedness as ‘a phenomenon with social, economic, financial, legal (civil and procedural) and . . . political aspects, all of which merit being tackled at Community level’ and acknowledges that no single definition exists. See European Economic and Social Committee (2002). See also European Credit Research Institute (2006). 52 Reifner et al (2003). It is important to note that high levels of debt alone do not necessarily translate into repayment difficulties, whether measured subjectively or objectively. See Jentzsch and San José Riestra (2006).

24

Law and Consumer Credit Information in the EC

systems would underpin lending decisions and confer on the credit industry the tools for responsible lending policies, protecting individuals from running up significant borrowings beyond their means.53 Likewise, despite flaws, when looking at any examination of the problem, consumer protection groups currently agree that full data sharing could represent the way forward to stem the problems of consumer over-commitment by hampering responsible lending practices.54 (c) Marketing Most large organisations now use credit reference data at the marketing stage to screen out prospective customers who have significant levels of defaulted accounts with other lenders.55 As consumers increasingly spread their financial relationships to more than one supplier, most lenders use credit information to assess the risk of new customers and to help decide what products and facilities to offer them. Such segmentation, which could also be used in conjunction with scoring devices, standardises and categorises individual customers according to past behaviour, allowing credit providers to market their products and services accordingly. A recent trend, for instance, is that of setting up businesses whose core activity is that of lending at higher rates to borrowers with poor credit records, also known as ‘subprime lending’.56 (d) Fraud prevention Fraud prevention at the point of credit application is a further recent function of CRAs. Consumer credit data, in fact, can be used alongside the application processing systems to compare a current credit application with previous ones over a number of years by matching the application details. Thus, it would be possible to look for discrepancies and detect omissions, the data an applicant would like not to disclose, or inaccurate or untrue details within the applicant’s history. Similarly, these databases would be used to detect multiple applications in the applicant’s name within the same timeframe, or the use by the applicant of different names for the same banking details or other patterns of (alleged) fraudulent behaviour.57 53 San José Riestra (2002); Bradford (2004); Ironfield-Smith et al (2005). 54 See, for example, House of Commons Treasury Committee (2005); Codacons, ‘Protocollo d’intesa tra Codacons e CRIF’, available at http://www.codacons.it/privacy/pics/ Protocollo_FRODI_CODACONS_CRIF.pdf. 55 Ibid. 56 Ibid. According to The Economist, ‘When the tide goes out’ (24–30 March 2007), 36, interest rates on such loans are usually at least 50% higher than those charged to lenders’ best customers. See also The Economist, ‘The trouble with the housing market’ (24–30 March 2007), 11; The Economist, ‘Cracks in the facade’ (24–30 March 2007), 87–89. 57 Warwood (1995), 4.

Consumer credit reporting in the economy

25

(e) Identity verification of credit applicants Today, the use of the databases of CRAs and highly technological information systems has practical advantages for lenders in the process of verifying people’s identities. Traditionally, undertaking the identity check of an applicant has involved lenders requiring individuals to produce documentary evidence, such as a passport, an identity card (in those countries where ID cards exist), a driving licence, or in countries like the United Kingdom, even a utility bill. Such documents were then examined by a lender’s officer in order to establish that they were genuine and that they related to the individual making the application. Officers, finally, needed to take the evidence of the identity check by photocopying and filing the documents. Thus, in the light of the ease of forging paperwork documents and/or to obtaining real documents fraudulently, as well as the costs and time associated with the training of staff, lenders have currently opted for the electronic verification and the available technologies to identify their customers. Electronic information is now used either alongside paper evidence or, in same case, as a documentary replacement.58 The use of CRAs’ databases enables lenders to check on several sources, thus forming the so-called ‘electronic footprint’ of every individual, which is used to match against the personal data supplied by the applicant. The described verification system is also used for the following purposes of (f) the fight against identity theft, and (g) money laundering. (f) The fight against identity theft The crime of identity theft is on the rise and a growing number of cases have been reported around the world in recent years.59 Using a variety of methods, criminals steal personal data about pieces of individuals’ identities and accounts and use this information to impersonate their victims, spending as much money as possible in as short a time as they can before moving on to someone else’s name and identifying information or otherwise.60 There are two most commonly known types of identity theft: (1) ‘account

58 Molloy (2004), 1; Callcredit, at http://www.callcredit.co.uk/corporate_scripts/ compliance_money.asp on 11 July 2005; Experian, at http://www.experian.co.uk/corporate/ compliance/moneylaundering/index.html on 11 July 2005. 59 Swartz (2005). 60 See Federal Trade Commission, available at http://www.consumer.gov/idtheft on 21 July 2005; Federal Trade Commission, ‘Identity Theft Report Survey’ (September 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf on 21 July 2005; Research Group (2005); UK Home Office, ‘What is being done’ (2004), available at http:// www.identitytheft.org.uk/what-is-being-done.html.

26

Law and Consumer Credit Information in the EC

takeover’ occurs when the fraudster acquires someone else’s credit account information and purchases products and/or services using that person’s existing accounts. Victims normally learn of the account takeover when checking their account statements; (2) ‘application fraud’ occurs when the impostor uses someone else’s identifying information to open new accounts in that person’s name. In this case, victims usually do not learn of the fraud for some time as the account statements are normally mailed to addresses used by the identity thief and there is no record on the accounts effectively in use.61 Lenders, therefore, have to be increasingly vigilant and stringent in their proof of identity procedures. Thus, CRA databases are now widely used as real-time identity fraud detection and prevention automated tools, by matching key personal data provided on credit applications by real-time access into a range of powerful market-leading datasets, including directories and other independent data sources.62 The credit industry believes that the practice described above may prevent the ‘account takeover’ type of identity theft. In the fight against ‘application fraud’, by contrast, the use of credit reports requires the active involvement of customers. CRAs have seized the opportunity to develop a new business-to-consumers market by offering credit reports for a fee, thus allowing and encouraging individuals, who are motivated by their anxiety, to check their own report regularly and catch possible frauds committed in their name.63 It is not the scope of this work to assess the efficacy of credit reporting and the use of CRAs databases in the fight against identity theft and its variants. Besides, it should be noted that, generally, identity fraud victims do not suffer economic losses, which are borne by the financial institution. However, the victims are certainly left with negative information on their credit report and the resulting poor credit scores. These deceptive data may take months or years before being corrected allowing them to regain their financial reputation and standing. In the meantime, such victims have difficulties getting credit, purchasing products and/or services, and even getting employed.64 As a result, the victims of identity theft are often likely to be left suffering unjust prejudices, indirect damages and distress as they find little help from the positive law while they attempt to untie the web of the fraud and clear their name. In fact, there is no law that specifically regulates credit reporting

61 ‘Coping with Identity Theft: Reducing the Risk of Fraud’, Privacy Rights Clearinghouse (2003), available at http://www.privacyrights.org/fs/fs17-it.htm. 62 Experian, at http://www.experian.co.uk/business/products/data/227.html on 11 July 2005; Equifax, at http://www.equifax.co.uk/business_solutions/services/id_verification/index.html on 8 July 2005. 63 Ibid. See also Callcredit, at http://www.callcredit.co.uk/corporate_scripts/identity_theft.asp on 11 July 2005. 64 ‘Coping with Identity Theft: Reducing the Risk of Fraud’, cit at 61, ‘Strategic Play – Experian: Credit where it’s due, New Media Age (28 October 2004, London).

Consumer credit reporting in the economy

27

and credit scoring, setting the framework for and limits in their use, nor is there in place legislation to cope with the actual situation of identity fraud victims. (g) Money laundering In the legislative effort to tackle terrorism and other criminal organisations, the Third Money Laundering EC Directive (amending the Second Money Laundering Directive 200165 and the First Money Laundering Directive 199166) was adopted by the EC in May 2005 in response to the increasing need for the reduction of the financial arrangements of criminal activities and enhanced information-sharing provisions between financial intelligence units across borders.67 A key element of the anti-money laundering controls requires that the newly defined ‘relevant business’ establishes at the beginning of the relationship adequate customer identification procedures, either on consumers or individuals representing a legal person – and maintain a level of confidence that the identity is genuine throughout the lifetime of the relationship.68 CRAs currently provide methods of authenticating identities using electronic data. They validate identities by looking for evidence that an individual exists at a particular address within the vast array of data that they hold and by determining retrospectively the size of the so-called ‘electronic footprint’, thus assessing the level of confidence that the identity exists.69 (h) Governments tapping databases: the example of the United Kingdom In the last few years, Governments have started to make use of CRAs’ databases to overcome contingent situations, such as measures directed to tackle terrorism or other forms of organised crime (notwithstanding how controversial these remedies may seem to many), as well as to maximise the enforcement of, or give execution to, orders issued under the rule of law. Recently, for example, in the United Kingdom at least, it has been reported

65 66 67 68

2001/97/EC – OJ L 344, 5 July 2001, p 0076–0082 91/308/EEC – OJ L 166, 28 June 1991, p 0077–0083. COM (2004) 448 final. The revisited list of the types of business (previously defined in the First Directive as ‘relevant financial business’) to which such legislation is relevant includes banks, building societies and other credit institutions, individuals and firms engaging in regulated investment activities under the relevant national legislation, estate agents, casinos, insolvency practitioners, tax advisers, accountants, company auditors, those providing legal services involving participation in a financial or real property transaction, trust and company services providers, and life and investment related insurance intermediaries. 69 Callcredit, at http://www.callcredit.co.uk/corporate_scripts/compliance_money.asp on 11 July 2005; Experian at http://www.experian.co.uk/corporate/compliance/moneylaundering/ index.html on 11 July 2005.

28

Law and Consumer Credit Information in the EC

that in the attempt to thwart bogus applications for UK passports in an effort to fight terrorism, ‘the data sharing provisions of the draft identity cards bill are to allow the UK Passport Service to tap into the databases of CRAs and other commercial organisations’.70 Thus, the use of credit reference data in the United Kingdom will be a likely part of the new proposed national ID cards, and will be an integral element of ‘biographical footprint checking’ of applications. To this purpose, the UK Passport Service is already engaged in a data-sharing project with a CRA, the Home Office immigration and nationality department, the Department of Work and Pensions and the Driver and Vehicle Licensing Agency.71 Even the Department for Constitutional Affairs in the UK, which also has access to the UK Police National Computer to locate defaulters, has signed a contract to use the database of a CRA to track fine-dodgers. According to a recent report, magistrates will use the 500 million records kept by such CRA to pursue a total of £276m in unpaid court fines in England and Wales.72 (i) Other private transactions Finally, although CRAs are more closely associated with their role in supporting the consumer credit market, in many jurisdictions their use in the economy extends to other private transactions, such as commercial transactions, property rentals, telecom subscriptions, insurance contracts, and employment screening and monitoring. For example, employees’ private lives are increasingly monitored through the use of information held by CRAs (for instance to verify that they live where they declare to live, as well as to verify the data on their curriculum vitae/job application form or their creditworthiness, particularly if they work in the financial services sector).73

70 ‘Topic: Confidence and Data Protection – News and Views’, Privacy and Data Protection (11 March 2004). 71 Ibid. See also Secretary of State for the Home Department by Command of Her Majesty, ‘Legislation on Identity Cards, a Consultation’ (April 2004), available at http:// www.privacyinternational.org/issues/idcard/uk/id-card-draft-404.pdf, 21; Home Office, ‘Identity Cards Bill Regulatory Impact Assessment’, available at http:// www.homeofficeqsi.gov.uk; Molloy (2004). 72 ‘News’, New Law Journal (8 October 2004), 154. 73 In the UK, for example, the Information Commissioner simply advised that businesses should, in addition to providing the workers with the notice that checks are made on them, ensure that if CRAs are asked to provide such information on workers, the agencies must be told of the use to which the information will be put. See Singleton (2003); Leigh-Pollitt (2002); Rosen (2000); Experian, ‘Candidate Verifier’, at http://www.experian.co.uk/business/ products/data/5.html on 11 July 2005. For further information about monitoring in the workplace see the UK Information Commissioner Office, at http:// www.informationcommissioner.gov.uk and http://www.dataprotection.gov.uk/dpr/dpdoc.

Consumer credit reporting in the economy

29

(j) Expanding areas The use of CRAs is expanding further. For example, in the UK a CRA has recently delivered its findings to the Water Industry and Government bodies after conducting pioneering research into water indebtedness. As the company reports, with its comprehensive databases and expertise it ‘was able to help the water industry better understand and profile its own debtor data, building the foundation for future industry research and individual company debtor understanding’.74

Concluding remarks This chapter analysed the phenomenon of consumer credit reporting, with the view to understanding what it is, the reasons for its existence and the way it works. It described the various features of consumer credit informationsharing devices used by the credit industry as tools for credit risk management. It aimed at showing the mechanisms behind its design and how these address the problem for which it has been created. Not only will this be useful in understanding the phenomenon, in order to identify in the following chapters of this study the legal framework in which it operates, but it is also already proving crucial in recognising in whose interest it is used, arguably an important element for further legal analysis. The management of credit risk is an important determinant of the lender’s profitability. In order to minimise risk, consumer borrowers’ past financial behaviour is viewed by credit providers, both as a predictor of future capability and/or willingness to repay debts and as borrowers’ reputation collateral. The credit industry considers the sharing of consumers’ financial data via centralised databases powered by increasingly sophisticated information technologies as a means to improve the quality of credit, and make betterinformed decisions as to the right selection of borrowers and tailored pricing of financial products based on individual risk. In other words, however, it seems that by linking consumer surveillance to central record keeping, the credit industry archives market memory for its own future benefit. What appears particularly relevant for the study that will be carried out in the following chapters of this work, is that consumer credit reporting is not mandated by law or regulation prior to the advancement of credit to

74 Equifax, Press Room, ‘UK Water Industry Benefits from the Power of Equifax Data’, www.equifax.co.uk/our_company/press_room/2004/uk_water.html, on 10 March 2005. It is controversial to note that among the many findings, Equifax emphasised that younger customers were more likely to be debtors than older generations, and that many of the debtors had significant debts elsewhere. The research is also said to reveal that people who live alone are more likely to be debtors than couples.

30

Law and Consumer Credit Information in the EC

consumers, but is a commercial activity in itself carried out by private organisations that provide services for payment in the interest of lenders. Thus, consumer credit risk management in general, and the assessment of the creditworthiness of individual borrowers in particular, are carried out with the objective of maximising the profitability of lenders and shareholder value-added, and there is no public function.75 The general interest in the sector, by contrast, would be present if and to the extent that measures are required and adopted to safeguard the steadiness of the financial system. Indeed, if it is true that loan quality problems may be an important cause of bank failure, and thus for the stability of the whole financial system, this does not seem applicable to retail loan defaults. First of all, this chapter has observed that not all lenders are banks but many of them are commercial organisations doing business as any other commercial organisation. Secondly, at any rate, the number of incidents where retail loan defaults have had serious consequences for a bank is very low, such an occurrence happening only if a number of other factors are present, for example if a bank is overexposed in one area like mortgage lending and property prices collapse at the same time as interest rates rise.76 Banks, in addition, minimise the risk of failure through insurance, credit diversification, asset securitisation, and/or the use of credit derivatives, which are methods developed by the financial industry to reduce the risk exposure of a single organisation by transferring the risk of defaults to the financial markets at the same time creating investment opportunities, i.e. the risk is ultimately assumed by investors.77 The distinction between the supervision of the financial system in the public interest and the assessment of the creditworthiness of individuals for good business will be a central issue throughout this work and will be dealt with in more detail elsewhere. This chapter also aimed to highlight the increasing secondary uses of consumer financial data for purposes that, although related, are different and additional to those for which they were originally employed. This observation is relevant to the coming chapters, in that such further uses of credit reference data show that, in the absence of an appropriate legal framework, there exists almost limitless potential utilisation of CRAs’ databases and services, which – as it will be explained – represents a major cause of concern for consumers.

75 The issue whether consumer credit information systems could also be for the indirect benefit of consumers will be discussed in the next Chapter when reviewing the literature on the subject matter. 76 Hefferman (2005), Chapter 3. 77 Ibid, Chapter 2.

2

The lack of a legal perspective

Introduction As the previous Chapter has illustrated, CRAs have evolved in economic theory as organisations providing information-sharing devices in the financial system in order to meet the problem of asymmetrical information between borrowers and lenders. By making available rapid access to standardised information on potential borrowers, they represent the response to the demands of the market for this type of data, i.e. to the needs of banks and other financial intermediaries. Nowadays, there is hardly a country that does not have a credit information sharing system in place, whilst international organisations such as the World Bank are working to implement at least one in those few emerging economies that still do not have one.1 Such systems have integrated themselves thoroughly in the credit granting practices of Western economies, at times differing from country to country only in some minor aspects.2 The rapid development and sophistication of information systems and highly technological statistical models, coupled with increasing competition between lenders and issues of borrowers’ indebtedness, have made data sharing mechanisms in the credit market a topic of recent interest among academics in a number of disciplines. Thus, the purpose of this chapter is to identify and critically review the existing literature on this specific subject matter in order to better understand the pillars upon which it is based, with the definite objective to explore the extent to which lawyers have provided a legal analysis of such sophisticated systems vis-à-vis the positive law. In this attempt, this chapter ultimately investigates whether the legal community has considered consumer protection concerns, for example by addressing either the privacy or the discriminatory consequences of credit reporting, with a special interest and reference to the context of the EC.

1 See World Bank, http://www.doingbusiness.org/ExploreTopics/GettingCredit/. 2 As of 2003, CRAs operated in all OECD countries but France. See Djankov et al (2005), available at http://www.doingbusiness.org/documents/private!_credit_jan23.pdf.

32

Law and Consumer Credit Information in the EC

As this work will later demonstrate in depth, in fact, legal research seems particularly relevant today not only to give weight to the rights of consumers but also in view of a future single market for consumer credit.

Consumer credit reporting in the economic literature Economic theory has long stressed the importance of information in credit markets. The exchange of financial data and customers’ information sharing devices has been the subject of a large body of academic literature in economics. Theorists have long aimed to show that access to credit is essential for economic development and growth. To this purpose, the subject relating to the effects of asymmetric information and credit rationing in credit markets has been thoroughly analysed. The economic model pioneered by Akelof in 1970, who takes the used car market as an example, is often cited as the first economic study to recognise the issue of quality uncertainty, the importance of trust, and the role of asymmetric information in financial relationships.3 Jaffee and Russell followed in 1976 by prospecting in economic terms that there is a link between the issue of asymmetric information and the problem of credit rationing.4 However, the first generation of theoretical treatment of asymmetric information in credit markets was developed in 1981 by Stiglitz and Weiss, who used the small business credit market as the economic model to understand why is credit rationed.5 Their paper is today considered as incontrovertibly one of the most influential papers on adverse selection in credit markets and the economic basis for the existence and explanation of credit reporting. The findings of the study are best summarised by the authors’ own words: . . . Banks making loans are concerned about the interest rate they receive on the loan, and the riskiness of the loan. However, the interest rate a bank charges may itself affect the riskiness of the pool of loans by either: 1) sorting potential borrowers (the adverse selection effect); or 2) affecting the actions of borrowers (the incentive effect). Both effects derive directly from the residual imperfect information which is present in loan markets after banks have evaluated loan applications. . . . The adverse selection aspects of interest rates are a consequence of different borrowers having different probabilities of repaying their loan.

3 Akelof (1970). 4 Jaffee and Russell (1976). 5 Stiglitz and Weiss (1981).

The lack of a legal perspective

33

The expected return to the bank obviously depends on the probability of repayment, so the bank would like to be able to identify borrowers who are more likely to repay. It is difficult to identify ‘good borrowers’ and to do so requires the bank to use a variety of screening devices. The interest rate that an individual is willing to pay may act as one such screening device: those who are willing to pay high interest rates may, on average, be worse risk; they are willing to borrow at high interest rates because they perceive their probability of repaying the loan to be low. As the interest rate rises, the average ‘riskiness’ of those who borrow increases, possibly lowering the bank’s profits. Similarly as the interest rate and other term of the contract change, the behavior of the borrower is likely to change. For instance, raising the interest rate decreases the return on projects which succeed. . . . [H]igher interest rates induce firms to undertake projects with lower probability of success but higher payoffs when successful. In a world with perfect and costless information, the bank would stipulate precisely all the actions which the borrower could undertake (which might affect the return of the loan). However, the bank is not able to directly control all the actions of the borrower; therefore it will formulate the terms of the loan contract in a manner designed to induce the borrower to take actions which are in the interest of the bank, as well as to attract low-risk borrowers.6 Ultimately, the scholars suggest that the structure of the credit market determines the extent to which either lenders or borrowers benefit from greater transparency of information. While greater access to information should increase the quantity of lending, it may not necessarily reduce the price of loans, unless the credit market is competitive and information can be transferred between lending institutions.7 A second generation of economic literature incorporated these insights. For instance, while Diamond, Campbell and Kracaw – as well as Stiglitz and Weiss – suggest that information may be used for supporting profitable lending, at the same time they all advance the idea that financial intermediaries such as banks are institutions that specialise in the acquisition and dissemination of information – including data monitoring the repayment of loans and other transactions of their customers – thus performing the function of resource allocation in the economy.8 Again, Diamond, Petersen and Rajan – as Berger and Udell, and Peek and Rosengren – have all written about the way that lenders may improve their knowledge of borrowers through their direct observation of clients over time,

6 Stiglitz and Weiss (1981), 393–394. 7 Ibid. 8 Diamond (1984); Campbell and Kracaw (1991); Stiglitz and Weiss (1988), (1992).

34

Law and Consumer Credit Information in the EC

as well as the importance of information that has developed over the course of the banking relationship.9 Other economists have focused their work respectively on the implications of proprietary information for banking competition and on the importance of banks screening customers in order to increase the probability that borrowers do not default strategically.10 Using a pure adverse selection model, in 1993 Jappelli and Pagano analysed the factors that lead to endogenous communication between lenders in a credit market, and first introduced the use of information sharing among creditors via credit registries into economic models. The researchers claim that information sharing is more likely to occur when the mobility of households is high, borrowers are heterogeneous, the underlying credit market is large, and the cost of exchanging information is low. The authors also point out that when safe borrowers are priced out of the market because of adverse selection, information sharing leads to an increase in the volume of lending.11 The study concludes that: . . . lenders can overcome informational asymmetries by exchanging private information about potential borrowers. . . . The incentive to create credit bureaus is greatest, it is argued, where each lender is confronted by large numbers of customers on which it has no previous information, e.g. where borrowers are very mobile. The size of the credit market also increases the incentives to share information.12 Papers by Klein, Vercammen, and Padilla and Pagano offer other pertinent theoretical arguments to understanding the factors that may encourage the implementation of information sharing systems in the credit market. In particular, Klein developed an economic model derived from game theory to argue that credit reporting may act as a borrower discipline device.13 Vercammen, however, cautions that information-sharing mechanisms are not sustainable over time, as the more lenders learn about their borrowers, the more likely it is that the value of negative information is reduced, suggesting that a certain level of adverse selection is required in a credit market in order to give rise to borrower reputation incentives. The reasoning would be that, as credit histories lengthen, lenders become increasingly informed about the types of borrowers with whom they are dealing. The author explains that reputation effects would result most strongly when lenders are the most

9 Diamond (1991); Petersen and Rajan (1994); Berger and Udell (1995); Peek and Rosengren (1995). 10 Dell’Ariccia (2001); Marquez (2002); Khalil and Parigi (2001). 11 Pagano and Jappelli (1993). 12 Ibid, 1,713–1,714. 13 Klein (1992).

The lack of a legal perspective

35

uncertain about a borrower’s type, since it is at this point that the former are most willing to adjust their beliefs when new information is received. Ultimately, thus, Vercammen proposes that policies which restrict the flow of information from borrowers to lenders may be desirable from a social efficiency perspective because such policies would sustain reputation effects.14 Padilla and Pagano, for their part, insist that information sharing affects the lenders’ profits, because credit reporting increases borrower discipline, reducing defaults.15 In a later paper, the same authors focus on the type of information that would need to be shared, namely the relevance of the use of both positive and negative information versus negative information alone. They conclude that borrowers have greater incentive to avoid defaults if only negative information is exchanged.16 Looking at the topic from a different angle, McIntosh and Wydick have recently stated that the overall effect of data sharing and credit reporting systems can be decomposed into a screening effect on the one side, and an incentive effect on the other. Assuming a competitive credit market, the authors argue that credit reporting may improve credit access for the poorest borrowers, as information sharing would lower lenders’ costs through lower default rates, thus adding them to the institutions’ micro-lending portfolios.17 Still, due to the shortage of adequate data sets – which started to become available only by the end of the 1990s – empirical investigations proving the theoretical implications on the value of information sharing in credit markets are limited. It was not until 2002 that Jappelli and Pagano attempted to offer the first empirical work relating to the existence of credit reporting activities in approximately 40 countries around the world and their impacts at the economy-wide level, including volume of credit, price of credit, quality of credit portfolios, and access to credit. The scholars argue that the presence of private CRAs or public credit registries is normally associated with higher levels of lending and lower credit risk. They find no differential effect between private and public institutions on credit market performance, and suggest that public institutions are more likely to be established where creditor rights are poorly protected and there is no pre-existing private credit reporting firms, also indicating that the two may serve some of the same functions.18 Kallberg and Udell, using data from a private American business reporting company, have tested empirically the added value provided by mercantile

14 15 16 17 18

Vercammen (1995). Padilla and Pagano (1997). Padilla and Pagano (2000). McIntosh and Wydick (2004). Jappelli and Pagano (2002).

36

Law and Consumer Credit Information in the EC

reports to conclude that trade credit histories have substantially greater predictive power than data taken from financial statements alone.19 Also, Galindo and Miller analyse the extent to which credit reporting alleviates credit rationing to companies, indicating that they are less credit constrained when credit reports are available.20 Similarly, using cross-country firm level data, Love and Mylenko study the effect of credit reporting institutions on financing constraints, as they are perceived by a firm’s manager, and on the firm’s reliance on bank financing. They suggest that the existence of private credit reporting systems is associated with lower financing constraints and a higher share and availability of bank financing for small and medium-sized firms, while public credit registries do not seem to have a significant effect on the availability of financing.21 From a different perspective, there is a limited number of empirical studies, or else case studies, that concentrate on the diverse subject of credit information systems operating in sectors other than the business or commercial sector. Even though some studies put forward the case for either private or public CRAs collecting and disseminating information between lenders operating in developing economies, the literature does not include empirical analysis on the ability of information-sharing systems to increase access to credit among the poor and/or issues of social justice.22 Luoto, McIntosh and Wydick, using an empirical test of the effects of a newly implemented credit information system in Guatemala, argue that credit information systems help to build an efficient financial system by promoting transparency in lending, and remark that there has been burgeoning growth in the implementation of such systems worldwide in the last decade. They conclude by arguing that beneficial effects of credit information systems are to be found when CRAs are utilised in the microfinance sector (the authors, however, do not specify if such organisations are, or should be, of a private or public nature).23 Jappelli and Pagano’s chapter in a recent publication on the economics of consumer credit confirm the arguments of the early economic literature. Corroborating the theory of their earlier studies, the authors overview the economic effects of information-sharing systems with a view to obtaining directions for a tangible design of the systems. They conclude that the design of the mechanisms used to share credit information matter at least as much as

19 Kallberg and Udell (2003). 20 Galindo and Miller (2001), available at http://www.aaep.org.ar/espa/anales/pdf_01/ inv_galindo_miller.pdf on 1 August 2005. 21 Love and Mylenko (2003). 22 Campion (2001); Lenaghan (2001), available at http://www2.gtz.de/dokumente/bib/030070.pdf on 29 July 2005. 23 Luoto et al (2004), at http://are.berkeley.edu/courses/DEVELWORK/papers/Luoto.pdf on 29 July 2005.

The lack of a legal perspective

37

the decision to set up the information-sharing devices themselves, warning about possible pitfalls such as the relationship between public and private databases, the dosage between negative and positive information, the memory of the system, and others.24 Only very recently, Jentzsch has published a monograph that can be considered the first in-depth analysis of the economics of credit reporting systems. The study offers a comprehensive contribution to the economics of competition in information markets, offering a comparison of informationsharing systems in the United States and a few European countries. The author, exploring efficiency gains in markets and the econometrics of financial privacy, attempts to provide macro- and microeconomic evidence of credit reporting. Reproducing the economic theory reviewed above and introducing game-theoretic microeconomic models, she concludes that information markets cannot be equated with traditional markets for goods and services, because they lead to a concentration of information power and supply. Also, the study helps economists to understand the incentives and strategic behaviour of market players in different regulatory environments.25 Until now, however, empirical evidence relating to the consumer credit market still seems to be missing.

Institutional aspects and the literature in regulatory policy As overviewed above, the literature in economics is abundant. However, it focuses largely – if not exclusively – on US or developing country markets, to a certain extent disregarding Europe. Moreover, when it comes to an analysis of the institutional aspects and the regulatory policy of credit reporting, studies become scarce. Margaret Miller’s collection Credit Reporting Systems and the International Economy (2003c) offers the first comprehensive study focusing specifically on CRAs, as well as the only source for the institutional aspects of credit reporting systems. The book – which has been written as part of a research project carried out by the World Bank acting in an advisory and financing capacity with developing countries – complements and extends existing economic research, offering further theoretical and empirical evidence on the importance of credit reporting for determining creditworthiness. While several chapters of the work extend case studies in developing countries (mainly in South America) providing empirical analysis of credit reporting, the volume originally attempts to provide answers to fundamental questions such as how credit-reporting institutions can enable markets to overcome problems of asymmetric information.26

24 Jappelli and Pagano (2006). 25 Jentzsch (2006). 26 Miller (2003c).

38

Law and Consumer Credit Information in the EC

In her own chapter, Miller, using results from a World Bank survey, offers an insight on the institutional dimension of credit reporting, providing empirical data on the state of the art of private and public CRAs around the world. The economist shows that CRAs can provide borrowers with the so-called ‘reputation collateral’ as a valuable instrument for timely repayments, arguing that the type of data collected and disseminated by CRAs often provide the best predictors of such repayments.27 Jappelli and Pagano’s contribution, on the other hand, offers an account of public credit information registries in Europe, suggesting that countries currently setting up a credit information system should make its design compatible for future integration with those of their main commercial and financial partnering countries.28 When it comes to a review of the literature in regulatory policy, it is surprising to note that little has been written on the topic, and that the main contributions usually relate to the development of regulatory indexes by economists, or analysis on the impact of legislation on the economy or, at a different though related level, on the design of scoring models. San José Riestra, whose starting point centres on the necessity of credit information sharing and the role of CRAs as key actors in the assessment of an individual’s ability to repay incurred debts as well as a valuable disciplinary instrument vis-à-vis borrowers, warns nevertheless that CRAs cannot provide perfect or quasi-perfect creditworthiness assessments. The research, analysing evidence from the US, finds that the collection of comprehensive information by CRAs does not ensure the ability to anticipate the occurrence of situations of defaults and/or over-indebtedness.29 In addition, the author argues that ‘the collection and maintenance of adequate positive data will significantly increase technical, personnel and financial requirements of credit bureaus, raising the cost for credit institutions, which will ultimately be reflected in the cost of loans for consumers’, concluding that ‘consumer information, responsible lending practices and the legal environment should be balanced in any public policy strategy’.30 Similarly, Avrey, Calem and Canner – researching on the related issue of credit scoring – advise that although credit history offers benefits to lenders and the economy, failure to consider situational circumstances raises important statistical issues that affect the ability of scoring systems to accurately quantify an individual credit risk.31 Looking at the issue from a different perspective, Jentzsch – who underlines once more the economic benefits of information-sharing mechanisms –

27 28 29 30 31

Miller (2003b), 26. Jappelli and Pagano (2003). San José Riestra (2002). Ibid, 28. Avrey et al (2004a). See also Avrey et al (2004b).

The lack of a legal perspective

39

presents a new panel mapping the regulatory environment for commercial reporting. The economist develops an econometric analysis and index to show the impact of regulation on data sharing as well as its effect on credit market breadth. She proposes that the regulatory environment is crucial to, and has a significant impact on, information sharing: in fact, more information sources mandated via regulation, better access to them, a high degree of centralisation (i.e. information not scattered but collected in a centralised manner), and property rights would strengthen and increase information flows, thus boosting a thriving credit market.32 Interestingly, the study explicitly – although incidentally – warns that it ‘would not propose any data collection and centralisation measure for undemocratic regimes’.33 On a similar line of argument, the same author provides in a different paper a quantitative analysis of the effects of differing regulatory environments on both CRAs and the efficiency of the consumer credit market. The author, quantifying data protection regimes with an economic index, contrasts the US with four European countries to conclude that information exchange is not really inhibited by privacy regulations in the individual countries but, in any event, the international comparison shows that more stringent data protection regulations inhibit the distribution of credit reports (in terms of credit report sales) in consumer credit markets which, in turn, could result in reduced access to credit, less integrated credit markets, and more consumer credit risk.34 This latter conclusion may seem quite unclear as to the impact of regulation on borrowings and in some ways some results could be interpreted as contradictory, especially if compared with the conclusions of the former paper. The author, nevertheless, ultimately warns that increased access to credit is also correlated with increased consumer indebtedness and rising consumer credit risk. In addition, she finally recommends that the EC should proceed to standardise its credit reporting systems to exchange data crossborder as a precondition of an integrated consumer credit market.35 Putting their own research together, Jentzsch and San José Riestra found that integration indicators of the consumer credit market within the EC give a negative picture and it remains an objective that is far from being achieved. The study points out that the US experience teaches that a lightly regulated industry may provide high volumes of credit reports sold, which in turn would contribute to the quick integration of consumer credit markets at least in certain market segments. However – the authors conclude – ‘differences in

32 Jentzsch (2003b), available at http://rru.worldbank.org/Documents/doingbusiness/Explore Topics/GettingCredit/BusinessInfoSharingRegulation.pdf on 2 August 2005. 33 Ibid, 32. 34 Jentzsch (2003a). 35 Ibid, 46–47.

40

Law and Consumer Credit Information in the EC

languages, credit culture and strong preferences for privacy contribute to a credit market that will remain distinct (sic) “European” and that will remain segmented for probably a much longer time’.36 A revisited version of the latter paper reviews aggregate statistics on the level and composition of consumer debt in the US and a few European countries. From there, the authors build a summary index of the regulation of credit reporting based on a number of indicators. They examine quantitatively the relationship between such a composite index and a range of indicators of national indebtedness and industry credit reporting, discussing possible impacts of EC legislation on the reporting systems. The result, obtained from admittedly limited information, purports to show that increasing coverage in credit reporting is associated with increasing access to credit but overall there is no evidence that legal restrictions hamper information allocation in consumer credit markets.37

Literature in law Surprisingly, a legal examination of credit reporting systems vis-à-vis the positive law seems almost non-existent. The legal community, lawyers and academics alike, have not backed the increasing research led by economists, and have neglected to analyse the many effects that credit reporting may have on consumers. This is particularly the case when the context of the EC is taken into consideration, or else the jurisdictions of its Member States.38 Only in recent times have a handful of scholars touched the issue, limiting their contribution to legal policy reflections. Appreciably, Andreeva, Ansell and Crook give consideration to the impact that credit scoring may have on anti-discriminatory laws: they seem to point out that legislation would potentially limit the development of scoring models and techniques but, at the same time, suggest that there is a need for balance and a degree of protection for consumers within the credit market.39 However, the authors are not lawyers and, unsurprisingly, do not provide a legal analysis of the subject. In any event, it is useful to remember that credit scoring is something distinct from credit reporting: although it is certainly a related issue in that it

36 Jentzsch and San José Riestra (2003), 29. 37 Jentzsch and San José Riestra (2006). 38 Howells (1995), Johnson (1991), and Johnson (1992) all provide a comprehensive legal analysis of CRAs against consumer concerns in the United Kingdom. The papers, however, although interesting and offering valuable far-sighted reflections, cannot be considered relevant today as they refer to a time preceding the enactment of relevant EC and UK legislation such as, for example, the EC Data Protection Directive 95/46/EC and the 1998 UK Data Protection Act. 39 Andreeva et al (2004).

The lack of a legal perspective

41

includes credit reports as one of its core elements, it remains a separate riskmanagement instrument, and would deserve a discussion of its own. The one author who provides a pertinent legal examination of the subject is Hunt, presenting in his recent studies detailed insights into the consumer credit reporting industry in the US. Such examination, however, is limited to the requirements in the US legislation to show an attempt to attain in that specific jurisdiction an appropriate balancing of information-sharing arrangements against the costs of processing inaccurate personal data resulting in mistakes.40 Similarly, Staten and Cate offer a comprehensive legal analysis of the US Fair Credit Reporting Act, addressing the question whether such a particular piece of legislation promotes accurate credit reporting.41 Cate, Litan, Staten and Wallison, by contrast, look at the same American legislation, examining the debate surrounding the role of the State in regulating CRAs, and making the case for continued federal pre-emption of the states in the sector.42 Surveys that explore the regulation of credit reporting are rare and usually reported incidentally in a context analysing and/or putting forward arguments of economic interest, an exception being the paper by Del Villar, Diaz de Leon and Hubert.43 The scholars – far from providing a legal assessment of consumer credit reporting, its compliance with existing legislation, its impact on human rights/civil liberties and/or investigations of the like – explore in very broad terms the regulatory frameworks of the US, the EC (the data protection directive), and some Latin American countries. Finally, in her latest publication, The Economics and Regulation of Financial Privacy, Jentzsch attempts to deal with the regulation of credit reporting: far from providing an analysis of the legal framework – despite the title of the book suggesting otherwise, but such a lack is justified by the fact that she is not a lawyer – the author limits the description of regulatory regimes in the US and some European countries to a superficial overview. In particular, as far as the EC and its Member States are concerned, the study is restricted to general but incomplete routine descriptions of privacy, with no attempt to investigate the concrete rationale and application of the law (save for a few specific circumstances relating to Germany), analyse it vis-à-vis the systems, understand its adequacy to regulate the sector or provide policy/regulatory considerations.44

40 41 42 43

Hunt (2002); (2005). Also in (2006). Staten and Cate (2004). Cate et al (2003). Del Villar et al (2003). For papers that incidentally mention credit reporting regulation in the context of economic analysis see Jappelli and Pagano (2000); Jentzsch (2003b); Jentzsch (2003a). 44 Jentzsch (2006), ch. 3.2.

42

Law and Consumer Credit Information in the EC

Information asymmetry and consumers As this chapter has tried to stress, the economic studies that justify the existence and operation of information-sharing systems run by CRAs do so in an attempt to find a solution to the problems of asymmetric information and adverse selection in credit markets. It is not within the scope of this work to evaluate, nor analyse or challenge, the economic theories and rationale for the use of credit reporting (and scoring systems). It is interesting, however – and in some aspects rather perplexing – to note how the problem of asymmetric information in the lender–borrower relationship has been dealt with as if it were a one-sided unilateral concern for lenders only. As reviewed earlier, in fact, research in economics and regulatory policy insist on sharing information only about borrowers. Arguably, though, before entering into any borrowing contract, consumers would also have a keen interest in the lenders’ reputations and reliability. They would require information not only about the lenders’ products but also about the lenders themselves, in order to make informed choices and assess their trustworthiness. The reputation and reliability of lenders, either – though not exclusively – in terms of customer relationship management, customers’ satisfaction and complaints, or behaviour in past transactions, would play a crucial part in the choice of consumers about the right lender, forcing lenders to behave fairly and reduce abusive practices to a minimum. From an economic (free market approach) perspective, in fact, consumers play the role of rational maximisers of their own utility, if they have the information upon which to make an informed decision, meaning that individuals are considered the best judges of what is in their best interest in terms of choice of both supplier and products.45 This reflection seems important, as it permits a clear-cut separation between two types of third-party intermediaries that have established themselves to meet the problem of asymmetric information in credit markets. On the one hand, there are brokers that use their own information to allocate persons (either natural or legal) to the various types of contracts matching the requirements of borrowers and lenders for specific transactions. They are independent intermediaries that use information that is spontaneously and freely given to them by the parties to enable informed decisions in view of a business transaction. On the other hand, by contrast, there are CRAs that differ consistently from brokers, because they lack independence from both the contracting parties. CRAs, in fact, operate at the service of lenders notwithstanding the agreement, or disagreement, of borrowers. They provide information to

45 See Jolls et al (1998); Posner (1998).

The lack of a legal perspective

43

lenders that they have received, not directly from borrowers but from other lender clients. In this respect, CRAs are closer to private investigators, in that they gather and disseminate information about borrowers through technologies that inform their own clients. In the end, thus, CRAs would solve the problem of information asymmetry on the part of lenders only. However, as others have extensively pointed out, not only do financial markets suffer from information asymmetry and the risk of externalities exclusively on the part of lenders, but so do consumers.46 Arguably, this latter aspect is widely accepted, together with social rationales, to constitute the key economic justification for financial regulation.47 In this respect, it should not be forgotten that the financial services industry is one of the most important sectors of a country’s economy, and is perceived as somehow delicate and special – as different and more sensitive from other industries. Indeed, this is the reason the financial services industry is also one of the most closely regulated sectors.48 Yet, the literature on CRAs seems to have failed to take both sides of the same coin into perspective when offering the solution to the problem of information asymmetry and adverse selection in credit markets, underestimating the scope for increasing financial regulation in the credit-reporting sector as well. On the contrary, it is noticeable that studies on CRAs take the different approach of neglecting market regulation in favour of consumer financial information, at times taking the view that considers regulation as a limit that may restrict the development – or else, efficacy – of credit reporting systems, rather than improving their effectiveness.

Remarks on the review of the literature This chapter aimed at reviewing the literature on credit reporting systems intended as a device to overcome the problem of asymmetric information and adverse selection in the consumer credit market. In summary, it found that the existing works predominantly focus their attention on the economic side of credit reporting, and insist on prospective positive effects or results for lenders. It seems, however, that there is still neither consensus nor sufficient conclusive evidence to prove either their efficacy in the assessment of the creditworthiness of consumers at least, or the validity of such an envisaged solution. Besides, some have begun to suggest some forms of caution precisely in the interest of consumers.

46 Cartwright (2004); Goodhart (1995), 454; Davies (1998); Ford and Kay (1996); Benston (1998); Llewellyn (1999). 47 Ibid. 48 Cartwright (2004), 13.

44

Law and Consumer Credit Information in the EC

Interestingly, the handful of scholars who have dealt with informationsharing mechanisms with specific reference to the consumer credit market also tend to analyse the issue of asymmetric information and the need for information-sharing systems from the viewpoint of the advantages for lenders, often neglecting the concerns of consumers. If it is true that some literature points out some sort of benefits, in pure economic terms, that a thriving consumer credit market may indirectly and ultimately have on (some) consumers, up-to-date research focusing specifically on concerns about possible violations or abuse of consumer rights and civil liberties seems almost non-existent.49 Intuitively, for instance, consumer credit reporting systems represent a threat to the privacy of individuals. As seen, in fact, there are sophisticated and highly technological mechanisms in place, where data from different sources are easily and quickly aggregated, new data are automatically created, and data are disclosed to a potentially unlimited number of third parties for a growing number of expanding purposes. Certainly, one may reasonably think that CRAs induce an increase in the volume of lending, thus indirectly providing important benefits to those with good credit risks and making interest for debtors too. Whether CRAs really serve the interest of a number of debtors or not, however, this seems hardly the point, if one looks at and balances the civil rights involved (for example, the right to privacy) and the foundations upon which credit reporting relies. To begin with, it could be argued that there are no fixed rules in the industry or the literature as to what constitutes a good credit risk. Assuming that a good credit risk is someone with immaculate repayment behaviour, the system seems to penalise those with a weaker credit history notwithstanding their personal circumstances. From this point of view, the profiling and standardisation of the behaviours of individuals not only appear hazardous to the civil rights and privacy issues involved, but also artificial. As this work will emphasise later, very often, contrary to the very foundations of credit reporting, human behaviours are heterogeneous and unpredictable. At any rate, systems that may be beneficial to some consumers but exclude or penalise others could hardly be considered to be in the interest of consumers as a whole. Most importantly, moreover, as it will be shown in detail later in this work, it is difficult to think of data-sharing instruments in the interest of consumers that require the necessary sacrifice of individual privacy, and are imposed unilaterally by the industry, leaving them no option to decide whether or not to take advantage of their alleged benefits. As individual rights are involved, whether such systems could be in the interest of (some) consumers is doubtful, because the right to privacy is clearly an established right, but conflicts with the reporting systems at stake, which centralise private information, and

49 For all, see Miller (2003c).

The lack of a legal perspective

45

standardise and profile people. To this end, one should expect to consider that in Europe at least, privacy rights now benefit from, and should be interpreted in light of, the provisions of the EC Data Protection Directive 95/46/EC as well as Art 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.50 Moreover, the reviewed economic literature provides no conclusive or at least empirical evidence – nor a certain relation of cause and effect – as to the connection between credit reporting and the predictability of human behaviour. What’s more, when considering all such issues, one should not forget that the use of CRAs’ databases is not mandatory by law.

The importance of legal research Whether all such considerations are relevant or could be contested, will be dealt with in subsequent chapters. What in any event emerges from the review of the literature is that despite the copious research in economics – and some literature in regulatory policy – on the importance of sharing credit information by a wide source of lenders, there has been almost no attention paid by lawyers to an analysis and/or assessment of the legal framework of consumer information systems, or their compliance with the positive law, especially in the jurisdictions of the European countries or within the context of the EC. First of all, the reviewed literature largely omits to distinguish between business and consumer borrowers, and centres its attention for the most part on the US market or the economies of developing countries, marginalising Europe. It is surprising to note that the borders between consumer and commercial credit reporting and their use have not been marked sufficiently, and that they are too often ignored or blurred. The two, however, differ greatly in several aspects, the most important being the most obvious one, i.e. that consumers are human beings who, in modern European society at least, benefit from the recognition of civil liberties and the respect of fundamental human rights transposed into several pieces of legislation, or debated in increasing calls and demands for further protection, as well as sustainable social justice. Moreover, it should be also taken into consideration that arguments that may be relevant for the US market are inapplicable to the European one. In fact, the two markets and the business cultures, as well as the legislative attitude and existing legal systems (just to mention a few factors), arguably differ greatly one versus the other.51

50 A detailed description and analysis of the legal framework of consumer credit reporting will be carried out in Chapters 4, 5 and 6. See also the legislative references therein contained, including the ones mentioned above. 51 Diez Guardia (2002).

46

Law and Consumer Credit Information in the EC

For the purpose of this discussion, the best example of diverging legislative approaches is arguably represented by the inherent tension between the historical focus of the US on freedom of expression and the strong emphasis placed on privacy and data protection in the EC, together with the latter’s attitude towards a tighter consumer protection regime.52 Another important distinction that the literature often fails to cover unambiguously is the one between the function of CRAs and that of public credit registries. As Chapter 1 has explained in detail, CRAs provide information-sharing services for the credit risk management of a wide category of lenders. Public registries, by contrast, share financial information for the prudential supervision of banks and the soundness of the whole financial system, thus providing a public function in the interest of all. Also this distinction, which is too often blurred in the economic literature, is a vital one for lawyers and their research, helping to give the right perspective on financial information sharing and to shape its design and use. Hence, the aforesaid legal analysis and research on the subject-matter seems particularly relevant, especially at a time when the use of credit information-sharing systems, together with the number of other activities carried out by CRAs, already represent the current practice in consumer credit and lending relationships in every European country. In many ways, in fact, the development of the credit industry has reflected the intuitions developed in the economic theoretical literature on informationsharing arrangements, with the addition of the industry’s substantial investments in technologies that were not in place when data sharing was initially considered, as well as the industry’s increasing push for more information to be made available through increased data sharing.53 At the same time, legislation has been slower to respond to the new concerns brought about by such mechanisms, leaving them under the regulatory umbrella of general principles of existing laws. As Chapter 4 will explain, in fact, legislators across Europe mainly rely on at least one law that has a significant impact on consumer credit reporting activities, namely the EC Data Protection Directive as transposed in national law.54 However, whether data protection legislation is adequate and relevant to the sophisticated and highly technological mechanisms of credit reporting – where data from different sources are easily and quickly aggregated, new data are automatically created, and are disclosed to a potentially unlimited number of third parties for a growing number of expanding purposes – is open to discussion. This is why legal research and analysis are vital, and necessarily come into play to shape and balance policies.

52 See Chapter 5 below. 53 Bradford (2004). See also Guardian (30 July 2005). 54 Directive 95/46/EC, OJ 1995 L 281 p 0031–0050.

The lack of a legal perspective

47

Concluding remarks Looking ahead, legal research on the topic of consumer credit reporting in the context of the EC seems particularly important. In particular, the legal community and policy makers should debate openly whether the sophisticated mechanisms of credit reporting comply with the positive law (mainly, though not exclusively, data protection), and whether the latter is adequate to cover the many difficult questions and complex legal issues and concerns that may arise, above all over the privacy rights and civil liberties of individuals. This seems particularly the case, and the right time, as the EC single market and the political desire for further integration and harmonisation within the Community are likely to have a dramatic impact on the financial service industry (including, in particular, consumer credit lending). Harmonisation in this sector, however, is likely to bring with it a number of important decisions for both credit grantors and legislators, which could represent a source of conflict and controversy with consumers. The policy and legislative decisions at stake, in fact, could reflect interests that push in opposite directions, and that require a difficult balance between the protective consumer attitude versus the market-oriented and profit-seeking credit industry perspective. If the smooth operation and further development of an efficient financial market is important for the economy, there is also a duty to preserve the established right of the individual to the privacy of his/her transactions as well as a fair and legitimate use of his/her (essential and strictly necessary) personal data. Such a balance seems particularly difficult to find at the EC single market level, as in Europe, credit markets are still reported to vary widely, and to differ strongly in credit culture, practice, use and regulatory regimes, which arguably hampers the development of a truly integrated single European market and political union.55 Perhaps the time has come for lawyers to conduct tailored research on the issue. Obviously, this will carry interest of its own, but it may also be useful to anticipate the debate that will need to happen at the EC institutional level – if it is not happening already – thus blazing what appears to be a tortuous trail. Before attempting to provide such debate, in the next chapter this work will explore the historical background of consumer credit reporting in order to gather further elements that could become useful in the legal discussion.

55 See Chapter 5 below.

3

Historical background: the cultural framework A lesson from history?

Introduction As discussed in the previous Chapters, CRAs are deemed to represent, at least in their original function, an institutional response to the problem of asymmetric information in the financial market at the service of the credit industry. More specifically, they are private organisations that provide credit-risk management services to lenders for the assessment of consumers’ creditworthiness, achieving also the function of suppliers of reputation collaterals for the repayment of their debts. Credit reporting, as it has evolved over history, has established itself thoroughly in the credit granting practices of Western economies, at times differing from country to country only in minor ways. Also, it has been stressed that recent scholarship has focused its attention largely on the economic efficiency of credit markets, but that another framework that has been too often neglected, but nevertheless should not be underestimated, is the legal one. This, in turn, should take into account the cultural framework, intended as the set of societal norms that influence the success, promotion, acceptance, and most importantly the legitimisation of a business in the context in which it operates. The cultural dimension is certainly one difficult to measure. But one suggestive way to approach the problem is that of taking an historical perspective as a description of a social process.1 Thus, one may be tempted to address the same type of questions about the system implemented for consumers in the same way as business credit reporting has been questioned:2 why and how has consumer credit reporting emerged and evolved into the present system? What led to the development of powerful organisations such as CRAs, which crucially affect the way credit is

1 Olegario (2003); Strasser (2003). 2 Olegario (2003).

50

Law and Consumer Credit Information in the EC

allocated and, ultimately, the lives of individuals? Why was this solution to the problem of information asymmetry in the consumer credit market implemented in Europe instead of other models? What cultural baggage does consumer credit reporting carry with it, and how may this affect its operation elsewhere other than where it first developed? Already at this early stage, one may suspect that the modelling of a system that was developed in the context of a different culture, timeframe and pace of establishment may cause problems of adaptation and legitimisation if transplanted in jurisdictions with different traditions. Thus, tracing the origins of consumer credit reporting within a specific historical time and place proves useful as:

• • • •

it has its own interest in business and legal history; it helps to understand better the pillars upon which the credit information business is based; it provides a cultural perspective that could clarify how much the transplantation from one jurisdiction to others, of systems capable of affecting significantly the lives of people, may lack legitimacy and not adequately fit into pre-existing legal frameworks; it may contribute to the policy debate that the competent authorities in the EC would need to face when setting a legal framework.

In order to attempt to answer the questions that it asks, this work will try to identify those informal mechanisms that are considered the ancestors of credit reporting. An investigation of the commercial area of credit reporting in the US – the country where it first originated – will follow. Such scrutiny appears necessary, as reporting about consumers seems to owe its development precisely to the model that was implemented long before for the business sector. Once the process of legitimisation that consumer credit reporting had to go through in the US has been outlined, then an analysis of the European context will be carried out. Only then may one assess if and to what extent the cultural baggage and dimension of consumer credit reporting are likely to play a decisive role in the success of the system and its legal framework. Any thorough account of the detailed history or ideologies behind consumer credit would require a book-length study in itself and, for certain aspects, still needs to be written. For instance, debates among economists or historians about the exact causes of the development of a certain form of credit or another, though significant in their own right, are of little interest to this study, insofar as they do not have an impact on information-sharing mechanisms. Sources of information and materials about the origins of the phenomenon of credit reporting are scarce. Until now, few scholars have investigated the historical background of the industry (mainly business credit reporting), and those who examined it acknowledge that most of the early agencies’

Historical background: the cultural framework

51

records have not survived, and so a number of aspects concerning their evolution can only be a matter of conjecture.3

Historical informal information-sharing mechanisms Locating the origins of credit reporting with a certain degree of historical precision is a difficult task. In fact, it seems that informal information-sharing mechanisms have existed since the genesis of the notion of society itself. To this extent, there appear to be both conceptual and historical connections between credit reporting and the practice of ‘gossip’, an informal informationsharing method that has its roots in humankind living in communities.4 Arguably, ‘gossip’ – a term used in the literature of the subject as a synecdoche for community information transmission achieved through group meetings, correspondence, local newspapers, leaflets, word of mouth and so on5 – has its roots in humankind living in communities. In particular, civilised societies, at least as they are known today according to Western world standards, would need to rely on accountability mechanisms to protect the social order and historically ‘gossip’ best served as a vital function of creating social reputation. As Klein reasons, this was particularly so when it came to trade and business practices because: . . . when people interact, there is no referee overseeing the interaction. If one party fails to meet his or her obligations, the other party is the only person able to report it. Reporting the failure helps to form a reputation on the chiseller and creates accountability against chiselling.6 Thus, long before CRAs existed, merchants extending credit had to rely on word of mouth, letters of reference, and other forms of gossip to assess the trustworthiness of those counterparties dealing with them.7 However, informal information flows such as ‘gossip’ are known to be efficient in small communities ensuring the diffusion of information about their members. By contrast, across all the members of a greater society – defined by Klein as a large community forming a society of vast division of labour, of individual objectives among its members, of dispersed knowledge, of undesigned intermeshing of activities, of a high degree of anonymity – ‘gossip’ would be impossible as with increasing social complexity informal social controls would necessarily diminish in significance and need to be replaced by formal mechanisms of social control.8

3 4 5 6 7 8

Olegario (2003). Klein (2001). Klein (1992). Klein (2001), 325. Ibid, 330. Klein (1992), 119–120.

52

Law and Consumer Credit Information in the EC

For these reasons, credit reporting is considered to represent an institutionalised transformation of ‘gossip’ originating from informal reputation mechanisms in the creditor–debtor relationship that could be traced over the centuries, and are said to be nearly as old as credit itself.9 Notably, such evolution has created the most standardised and extensive reputation system humankind has ever known.10 This alone, however, does not explain the formal emergence of CRAs as the institutional response associated with the problem of asymmetric information and the risk of granting credit. It is important to note that these mechanisms were initially appropriate only for trade-related or small-scale business activities among a closed group of local merchants. An annual report of the World Bank identifies the emergence of embryonic formal institutions for credit information sharing as early as seventeenthcentury (sic!) Paris, where notaries were deemed to exchange data on debtors’ creditworthiness.11 This view, however, is isolated and appears somehow misleading. Hoffman, Postel-Vinay and Rosenthal used evidence from eighteenthcentury Paris to examine how financial intermediaries resolved problems of asymmetric information in the financial market. The intermediaries in Paris were indeed notaries, who were in high demand for all sorts of inter-temporal contracts (for example debt, trade ventures, probate records, marriage contracts) and were required to keep a copy of the contracts they drew up. Their archives, thus, were a valuable source of information about the private wealth of individuals. It was from their archives that they acquired and used the information needed to match borrowers and lenders for specific transactions. However, that information was the notaries’ property and the archives were closed to outsiders. Thus, they did not hand out the information to lenders to assess the creditworthiness of those borrowers who entered independently into business with the lenders themselves. On the contrary, such dealings practised by notaries rather evolved in what modern society today defines as ‘brokers’, i.e. intermediaries allocating persons to the various types of contracts.12 This distinction is important to separate two types of third-party intermediaries that have established themselves to meet the problem of asymmetric information in credit markets. As already noted earlier in Chapter 2, in fact, CRAs are not brokers, mainly because they lack independence from both the contracting parties. They operate at the service of lenders notwithstanding the agreement or disagreement of borrowers. They provide information to lenders that they have not received directly from borrowers but from other 9 Olegario (2003). 10 Klein (1992), 121. 11 World Bank Group, ‘Doing Business in 2004 – Understanding Regulation’, available at http:// www.doingbusiness.org/Main/DoingBusiness2004.aspx. 12 Hoffman et al (1994).

Historical background: the cultural framework

53

lender clients. In this respect, CRAs are closer to private investigators, gathering and disseminating information about borrowers through a peculiar means that aims to keep their clients informed. This distinction has crucial consequences when attempting to map the legal framework of credit reporting systems in the consumer sector. For example, it could be anticipated that the latter, apart from being perceived by many as ‘inquisitorial’, has the potential to collide with privacy rights. In the case of brokers, on the contrary, this does not happen in so far as borrowers voluntarily seek them to the same extent as lenders do, i.e. to be allocated to the best contractual solution corresponding to their needs (the rule of the matching between demand and supply). In contrast, in an historic search about the formal emergence of CRAs, there is agreement that they evolved in the US well after the first half of the nineteenth century.

The origins of credit information-sharing systems: business credit reporting in the US In the US, business credit reporting preceded consumer credit reporting by several decades. According to some, it developed from an agrarian need that generated a system of credit: during the spring and summer months, farmers lacked a source of income and retailers provided them unsecured credit to be recovered later in the year upon sale of their products. While farmers traded their expectations of future income, creditors kept records of the transactions and on occasion shared the information.13 More commonly, and on a much larger scale, however, historians agree that in the nineteenth century, credit reporting emerged in the US more as an attempt to manage the risk of mercantile credit, intended as the extension of goods to other merchants or businesses based on the promise that the receivers of the goods paid for them at a later date. This form of credit was – as it continues to be – a vital source of funding for small businesses. It functioned as short-term working capital, allowing them full use of the goods before their payment. At that historical time, it was often – if not exclusively – the only type of credit available to small businesses, as opposed to today’s forms, varieties, and availability of financing arrangements. At the same time, it represented a form of unsecured business-to-business lending, whose repayment terms during the American colonial era extended to a year or more, as compared with the 30 to 90 days of today’s commercial practices.14 Likewise, as it happens at present times, sellers did not charge any interest

13 Trans Union LLC, ‘Credit Reporting – The Backbone of a Vibrant Market Economy’, available at http://www.transunion.com; Gup (1976), 210. 14 Norris (1978).

54

Law and Consumer Credit Information in the EC

unless buyers incurred them in late repayments, in accordance with penalty clauses in the underlying contract, whilst discounts were granted for straightforward or early payment.15 Thus, good information became an essential element, particularly in those trade relationships where the parties did not know each other personally. The small scale of trade in the US until the early nineteenth century had allowed traders to rely on personal ties or, in the event the seller did not know a prospective buyer personally, on the experiences and opinions of other merchants. In this latter circumstance, merchants relied on letters of recommendation or word-of-mouth information exchanges with members of the same industry group. This is the reason why they developed networks of mutual cooperation, taking the forms of roundtables, associations and mutual protection industry organisations restricted to members only, sharing information about the trustworthiness of their customers in meeting their obligations. An important feature of such closed users’ groups was that there was no attempt to profit from it as it exclusively served as a means of making good business.16 Industry groups of this kind, however, were not a novelty, as such practice was already an established one in Britain, especially on those occasions where merchants needed to safeguard their trade relationships with the colonies: distant lands where personal ties where more difficult to put in place. But a differential and decisive set of elements occurred in the US by the second decade of the nineteenth century: population growth and the expansion of the American country, coupled with a considerable increase in the volume of transactions favoured by the construction of canals and railroads, opened the market to a growing number of potential new customers, many of whom were unknown to merchants, being located in distant states and territories.17 As a result, existing industry group systems and techniques became unreliable. As Olegario explains, it was because of the vast geographic scale of the US and the high mobility of its population that mutual protection societies and other merchants’ groups could not last as an effective response to credit risk.18 The need for knowledge about distant and unknown customers stimulated several larger business houses to develop more formal methods of acquiring credit information.19 In order to cope with the changing needs of the market, during the 1830s groups of wholesalers attempted innovative solutions and hired private investigators or travelling salesmen providing data about unknown customers. However, some businesses, including international banking houses such as Barings and Brown Brothers, preferred to use their own agents, with the 15 16 17 18 19

Olegario (2003). Klein (2001); Olegario (2003), 118–120; Madison (1974); Hidy (1939); Wyatt-Brown (1966). Norris (1978); Olegario (2003). Olegario (2003), 118. Madison (1974), 166; Norris (1978).

Historical background: the cultural framework

55

responsibility only for credit reporting, as they didn’t trust third-party data providers who were either unreliable (as they were themselves unknown) or subject to various forms of bias or, in the worst cases, collusion.20 Such arrangements had a crucial downturn: the reports of these large banking houses, described as being high quality and more reliable than other forms, were also high in cost, and only few businesses could afford to hire a full-time credit agent or develop their own systems of reporting.21 Because reasonable alternatives did not exist, most businesses had no choice but to continue to rely on their personal knowledge, the knowledge of others they knew, mutual protection groups hiring unreliable third-party investigators or travelling salesmen, or luck. The inadequacy of such methods became particularly evident during the economic crises of the late 1830s and the early 1840s, when rapid changes in the financial condition of many demonstrated even more the wide extent of the ill-founded trust in many new customers. In contrast to the industry groups, as a reaction to their inadequacy, enterprising individuals in New York set up a new type of organisation better suited to the peculiar needs of American society, where traders needed information about their (potential) customers whose businesses were dispersed over a wide territory, at the same time being able to meet the costs of such expanded service. The first of this new type of organisations – the credit reporting agencies – opened its doors in New York in 1841 and was soon followed by others.22 As Madison writes, CRAs ‘attempted to provide in a formal and institutional manner a service that earlier was almost exclusively a function of personal ties within the mercantile community’.23 To do so, they set up as third-party profit-seeking providers of information that turned information into a commodity accessible not only to the industry group members, but by anyone willing to pay the agencies a subscription fee. In their operations, the new CRAs gathered information on a wide array of businesses, and did not limit themselves to those of interest to a particular network.24 Thus, it may be acceptably maintained that such added value, provided at affordable costs, coupled with the financial robustness of earning fees from subscribers, were the most probable reasons that CRAs emerged over industry groups or other organisations in providing information services about (potential) trade partners or customers. For the most part, above all, CRAs succeeded in emerging owing to the context, and exploiting the momentum with which they set up. The country’s growth in population and territories, the development of transportation, 20 21 22 23 24

Hidy (1939); Wyatt-Brown (1966). Ibid. Norris (1978). Madison (1974), 167. Ibid. See also Norris (1978); Olegario (2003).

56

Law and Consumer Credit Information in the EC

the new opportunities and consequent ever-stronger commercial orientation, coupled with the absence of established interests in that particular market, were factors highly encouraging to institutional experimentation. Furthermore, as many CRAs emerged rapidly with the entry of new competitors, the actors involved in such a brand new sector needed to gain a competitive advantage over one another, thus being forced to develop the largest possible territorial coverage as well as provide the greatest amount of available information and reporting on even the smallest businesses.25 These factors led the most successful CRAs achieving scale and scope efficiencies by setting up a network of correspondents, local agencies and branches all trading under a common name, soon becoming what some commentators defined as organisations being among the first US businesses to be truly national in scope. Taking advantage of the local knowledge of their network structure, and pursuing their perennial efforts to prevail over rival organisations, CRAs also began to offer a wide range of further services, such as debt collection and analysis of local market conditions.26 In other words, as Olegario puts it, CRAs ‘helped to entrench the very conditions that gave rise to them, and which made their work possible’.27 As far as the type of information available to the American creditor of the nineteenth century is concerned, it is interesting to observe that it was very different from that used today. There were no track records of early financial transactions, payment histories, and other quantitative data. Norris and Olegario provide a comprehensive account of the information collected and used for credit purposes. Little or no information was provided on business revenues, profits, losses, and cash flow. Creditors, in addition, were reluctant to request them, for fear of offending and losing existing or potential customers. In any event, as credit terms extended from six to twelve months, a customer’s current liquidity was not of much interest as it could not be available at the time of the repayment. Creditors, by contrast, were more interested in the borrower’s ‘character’, as an indication of past behaviour. To this purpose, not all character traits were considered relevant or equally important. Creditors, instead, focused their attention on those elements that they thought, according to the culture of the territory at that particular time, directly linked to the borrower’s willingness or ability to repay the debt. These included, for example, honour and honesty, punctuality, extravagance, experience, energy, vices (drinking and gambling only) and a few others. Accordingly, such methods of assessing creditworthiness, aided by the CRAs network structure, spread quickly in the US territory, because they were relatively simple and congenial to the American values of that particular

25 Norris (1978); Olegario (2003). See also Wyatt-Brown (1966). 26 Olegario (2003); Wyatt-Brown (1966). 27 Olegario (2003), 119.

Historical background: the cultural framework

57

time. This is also the reason why such methods became a standard for the industry in managing situations of credit risk.28 Credit reporting in the US became the activity it is today not only through the application of those techniques that were determined by the needs of the market, but was also shaped by the subsequent regulatory environment that developed over time. Early complaints and discontent about the services of CRAs centred on the pragmatic issue of the accuracy of their information. The CRAs’ unprecedented methods of collecting and disseminating information, some of it erroneous, outdated or incomplete, made them the target of lawsuits as the result of a number of circumstances in which subscribers were misled about potential customers and incurred losses. As a result, in the absence of legislation and clear legal precedent, courts emerged as the sole and most active controllers of the credit reporting business, which had the additional merit of opening its secret workings to public scrutiny. The first cases all focused on the concepts of ‘defamation’ and the defence of privilege. According to the CRAs, the reports fell under the legal heading of ‘privileged communication’ between the CRAs and their subscribers (i.e. their clients), therefore they did not constitute libel or slander. As they fall within the rule of privileged communications of a confidential nature in a client relationship – the argument runs – the reported-on persons should have had no right of access to it. Judges, at first, rejected this view, reasoning that credit reports could not benefit from the protection of privileged communication because the information was available to a large number of subscribers, potentially open to anyone willing to pay for the service.29 In later decades, however, the courts broadened the definition of privileged communication accepting the CRAs’ arguments, provided that the communication must be in ‘good faith’ and ‘made in a proper manner, without evil intent or malicious motive’.30 At the same time, CRAs recognised that improvements in the quality of their services were not only possible but also necessary if they were to earn wider acceptance from American businesses and consolidate. More importantly for their survival, they simultaneously refined their contracts with subscribers to include disclaimers regarding the accuracy of information they provided, and formulating denials of liability to the fullest extent possible. Such disclaimers, however, could have had little effect unless the courts were willing to accept a very limited definition of liability.31 In the late nineteenth century, the major thrust of court decisions was 28 29 30 31

Norris (1978); Olegario (2003). See also Wyatt-Brown (1966). Beardsley v Tappan (1867), cited in Madison (1974), 179 et seq. Ormsby v Douglass (1868), cited in Madison (1974), 179 et seq. Olegario (2003); Wyatt-Brown (1966); Madison (1974).

58

Law and Consumer Credit Information in the EC

favourable to CRAs, as judges ruled that they would need only to carry out their activities using ‘reasonable diligence’ in order to be exempt from liability if their reports were inaccurate.32 In unison, the courts went further by extending the obligation of the person about whom a report was made to provide truthful statements to the CRAs’ reporters. In such circumstances, it was held that CRAs were not accountable for the losses suffered by their subscribers but rather the merchants who intentionally deceived CRAs’ reporters were the ones liable, as if they had made the false representation directly to the party injured.33 Thus, throughout and after the post Civil War period, as a result of the increased protection from the courts, improved quality of services, growing use and convenience of credit reporting services, as well as the utter prevalence of the business practice, the resistance to CRAs slowly gave way not only to acceptance but also imposed the CRAs as permanent elements of the US commercial infrastructure and established business institutions.34 As Olegario comments: lawsuits were a constant source of concern to the agencies, but they functioned as an important check on an otherwise unregulated industry. . . . Equally important, the court decisions helped to legitimise the agencies’ activities.35 Once consolidated on the US market, large agencies began to establish foreign branches, particularly in those countries where American companies conducted sizeable trade.36 Only later did other European countries follow the example of the US and start to develop mutual protection society operations.37

Consumer credit reporting in the US The history of consumer credit reporting differs from that of business credit reporting, in that the former developed much later and for a long time operated on a non-profit basis. Apart from that, the design of the system and the fundamental functions of the two types were not different: the provision of information to a party about another (stranger) party by an outsider, so that the former may trust the latter party to engage in a contractual relationship prior to receiving a payment for goods or services, i.e. on the basis of credit.

32 33 34 35 36 37

Madison (1974), 179. Eaton v Avery (1880), cited in Madison (1974), 179 et seq. Wyatt-Brown (1966); Madison (1974). Olegario (2003), 132. For example with countries such as Canada, Mexico and, in Europe, the UK and Paris. Creditreform 1879, a German company, prides itself on being the first one of this sort. See http://www.creditreform.de/.

Historical background: the cultural framework

59

Tracing the origins of consumer credit reporting would require, in the first place, looking at the history of consumer credit in its modern form, which took place – again in the US – much later in time than mercantile and business credit. Although credit for consumer goods is one of the oldest of all forms of credit, with a history stretching back to antiquity, the modern system of credit for consumption – the one properly known today as ‘modern consumer credit’ – has its roots only in the early decades of the twentieth century. The ongoing debate among economists and historians regarding the legitimacy of labelling the 1920s as a revolutionary period in consumer credit and spending, while significant in its own right, is of little consequence to the argument of this work. This work is concerned primarily with the origins of consumer credit reporting and its close relationship with American culture. During the 1920s, in the US, there was a dramatic change in consumption culture and standards, as well as selling techniques.38 Accordingly, modern consumer credit differentiated from the original conception of credit for goods in that it was built on two institutional foundations:

• •

a peculiar method of credit based on the instalment plan, where money is lent or a good is sold on the condition that the borrower or purchaser repays the loan with fixed payments to be made at regular times over a specified period; an array of particular sources of credit other than the traditional historic pawnbrokers and/or illegal moneylenders.

Certainly, by the end of the nineteenth/early twentieth century, Americans had more than their share of financial pressures and were indisputably involved in borrowing practices. However, the concept of debt was different from modern consumer credit. Households rarely went into debt for things that were nonessential or frivolous. Borrowing, in fact, was acceptable and safe only when used to acquire goods that increased in value or had productive uses.39 A number of studies take seriously the role that culture and religion played in market development. Among them, Calder provides an extensive account of the cultural history of modern consumer credit that best explains the distinction between the different approaches of consumer debt as compared with that of business debt. Consumer credit was not invented during the years of the consumer revolution of the 1920s, although it is undisputed that household debt levels soared during that decade. Rather, the American Victorian era of the late nineteenth century is considered as the point in history where analysis should start, a period marked with attempts to solve a new major problem introduced by the rapidly industrialising economy of that time, i.e.

38 Calder (1999); Gelpi and Julien-Labruyère (2000); Gup (1976); Kubik (1996). 39 Calder (1999), 16–22; Gelpi and Julien-Labruyère (2000).

60

Law and Consumer Credit Information in the EC

the smoothing out of household cash flow. Money ethic literature of that age first began to distinguish between two types of credit: (1) the good ‘productive credit’ used to finance labour, business, and/or investments creating wealth; versus (2) the bad ‘consumptive credit’, exemplified by ‘shivering youths who pawned overcoats to pay gambling debts [and] sallow New York dandies with showy chains on their vest’.40 Yet, consumption retained an air of disreputability and, in economic terms, was suspected of having a negative effect on aggregate growth.41 Crucially, these ideological barriers fell first in the United States. As Calder explains, the economic history of consumer credit consisted of the sluggish and often insufficient adjustments made by lenders and households to the new forces of industrialisation and monetarisation. It was an uneven and ambivalent process of legitimisation that accelerated in the first decades of twentieth-century America that redirected the image and meaning of ‘consumptive debt’ into the morally neutral idea of consumer debt.42 At the same time, the ancient religious legacy in obstructing the use of credit was reflected in the enactment of state usury laws (in the US as well as in Europe) that persisted over a long period of time making it difficult – if not impossible – for lenders to earn profits on small loans lent at legal rates.43 As a result of the above cultural and legal constraints, in the US as elsewhere, consumer credit was not easily available. The first organisations to experiment successfully with the use of a hidden form of credit for consumers were retailers, the only ones that were able to take advantage of the extension of payments in instalments (i.e. credit) to consumers for the purchase of goods that otherwise they could not sell, at least for the price that they asked for. Merchants sold goods charging a credit price distinct from the cash price. The difference between the higher credit price and the cheaper cash price was not considered an interest rate, which would have been subject to usury laws. In fact, according to the time–price doctrine established in England already in 1774, credit extended by merchants for the sale of goods was exempted from usury laws.44 For the vast majority of retailers the market was limited to a town, a part of a city, or on some occasions, to a whole single city.45 At the turn of the century, however, instalment selling was still largely socially identified with poor, female, or immigrant consumers.46 As consumer credit itself was limited, the volume of consumer credit data

40 41 42 43 44 45 46

Calder (1999), 103. Kubik (1996). Calder (1999), 109 et seq. Ibid. See also Gelpi and Julien-Labruyère (2000). Gup (1976), 211. Hunt (2005). Also in Hunt (2006); Furletti (2002). Calder (1999), 111–123.

Historical background: the cultural framework

61

was modest and there was no compelling need for a reporting system of the kind that emerged for the business sector. Following the example of the latter, nevertheless, an embryonic type of consumer credit reporting emerged: it was structured in the form of local non-profit associations or cooperatives established by those community retailers that were the primary source of consumer credit. As happened for business credit reporting, early operations of this type specialised in providing reports that described customers in a particular location for a single industry segment. As a result, hundreds of small cooperatives emerged throughout the American territory, each focusing on a particular business line in a particular geographic area. These early local cooperatives were limited in scope and typically restricted their credit related reporting to negative or ‘derogatory’ information.47 For example, as Furletti reports: . . . a group of retailers in a small town might have agreed to form a cooperative that kept track of customers who were considered delinquent by any member of the group. The individual merchants would then use this information in managing their own credit relationships with prospective and current customers.48 This situation, however, gradually changed as the retail markets got bigger, following the economic growth led by the expansion and consolidation of the country enhanced by the development of new transport. The larger stores expanded forming chains of stores located in various geographical areas thus moving their administrative and financial operations into a single headquarter.49 Moreover, the social image of instalment selling changed with the booming of industrialisation and, in particular, with the development of a wide array of new consumer durable goods such as the radio, the sewing machine and the automobile, costly items that tested the ability of households of different social classes and income to pay for them or to save over a long period. Almost inevitably, the marketing of such new products was matched by the development and diffusion of innovative payment devices and selling techniques including, most prominently, instalment financing. It is not surprising that a pioneer lender in this area was General Motors, that in this way successfully managed to compete with Henry Ford and increase the sale of its cars in the 1930s despite the deep economic depression (acknowledged as the ‘Great Depression’).50

47 48 49 50

Hunt (2005), 11–16; Furletti (2002), 3–6. Furletti (2002), 4. Hunt (2005); Furletti (2002). Calder (1999), 156–208; Gelpi and Julien-Labruyère (2000), 97–112; Kubik (1996) 830–836.

62

Law and Consumer Credit Information in the EC

As a consequence of the changes carried out by the process of industrialisation, local sharing of information became less important, the next necessary step for such industries being the formation of a mechanism to share consumer credit information in different cities and regions of the country. As a first reaction, thus, in the early decades of the twentieth century the National Federation of Retail Credit Agencies was formed, a non-profit association whose task was to facilitate the nationwide sharing of consumer credit information between the cooperative agencies across industries.51 Importantly, towards the second decade of the twentieth century, many federal states abolished or relaxed their usury laws, a key factor that thereby encouraged businesses other than retailers to begin granting credit. The US experienced an unprecedented expansion and diversification of the sources for credit, and banks and finance companies – organisations that were already providing business credit – began to gain a primary role by providing open-ended consumer credit, thus fostering a market for credit that was national in scope.52 Therefore, the demand for credit reports became a consequential need of the explosion of consumer lending. At the same time, new technologies were gradually beginning to make it possible to collect and store more data at less cost, making it faster and more efficient to share information. Hence, also in the case of consumer credit reporting, the same potential for scale economies started to appear. After decades of development by cooperative associations and the rise of new technologies, the fragmented nature of consumer credit reporting began to change in the early 1950s as a number of new companies attempted to achieve scale efficiencies by taking over local non-profit operations.53 What was important about scale efficiencies and new technologies was that these companies became able to operate on a commercial profit-seeking basis. In the aftermath of the Second World War, economic recovery, coupled with the expansion and increasing mobility of the population, boosted consumers’ consumption and, with it, consumer credit. Scholarship often points out that economic growth, together with increased household disposable income, significantly affected behaviour patterns. After the war, the US was the first country where a majority of the population disposed of an income well above subsistence level. Consumers’ aspirations rose, and goods that were once a luxury or non-essential progressively became part of everyday life.54 As previous studies emphasise, ‘the triumph of the industrial society, and the development of a consumer society, had a favourable effect on attitudes to consumer credit’.55 51 52 53 54 55

Hunt (2005), 11; Staten and Cate (2004), 4–5. See also Cole and Mishler (1998). Calder (1999), 156–208; Gelpi and Julien-Labruyère (2000), 97–112; Gup (1976), 210–226. Klein (2001); Trans Union, cit at 13. Calder (1999), 156–208; Gelpi and Julien-Labruyère (2000), 97–112. Gelpi and Julien-Labruyère (2000), 105.

Historical background: the cultural framework

63

Over the same period of time, the next major innovation in consumer credit was the development of the credit card industry, which presented both opportunities and challenges for credit reporting. Not only did the arrival of credit cards have a dramatic impact on the greater participation of banks in consumer lending fostering demand for credit reports, credit cards also made lenders realise the usefulness of the credit history about applicants, thus representing a source of new business for CRAs, particularly for the provision of pre-screening services to card issuers that wanted to know a set of characteristics of potential customer users. In addition, the increasing number of people applying for credit cards made it very difficult both in economic and manpower terms to do anything but automate lending decisions. As lenders began to automate their issuing systems, they naturally quickly came to expect CRAs to develop the same automation. Hence, to meet these changes, CRAs had to both automate and get larger, undergoing a process of mergers and/or acquisitions. In this respect, therefore, CRAs had to respond to those economic and technological changes that were occurring in the US, and that was exactly what they did. For these reasons, business and consumer lending both faced increasing needs for credit data, especially for improved nationwide, multipurpose credit reports.56 As discussed above, however, while business credit reporting was already fairly developed, the same was not the case for the consumer sector. Although the two types of credit were different in that the level of development of business credit reporting was far more advanced, nevertheless the idea behind the two was the same: to provide information to lenders about potential customers. As a result, the optimal and ready solution available to the industry was probably that of transposing the model already effectively developed for business credit reporting into the consumer sector. But consumer credit reporting was more diverse and proved far more controversial. The type of information involved, in fact, was of a personal nature: it had the potential to intrude significantly on personal privacy, it was highly impressionistic, and subject to inaccuracy. In dealing with consumer information, moreover, the previously existing cooperative organisations aroused less suspicion and resentment than did a business operating for profit.57 It is also significant that until 1970, in the case of consumer credit reporting, there was virtually no legal regulation throughout its evolution, and case law referred to business credit. In the absence of statutes, common law was of no help for consumers in a large part because it recognised a privilege that protected CRAs from libel unless the plaintiff could provide evidence that CRAs intended to cause him/her harm.58

56 Gup (1976), 212; Hunt (2005), 14–16; Evans and Schmalensee (1999), 61–84; Thomas (2000), 151; Nocera (1994). 57 Staten and Cate (2004), 6. 58 Olegario (2003).

64

Law and Consumer Credit Information in the EC

The passage of the Fair Credit Reporting Act (FCRA) was one of the events that left an indelible mark on the industry.59 First passed by Congress in 1970, the FCRA took effect in 1971 and for the following 25 years specifically regulated credit reporting, with only minor amendments until substantive changes were adopted in 1996 and 2003 to further protect consumers. From its enactment, it applied only to individuals (not legal persons) and only to consumer credit (not the business or commercial credit) setting forth the rules that govern the reporting activities of CRAs in the US and regulating the way they must interact with creditors and consumers. Looking at the legislative history, the main impetus for its passage was to reduce the widely recognised problems in the content and accuracy of the reports. According to Staten and Cate, in fact: . . . one of the FCRA’s primary goals was to create a regulatory structure that would encourage the creation of credit history files that were factually correct and sufficiently descriptive of a consumer’s credit usage so that businesses could rely upon the information to make products and services more readily available to consumers. Since implementation of the FCRA in 1971, accuracy in credit reporting has been a perennial issue.60 Obviously, the FCRA represented an important piece of legislation for its substantive provisions and the way it regulated the sector. More importantly, though, it began that process of legitimisation that is so crucial for the acceptance of a system by the larger society. A peculiar feature of the credit reporting system as developed in the US consists of its reliance on the voluntary reporting from an indefinite number of lenders providing the credit data to CRAs. Arguably, this voluntary nature of reporting has made the industry particularly sensitive to the costs and limits imposed by legislation. Consequently, since the beginning of the legislative process and debate, the US Congress has been markedly cautious about imposing new requirements on either CRAs or information providers (i.e. lenders) without a clear indication of a problem that necessarily required legislative intervention.61 The FCRA responded precisely to the inaccuracy problems of reporting private consumer credit files within a voluntary system. Ultimately, the law permitted CRAs to collect consumer credit data and assemble credit reports freely. At the same time, the three broad themes that dominated the legislative debate and intervention were highlighted in the preamble of the FCRA:

59 Furletti (2002), 16. 60 Staten and Cate (2004), 2. 61 Ibid, 3.

Historical background: the cultural framework

65

to ensure that consumer reporting agencies exercise their grave responsibilities with fairness, accuracy, and a respect for the consumer’s privacy.62 In this regard, it is important to note that the FCRA has not been the only piece of legislation that has legitimised credit reporting in the US. In 1974, in fact, the enactment of the Equal Credit Opportunity Act (ECOA) ensured the complete acceptance of credit reporting, outlawing discrimination in that all consumers were given an equal chance to obtain credit. What is relevant about the ECOA is that among the factors that contribute to the final decision to extend credit, there is the explicit recognition of credit histories (together with amount of income, expenses and debts).63 In the end, therefore, the ECOA, together with the FCRA, contributed decisively to the legitimisation by law of the use of credit reports for credit granting purposes to consumers. It was not only legislation that shaped credit reporting industry in the US, but also the simple threat of new laws played an important part. In fact, regulation has always been seen as imposing costs on credit reporting systems, not all of them being obvious: depending upon where the regulatory burden is placed, some of them could endanger even the provision of the services, considering that the US system is reported to owe much of its alleged effectiveness to a reliance on voluntary reporting and competitive incentives.64 Thus, it should be taken into account that despite the legislative framework in place, through history many other voluntary industry initiatives and arrangements dealing directly with consumer concerns have been accelerated by the threat of further regulation. CRAs, moreover, have preferred to settle a considerable number of lawsuits brought against them by consumers which, together with the regulatory pressure mentioned above, have led to the adoption of standardised reporting formats and procedures specifically designed and suited to American social relations and culture.65

Consumer credit reporting in Europe Gelpi and Julien-Labruyère have so far contributed the only history of consumer credit in Europe, as well as an account of its different cultural

62 63 64 65

Fair Credit Reporting Act, 1970. Equal Credit Opportunity Act, 1975. Staten and Cate (2004), 52. The lawsuits mainly concerned errors in credit reports and other inaccuracies. The settlement of the disputes (often in the form of agreements with state Attorneys-General or the Federal Trade Commission), as well as the regulatory pressures, forced the industry to voluntarily adopt standard formats and procedures to avoid the reoccurrence of those same circumstances and/or to comply with what was agreed.

66

Law and Consumer Credit Information in the EC

approach, exemplified by the anxiety that indebtedness invokes in many middle-class Europeans and those who govern them.66 The historical and cultural difference in the development of and approach to modern consumer credit – and, most of all, consumer credit reporting – between the US and Europe is best summarised by the authors’ own words: new countries develop new techniques, whereas old countries adapt traditions to suit the times. The history of consumer credit in the United States is almost entirely free of historic influences, whereas Europe, it still suffers from a sort of mental hangover, the result of centuries of bans and taboo. Practices derive from and are explained by age-old traditions.67 Certainly, the historical claim that the history of American consumer credit is free from historic influences may seem to many as ‘shaky’.68 Nevertheless, in Europe until more or less the middle of the nineteenth century, borrowing was largely morally condemned and stigmatised, although money lending through pawn-broking has been a legal activity since 1572. In this regard, pawn-broking represents the ancestor of consumer credit, and has taken various forms alongside the culture and religious beliefs of each country, from the Catholic pious lender organisations fighting money-lending (seen as usury) – the French monts-de-piétés or Italian monte di pietà, public pawnshops controlled by official bodies and designed to help the poor overcome temporary liquidity problems – to the British liberalist free market practice and approach.69 However, pawning differed from consumer credit significantly in at least one essential element: the function of the former is to advance small loans against the security of goods and chattels while, on the contrary, the latter is often a form of unsecured credit and relies on a planned repayment. This is an important feature in money lending (or else, hire purchase) in that secured credit entails no or little risk to lenders. As anticipated, however, European countries have a very different history and cultural traditions in respect of modern consumer credit. Gelpi and Julien-Labruyère give an account of the diverging cultures and traditions in Europe in terms of different mentalities originating from religion: from the protestant reformist countries to the catholic ones.70 Studies on household credit have generally concluded that there is a cultural division between, on the one side, the US and the UK, which are historically open to credit, and on the other side continental European countries.71

66 67 68 69 70 71

Gelpi and Julien-Labruyère (2000). Ibid, 119. Calder (2000), available at http://www.eh.net/bookreviews/library/0286.shtml. Gelpi and Julien-Labruyère (2000). Ibid. Diez Guardia (2002).

Historical background: the cultural framework

67

Thus, as far as Europe is concerned, Great Britain is often seen by continental Europeans as ‘a sort of United States within easy reach of Europe’,72 where the role and development of consumer credit was just as strong as the American one, though at different periods but with the same techniques, and the same broad liberal economic approach counterbalanced by strong influences of consumer protection movements. Accordingly, this latter feature of consumer protection covers essentials such as the morality of the offer and the right to privacy. In this latter sense, it can be maintained that although Great Britain carries the above similarities with the US, at the same time it provides another clear example of the historical difference of ‘European’ consumer credit as compared with the American way.73 In Great Britain, pawning was the most important source of credit for working class households at least until the 1920s, and debts of consumers had already been extensive since the nineteenth century when County Courts already dealt extensively with disputes over petty debts. The development of hire purchase between the two world wars, a model taken from the American example, is explained in terms of being a driving force behind the mass sale of consumer items following industrialisation, and by the fact that it did not come under the dominion of strict money-lending legislation.74 In legal terms, in fact, hire purchase agreements were considered as conditional sales agreements since the hirer had to complete payment of the full price before taking legal possession.75 According to Gelpi and Julien-Labruyère: hire purchase was aimed at a cultured and well-to-do clientele who borrowed to improve their standard of living. There was practically no risk for lender or borrower. For this reason it was distinguished from money lending, and did not come to be regulated by law in Britain until 1938.76 As in the US, little by little modern consumer credit began to take shape, and loans offered by traders, banks and financing companies increased spectacularly. Consumer credit reporting pursued the same path: it followed the development of modern consumer credit, and was a system imported from the US implemented much later in time. As in the US, consumer credit attracted the attention of legislators, and laws were enacted to protect consumers. Unlike the US, however, consumer 72 73 74 75 76

Gelpi and Julien-Labruyère (2000), 133. Ibid. Parker (1990), 25–41; Johnson (1985), 144–192; Tebbut (1984). Crowther L. (1971). Gelpi and Julien-Labruyère (2000), 129.

68

Law and Consumer Credit Information in the EC

credit reporting remained largely unregulated, at least as far as substantive provision was concerned. No laws equivalent to the FCRA or the EOCA were enacted, and credit reporting was left under the provision of existing or impacting regulations that were not expressly designed for consumer credit reporting systems. In the UK, the 1974 Consumer Credit Act – considered as the culmination of intense legislative work encompassing the high development of the British consumer credit market77 – indeed established an early regulation of the credit reporting industry, but it addressed, for instance, neither issues of consumers’ privacy rights nor discrimination. Nor did it deal with delicate issues such as social exclusion, equal opportunities, confidentiality or accuracy, thus leaving its legitimacy still open to debate. Carrying dissimilar views and traditions, continental European countries – particularly France and the Mediterranean ones – saw a very different development of consumer credit regulation, both in terms of the time it was implemented and the cultural and legislative approach. Consumer credit remained for a long time underdeveloped and stigmatised, bearing negative connotations inherited from catholic prejudicial visions of credit and interests (seen as usury), as well as the concept of ‘consumption’, intended as ‘destruction by wasting’. Also, different mentalities about living on savings rather than on credit have often existed, rejecting American attitudes towards indebtedness and, in more general terms, the American way of life. Similarly, the countries of northern Europe, although influenced by various forms of Protestantism and although they all practised loans on interest from early times, have for a long time been influenced by their culture to reject money lending for the purchase of consumer goods as harmful and ostentatious.78 Notwithstanding the forgoing, it is not surprising to see how the European development of consumer credit mirrored the credit practices and business of the US, though with a considerable time lag. In France, as well as in the Mediterranean and northern European countries, as elsewhere in what is today the EC, modern consumer credit has followed the example of the US, and its model has been imported, spreading into every national market. However, the use of consumer credit still differs deeply and varies widely across the Member States of the EC. Differences in national practices and institutions exist in the marketplace notwithstanding the trend and movement towards a European harmonisation of their laws, regulations and administrative provisions.79

77 Gelpi and Julien-Labruyère (2000), 133. 78 Ibid, 133–150. 79 Diez Guardia (2002); Jentzsch (2003a).

Historical background: the cultural framework

69

As this work is attempting to stress, this is arguably the result of diverse cultures: consumer credit, in fact, results from the interaction between household decisions on consumption and savings, two factors largely influenced by the people’s traditions within countries. Recent studies show that consumer credit is very limited in Greece, Italy and the Netherlands, while consumer borrowing stands at comparatively high levels in Germany and the UK and at an intermediate level in France and Spain. They conclude that such differences in credit culture, use and regulatory regimes hamper the development of an integrated credit market in Europe.80 The same considerations could be considered applicable for the less studied phenomenon of consumer credit information systems. As modern consumer credit developed so late, consumer credit reporting systems are a relatively new phenomenon for most countries in the EC, especially when compared with the US. As happened in the US, they inevitably developed years after the introduction and consolidation of consumer credit. As in that case, also in the reporting sector, experiences vary greatly in history from country to country and information systems often developed for purposes other than identifying the creditworthiness of consumers in small credit operations. For example, from the 1950s German-influenced markets (mainly Germany, Holland and Switzerland) designed obligatory debt filing systems managed by bodies related to professional associations as a counterbalance to abuses of market developments by independent credit brokers deliberately passing bad risk customers to lenders just to earn their fee.81 Equally, after the Second World War, public credit registries were implemented in many continental European countries: they were usually managed, directly or indirectly, by the country’s central banks for the prudential supervision of financial institutions (mainly, if not exclusively, banks) in order to control the soundness of the financial system of the country rather than for assessing the creditworthiness of credit applicants.82 Notably, as Chapter 4 of this work will show in detail, this is a key difference that distinguishes and keeps such functions separate from the implementation of a national credit reporting system for assessing the creditworthiness of consumers. In a large number of European countries this meant that with the gradual introduction and expansion of modern consumer credit, the reporting

80 Diez Guardia (2002); Jentzsch (2003a). See also Lanoo and de la Mata Muñoz (2004). 81 Gelpi and Julien-Labruyère (2000), 145. 82 Jappelli and Pagano (2002), 2,028; Jappelli and Pagano (2003). With the exception of Germany, which had already established its public credit bureau in 1934. France followed in 1946, Italy and Spain in 1962, and Belgium in 1967. Consumer credit, moreover, is often neglected from the reporting of public credit registries as not having a significant impact on the balance sheet of banks. See Hefferman (2005), 155–156.

70

Law and Consumer Credit Information in the EC

of all information below the threshold required by law to supervise the banking system was left open to free market forces. As a consequence, the reporting of small sums has been taken over by private organisations that developed a brand new consumer credit information sector on the American model.83 For example, countries like Italy did not have CRAs until 1992 and started to implement consumer credit reporting systems only from then on. Significantly, others like France still do not have a consumer sharing information system in place.84 Overall, as other research has concluded, the cultural differences of European countries affect the typology of existing credit reporting systems, either in terms of modus operandi, design, ownership structure, industrial organisation, or types of information.85 As the next chapter will illustrate, today, in the panorama of the EC, private CRAs operate alone in Bulgaria, the Czech Republic, Denmark, Estonia, Hungary, Ireland, Malta, Poland, Sweden, the Netherlands and the United Kingdom. Private CRAs and public credit registries coexist in Germany, Greece, Italy (where a consortium of credit providers also operates), Portugal, Romania and Spain. In Austria and Belgium, a consortium of credit providers and a public credit bureau coexist. Public credit registries operate alone in Finland (but the operation of the database has been contracted out to a private company), France, Latvia, Lithuania, Slovakia and Slovenia. No credit registries exist in Cyprus (where there is only a bad-cheque list operated by a public authority), and Luxembourg.86 Certainly, each country is a different experience and its own cultural, institutional, and legal features explain this diversity. Yet, all such consumer credit information systems share a crucial common feature: leaving out the public registries designed for the supervision of a country’s financial system – which operate for a different function – the rationale, scope, structure, and design of CRAs were imported and transposed in whole from the system originated and developed in the US, although the culture, history, market integration, past and present legislative history and case law of the latter are unique and differ from those of each one of the Member States of the EC.

83 This was so because the law usually makes the reporting of information above a certain threshold compulsory to public registries, saying nothing about the collection by others of information below such threshold, i.e. it did not forbid it. For a detailed discussion, see below, Chapter 4. 84 Djankov et al (2005), available at http://www.doingbusiness.org/documents/private_credit_ jan23.pdf. 85 San José Riestra (2002). 86 See Table 4, below, p 97.

Historical background: the cultural framework

71

Lessons for the EC from history? The history of credit reporting shows that a strong connection exists between the one developed for the business sector and the one for the consumer credit market. Both developed in the US as a response to the country’s own economic and market changes, reflecting closely the values of its society as it gradually developed into the present one. Business credit reporting originated first: it was an institutionalised evolution of ‘gossip’ to manage the risk of mercantile credit. Consumer credit reporting followed much later, as modern consumer credit evolved in the US in the wake of the industrialisation of durable goods. It incorporated the same logic, structure and design of the system developed for managing the risks of credit in business transactions. However, the transfer and adaptation of such a model from one business sector (the commercial one) to another (the consumer one) not only rely on different dynamics but also rest on different foundations and affect different rights. In the first place, businesses and consumers borrow for diverging reasons and use the money differently: the former use credit to invest (i.e. to create more wealth) while consumers borrow to expend (i.e. to consume wealth). As Olegario maintains, in fact, in contrast to a banking relationship involving consumers, the trade relationship is more akin to a partnership wherein contracts are flexible and open to compromise. This factor is extremely important, because trade creditors have historically been willing to postpone payments when debtors are struggling (say for difficult economic times, tough selling environments, other factual situations, etc.), a flexibility that normally avoids negative credit reporting and that does not usually exist in consumer lending, a sector that is typically targeted at a very broad customer base.87 Such a leeway could arguably be helpful for new businesses to get established or, sometimes, prevent established ones from going bankrupt straightaway. In any event, businesses do not necessarily have to carry with them the stigma of being bad or late payers when factual situations occur, a concession or help that cannot be easily offered to a consumer in reporting his/her behaviour. Also, businesses normally have wider powers in negotiating terms and conditions of credit agreements (big companies being treated as better clients than others), something that consumers are not allowed to do. Many other substantial differences are likely to exist between the two types of credit, the ones mentioned above are not intended to represent an exhaustive list.

87 Olegario (2003).

72

Law and Consumer Credit Information in the EC

Above all, however, what seems to be the most important difference between dealing with legal and natural persons is the most obvious one: consumers are human beings that, as such, benefit from civil liberties and human rights alien to business entities. Therefore, all the differences between commercial and consumer credit suggest that the transplantation of one system to the other brings not only doubts about fitness for purpose, but also concern in its own right. Although the same transfer from one sector to the other took place in the US, what is noteworthy about the European context is that there it did not follow that process of legitimisation that it went through in almost a century of US history. The existing inherent tension between the US historical focus on freedom of expression on one side, and the strong emphasis placed on data protection in the EC, as well as the latter’s attitude towards a tighter consumer protection regime, on the other side, are the best example of a radically different cultural approach towards the problem. As Chapter 5 will emphasise, in the broadest terms the US favours a liberal approach to the collection and dissemination of personal information by the business community, a vision according to which the general economic good prevails. In Europe, by contrast, privacy intends to exemplify not only an aspect of individual selfdetermination, but also the individual’s right to exist in and be accepted by the community where he/she expresses his/her own personality.88 It appears clear, therefore, that consumer credit reporting brings with it concerns that European countries need to contend with, especially in view of an integrated EC single market in consumer credit. This is not, however, all that history may teach about adaptation and legitimisation. In the US, the courts rather than legislatures or official policy makers functioned as instruments by which the larger society exerted control over business credit reporting. By contrast, in the case of consumers, the American legislator intervened with tailored laws that resulted from and offered a solution to the concerns of the larger society. Regardless of the American experience, none of the like happened in Europe where the system has been incorporated into the lending practice of credit markets, without absorbing the cultural drive and industry-specific laws that left an indelible mark on the American industry. Thus, although some considerations could be seen as a matter of supposition, looking at the history of consumer credit reporting one may well reach – at the very least – the same conclusions that Olegario offered in her research about an historical account of the business type of credit reporting, bearing in mind the differences in dates and times between the two. Meaningfully, the scholar writes:

88 MacDonald (2000); Singleton (2002); Jay and Hamilton (2003).

Historical background: the cultural framework

73

Locating the origins of CRAs within a specific time . . . and place . . . demonstrates that the business assumptions upon which CRAs were originally founded were not necessarily natural or universal; they merely happened to have been good innovative solutions to the peculiar conditions that existed in the United States . . . In the intervening time, these assumptions have become naturalized. ... CRAs . . . evolved alongside other important institutions, including the country’s [own] commercial and bankruptcy laws. The agencies had ample time not only to experiment but also to accommodate the demands of the larger culture, which in turn had the opportunity to adjust to the new agencies. A long process of give-and-take occurred among the agencies, the courts, legislatures, the press, and the public before CRAs became deeply embedded in US business culture. A historical perspective makes clear that efforts to transplant CRAs . . . involve risks. An institution whose underlying assumptions were forged in the frontier United States may not be compatible with the institutions and cultures of countries that have different historical traditions. Transplanted institutions are often not given the time to adjust because both policymakers and entrepreneurs feel pressure to demonstrate their effectiveness as quickly as possible.89 All the more, the author’s cautions provoke a greater degree of unease if consumers are involved, especially in the context of the EC with its own cultural values and legal traditions. For example, the next chapters of this work will attempt to show that when balancing the reporting practice that has developed from the US vis-à-vis the right to privacy, it would be hard to accept the sacrifice of established civil liberties over a business whose history demonstrates that it was originally founded on assumptions that are not necessarily natural or universal. US-style CRAs evolved alongside the American institutional structure, court decisions and its legal framework, important circumstances that shaped the industry and people’s acceptance through history. Did the same happen in Europe where the driving traditional values are the privacy of personal financial transactions and the corresponding laws (for example, bank secrecy and data protection), often exacerbated by the cultural stigma associated with borrowing, indebtedness, and difficulties in re-payments? In summary, the history of credit reporting provides a vivid example of how a country’s own societal, behavioural and regulatory norms may shape a business and its serving institutions. In both business and consumer credit reporting, CRAs had their origins at a time and in a place whose unique

89 Olegario (2003), 117–118.

74

Law and Consumer Credit Information in the EC

circumstances have long since ceased to exist. Arguably, all such experiences have been denied to the European transplanted institutions – the extent of which surely depends on the particular country where they operate. In many circumstances, CRAs are hardly compatible with the cultures of countries that have different institutional traditions. A significant number of Member States operate public credit registries. However, these public institutions managed by central banks or other states’ regulatory authorities provide a public service in the prudential supervision of the whole banking system of a country. As will be better explained later in this work, such a public function is alien to CRAs that are designed to provide services in the interest of a large variety of lenders that includes, but is not limited to, banks. Thus, public credit registries have a legal basis for demanding the collection of information, providing an exception to data protection legislation and bank secrecy obligations. In fact, the sacrifice of personal privacy to the public interest is embedded in European culture and law, a circumstance that could not be transferred to the activities of private CRAs that operate for the profitability of lenders. On a different level, the US experience shows how consumer credit reporting transformed CRAs from not-for-profit to profit-seeking organisations. This process was facilitated by the gradual social acceptance of the reporting of personal information to access credit. Profit-seeking CRAs turned private financial information into a commodity that could be potentially accessed by anyone willing to pay for it. Arguably, this causes little or no harm in a society that has legitimised and entrenched in its culture such a system over a long period of time. By contrast, in a society that places a strong emphasis on data protection, secrecy over banking transactions, and the stigma around debt this may be harder to accept sic et simpliciter. Rather, one would expect that even assuming that CRAs do really provide an essential service to the whole financial system, this should occur without making money over the privacy of individuals, as happens with the reporting of information to State Authorities for the prudential supervision of the banking system.

Concluding remarks Building on existing studies, this chapter has attempted to offer an original contribution to research by providing an understanding of the evolution of the consumer side of credit reporting in the EC together with its cultural baggage, anticipating possible threats that are likely to be associated with it. Ultimately, the goal is to suggest that in Europe, consumer credit reporting did not go through any legislative and institutional legitimisation to adapt to its social context and – as better explained in the following chapters – adjust to the strong value placed on data protection. Understanding a foreign system developed within a foreign culture and legal process is very useful and, at the same time, would not be possible without respecting it. Indeed, debates as to the rightfulness and efficiency of a

Historical background: the cultural framework

75

particular system and the legal context in which it operates should be promoted in order to understand and create awareness of the relative value of the solutions adopted as well as the reactions of the law. By contrast, it seems that in Europe the promotion and adoption of the consumer reporting model took place disregarding the existing socio-cultural diversities and legal traditions. This chapter has attempted to demonstrate that in Europe CRAs weren’t given the time and public debate to adapt to the cultural environment, circumstances and process of legitimisation that local conditions would have required in order to deal with concerns over the lawfulness of their activities, as well as issues of social and political interference. Rather, they were forced to prove their effectiveness and success immediately, just as when a model that is successful elsewhere is imported. They lacked the same recognition and legitimisation that proved so vital in the US and that allowed them to gain acceptance by American society, becoming embedded in today’s national culture. The lesson that American history provides is that consumer credit reporting was the result of its culture, and it cannot be easily reproduced elsewhere, especially without taking into account the complexities and problems that may arise from the mismatch between legal and social cultures. Different cultures and traditions should at least be respected. Therefore, the cultural argument may prove a useful one to induce the competent European authorities to pay attention to the problems that may take place when institutions are transplanted but fail to gain social recognition. This is particularly so when transplanted systems interfere with the everyday life of individuals and their established rights. In this respect, the US has thought of another important lesson: that the regulatory environment of credit reporting through industry-specific legislation could stem consumer concerns and promote legitimacy, accuracy, fairness and acceptance. Obviously, this does not mean that the EC should reproduce the same laws and institutional arrangements of the US. Rather, as Chapter 7 will suggest, it should shape its own model, taking into account its cultural baggage made up of institutional and legal features, without neglecting the contemporary needs posed by an EC integrated market in consumer credit where consumers receive adequate protection. In the following chapters, this work will attempt to identify precisely the legal framework of consumer credit reporting systems in the context of the EC and their compliance vis-à-vis the positive law, investigating to what extent concerns over consumer protection and civil liberties violations have been addressed so far in their transplantation and integration in the credit granting practices of Europe.

4

The institutional and legal standing in the EC Is the EC missing a chance?

Introduction Previous studies concentrating on consumer credit have pointed out how, in the various European countries, cultural and legal differences affect the typology of the existing industrial organisation of the EC Member States’ national credit markets and their institutional structure.1 Obviously, this strongly influences the configuration of consumer credit reporting industry across Europe, resulting in the fragmentation and segmentation of its markets. Hence, this chapter presents the state-of-the-art of consumer credit information systems within the European Community, investigating whether and to what extent there is or could be a European dimension in view to a forthcoming completion of a single retail credit market. As well as offering an insight into the credit information sector and capturing the major differences between national systems, stressing their implications for the industry and the legal framework in which it operates, the purpose of this investigation is also to establish whether there is a European system of cross-border exchange of information to support a single European market in consumer credit. Once the current panorama of the varying arrangements across Europe has been examined, the next step of the exploration is to determine the legal standing of consumer credit reporting to date. Indeed, identifying such laws is the necessary preparatory activity that this work needs to carry out before committing itself to the legal analysis regarding the compliance of such systems to the positive law and its adequacy to contend with consumer and civil liberties concerns. To reach its goals, this chapter is organised as follows. The second section overviews European credit markets, as their structure and functioning necessarily mirror the information-reporting arrangements in place. 1 Mercer Oliver Wyman (2005); San José Riestra (2002), 5; Jentzsch and San José Riestra (2003), 8, also in ‘Consumer Credit Markets in the United States and Europe’, in Bertola et al (2006).

78

Law and Consumer Credit Information in the EC

Building on the findings of the above overview, the third and fourth sections identify those elements that are peculiar and distinctive to credit reporting, in terms of either institutional structure or industrial organisation, with the objective of assessing the features that pertain exclusively to the information distribution industry. In sequence, the fifth section examines whether there is a European dimension for the cross-border exchange of consumer information and its advancement. The obstacles and problems facing the European information market are presented in the sixth section, as well as the structural difficulties that appear to shape the European reporting industry. The final four sections survey the existing legal framework and standing in the European Community, attempting to identify the laws that impact on and regulate the functioning of consumer information-sharing arrangements at Community level. The detail of single national provisions of law, though summarised in a table for the purpose of overview, will not be discussed, as this would require an in-depth and lengthy analysis of its own that is worthy of attention separately elsewhere. The objective of these sections is rather to identify the positive law across Europe without entering into the detail of its provisions. This, in fact, will be provided later in this work. Also, it is not the aim of this chapter to make an assessment of the legal framework so identified, as this will be the subject matter for a separate analysis later. Inevitably, however, some comments and conclusions about the applicable legislation will arise at this stage, particularly when assessing the degree of the relevance of each law and the advancements of existing legislative proposals.

European markets in consumer credit As extensive economic research has recently demonstrated, European credit markets are far from being integrated, a conclusion derived from the existence of a number of legal barriers among the Member States, as well as several integration indicators such as real price and interest differentials, the absence of cross-border lending, poor market penetration by foreign lenders, the existence of large differences from country to country in the extension of consumer loans, differentials in demand, business models, language, and consumers’ cultural and psychological factors in the use of credit.2 Likewise, natural and legal hindrances have been shown to be a major reason for the diversity of credit market structures across Europe. On the one side, there are natural barriers that limit market integration although the EC legal framework aims to grant the same conditions to all lenders for entering foreign Member States’ markets. These barriers have

2 Ibid; see also Weill (2004), 3–6; Crook (2003); Guiso (2003); Lea et al (1995); Diez Guardia (2002), 7; Lanoo and de la Mata Muñoz (2004), 3–4; Buch (2000).

The institutional and legal standing in the EC 79 been identified as language, geographical distance, culture and consumers’ preference for local lenders.3 On the other side, the low level of market integration in the EC has also been explained in terms of legal obstacles, exemplified by the existence of different national legislations or regulations applicable to consumer credit in the various Member States that impede financial institutions from entering foreign EC markets, or else increase the costs of doing so.4 Until the 1970s, banking and financial services activities in the EC Member States were heavily regulated at a national level. For instance, controls were in place both on interest rates and credit growth as part of an anti-inflationary policy based on the control of money supply. Since the beginning of the 1980s, however, the regulatory framework governing consumer credit has undergone a deep transformation both at national and at Community level. Financial sector reforms have included the liberalisation of cross-country capital flows and the deregulation of domestic capital markets, ultimately having the scope of liberalising the provision of financial services and increasing competition. The removal of capital movement restrictions, the establishment of a harmonised framework for financial services and the enactment of a directive for consumer credit all seemed steps towards an integrated credit market.5 Yet the present diversity in national legislations on consumer credit has been blamed in part on the enactment, then subsequent application, of Directive 87/102/EC for the approximation of the laws, regulations and administrative provisions of the Member States concerning consumer credit.6 This results mainly from the adoption in the directive of a minimum harmonisation approach, coupled with consumer protection provisions. Accordingly, EC Member States are entitled to impose stricter national laws than that established in the directive, provided that the minimum standards therein established are incorporated into those national laws. At the same time, the bulk of consumer protection rules remained the responsibility of the various Member States, which have shown different approaches and levels of sensitivity to such issues, ranging from the minimum to the highest levels of protection.7 Thus, as stressed in recent research conducted by the CEPS: the introduction of a minimum harmonisation clause in Directive 87/ 102/EC allowed Member States to provide a higher level of consumer protection in the field of consumer credit than that established in the Directive. In many cases, national legislators have used this opportunity 3 4 5 6 7

Buch (2000); Weill (2002); Lanoo and de la Mata Muñoz (2004). Ibid. Diez Guardia (2002); Mercer Oliver Wyman (2005). Consumer Credit Directive 87/102/EC – OJ L 042, 12/02/1987 p 0048–0053. Diez Guardia (2002); Mercer Oliver Wyman (2005); Lanoo and de la Mata Muñoz (2004).

80

Law and Consumer Credit Information in the EC and consumer credit legislation has largely been re-nationalised. This move has resulted in a complex fragmentation of consumer credit regulations throughout the EC. . . . Consequently, with Directive 87/102/ EC, the legislation on consumer credit under the minimum harmonisation clause has limited the development of the EC internal market and reduced the possibilities of expanding the consumer credit business across Member State frontiers.8

Although the strengthening of consumer protection was added as an objective of European harmonisation for market integration, this has been done so far with limited success in the area of consumer credit.9 Reportedly, however, the consequences of Directive 87/102/EC and the different levels of consumer protection are not the only legal impediment to market integration. Other national practices and relevant legislation that do not follow under the scope of the directive are deemed to affect the business of consumer lending, also with the result of influencing the lenders’ strategies in foreign EC markets. The best reported example is in the area of personal bankruptcy. While on the one hand some Member States such as the UK, France and Germany have introduced legislation to regulate the issue, on the other hand the same concept and approach are alien to other jurisdictions such as Italy or Spain, where an individual can never be declared bankrupt by law.10 Another common example may be identified in legislation concerning the cost of credit and the prevention of usury. As the control of maximum interest rates is an aspect that has been left at the national level, in most Member States interest rates cannot exceed a maximum rate established by law (a so-called ‘objective control system’ approach in the fight against usury), while in other Member States the usury rates are determined by subjective case-by-case decisions of the national competent courts that in this way exercise a control over usury practices a posteriori (the so called ‘subjective control system’).11 Accordingly, such regulatory differences also have a negative influence on the market behaviour of lenders that face difficulties and costs in adapting to radical changes, as well as an adverse impact on the attitude of consumers towards credit.12 Finally, other impediments may be found in the different degrees of

8 Lanoo and de la Mata Muñoz (2004), 5–6. 9 Reference could be made, for example, to the failure to date to agree on proposals for the new consumer credit directive. See also Mercer Oliver Wyman (2004). 10 Lanoo and de la Mata Muñoz (2004). 11 For example Italy, France, the Netherlands and Belgium have an objective control system in place, while the UK and Germany rely on a subjective control system (source: Diez Guardia (2002), Table AA2, 57). 12 See also Diez Guardia (2002).

The institutional and legal standing in the EC 81 efficiency of national judiciary systems and differing credit collection laws and practices across the EC.13 As a result of the above-described fragmentation of the European credit markets, not only has consumer credit so far developed differently from one Member State to another, but it has also done so at a different pace for different organisational structures. Overall, therefore, it is not surprising that these differences are reflected noticeably in the consumer credit reporting sector, which has mirrored the development of the underlying credit markets and has concentrated on domestic markets, neglecting both the European dimension and any cross-border exchange of data. Alongside this uneven development in consumer credit, however, the information distribution industry seems to present peculiarities of its own in relation to the institutional structure serving the markets and the industrial organisation.

Institutional framework From an institutional point of view, the main differentiating factor on how credit registries operate across Europe could be grouped under two main categories based on ownership: (a) privately owned CRAs; and (b) Public Credit Registries (PCRs), generally managed by central banks or other national supervisory authorities.14 As is shown in Table 4.1 below, the state of affairs in the EC appears to be a mixed one: while in certain markets only PCRs operate, in the majority of them the consumer credit reporting business has been left to free market forces. In some Member States, however, PCRs and CRAs coexist. The little literature available rightfully concentrates on this distinction in the ownership of the organisations managing the databases to explain the uneven development of consumer credit information systems in Europe. (a) Private CRAs The role and activities of CRAs have already been dealt with above in Chapters 1 and 2 of this work. In this section, therefore, only those features that are relevant to compare the two types of organisations serving the market will be taken into account. Consumer credit information systems in the EC consumer credit markets are in most cases privately owned, normally in the form of independent forprofit companies with no restrictions on the type of shareholders, which may be either banks or other financial firms, as well as any other third-party

13 Guiso (2003); Lanoo and de la Mata Muñoz (2004). 14 See Miller (2003c).

82

Law and Consumer Credit Information in the EC

market players with no limitations of that kind. After all, in such circumstances CRAs are profit-seeking incorporated private companies that are subject to the same rules and regulations as every incorporated company doing business in the marketplace. On limited occasions, however, the databases are managed by associations owned either by professional unions of credit providers or by a pool of credit providers themselves. In such cases, third-party entry in the business is prevented and the activity may only be carried out on a not-for-profit basis. Typically, CRAs have a broad range of client members, from banks to non-bank lenders, including a wide array of businesses and agencies. As anticipated in the earlier chapters, consultation of CRAs databases by lenders is not mandatory by law prior to the underwriting of credit, and is carried out on a voluntary basis. Crucially, as participation by lenders in a privately owned consumer credit information system is not compulsory, the rules relating to the functioning of the system itself are not imposed by law or regulation but are contracted in a typical supplier–client relationship. The negotiating power of a lender changes from country to country depending on a number of factors including, for example, competition in that market and/or maturity of the system (i.e. whether the CRA is a start-up activity with no or few client members or a well established one with wide market participation, as well as other conceivable situations in between). As noticed in Chapter 1, CRAs also provide their clients with related additional services, in particular statistical models to produce and sell credit-scoring services by which they rate borrowers according to their credit history and their (believed) profile derived from the processing of information from different data sources. Where a wide range of data is available, the models may be intensively and increasingly used for purposes other than the assessment of borrowers’ creditworthiness, for example scoring customers to promote financial products, price loans, manage credit limits, etc. As in every private sector market economy, where companies are driven by the need to make profits and prevail over competitors, CRAs are continuously persuaded to study, develop and commercialise new products or services in order to retain their existing clients and/or acquire new ones, thus using data mining techniques on credit reference data and other data sources at their disposal – personal data are, after all, their core business and asset. (b) PCRs The picture illustrated above changes in those countries where public authorities have taken an active role managing credit registries. The Committee of Governors of the European Central Bank defines PCRs as information systems ‘designed to provide commercial banks, central

The institutional and legal standing in the EC 83 banks, and other regulatory bodies with information about the indebtedness of firms and individuals vis-à-vis the whole banking system’.15 PCRs are institutions typical of continental Europe, where they first originated and developed with the objective of providing an information system for supervisors to analyse financial institutions’ (banks!) portfolios. Reportedly, Germany established the first PCR in 1934, followed by France in 1946, Italy and Spain in 1962, and Belgium in 1967.16 Although PCRs operate in many respects like the privately owned CRAs, substantial differences exist between the two. As in the case of private CRAs, there is a two-way flow of customers’ credit data between the credit grantors and the PCR. However, the key difference between PCRs and CRAs is that the former are generally managed by central banks or other states’ regulatory authorities. Essentially, financial institutions that are under the supervision of a country’s central bank or supervisory authority are required to report certain credit data on a regular basis to the PCR by law or other regulation. Thus, as participation in a PCR is compulsory, its rules are imposed by law or regulation, not under contract as occurs with CRAs.17 Equally, PCRs have a legal basis for demanding that reporting lenders remedy eventual inaccuracies or make available missing data. Failure to comply results in sanctions that, by law, PCRs may impose (generally, penalty fees followed by supervisory actions).18 Indeed, as this work will attempt to demonstrate in the following chapters, such mandatory reporting and rules of participation represent a fundamental difference between a PCR and a CRA and have a decisive impact on the legal standing of consumer credit information systems. From the concise description provided hitherto, it appears clear that the information collected by PCRs serves mainly two purposes: (1) to conduct the prudential supervision of banks, monitoring the health and soundness of the overall financial system of a country; and (2) to assess and monitor the indebtedness of borrowers, both legal and natural persons. The first purpose means that PCRs exercise a public function by furthering the general stability of the banking and payment system. As such, only banks participate in the system and are subject to the underlying rules, unlike CRAs, which also take in non-bank lenders as client members. This public function is alien to the information sharing systems of CRAs that are designed to provide services in the interest of the profitability of a larger variety of lenders that includes, but is not limited to, banks. In this respect, CRAs’ databases are accessible by an indefinite number of potential client members, as they are conceived as open systems with the additional incentive 15 16 17 18

Jappelli and Pagano (2003). Miller (2003b). Jappelli and Pagano (2000); Jappelli and Pagano (2005), also in Bertola et al (2006), 347–371. Miller (2003b).

84

Law and Consumer Credit Information in the EC

of bringing an increasing number of subscribers into play to respond to competition pressures. In a different way, the element above marked as (2) leads to another important difference between PCRs and CRAs, namely, that PCRs have universal coverage of all loans above a threshold amount determined by law or regulation (such threshold varies from country to country); and the information consists of credit data disseminated in a consolidated form. This means that, unlike CRAs, lenders have access to the total loan exposure of each borrower, there is no detail on individual loans, and no merger with other personal data or data mining occurs.19 Evidently, legislators did not consider information about credit operations below a certain threshold (i.e. small loans and other credit that constitute what today is referred to as ‘consumer credit’) either as a threat to the prudential supervision of a sound national financial system or a concern in relation to indebtedness, ‘since small loans have little impact on system solvency or risk’.20 In reality, the number of incidents where retail loan defaults have had serious consequences for a lender and, consequently, the financial system, is trivial. If ever, this may occur if a lender is over-exposed in one area of large sum lending such as mortgages, and market circumstances are such that property prices collapse at the same time as interest rates rise.21 In those countries where PCRs and CRAs coexist, the threshold also demarcates the market segment below which CRAs operate without the lenders having the opportunity to turn to PCRs, while the same cannot be said for the provision of information above such a threshold.22 This segmentation, in fact, also enables CRAs to collect and store information about operations above the threshold (in detail, rather than in the consolidated form as PCRs do). This is possible because the law, which makes their communication compulsory to the competent PCR, says nothing about their collection by others, i.e. it is not forbidden. Distinctively, in this upper market segment, CRAs are able to collect and provide their member clients with information with a precise degree of detail (for example, particulars of each line of credit a borrower has with reporting lenders), as opposed to the consolidated form that PCRs provide by rule of law or regulation. Again, this advantage is possible as CRAs are not bound by the same rules that fix the functioning of PCRs.23

19 Jappelli and Pagano (2000), (2005). 20 Miller (2003b), 39. 21 Hefferman (2005), ch. 3.6. It should be noted, in addition, that even in the unlikely event of such an occurrence, banks minimise exposure and the risk of failure through asset securitisation and/or the use of credit derivatives, complex financial operations where third parties – usually market investors – assume responsibility for the credit risk of the securitised assets. See ibid, ch. 2. 22 This, of course, unless a specific law prevents them from doing so. 23 See Jappelli and Pagano (2000), (2005).

The institutional and legal standing in the EC 85 All the differences between CRAs and PCRs outlined above have induced some to argue that rather than being simple substitutes, the two seem to be complementary parts of a country’s whole credit reporting system.24 While it seems undisputable from all the features discussed above that PCRs and CRAs cannot substitute each other because the formers exercise functions in the public interest that the latter are not entitled to perform, whether CRAs are complementary to PCRs is doubtful and open to debate. Such an issue, in fact, would raise difficult questions and complex legal issues such as, for example, the relevance, adequacy and compliance of the existing legal framework with the arrangements and mechanisms in place, concerns over the privacy and right of individuals not to be discriminated against, the powerful and arbitrary positioning of privately owned companies such as CRAs in modern society, the real connection between credit reporting and the predictability of human behaviour, etc. Debates of the like are critically important, and will form the subject matter of further separate analysis in the coming chapters. Leaving such debate aside on this occasion, what is noteworthy for the present discussion is that the absence of market integration in consumer credit, coupled with differences in cultures, traditions, organisation, institutions and laws (where PCRs exist), have contributed markedly to the uneven development and multi-layered segmentation of consumer credit reporting systems within the EC, surveyed in Table 4.1 below. Also, an important feature that may be observed from such a fragmented picture concerns the differences in the type of information collected from country to country. Table 4.1 below shows that the majority of credit registries (CRAs and PCRs) in the various Member States collect and disseminate both positive and negative information, while a smaller but still significant number of them limit the collection and dissemination of only negative information.25 This represents a very important feature in the design of a system and, as Chapter 7 will later discuss, may carry with it implications for the privacy issues involved. As observed by others, what at any rate seems certain is that ‘due to the variety of institutions, Europe provides an interesting setting to study the characteristics and effects of information sharing mechanisms’.26

European consumer credit reporting markets Within the context of the institutional organisation described above, while most countries have just one large CRA dominating the market, some

24 Jappelli and Pagano (2000), (2005). See also Jentzsch (2005). 25 For the distinction between positive and negative information see Chapter 1 above. 26 Jappelli and Pagano, op. cit. at 17, 81.

86

Law and Consumer Credit Information in the EC

Table 4.1 Consumer credit information systems in the EC Country

CRA or Consortium of credit providers and associations

PCR (Consumer data)

Austria

X* Positive & Negative X*

X˚

Belgium Bulgaria Cyprus*** Czech Republic Denmark Estonia Finland

X** Positive & Negative None X** Positive & Negative X* Negative X**

X*† Negative X* Negative

France Germany Greece Hungary Ireland Italy Latvia Lithuania Luxembourg˚˚˚ Malta Poland Portugal Romania Slovakia Slovenia

X* Positive & Negative X** Positive & Negative Bad-check list only˚˚

X* Positive & Negative X†† Negative X** Positive & Negative X* Positive & Negative X* Positive & Negative

None X*** Positive & Negative X** Positive & Negative X* Positive & Negative X** Negative

X˚ X

X X** X** None

X* Positive & Negative X** X** X**

The institutional and legal standing in the EC 87 Spain Sweden The Netherlands United Kingdom

X* Positive & Negative X* Positive & Negative X* Positive & Negative

X* Positive & Negative

X* Positive & Negative

Sources and notes ˚ Jappelli and Pagano (2003). ˚˚ Miller (2003b), 25–80. ˚˚˚ Mercer Oliver Wyman (2005), 22. * San José Riestra (2002). ** Data obtained by the author directly from the World Bank/IFC. *** CreditInfo Group, http://www.creditinfo.com/ † In Finland the operation of the public credit registry has been contracted out to a private company. †† Tiresias, http://www.tiresias.gr/.

Member States have two or (exceptionally) three companies competing on the same national market. It should be observed that a common trait shared by credit information systems is that, in economic terms, they are natural monopolies, in that the extension of a system’s coverage itself enhances its effectiveness. In fact, they are dependent on network structures within which information is traded, where the participants that share the information constitute such a network.27 As Chapter 3 has shown, indeed, the need to achieve economies of scale with nationwide market coverage was the main reason behind the concentration process that occurred in the US after an initial period when numerous CRAs spread over the nation’s territory to serve local business communities.28 Economic research describes networks as a form of industrial organisation and market governance. Jentzsch extensively explains their functioning: The architecture of the network is constituted of the number of participants as well as the symmetry (or asymmetry) of data flows between them and the system of information flows. . . . Information diffusion and its efficiency are influenced by the network architecture and the channels; hence architecture influences economic outcomes. In this context, information is at the same time integrated in vertical networks (as part of the value chain) as well as in horizontal networks (exchanges among different firms of the same industry). . . . In credit reporting markets, the information flows among agencies, information suppliers and consumers constitute such a network of 27 Pagano and Jappelli (1993). 28 Ibid. See also Olegario (2003).

88

Law and Consumer Credit Information in the EC information which reveals strong feedback effects: its value increases as more creditors are connected to it. An increasing number of data sources produces a more detailed profile of the data subject and in turn enhances the risk prediction capabilities of the interconnected participants. The contributions of an increasing number of data sources will almost inevitably . . . increase the flow of information among the agents. . . . [T]he more the network of one agency increases, the more attractive it will be for potential participants leading to considerable bandwagon effects and network externalities.29

As the author ultimately clarifies, thus: . . . scale and scope effects also affect coverage, which has the propensity to universality. The more sources are connected to the network, the more detailed becomes the credit report and the more precise may become the risk prediction.30 In summary, the very nature of the credit reporting business demands that the success of the system depends on its broad extension, otherwise it is of little or no use. This, however, does not necessarily imply that competition in the sector is absent. Certainly, for the reasons just explained, the credit reporting sector is a peculiar one, and in several countries only one system is in place. However, some other countries are experiencing competition. A precondition for this, of course, is that the business must be left to private sector forces, although this does not guarantee per se a competitive market. In the type of market described, with such a homogeneous product and service, CRAs may compete only on price, coverage rates and data quality.31 For the reasons explained above, therefore, the real ground for competition among CRAs seems to shift from the core activity of distributing consumer information to the additional services that they offer, which are built on the secondary uses of the data, for example credit scoring and marketing.32 As a result, the experimentation and development of new products and/or services – based on data mining, manipulation, and further uses of the data – play a very important domestic competitive role. Indeed, due to the specialist knowhow and experience involved, the battlefields for competition among CRAs appear nowadays to be those international markets where credit reporting is not present or is at the embryonic stage (mainly the emerging economies) – whether alone or in partnership with local players, these latter ones being

29 30 31 32

Jentzsch (2003a), 30–31. Ibid, 36. See Jappelli and Pagano (2000), (2005). See Chapter 1 above.

The institutional and legal standing in the EC 89 usually very helpful in establishing the commercial relations necessary to gain the widest possible participation in the system. In the end, therefore, from the observation of the industry it may be argued that the unequal development of consumer credit from country to country, coupled with the peculiar competitive structure of the industry, has resulted in the establishment of national markets that rely on monopolies or, in a few cases, oligopolies.

European cross-border exchange of information Arguably, the fragmented market structure in consumer credit reporting pictured so far has played an important part in the poor exchange of information among European consumer credit registries. At present, in fact, this occurs only at an embryonic and marginal level between a handful of countries. This leads to the consideration that to date Europe still has an underdeveloped consumer credit information structure. Although the EC has clearly expressed the political desire and drive for maximum harmonisation in the consumer credit sector, exemplified by the draft of a new proposed directive, it is difficult to predict whether, when, or to what degree there will be a truly integrated European single market.33 Nevertheless, at present it is already apparent that for years an increasing number of people from the Member States are circulating within the EC and more are likely to follow, in the exercise of their right of either freedom of movement or of freedom of establishment in another Member State.34 Such mobility of nationals of the Member States within the EC – together with the recent introduction of the Euro currency that has started to remove at least one barrier to a more open credit market among the participating Member States – has enhanced a limited tendency in cross-border data exchanges. In the analysis of this phenomenon, however, once again CRAs and PCRs need to be kept separate as no interaction between the two can occur. (a) CRAs As far as CRAs are concerned, this tendency has resulted in the development of bilateral alliances between some of them operating in a few Member States, exchanging consumer data by virtue of a two-way flow of information between each other that relies on private contracts between private parties. In other cases, by contrast, few major multinational Anglo-Saxon CRAs have opted for a country-by-country market penetration strategy and are 33 See below at p 122 of this chapter the Proposal and Amended Proposal for the new consumer credit directive, referenced at 70 and 76. 34 Workers – Arts 39 (ex Art 48)–42 (ex Art 51) Treaty Establishing the European Community. Right of Establishment – Arts 43 (ex Art 52)–48 (ex Art 58) Treaty Establishing the European Community. Further discussion is provided below in Chapter 7.

90

Law and Consumer Credit Information in the EC

extending their operation by setting up subsidiaries (or other legal entities) abroad or through mergers and acquisitions of existing compatible entities, thus being able to pool information across company groups. Also, it is worth mentioning that the Association of Consumer Credit Information Suppliers (ACCIS) is working for the establishment of a network of CRAs across Europe under a project of difficult realisation called the ‘Key Factor System’, which would ideally provide lenders with access to cross-border records through their national CRA.35 The outcome of the project would be a solution by which lenders merely require one connection to their national CRA. The system would grant financial institutions with access to cross-border records about a foreign consumer and input the data about the new credit line in their domestic CRA. Thus, the newly generated credit data would always be maintained in the home country of the credit provider and the relevant national CRA. The national CRA in question, then, would inform the corresponding foreign CRA, which would incorporate the data entry also in its database.36 (b) PCRs As far as PCRs are concerned, so far their function has been considered almost exclusively a domestic public policy issue, even though an inclination towards international cooperation is slowly starting to take place in what remains an area with an underdeveloped cross-border data exchange. To date, however, this nascent form of data exchange does not involve consumer credit information in any way. A recent research paper reports that PCRs in Europe have started to work together in the so-called Working Group on Credit Registers (WGCR). The Group – which is part of the Banking Supervision Committee of the European System of Central Banks – has finalised a plan for a pan-European data exchange among the PCRs of Belgium, Germany, France, Italy, Austria, Portugal and Spain as well as representatives of the European Central Bank. As reported, the plan consists in the creation of: . . . a reporting system that allows data exchange on a regular basis. The credit register of country A will then receive information from the register in other countries on borrowers who also have debt in other European countries. . . . National financial institutions, on the other hand, are

35 See http://www.accis.org/. ACCIS is a member association that brings together 26 CRAs in 19 European countries. Its key functions are to promote, protect and preserve the common interest of its members, including in particular the representation and advocacy of member interests vis-à-vis governments, the public and other third parties. 36 European Credit Research Institute, ECRI Consumer Credit Newsletter, issue no 5, 2002, 6–7 available at http://www.ecri.be/HTM/newsletters/newsletters.htm.

The institutional and legal standing in the EC 91 supposed to gain access to borrower information of other countries via their own credit registry.37 Although this undoubtedly represents an embryonic form of cross-border exchange of information on loans, for the time being it has no relevance of any kind for the consumer credit sector, once again denoting a frequent confusion or lack of distinction that occurs in the literature of the subject about the essential difference between business and consumer credit reporting. The cross-border data exchange, in fact, is intended to provide information to financial institutions across Europe only about the indebtedness of their corporate customers as stored in other PCRs. As explicitly documented by the Deutsche Bundesbank (the Central Bank chairing the WGCR), in fact: . . . data on the total amount of loans taken up will be available for each of the participating countries as well as on an aggregated basis. The data will also provide a breakdown into asset items and off balance-sheet transactions. There will be no cross-border exchange of information on loans to individuals (emphasis added).38 The major problems behind the creation of interfaces among the consumer credit information systems of the existing PCRs seem to be the different designs regarding coverage, reporting thresholds, type of information reported and privacy protection clauses.39 Why PCRs would limit their cross-border data exchange on the grounds of privacy legislation while CRAs seem to operate undisturbed is hardly explicable and indeed it may rather be exactly the opposite. This, however, should represent a matter of separate discussion elsewhere in this work for the policy considerations that it entails.40 Supposedly, in any event, these latter substantive problems are said to be compounded by the inertia that is often typical of public organisations which operate under low budget constraints and lack the competitive pressure of the private sector, an argument that suffers from the prejudice attached to public management as if central banks and other regulatory authorities were inefficient by definition.41

37 Jentzsch and San José Riestra (2003), 22–23. Also in Jentzsch (2003a), 45. 38 Deutsche Bundesbank, ‘EU central banks open their registers for the cross-border exchange of information on loans to enterprises’ Press Release (Frankfurt am Main, 7 June 2005), available at http://www.bundesbank.de/download/presse/pressenotizen/2005/20050607bbk1_ en.pdf. 39 Jappelli and Pagano (2000), (2005). 40 See below, Chapter 7. 41 Jappelli and Pagano (2000), (2005).

92

Law and Consumer Credit Information in the EC

Structural impediments for a European single market Existing studies identify the need for a European single market in consumer credit and the creation of cross-border credit opportunities as the main factors in the need of cross-border exchange of information among information systems. According to these studies, however, the cross-border exchange of information remains hampered by an alleged reduced mobility of retail borrowers outside their own country. Therefore, banks and other financial institutions still would not have sufficient incentive to extend such an exchange. In short, supply–demand restraints would explain the existing underdeveloped information structure in Europe.42 This analysis, however, seems to neglect/omit a number of other deeper reasons behind the marginal interconnection of existing consumer credit reporting systems. It is not within the scope of this work to investigate or discuss whether the scale of mobility of individuals within the Community is still too small or, rather, it is increasing to significant numbers stimulating the demand side of the business. What at any rate seems evident for this discussion is that the described absence of market integration, coupled with the diversity in national market structures, industrial organisation, and institutional arrangements make it difficult to exchange information between the various institutions serving national markets. On the one hand PCRs and CRAs have to remain separate for structural and legal reasons, making the exchange of information impracticable between them and, therefore, among certain countries (i.e. those with only a PCR and those with only one or more CRAs). On the other hand, moreover, the private sector alone reveals structural limitations of its own. The aforementioned Key Factor System shows that not all CRAs in Europe participate in the project. Equally, bilateral agreements between CRAs in different countries are limited in number, and are subject to alliances responding to market competition logic. Understandably, with exclusive reference to those markets where CRAs exist, it would be hard to conceive private competing companies such as CRAs cooperating one with the other in partnership in the exchange of information with competitors. The databases are undeniably each company’s exclusive know-how and asset, to be guarded from competitors (this would be particularly true in those countries where more than one CRA operates). As in every private sector, in fact, competition is – or at least should be – the rule of a free market economy. For example, a CRA in a country such as Italy, where it operates in a regime of competition with a subsidiary of the CRA operating in the UK, will most probably avoid doing business with the same UK parent/controlling company, bearing in mind also that the

42 San José Riestra (2002); Jentzsch and San José Riestra (2006); Jentzsch (2003a).

The institutional and legal standing in the EC 93 same two companies may be competing in another foreign market (whether European or not). In any event, a market whose players would form partnership agreements setting a single network system between them, as well as influencing their commercial strategies accordingly, would as a minimum pose serious concerns about competition and the establishment of cartels in the consumer data distribution market. Moreover, as this work will attempt to emphasise later in Chapter 6, such agreements, whose object is the cross-border exchange of personal data between private companies that in turn disseminate the same information nationwide, would imply too many communications of personal data to an indefinite number of data controllers over a very vast territory, thus posing concerns and threats as regards the privacy of EC nationals, as well as major doubts about compliance with the existing data protection legislation.43 All the same, if this remains the state of affairs across the EC, how could a European system of cross-border exchange of information to boost a single market in consumer credit possibly be established? And, more generally, how could the Internal Market be achieved if there are such barriers to the free movement of persons and freedom of establishment between Member States? Looking ahead, in fact, the free movement of people and effective mobility of Europeans from one Member State to another, coupled with issues of non-discrimination based on nationality, will require harmonisation in the sector. How is a lender from a given Member State supposed to behave when faced by the credit application of an EC foreign national who has changed residency to that Member State? EC nationals should not face barriers caused by the lack of information provided by CRAs (or the result of different national practices and cultures) or different selection criteria used in the hosting Member State. This would equate to discrimination based on nationality.44 As the situation stands, therefore, it could be argued with little hesitation that consumer credit reporting still remains structurally a national business with little prospect of growing European, at least within the framework of the existing institutional arrangements and legal framework mapped out in the next section.

The legal framework As happens in every business sector, there are various regulatory scenarios within which the consumer information industry may operate. These are:

43 See in particular Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, referenced below at 62. 44 See the discussion below, Chapter 7.

94

Law and Consumer Credit Information in the EC

general provisions of a comprehensive law, industry-specific (or sectoral) laws, industry codes of self-discipline (or, else, codes of conduct or practice), or an absence of any form of regulation. Normally, industry-specific laws have the advantage of representing derogation to general laws that may interfere with a business, insofar as the latter successively do not abrogate them. They are specifically tailored for the issues that distinctively affect a particular industry and involve detailed provisions covering a vast array of situations that typically (may) occur. This may particularly be the case for consumer credit reporting in those circumstances where it is not mandated by law, and there is no legal obligation for consumers to provide information, nor for lenders to obtain a credit report before granting credit. As illustrated earlier in Chapter 3, for example, in the US, the country where credit reporting first originated long before its transplantation to Europe, industry-specific laws such as the Fair Credit Reporting Act (FCRA) and the Equal Credit Opportunity Act (ECOA) shaped the industry and contributed decisively to the legitimisation by law of the use of credit reports for credit granting purposes to consumers. To date, however, this approach is alien to the EC, where there is no industryspecific law at Community level. Similarly, at national level the Member States do not have laws equivalent to the FCRA and/or the ECOA. Of course, this does not mean that the market remains unregulated, but rather that general provisions of comprehensive law apply. Exceptionally, though, some Member States provide domestically for a few dispositions concerning consumers’ data within the context of other regulations.45 The following sections attempt to identify those comprehensive laws that may affect the mechanisms at study in the EC.

Bank secrecy As seen, banks and other financial institutions (non-banks) share their customers’ information via third-party CRAs. At a first glance, this practice collides with banks’ customers’ expectation of confidentiality in financial and commercial transactions, whose history can be traced back thousands of years, with mention of it being reported at the time of the Roman Empire.46 In many cases, in fact, bank secrecy laws are cited as a primary reason for influencing (in some cases obstructing) the development of credit reporting in a country, pulling in opposite directions and sometimes serving as a barrier.47 45 As will be seen below, for example, this occurs within a banking act or, more commonly, data protection legislation. For an example of code of conduct within data protection legislation, see also below, the Appendix. 46 Bonini (1984); Talamanca (1989). 47 Del Villar et al (2003).

The institutional and legal standing in the EC 95 Among the several objectives of bank secrecy laws, the most evident one is to protect customers from the unwanted distribution of information about their financial matters. Certainly, it cannot be denied that on some occasions there may be objectionable reasons for the customers’ interest in bank secrecy, including illegal activities such as for example money laundering, tax evasion and various forms of illicit use of the financial system. At the same time, however, there are a number of legitimate interests for customers to maintain the confidentiality of their financial data, last but not least general privacy considerations. Actually, this assertion is easily tested in today’s international recognition and acceptance of the confidential nature of bank transactions when criminal offences are not involved. The duty of confidence by banks raises difficult questions and complex legal issues that are beyond the scope of this work insofar as they do not collide with the subject matter at hand.48 Moreover, the legal protection for confidentiality at the disposal of customers may present appreciable differences from jurisdiction to jurisdiction. Nevertheless, for the purposes of this examination, and bearing in mind that each country has its own peculiarities, a general distinction could be drawn between civil and common law countries, pointing out fundamental common characteristics. In common law countries the duty of confidentiality is an implied term in the contractual relationship between a bank and its customer. This obligation, therefore, does not arise from statute or legislation but from precedents that form a body of case law decided by competent courts in common law jurisdictions. To summarise, the historic leading case is Tournier v National Provincial and Union Bank of England, in which it was established that the bank owed its customer a legal, and not merely a moral, duty of confidentiality and could not lawfully disclose to third parties information concerning the customer’s affairs.49 This duty is not absolute but it is qualified by four exceptions, namely: (i) (ii) (iii) (iv)

where disclosure is under compulsion by law; where there is a duty to the public to disclose; where the interests of the bank require disclosure; where disclosure is made by the express or implied consent of the customer.

The first two exceptions mean that the release of a customer’s confidential information may be mandated by law in cases where the public interest prevails, as the latter will suffer if disclosure does not occur. This, for example,

48 For a thorough analysis of international banking secrecy laws, see Campbell (1992). 49 [1924] 1 KB 461.

96

Law and Consumer Credit Information in the EC

happens in cases of criminal offences and tax evasion, or for the purposes of banking supervision (intended as the reporting of financial data by banks to monitor the soundness of the financial system). Significantly, in most cases – and certainly in the case of banking supervision – the data of customers do not become publicly available but rather their dissemination is limited to the relevant authorities (such as, for example, a bank supervisor) that in turn are required to maintain a certain degree of confidentiality. As far as consumer credit reporting is concerned, this is radically different from banking supervision. In fact, as already remarked on more than one occasion above, while the former represent a tool at the service of lenders (banks and non-banks) for their profitability, the latter is a public function carried out by central banks or other public regulatory bodies that serve a public interest in the general stability of the banking and payments system.50 Also, this work has already stressed that the use of CRAs by lenders is not mandated by law, but it occurs on a voluntary basis. Thus, legal scholars mainly assume that banks have been relying on either the interest of the bank or the consent of the customer; but it is arguable that banks have no entitlement to divulge customers’ credit information under the common law and that the safest and proper course of action would be to ensure that they have the consent of the customer, either express or implied.51 Moreover, communication of positive data without consent would not be justifiable. In civil law countries such as European continental jurisdictions, by contrast, bank secrecy is not limited to a contractual obligation of the bank to its customers, but the obligation may also arise from statute or legislation, generally in banking law or civil code, or from tradition. This, however, does not mean to say that it cannot be overridden by other legislation making an exception to the rule. In some cases, besides, a breach of bank secrecy may constitute a criminal offence, unlike in common law jurisdiction where it gives rise to a civil claim for damages and/or a right to an injunction to prevent further disclosure. Obviously, the exact content of the law varies from jurisdiction to jurisdiction, an example of which is provided in Table 4.2 below. An interesting model is represented by some other countries that explicitly mention directly in the banking law what activity is permitted, thus avoiding any conflict with bank secrecy. This is the example offered by credit reporting in the Czech Republic, which managed to implement data sharing arrangements through the provision of

50 Jappelli and Pagano (2000), (2005). 51 Wadsley and Penn (2000), 137–199; Campbell (1999), 93 et seq.

The institutional and legal standing in the EC 97 Table 4.2 Bank secrecy laws Country

Sources

Secrecy laws

Punishment of bank officials for violation of bank secrecy

Austria

1,2

There are criminal sanctions, the prosecution is at the request of the injured party.

Belgium

1

Denmark

1,2

Finland

1,2

Sections 23, 23a, 34, 35a of the Credit System Act (KWG). Relatively new amendments, they indicate a moderate-strong level of secrecy and are solidified through Austrian court decisions. Secrecy is not written out, rather is observed out of tradition. However, society places little value in banking secrecy, and consequently secrecy is rather weak. Banking code explicitly states that secrecy must be maintained, leading to a ‘more trusting relationship than what is usual in business’. Generic secrecy law exists, although not particularly strong.

France

1,2

Germany

1

Greece

1

Ireland

1

Italy

1

Formerly a topic of discussion, Art 57(1) of the Banking Law passed in 1984 clearly requires bank secrecy in France. Not explicitly written out anywhere, Germany refers to Art 2(1) of the Basic Law which grants every individual the right to develop his own personality; this law is viewed as including bank secrecy. Generally held that bank secrecy has become a law through time/ custom, the Law Decree of 1971 recognised this and placed bankers under almost absolute secrecy. Secrecy is not clearly written into laws, yet enforced through court decisions. Unwritten, yet traditionally observed (thus legally binding) provision restricts bankers from releasing information to third parties.

No criminal offence, but any loss from wrongdoing must be reimbursed.

Moderate prison terms and fines.

Criminal sanctions, as well as compensation and/or fines. Criminal sanctions and fines.

Reparations for lost money, and the right for the customer to seek a court injunction against a bank.

Criminal sanctions.

n.a.

Failure to comply with court orders are punishable with criminal sanctions. (Continued overleaf )

98

Law and Consumer Credit Information in the EC

Table 4.2 Continued. Country

Sources

Luxembourg 1

Portugal

1

Spain

1

Sweden

1

The Netherlands

1

United Kingdom

1

Secrecy laws

Punishment of bank officials for violation of bank secrecy

Article 458 of the Penal Code states that ‘. . . professionals (i.e. bankers, etc.) who come into contact with secrets entrusted to them must respect those secrets’. Decree Law 2/78 was passed stating that the utmost concern must be shown for the safeguarding of bank secrecy. No express provision establishing secrecy, yet a secrecy clause exists in the bylaws of the Bank of Spain. General provision states that the relations of individuals to a bank may not be disclosed without legal causes. No written law, the country relies on the principles gleaned from the intent of the law to define bank secrecy. No written law, Tournier v National Provincial and Union Bank of England (1924) created a clear definition of bank secrecy, although recent court decisions have weakened it.

A fine is imposed for divulging confidential information.

n.a.

Moderate fines and criminal sanctions.

Fines/reimbursement.

Moderate fines/ sentences.

Civil sanctions.

Sources and notes: Research Group – Centre for Economic Studies, IFO Institute for Economic Research, Munich Society for the Promotion of Economic Research.52 1 Campbell (1992). 2 Center for the Study of Central Banks, New York University, http://www.law.nyu.edu/central bankscenter/.

an exception in the banking law that was introduced only very recently, expressly to grant banks the authority to share information.53

52 CESifo Dice, available at http://www.cesifo-group.de/pls/diceguest/download/F4547/LAWS/ PDF. 53 The Banks Act No 21/1992. Article 38 states that ‘(1) Banks and foreign bank branches may provide each other with bank account details, identification data on account holders and information on matters attesting to the financial soundness and trustworthiness of their clients, including via legal entities which are not banks. Holdings in such legal entities may only be held by banks, which shall see to it that such legal entities keep the information secret

The institutional and legal standing in the EC 99 As already mentioned, the major erosion of the concept of bank confidentiality has occurred through the introduction in both common law and civil law jurisdiction of legislation to fight criminal activities, tax evasion and abuses of the financial system. For the purposes of this work, in many cases the sharing (i.e. disclosure to third parties) of financial data is allowed through the individual authorisation of customers (i.e. individual consent) required by banks. Ultimately, therefore, it may well be that nowadays a banker’s duty of confidentiality, whether in common law or civil law, has very similar rules as to when information may be disclosed, either pursuant to overriding statutory obligation or by way of consent. In conclusion, it may be anticipated here that individual authorisation by consent seems to be the element that consumer credit reporting has to rely on in order to avoid breaches of bank secrecy, except in those countries where the exception is expressed in the banking law itself.54 Whether such authorisation is the free choice of the individual, or rather is enforced by financial institutions, is another (crucial) matter that will be explored in greater detail in Chapter 7.

Data protection As has already very clearly emerged so far, an impressive number and type of personal data are involved, constituting the basis, or ‘raw material’, of consumer credit information systems. To begin with, in the EC the activities of CRAs necessarily fall within the scope of privacy legislation, more specifically data protection.55 While bank secrecy obligations are part of a long-standing legal tradition, though eroded in recent years, data protection laws are a relatively new phenomenon. From the aftermath of the atrocities of the Second World War, when the Nazi regime used various data collection and mining techniques available at the time to identify and persecute Jews all over the countries of their dominion, there is general consensus in Europe that information can become

and protect it against misuse. . . . (2) The Czech National Bank shall create a database from the information within the scope referred to in paragraph 1 obtained from banks, foreign bank branches, and other persons where a special legislative act so provides. . . . The transfer of information into this database shall not be deemed a breach of banking secrecy. However, banks and foreign bank branches shall treat information on the clients of another bank or foreign bank branch acquired from the database as if it were information on their own clients. (3) (omissis)’. 54 See above the example of the Czech Republic. 55 It is useful to remind that data protection is one of several concepts (or aspects) of privacy, thus the two are not coincidental.

100

Law and Consumer Credit Information in the EC

a tool of oppression and personal privacy must be protected.56 Such consciousness was reflected very early in many European countries, which recognised at domestic level the importance of privacy as a fundamental freedom of the individual, and considered its protection as a constitutional principle.57 Also, at the international level the significance of providing an adequate legal protection to the privacy of individuals was cherished since as early as 1950 in the Council of Europe’s Convention on Human Rights and Fundamental Freedoms, which, in Art 8, established for the first time ‘the right to privacy’, elevating it as an international human right.58 From the 1960s, the rapid developments of information and communication technologies gave rise to the need to protect individuals from the massive processing of data regarding individuals and the increasing purposes of their use. Such concerns provoked a shift of regulatory attention from the privacy of individuals to the more specific concept of protection of ‘personal data’, which culminated in the 1981 Council of Europe’s Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention No. 108/1981).59 Several Member States of the European Community, however, did not sign the Convention.60

56 See Electronic Privacy Information Centre and Privacy International (2002). According to the Report, ‘the recognition of privacy is deeply rooted in history. There is recognition of privacy in the Qur
an [an-Noor 24:27–28 (Yusufali); al-Hujraat 49:11–12 (Yusufali)] and in the sayings of Mohammed [Volume 1, Book 10, Number 509 (Sahih Bukhari); Book 020, Number 4727 (Sahih Muslim); Book 31, Number 4003 (Sunan Abu Dawud)]. The Bible has numerous references to privacy [Richard Hixson, Privacy in a Public Society: Human Rights in Conflict 3 (1987). See also Barrington Moore, Privacy: Studies in Social and Cultural History (1984)]. Jewish law has long recognised the concept of being free from being watched [see Jeffrey Rosen, The Unwanted Gaze (Random House 2000)]. There were also protections in Classical Greece and ancient China [Robert Ellis Smith, Ben Franklin’s Web Site 6 (Sheridan Books 2000)].’ (Italic added, it transcribes the references indicated in the Report.) See also Kuner (2005); Samuelson (2000); Singleton (1999). 57 The genesis of modern legislation in this area at European national level can be traced to the first data protection law in the world enacted in the Land of Hesse in Germany in 1970. This was followed by national laws in Sweden (1973), the United States (1974), Germany (1977), and France (1978). See Privacy and Human Rights, cit above at 56. 58 Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, (ETS No 005) open for signature 4 November 1950, entry into force 3 September 1950. Article 8 states: ‘(1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health of morals, or for the protection of the rights and freedoms of others.’ 59 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data Convention, (ETS No 108), Strasbourg, 1981, available at http://www.coe.fr/ eng/legaltxt/108e.htm. 60 For example, Italy and Greece.

The institutional and legal standing in the EC 101 Still, since the year 2000, the fundamental right to privacy recognised by the European Convention of Human Rights has been incorporated also in the Charter of Fundamental Rights of the European Union (Art 8).61 Importantly, moreover, the Convention represented a major contribution to the current Community’s legal framework, which culminated in the adoption of the 1995 EC Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Data (Directive 95/46/EC) to respond to the threats posed by sophisticated information technologies to personal privacy, and at the same time fostering the single market in a global information society. Thus, the Directive serves the double purpose of both ensuring the free movement of personal data in the internal market and guaranteeing a high level of protection for data subjects. It establishes a minimum level of harmonisation, setting out a high level of normative protection, with the result that the Member States cannot go beyond nor fall short of these minimum standards.62 The scope of the Directive, which applies to any operations performed upon personal data (data processing) is to provide for good data management practices on the part of those entities that determine the purposes and means of the processing of personal data (data controllers). It contemplates a sequence of general rules on the lawfulness of the processing of personal data, the principal ones including the following obligations:

• • • • • •

to process personal data only for specified, explicit and legitimate purposes; to use personal data that are adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed; to process accurate and up-to-date personal data, taking any reasonable step to ensure the rectification or erasure of inaccurate data; to keep the personal data in a form that permits identification of data subjects for no longer than necessary; to process personal data only upon obtaining the unambiguous consent of data subjects after having informed him or her of the processing of the data; to guarantee the security of the data against accidental, unauthorised access, or manipulation;

61 C 364 (2000), p 0001–0022. Article 8 – Protection of personal data – states: ‘1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.’ 62 Directive 95/46/EC, OJ L 281, 23 November 1995, p 0031–0050.

102

• •

Law and Consumer Credit Information in the EC to provide notification to the national supervisory authority before carrying out all or certain types of data processing operations; to provide for certain safeguards or special procedures in the case of transfer of data outside the EC to third countries that guarantee an adequate level of protection.63

For the purpose of this discussion, it is worth emphasising that the Directive applies to all data controllers and/or any other persons processing personal data on their behalf (data processors), meaning that it is a comprehensive law that creates a regime where the same rules and principles apply to everyone across all industries. Consumer credit reporting is no exception. Indeed, data protection legislation constitutes its principal legal framework, having an enormous impact on how, and even whether, the industry develops (or, at least, ought to develop). Notably, however, the Directive provides in its Art 5 that ‘the Member States shall . . . determine more precisely the conditions under which the processing of personal data is lawful’ within the limits of the provisions that it establishes.64 This leaves a distinctive margin of manoeuvre to the Member States, causing the well-known result that data protection legislation is not interpreted uniformly within their national jurisdictions, and is applied according to diverging concepts, despite the principle that ‘the level of protection must be equivalent in all Member States’.65 As a result of this lack of uniformity in the implementation of the Directive by the Member States, one of the major concerns relates to its legal certainty, as well as whether it is a burden to the free movement of data in the EC, and the effectiveness of equivalent high standards of protection of the rights and freedoms of individuals alike is a further concern.66 Directive 95/46/EC provides umbrella coverage, but there is variation among national regimes. In this context, some Member States have enacted provisions or guidelines that further specify the domestic regulation of consumer information sharing. As a consequence, this has contributed to the implementation of different national legal requirements for the industry under investigation that results in an overall lack of coordination. 63 Directive 95/46/EC. For a detailed study of the principles of Directive 95/46/EC see below, Chapter 6. 64 Ibid, Art 5. 65 Ibid, Recital (8) and Recital (9). According to Recital (9) such margin of manoeuvre in the implementation of the Directive should be in accordance with EC Law. On the differing implementation of the Data Protection Directive (95/46/EC) see Commission of the European Communities (2003b); Korff (2002); Commission of the European Communties (2003a), available at http://www.europa.eu.int/comm/privacy. 66 Ibid. See also Sousa de Jesus (2004), 27; International Chamber of Commerce, Position Paper to the European Commission on the Consultation process on the data protection directive available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/lawreport/paper/uscib_en .pdf; Korff (2002).

The institutional and legal standing in the EC 103 Table 4.3 below provides a comparative overview of the legal standing of consumer credit reporting and highlights the applicable different legal provisions.

Consumer credit laws Although one may be tempted to think that consumer credit laws by their nature should include the regulation of information-sharing arrangements, unexpectedly these are normally excluded from their provision.

Table 4.3 Comparative overview of the basic legal standing of consumer credit reporting in the EC Country

Relevant provision of law

Content of the law and national regime

Austria

Sections 8, 26, and 50 of the ‘Datenschutzgesetz 2000 (DSG 2000)’ (Federal Act Concerning the Protection of Personal Data), Austrian Federal Law Gazette part I, No 165/1999

The data processing and dissemination are based on consent. The controllers of a joint information system shall appoint a suitable operator for the system. As a result, lenders own the national CRA on a non-profit basis. The operator has duties of information to data subjects and data security measures. The omnicomprehensive provisions of the Federal Act Concerning the Protection of Personal Data apply. In the end, the system relies on consent from consumers.

Belgium

Belgian Law of 8 December 1992 on Privacy Protection in relation to the Processing of Personal Data as modified by the law of 11 December 1998 implementing Directive 95/46/EC and the law of 26 February 2003 (Belgian State Gazette, 26 June 2003) Credit Bureau Law 11336 10 August 2001 (Moniteur Belge, 25 September 2001 – F. 2001–2622)

There is no specific provision in the Law on Privacy Protection and its omnicomprehensive general provisions apply. Law 11336/2001 regulates in detail the credit reporting activity of the Banque Nationale de Belgique (Belgian Central Bank) as regards the Central Bank duties, the type of data involved, the duties of lenders, sanctions, etc.

Bulgaria

Personal Data There is no specific provision in the Protection Act 2002, SG Personal Data Protection Act and its omniNo 1/2002 comprehensive general provisions apply.

Cyprus

Not applicable

Not applicable. (Continued overleaf )

104

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

Content of the law and national regime

Czech Republic

The Banks Act No 21/ 1992 Coll of 20 December 1991 on Banks, as revised – Art 38a

The banking law explicitly mentions (by means of an exception recently introduced in the law) what activity is permitted, thus avoiding any conflict with bank secrecy or data protection provisions. Article 38a of the Banks Act states that banks and foreign bank branches may provide each other with bank account details, identification data on account holders and information on matters attesting to the financial soundness and trustworthiness of their clients, including via legal entities which are not banks. Holdings in such legal entities may only be held by banks, which shall see to it that such legal entities keep the information secret and protect it against misuse. The Czech National Bank shall create a database from such information obtained from banks, foreign bank branches and other persons where a special legislative act so provides. The transfer of information into this database shall not be deemed a breach of banking secrecy. However, banks and foreign bank branches shall treat information on the clients of another bank or foreign bank branch acquired from the database as if it were information on their own clients.

Denmark

Part 6, ss. 19, 20, 21, 22, 23, 24, 25, 26 of Act No 429 of 31 May 2000 (Danish Data Protection Act) in Lovtidende (Official Journal) on 2 June 2000

The Danish regime centres on a single CRA that integrates data from financial institutions, utility operators and retailers with data from the Danish Official Gazette (including bankruptcies and court ordered sales). Data on facts speaking against creditworthiness and dating back more than five years may not be processed, except where it is obvious in any specific case that the facts in question are of decisive importance for the assessment of the financial standing and creditworthiness of the person concerned. There are timeframes in which the CRA shall notify the person to whom the data relate about the data and their sources. Publications from credit information agencies may contain data in a summary form only and may be distributed only to persons or enterprises subscribing

The institutional and legal standing in the EC 105 to notices from the agency. The publications may not indicate the civil registration numbers of data subjects. Disclosure of summary data on indebtedness may only take place where the data originate from the Danish Official Gazette, have been notified by a public authority under the rules laid down in Part 5 of this Act, or if the data relate to indebtedness in excess of DKK 1,000 to a single creditor and the creditor has obtained the written acknowledgement by the data subject of the debt being due and payable, or where legal proceedings have been instituted against the debtor concerned. Data on approved debt rescheduling schemes may, however, not be disclosed. Summary data on the indebtedness of individuals may be disclosed only in such a manner that the data cannot form the basis for assessment of the financial standing and creditworthiness of other persons than the individuals concerned. Estonia

Databases Act of 1–19 April 1997

The Databases Act is an untraditional law in terms of the Estonian legal system, as it is one of the least general laws in the country. The Databases Act is a procedural law for the establishment of national databases. The law sets out the general principles for the maintenance of databases, prescribes requirements and protection measures for data processing, and unifies the terminology to be used in the maintenance of databases. Section 5 of the law specifies that state and local governments should establish databases pursuant to the procedure that is described in the act. As the Databases Act is a general law for databases, the act governs the maintenance of databases in any area that is not governed by other legislation or acts. The legality of the maintenance of databases is supervised by a Data Protection Supervision Authority.

Finland

Personal Data Act (523/ 1999), s 20 – Processing of personal credit data

A person engaged in credit data activity may record into a credit data file the name and contact information on a person, as well as data on a default in payment or performance, where: (1) the default has been established by a judgment or judgment by default handed down by a court and no longer subject to appeal, by a measure undertaken by the enforcement authorities (Continued overleaf )

106

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

Content of the law and national regime or by the protest of a registered bill of exchange; or the default has led to the official declaration of the insolvency of the data subject in enforcement proceedings; (2) the default has led to the filing of a bankruptcy petition; (3) the default has been acknowledged in writing by the data subject to the creditor; or (4) the default relates to a hire-purchase scheme and under the Hire-Purchase Act (91/1966) entitles the seller to repossess the object, or relates to another consumer credit agreement and under the Consumer Protection Act (38/ 1978) entitles the creditor to terminate the agreement. Under this latter circumstance, data may be recorded only if there is a clause in the consumer credit agreement stating the situations in which the default can be recorded into the credit data file. Further prerequisites are that the creditor has at least 21 days earlier sent the debtor a written reminder which mentions the possibility of recording default data into the credit data file and that the debtor has been in default for at least 60 days from the original due date, mentioned in the reminder.

Finland Continued

France

Act of 6 January 1978 France has a PCR and CRAs are not relative to computers, permitted. files and liberties and Decree No 2005–1309 of 20 October 2005 enacted for the application of Act No 78–17 of 6 January 1978 on Data Processing, Files and Individual Liberties amended by Act No 2004–801 of 6 August 2004

Germany

German Federal Act on Data Protection of 1990 (BGBl IS 2954) as amended after implementation of the EC Data Protection Directive, particularly amended by law of

The public registry is owned and operated by the Deutsche Bundesbank (Central Bank). In the year 2000 the private sector CRA has transformed from an association to a private shareholding company. Given its size and impact on the market, its pricing is regulated by the German Competition Authority (Bundeskartellamt). Under

The institutional and legal standing in the EC 107

Greece

14 September 1994 (BGBl IS 2325), law of 16 December 1997 (BGBl IS 2325) and 17 December 1997 (BGBl IS 2325), last amendment by law of 23 May 2001

standard business conditions, banks are usually bound to secrecy regarding their customers. This is the result of the contractual relationship between a bank and its customer. At the same time, data protection is imposed by act of law (the BDSG). The general provisions of the BDSG (ss 27–38) apply to private sector financial service providers in the absence of special data protection rights in the sector. The regulations for public institutions (ss 12–26) apply to federal credit institutions operated under public law, such as the Bundesbank. Credit data can be processed only upon obtaining the written consent of the data subject. Therefore, customer consent is the tool used to legitimise both data processing and share information in observance of bank confidentiality duties. In the private sector, the so-called ‘Schufa-clause’ is the legal instrument that enables the sharing of information, particularly the positive one. The clause is integrated in all credit contracts, asking for permission to share data. If consumers are eager to get credit, they must sign the clause. The ‘Schufaclause’ has recently come under review by Germany’s high courts. Under German banking contract law, a clause is considered valid when it clearly reveals that the granting of an approval is optional and that the opening of an account is not dependent on whether the customer decides to release his/her data throughout the corporation. The banking industry, thus, now requires that clauses are distinctively formulated and include a notation regarding the extent of the data transfer.

Law 2472/97 on the ‘Protection of the individual from the processing of personal data’ Authority Decision 109/ 31 March 1999 – Tiresias I Authority Decision 523/ 19 October 1999 – Tiresias II Authority Decision 050/ 20 January 2000 – Terms

The national CRA is an inter-banking company that was initially founded as a non-profit organisation. Since September 1997 it operates as a joint stock (SA) company, yet it fully maintains the philosophy of a genuine non-profit organisation while at the same time securing the necessary preconditions for its further development. Only credit institutions and their subsidiaries which are active in leasing, factoring, or in the management of consumer credit products and payment means on behalf of the mother institutions, can become shareholders. The processing of (Continued overleaf )

108

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

Content of the law and national regime

Greece Continued

for the lawful processing of personal data as regards the purposes of direct marketing/ advertising and the ascertainment of creditworthiness

credit profile data is subject to the relevant omni-comprehensive provisions of L. 2472/ 97 on the ‘Protection of the individual from the processing of personal data’. The CRA has communicated to the Hellenic Data Protection Authority its Data Processing Regulation, which has granted its relevant approval. In addition, the CRA regularly informs the public through press announcements.

Hungary

Section 54 of Act CXII of 1996 on Credit Institutions and Financial Enterprise (Hpt) and Sched No 3 to Act CXII of 1996 (Hpt) Resolution 2566/1999 of the Hungarian Financial Supervisory Authority (PSZÁF) Cooperation Agreement

Hungary has a complex system in place. By explicit provision of law the central credit information system shall not constitute a breach of bank secrecy. The central credit information system may only retain the data obtained from the credit-data provider that pertain to the borrower’s loan contracts with the credit-data provider as well as the credit-data provider’s contracts with the persons accepting a bankcard or a cheque, and it may give such data to the borrower and the credit-data provider. The central credit information system, in respect of natural person borrowers, may manage and keep data, described in a separate Sched (No 3) to the Act, that are necessary for the conclusion or amendment of loan contracts, on file along with the principal data in connection with the nature of the obligation – or any changes thereto – assumed in the relevant agreement, in the event of the debtor’s failure to fulfil his contractual obligations within ninety days, or in excess of the minimum wage, regarding the amount of such agreement. The central credit information system may manage and retain the identifying data of natural persons who have bankcards or cheques, which particulars are necessary for making and amending contracts; the data specified in Sched No. 3 for bankcards and the use thereof; and the basic data pertaining to the nature of the obligation specified in the contract concerned and any deviation from it: a) within the context of rejected bankcard applications and the use of bankcards, if the applicant or cardholder provides false data or if the applicant or

The institutional and legal standing in the EC 109 cardholder uses the data of another person in the course of applying for or using a bankcard; b) within the context of breach of contract pertaining to a bankcard if the uncovered use of the bankcard exceeds the minimum wage or if, after a bankcard has been stopped, the cardholder conducts a transaction with the stopped bankcard; c) when a cardholder makes an unfounded complaint, if there have been at least two other complaints within one year, d) when there are criminal proceedings in connection with the bankcard, e) when a person with a bankcard or cheque cannot make a payment in an amount that exceeds the minimum wage on all of his contractual obligations within sixty days. The central credit information system may manage and retain data pertaining to persons who accept bankcards and cheques; data on the content of the contract concerned, deviations from it involving nonperformance of contractual obligations, violation of obligations or the abuse of any right; and statistical information containing the conditions for accepting bankcards or cheques. Upon conclusion of a loan or loan-type agreement, the credit-data provider shall notify the natural person loan debtor in writing regarding the data disclosure or on the eventuality of such with the purpose of data disclosure and the sphere of data to be disclosed indicated. The central credit information system and the credit-data provider shall keep records on any and all data disclosed. Only data concerning the relevant debtor may be provided in relation to a credit-data provider’s request. The central credit information system may keep and manage the principle data of natural persons for no more than five years following the debt of the debtor being settled in full. The debtor may only exercise his right to review such data by way of the credit-data provider with which the debtor is in contractual relationship. By express resolution 2566/1999 of the Hungarian Financial Supervisory Authority the relevant CRA qualifies as a central credit information system acknowledged by Supervision entitled to provide credit reference services. (Continued overleaf )

110

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

Content of the law and national regime The exact rules of operation of the relevant CRA are contained in the publicly approved Cooperation Agreement concluded between the users and the CRA. Some provisions which have an impact on the content of the database are highlighted as follows: (1) In compliance with the Cooperation Agreement, users are required to report to the database any data changes and events concerning their contracts within five working days. This rule guarantees that data be up-to-date. (2) The relevant CRA should utilise the full length of the period of a maximum of five years stipulated by law to store closed data. In other words, no user is entitled to subsequently delete data concerning a closed contract, a default or an abuse due to considerations of ‘fairness’. Such data will automatically disappear from the results of inquiries following the 5-year period of accessibility. (3) Final destruction of data: following the accessibility period, there is a further 5-year period of archive data storage, at the end of which data are automatically deleted from the system without trace.

Hungary Continued

Ireland

Consolidation of the Data Protection Act of 13 July 1988 and of the Data Protection (Amendment) of 10 April 2003

No special provision on consumer credit reporting. The omni-comprehensive provisions of the Data Protection Act apply. Thus, the system relies on consent from consumers.

Italy

Sections 13, 53(1)(b), A thorough description and discussion of 60(1), 64, 67(1)(b), 106, the legal framework of Italy is dealt with in 107, 144 and 145 of the Appendix of this work. Legislative Decree No 385 of 1 September 1993 (Consolidated Statute on Banking and Credit) CICR resolution of 3 March 1999 (published in OJ No 158 of 8 July 1999) Legislative Decree No 196/2003 of 30 June 2003 substituting the

The institutional and legal standing in the EC 111 Data Protection Act No 675/96 (Data Protection Code) – Code of Conduct and Professional Practice applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments Latvia

Council of the Bank of Latvia Resolution No 117/05 – Regulation for the Register of Debtors

The ‘Regulation for the Register of Debtors’ outlines the procedure whereby the participants of the Register of Debtors provide information on debtors to the Register of Debtors, the procedures for registering the provided information and providing the information from the Register of Debtors. The Regulation is prepared pursuant to the Republic of Latvia Laws ‘On Credit Institutions’ and ‘On Insurance Companies and Supervision Thereof’ and other laws and regulations. The register of debtors is an information system of the Bank of Latvia which aims to provide the collection, centralised storage and archiving of information on debtors and their obligations and make this information available to the participants of the register, the Financial and Capital Market Commission and debtors themselves pursuant to the procedure prescribed by the Republic of Latvia laws and regulations. By regulation, banks and insurers registered in the Republic of Latvia, subsidiaries of Member States and branches of foreign banks (including leasing and factoring companies) shall enter information on all debtors. A lender must provide information on a debtor and its obligations to the Register, if the debtor has delayed a repayment or the court judgement for more than 60 days and the amount of the outstanding payments (including a delay fee and a penalty) is no less than 100 Lats or the respective equivalent in foreign currencies; has failed to meet the requirements of the Law On Credit Institutions; or has committed other material breaches of the credit agreement in the lender’s opinion. If a debtor settles the delayed payment reported to the Register, the lender must submit to the Register a (Continued overleaf )

112

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

notice on the settlement of the delayed payment, containing a reference to the respective notice on a delayed payment. Once in six months, within the first five business days of each six month period, the Register shall send to each lender a report on all registered debtors of the relevant lender and all notices of the respective lender received by the Register during the period under review and information requests from it. Within a month after the receipt of the current report, the lender shall verify the conformity of the received information with the current information it possesses and send to the Register a confirmation of the report or make the necessary changes in information, sending to the Register a confirmation of the report afterwards. Any person is entitled to receive from the Bank of Latvia information on himself/herself contained in the Register, as well as information on the requests made by the participants on him/her.

Latvia Continued

Lithuania

Content of the law and national regime

Law On Legal Protection Of Personal Data 21 January 2003, No. IX-1296 Vilnius Article 16 – Processing of personal data for the purposes of evaluation of a person’s solvency and management of his debt

The data controllers shall have the right to process and disclose to third parties having a legitimate interest the data as well as the personal identification number of the data subjects who have failed to fulfil in a timely and proper manner their financial and/or property obligations for the purposes of evaluation of the person’s solvency and debt management, provided that all the data protection requirements set out in the data protection law and other legal acts are duly complied with. The data controller shall have the right to disclose the debtors’ personal data and personal identification number to data controllers processing consolidated debtor files. The data controller may process consolidated files with a view to disclosing such data to third parties having the legitimate interests so that they could evaluate the solvency of the data subject and manage the debt only if it has duly notified, following the State Data Protection Inspectorate which must carry out a prior checking. The data controller

The institutional and legal standing in the EC 113 may disclose the debtors’ personal data on condition that it has sent a reminder in writing to the data subject about his/her default on the debt and where, within 18 calendar days of the date when the data controller sent/submitted to the data subject a reminder: (1) the debt was not settled and/or the deadline for the repayment was not extended; (2) the data subject did not contest the debt on compelling grounds. Consolidated files may not be combined with personal data from the files of other personal data that were compiled and are processed for purposes other than evaluation of solvency and debt management. Upon receiving the debtor’s data, the data controller who is processing consolidated files must provide to each data subject the following information, except where the data subject already has such information: (1) the data controller’s identity and its representative if any, and its registered office; (2) the purposes of the processing of the data subject’s personal data; (3) the sources and type of the data subject’s personal data which have been collected, the recipient and the purposes for which the data are being disclosed, the data subject’s right of access to his/her personal data and his/her right to request rectification of incorrect, inaccurate and incomplete personal data. The data about the default of the data subject on a timely and proper fulfilment of his/her financial and/or property obligations may not be processed for a period over 10 years from the date of the settlement of the debt. Where the data subject repays his debt, data controllers must ensure that during the processing of the data about the data subject’s default on a timely and proper fulfilment of his/her financial and/or property obligations the following information is specified: (1) settlement of the debt by the data subject; (2) the data of the debt settlement. Banks and other credit institutions and financial undertakings engaged in credit and/or financial activities may disclose to each other the following data of the data subjects who have taken out loans from them, including leasing/financial leasing: the name, surname, personal identification (Continued overleaf )

114

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

Content of the law and national regime

Lithuania Continued

number, the type of the loan, its amount and the deadline for the repayment of the loan in order to evaluate the solvency of the subjects. Banks and other credit institutions and financial undertakings engaged in credit and/or financial activities may apply to each other with a request to obtain the personal data only when the data subject applies to these institutions for a loan, including leasing/financial leasing, and gives his/her consent that these institutions and undertakings obtain his data. The data of the data subjects may not be: (1) stored for a period longer than two working days of the receipt of such data; (2) combined with the other personal data.

Luxembourg Not applicable

Not applicable.

Malta

Data Protection Act (CAP 440), Act XXVI of 2001, as amended by Act XXXI of 2002

The gathering, vetting and distribution of personal data is regulated. Information is gathered from official sources such as the Registry of the Courts of Justice and the Government Gazette, or from subscribers who have documentary evidence supporting the claim. The following forms of authentication are used for information collection: (1) Judgements on debt. This authentication is applicable when a dispute about payment has been taken to the Courts, and the defendant has not paid following the judgement. The notice given in the judgement to the defendant must be current; (2) Warrants. The national CRA registers warrants issued of executive title filed at the courts in the normal course of business. The types that are dealt with only relate to debt and include Garnishee Orders and Warrants of Seizure. In certain exceptional situations, a request for registration from the representing lawyer may be required. These include – Counter warrants – Cases in which a settlement has been agreed (and the case has been deleted from the CRA’s registry), but where the debtor then breaks the settlement agreement; (3) The Judicial Sale of Immovable Property. The inability to settle a substantial debt may lead to a Judicial decree for a Sale by Auction of real estate

The institutional and legal standing in the EC 115 (land and buildings) belonging to the debtor, until the creditor has recovered the debt in full; (4) A signed acknowledgement by the debtor that he has defaulted. This is mainly relevant when the owner and debtor have agreed to postpone payments and collection actions. If the debtor does not then comply with the rescheduled payment terms, the agreement can be used as an authentication of the debt and is sufficient for registration; (5) Credit Agreements. A Contract that binds the debtor to pay the creditor an agreed amount within a stipulated payment schedule. This has to have been defaulted on; (6) Other equally valid authentication for a debt. Approval from the Data Protection Commissioner is required before other forms of authentication can be used as a ground for registration. More details will be presented when available. Note: cases or debts that are known to be in dispute must not be referred to the CRA. Before any case is registered in the registry, a letter of notification is sent to the debtor, asking him to provide proof of payment within 14 days. If the debt has been settled, the CRA will not register the information. Information will be deregistered once the debt is settled. Poland

Act of 29 August 1997 on the Protection of Personal Data (original text: Journal of Laws of 29 October 1997, No 133, item 883; unified text: Journal of Laws of 2002 No 72, item 665) with amendments

The basic legal act regulating the processing of personal data in the banking sector is the Act of 29 August 1997 (the Banking Law) as amended. The issue of legality of the transfer of personal data to the Polish national CRA BIK SA and to ZBP (Polish Banks Association) was one of the most important problems related to the processing of the clients of banks. Pursuant to Art 105 para 1 point 1 of the Banking Laws the bank is obliged to provide information constituting banking secrecy to other banks and credit institutions in the scope in which this information is necessary in connection with the execution of banking activities and purchase and sale of claims. This provision specifies directly the bank’s right to possible transfer of borrowers’ data to the institution referred to in Art 105 para 4 of the Banking Law and the national CRA BIK SA has been recognised as such an institution. So in the situation where the bank’s debtor (Continued overleaf )

116

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country Poland Continued

Relevant provision of law

Content of the law and national regime questioned the legality of transferring by the bank of his/her data and their processing in BIK SA no violation of the Act on Personal Data Protection was stated. A completely different situation occurred when the borrower ceased to be a debtor and still his/her data were in the file of BIK SA. The banks and BIK SA justified such practice with the regulations on collection and disclosure of information by BIK SA by which they were bound, apart from the contract. Pursuant to the contents of the regulations BIK SA shall be obliged to process the data sent by BIK SA for the period of five years (since the day of closing the account for accounts showing no arrears above 30 days) or for the period of seven years (since the day of closing the account for accounts showing no arrears above 30 days). In the Inspector General’s view the regulations do not include commonly binding legal provisions and cannot be a source of the rights and obligations for the clients of banks, and therefore ordered erasure of data of former debtors from the files of BIK SA. There were also situations where the processing of data by BIK SA or the lack of the bank’s motion for erasure of this data from the file was caused by defects of the information system. In such situations the Inspector General for Personal Data Protection addressed banks with a request to undertake activities aimed at restoring the proper legal state. If there is a statutory basis for the functioning of the institution BIK SA, then in the Inspector General’s view there are no statutory prerequisites for the processing of data in the file called ‘Inter-bank Economic Information System Banking Register’ containing debtors’ data run by ZBP. The latter Association indicated as the basis of its activity, apart from Art 105 para 1 point 1 of the Banking Law, also the provision of Art 105 para 4 of the Banking Law. After having analysed it, the Inspector General stated that this provision does not give grounds for the processing of personal data by ZBP. For

The institutional and legal standing in the EC 117 this provision allows for establishing by banks together with chambers of commerce an institution for collecting, processing and disclosing to banks and other institutions statutorily entitled to granting loans among others information constituting banking secrecy or information on claims. So, information, including personal data, can be processed by independent institutions the activity of which will be limited to the collecting, processing and disclosing of information indicated in Art 105 para 4 of the Banking Law. ZBP is not an institution established separately to fulfil the purposes specified in the analysed provision, but it is a chamber of commerce within the meaning of the provisions of the Act of 30 May 1989 on chambers of commerce (Journal of Laws No 35, item 195 with amendments.). Therefore, it was necessary to order the erasure of the complainants’ data from the file kept by ZBP, if the data were contained therein. In many cases the proceedings were discontinued due to the fact that the bank has erased the complainants’ data from the file of ZBP (i.e. in connection with negotiated agreement between the bank and the complainant). Portugal

Act 67/98 of 26 October on the Protection of Personal Data (1998) Decree Law 2/78 on Banking Secrecy Legal Framework of Credit Institutions and Financial Companies, approved by DecreeLaw No 298/92 as amended – Arts 78– 84

The Bank of Portugal operates a registry for the general supervision of lending institutions. There is no special provision on consumer credit reporting. The omnicomprehensive provisions of the Act on Protection of Personal Data apply. However, Art 17 of the Act on the Protection of Personal Data deals with professional secrecy providing that data controllers and persons who obtain knowledge of the personal data processed in carrying out their functions must be bound by professional secrecy, even after their functions have ended. Thus, the system relies on consent from consumers. The national Banking Secrecy Act prohibits the sharing of data by financial and non-financial enterprises. Violation of professional secrecy is punishable under the criminal code.

Romania

Law no 677/2001 for the Protection of Persons concerning the

The protection of personal data represents a new field for Romania’s legislative space. A National Authority for the Supervision (Continued overleaf )

118

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

Content of the law and national regime

Romania Continued

Processing of Personal Data and Free Circulation of Such Data Regulation No 4/2004 on the organisation and operation of the Credit Information Bureau with the National Bank of Romania (published in Monitorul Oficial Romaniei, Part 1, No 739 of 16 August 2004)

of Personal Data Processing came into existence in Romania only recently under the Law No 102/2005. The Authority exerts the competence established mainly by the Law No 677/2001, in terms of independence from any public authority or private entity. There is no special provision on consumer credit reporting in the law. The Authority intervened very recently with Decision No 89/2006 on the establishment of categories of personal data processing operations that are likely to present special risks to the rights and liberties of individuals. According to the Decision, data controllers have the obligation to notify to the Authority within at least 30 days from the moment the processing begins all personal data processing operations carried out through electronic means within filling systems with the purpose of analysing credit references or the economic and financial situation of natural persons. On 7 April 2006 the Authority issued Decision No 36/2097 according to which a bank was sanctioned under the terms of Art 31 of the Law No 677/2001 for it did not notify the processing of personal data done for the purpose of credit granting to natural persons. Also, the controller was sanctioned for the illegal processing of personal data, for he did not inform properly the data subjects about the transmission of their data to the CRA, and the standard request for the opening of a current account was wrongly written. The controller was obliged to inform, within five days of the decision’s communication, also all the data subjects about their data transmission to the CRA, to change the standard request used for the opening of a current account, in order to respect the provisions of the Law No 677/ 2001. Regulation No 4/2004, instead, sets the rules for the operation of the national PCR (operations above the threshold of
5,000).

Slovak Republic

Act No 428/2002 Coll on Protection of

No special provision on consumer credit reporting. The omni-comprehensive

The institutional and legal standing in the EC 119 Personal Data, as amended by the Act No 602/2003 Coll, Act No 576/2004 Coll and the Act No 90/2005 Coll

provisions of the Act on Protection of Personal Data apply.

Slovenia

Personal Data Protection Act (Official Gazette, No 86/04 in 113/05)

No special provision on consumer credit reporting. The omni-comprehensive provisions of the Personal Data Protection Act apply.

Spain

Organic Law 15/1999 of 13 December on the Protection of Personal Data – Art 29. (Provision of information services on creditworthiness and credit)

The Bank of Spain operates a registry for the general supervision of lending institutions. It has a high threshold, which excludes consumer credit. The operation of a private CRA requires authorisation from the national Competition Court as CRAs represent a form of trust between companies in the same sector influencing commercial strategies. The Law on the Protection of Personal Data contains a specific provision on consumer credit reporting. Article 29 of the Law provides that providers of information services on creditworthiness and credit may process only personal data obtained from registers and sources accessible to the public and set up for that purpose or based on information provided by the data subject or with his consent. In addition, processing of personal data relating to the fulfilment or non-fulfilment of financial obligations provided by the creditor or by someone acting on his behalf is allowed. In such cases the data subjects shall be informed, within a period of 30 days from the recording, of those who have recorded personal data in files, with a reference to the data included, and they shall be informed of their right to request information on all of them under the conditions laid down by the Law. In all the cases above, at the request of the data subject, the data controller shall communicate to him/her the data, together with any assessments and appreciations made about him/her during the previous six months and the name and address of the person or body to whom the data have been disclosed. Only those personal data that are necessary for assessing the economic capacity of the data subjects may be recorded and transferred. In the case of presence of negative data (Continued overleaf )

120

Law and Consumer Credit Information in the EC

Table 4.3 Continued. Country

Relevant provision of law

Content of the law and national regime these should not go back for more than six years, always provided that they give a true picture of the current situation of the data subjects.

Spain Continued

Sweden

Kreditupplysningslagen, SFS 1973:1173 (The Credit Information Act 1973)

Anyone planning to conduct credit-rating operations normally requires a permit from the Data Inspection Board. The Data Inspection Board carries out inspections to ensure that the operations are being conducted in a proper manner. Particulars concerning a private person may only be provided to a third party if there is a legitimate reason, for example an investigation into creditworthiness. Swedish law specifies that the data can only be released with the individual concerned receiving a copy of the report that has been supplied and information about who received that report. Negligence on the part of a credit-rating agency can result in a liability to pay damages and those responsible may be fined or imprisoned. Data are available to lenders, retailers, government agencies, real estate service providers, and utility providers. Inclusion of negative data is dependent on government recognition of the debt. Unpaid debts remain in the register for as long as the creditor attempts recovery and a further 10 years after the creditor abandons recovery. When a debt is successfully recovered the data remain in the register until the end of the running year plus three extra years.

The Netherlands

Personal Data Protection Act adopted by the Dutch Lower House on 23 November 1999 and accepted by the Dutch Upper House on 03/07/2000, entered into force on 01/09/2001 Consumer Credit Act 1990, s 14(2)

The Dutch Data Protection Authority supervises compliance with legislation regulating the use of personal data. The Authority is convinced that self-regulation contributes effectively to the achievement of the individual’s fundamental right to the protection of his/her privacy. As such, the Authority is promoting the appointment of a data protection officer and is encouraging companies to formulate codes of conduct for their branch of industry or sector. A ‘Code of Conduct for the Processing of Personal Data by Financial Institutions’

The institutional and legal standing in the EC 121 has been drawn-up. Section 5.6.1 of the Code of Conduct provides that in view of the legal regulations, financial institutions are obliged to provide information on their customers to government institutions and other institutions. Among the most essential legal obligations, s 5.6.9 of the Code of Conduct specifies the Consumer Credit Act. Under the Consumer Credit Act, financial institutions engaged in extending loans to consumers should join a ‘system of credit registrations’ operated by the Central Credit Registration Office (Bureau Krediet Registratie, BKR). Lenders provide data relating to the origin and settlement of financing to BKR. The nature of the recorded data, the conditions for recording, use and provision and the rules for removing the data are laid down in the BKR rules and regulations. There is also a BKR code of conduct. In case of dispute, consumers registered with BKR may apply to the BKR arbitration committee as well as having the possibility to apply to the Dutch Data Protection Authority pursuant to s 60 of the Personal Data Protection Act. United Kingdom

Consumer Credit Act A thorough description and discussion of 1974 (as modernised and the legal framework of the UK is dealt with reformed by the in the Appendix of this work. Consumer Credit Act 2006) Data Protection Act 1998 Bank confidentiality case law Banking Code of Practice

Note: the above national Data Protection Acts and the relevant Data Protection Authorities are accessible from the website of the Council of Europe at http://www.coe.int/T/e/legal_affairs/ Legal_co-operation/Data_protection/Supervisory_authorities/

The United Kingdom provides an example at a national level of the most recently enacted and modern consumer credit law vis-à-vis the attitude towards the related issue of consumer credit reporting. The Consumer Credit Act 2006 reforms the Consumer Credit Act 1974. The aim of the new Act is to protect consumers and create a fairer and more competitive credit market. There has been some pressure from the industry to use the Consumer Credit Act 2006 as a vehicle for addressing the subject of data sharing. However, this issue has been considered broader than the range of provisions in

122

Law and Consumer Credit Information in the EC

the Consumer Credit Act. Data sharing does not, therefore, feature in the Act, and the British Government does not propose to make any changes relating to CRAs.67 The example provided by the UK is in some way reflected at European level, where it appears that similar reasoning and choices were made. Adopted in 1987, the Consumer Credit Directive 87/102/EEC established a legal framework for consumer credit throughout the EC, with the aim of promoting a common market for credit and creating an environment in which consumers receive adequate protection.68 Significantly, no provision or mention of consumer information sharing was made. Directive 87/102/EEC has been amended twice, in 1990 and in 1998, but again no action in relation to consumers’ data was taken on these occasions. However, as noted earlier, the minimal harmonisation approach of Directive 87/102/EEC has resulted in the fragmentation and segmentation of credit markets into separate national ones. Driven by the failure of Directive 87/102/EEC to integrate European markets effectively, on 11 September 2002 the European Commission presented a proposal for a new Directive on the harmonisation of the laws, regulations and administrative provisions concerning credit for consumers (the ‘Proposal’).70 The Proposal aimed ‘to pave the way for a more transparent market, a more effective market and to offer such a degree of protection for consumers that the free movement of offers of credit can occur under the best possible conditions both for those who offer credit and those who require it’.71 The text spelled out a comprehensive set of provisions that would have affected the way the consumer credit industry and market function, including consumer credit reporting. In particular, in Chapter III of the Proposal titling ‘Protection of Privacy’, Art 7 (Collection and Processing of Data) stated: Personal data obtained from consumers, guarantors or any other person in connection with the conclusion and management of agreements

67 Department of Trade and Industry, Consumer Credit Bill, Full Regulatory Impact Assessment, available at http://www.dti.gov/uk/ccp/creditbill/pdfs/creditbillria2pdf, on 15 May 2005; see also Experian, available at http://www.experian.co.uk/corporate/compliance/ consumercredit/consumercredit.html. 68 Directive 87/102/EC for the approximation of the laws, regulations and administrative provisions of the Member States concerning consumer credit, cit at 6. 69 Lanoo and de la Mata Muñoz (2004), 5–6. 70 Proposal for a Directive of the European Parliament and of the Council on the harmonisation of the laws, regulations and administrative provisions of the Member States concerning credit for consumers, COM (2002) 443 final 2002/0222 (COD). 71 COM (2002) 443 final 2002/0222 (COD), Explanatory Memorandum, 4.

The institutional and legal standing in the EC 123 covered by this directive, and in particular by Article 6 (1), may be processed only for the purpose of assessing the financial situation of those persons and their ability to repay.72 The following Art 8 (Central Database), innovatively bringing into play either CRAs or PCRs, depending on the various institutional arrangements of each Member State, specified: 1. Without prejudice to the application of Directive 95/46/EC, Member States shall ensure the operation on their territory of a central database for the purpose of registration of consumers and guarantors who have defaulted. This database may take the form of a network of databases. Creditors must consult the database prior to any commitment on the part of the consumer or guarantor, subject to the restrictions referred to in Article 9. The consumer and, where appropriate, the guarantor shall, if they so request, be informed of the result of any consultation immediately and without charge. 2. Access to the central database in another Member State shall be ensured under the same conditions as for firms and individuals in that Member State, either directly or via the central database of the home Member State. 3. Personal data received under paragraph 1 may be processed only for the purpose of assessing the financial situation of the consumer and guarantor and their ability to repay. The data shall be destroyed immediately after the conclusion of the credit or surety agreement or the refusal by the creditor of the application for credit or the proposed surety. 4. The central database referred to in paragraph 1 may include the registration of credit agreements and surety agreements.73 The Proposal, finally, introduced in Art 9 the principle of ‘responsible lending’, based on the requirement that a lender has ‘previously assessed, by any means at his disposal, whether the consumer and, where appropriate, the guarantor can reasonably be expected to discharge their obligations under the agreement’.74

72 COM (2002) 443 final 2002/0222 (COD). In turn, Art 6(1) – Exchange of Information in Advance and duty to provide advice – of the Proposal provided: ‘Without prejudice to the application of Directive 95/46/EC, and in particular Article 6 thereof, the creditor and, where applicable, the credit intermediary may request of a consumer seeking a credit agreement, and any guarantor, only such information as is adequate, relevant and not excessive, with a view to assessing their financial situation and their ability to repay. The consumer and guarantor shall reply accurately and in full to any such request for information.’ 73 Ibid. 74 Ibid.

124

Law and Consumer Credit Information in the EC

In practice, the introduction of the rather difficult – and controversial – concept of ‘responsible lending’ would have represented an obligation for the ‘good lender’ to consult centralised credit databases and to examine the responses provided by the consumer and eventually the guarantor. The above three provisions of the Proposal would have been interesting grounds for a discussion and detailed analysis for this work and its subject matter, but they were suppressed in the modified version presented after rejection of the Proposal on 11 September 2003 by the Legal Affairs Committee of the European Parliament and its consequent withdrawal by the Commission.75 On 10 October 2005, in fact, the Commission presented, pursuant to Art 250(2) of the EC Treaty, a modified proposal for a Directive of the European Parliament and of the Council on credit agreements for consumers, amending Council Directive 93/13/EC (the ‘Amended Proposal’).76 As a whole, the Amended Proposal has revolutionised the original Proposal. As far as consumer information sharing is concerned, the former Art 7 has been completely erased and the former Art 6 has been incorporated with substantial modifications in the new Art 5(1): The creditor and, where applicable, the credit intermediary shall adhere to the principle of responsible lending. Therefore, the creditor and, where applicable, the credit intermediary, shall comply with their obligations concerning the provision of pre-contractual information and the requirement for the creditor to assess the consumer’s creditworthiness on the basis of accurate information provided by the latter, and, where appropriate, on the basis of a consultation of the relevant database [emphasis added]. Where the credit agreement allows the creditor to change the total amount of credit after the date of conclusion of the credit agreement, the creditor shall update the financial information at his disposal concerning the consumer and shall assess the consumer’s creditworthiness before any significant increase in the total amount of credit.77 As was made clear in the Explanatory Memorandum of the Amended Proposal, the obligation to set up national credit reference databases has been deleted, since this would go beyond the purpose of this Directive. Issues relating to data protection are already dealt with in the Data Protection Directive 95/46/EC. Therefore, the Commission proposes to guarantee 75 Committee on Legal Affairs and the Internal Market, P5_TA-PROV(2004)0297. 76 Modified proposal for a directive of the European Parliament and of the Council on credit agreements for consumers amending Council Directive 93/13/EC, COM (2005) 483 final 2002/ 0222 (COD). 77 Ibid, Art 5(1).

The institutional and legal standing in the EC 125 only a mutual access to existing private and public databases on a non-discriminatory basis.78 In the intention of the legislator, this simply means that the Amended Proposal requires all existing consumer credit databases to be opened up to EC credit providers on a non-discriminatory basis, instead of requiring the setting up of new consumer credit databases at national levels.79 Finally, as regards the controversial concept of ‘responsible lending’, the Amended Proposal has modified the initial formulation requiring lenders to give standardised information about important elements, such as annual percentage interest rates, fees and monthly repayments when advertising consumer credit products. It also obliges lenders to give consumers comprehensive information about credit agreements expeditiously before they sign the contract, to document the agreement properly and to keep consumers properly informed about their respective rights and obligations under the agreement throughout their credit relationship. These information requirements, coupled with the right to cancel a credit agreement within 14 days of signing it, are intended to help consumers avoid taking on more debt than they can afford. In addition to these core requirements, the revised law demands that lenders check a consumer’s creditworthiness before concluding a credit agreement with him or her, without imposing any specific means among the many that could be used (CRAs, indeed, are just one possibility).80 In the end, therefore, the position of the relevant European institutions after consultation with the industry seems to voluntarily neglect the regulation of consumer credit reporting within the context of a consumer credit law, with the result that it will substantially leave the status quo in the sector. After more than four years of negotiations where Member States have been stuck in a stalemate, the Council of Ministers of the EU has recently reached, by qualified majority, a political agreement on the Amended Proposal. This means that the Council needs to adopt its common position at one of its meetings after the finalisation of the exact text, then it has to forward the document setting out this position to the European Parliament for a second reading in the framework of the co-decision procedure of the law-making process in the EC.81 78 COM (2005) 483 final 2002/0222 (COD), Explanatory Memorandum, 6; see also ibid, Art 8(1) Database Access. 79 European Commission MEMO/05/361, 10 October 2005, available at http://europa.eu.int/ rapid/pressReleasesAction.do?reference=MEMO/05/361&format=HTML&aged=0& language=EN&guiLanguage=fr. 80 Ibid. 81 At the Competitiveness EC Council meeting held in December 2006 the Member States failed to find an agreement on the Amended Proposal. The Member States reached an agreement at the Competitive EC Council meeting on 21–22 May 2007 under the German Presidency. See Council of the European Union, Press Release, Brussels, 21 May 2007, 9739/07 (Presse 112).

126

Law and Consumer Credit Information in the EC

Concluding remarks: missing a chance? An overview of consumer credit information systems in Europe suggests that their reference markets are fragmented and still remain a national affair. Certainly, this is the result of the negative picture provided by the integration indicators of the credit markets themselves, as well as natural and legal barriers alike. In addition, however, the industrial organisation and institutional structure of the credit information industry present features of their own that contribute markedly to an uneven development of the sector from country to country, leaving Community market integration an objective far from achievement. When looking at the combination of all the factors described in the above survey, though, it is noteworthy that, in most cases, appropriate institutional arrangements are absent, having been left to commercial organisations that are monopolistic in nature and scope. Although in recent years a trend has started to emerge for an increasing number of EC nationals to circulate and establish themselves in other Member States, and despite the EC political desire for maximum harmonisation in retail credit markets, Europe does not seem to have adequate instruments in place to provide a European cross-border exchange of information, jeopardising every effort towards market integration. In short, the picture that comes out from the above survey is that of a fragmented Europe with its own institutional organisation and national information-sharing systems in place, each one different from the others and responding exclusively to domestic needs. After all, as the situation stands, the structural problems of the credit information distribution industry, together with issues of competition, leave little ground for an European dimension. The legal standing of consumer credit reporting, in turn, reflects the segmentation of the sector. Within the various existing legal scenarios, industry-specific laws are alien to the data-sharing arrangements in place, thus at Community level there is no uniform or harmonised legislation similar to that which has shaped the industry in the US where they first developed. What emerges from an inspection of the legislative framework in the EC is that omni-comprehensive data protection is and will remain the crucial law that to date regulates the sector. At the same time, the discussions of EC policy-makers over a future European framework for consumer credit offer little or no elucidation. The Proposal and the following Amended Proposal for a new consumer credit directive seem to leave the state of affairs unchanged, as the issues relating to consumers’ data have been considered wider than those that they intend to cover, referring their regulation back to Directive 95/46/EC. This means, in the end, that it is the data protection legislation as implemented in each national Member State that applies. However, what is perplexing about this outcome is that the lack of uniform application of the national

The institutional and legal standing in the EC 127 rules is likely to contribute to leave the sector as an un-integrated domestic business far from the principles of the Community’s Internal Market. However, the free movement of people and an effective mobility of Europeans from one Member State to another, coupled with issues of non-discrimination based on nationality, will require harmonisation in the sector. How is a lender from one Member State supposed to behave when faced by the credit application of an EC foreign national who has changed residency to that Member State and whose information are stored in his or her previous country? What rules should it apply? Will the EC foreign national be discriminated in his or her credit application? What above all strikes a commentator’s attention immediately is that, throughout the discussions that have taken place at EC level, there was no mention at all of the institutional side and the problems that this – or, better, the absence of it – raises. It seems that no consideration was given to the real function that the organisations serving the market carry out. A basic question should be asked: do CRAs exercise a public function for the benefit of all, the industry and consumers alike, or rather do they not simply provide services for the benefit of the profitability of lenders? In the former circumstance, in fact, debates over a form of institutional governance, at a minimum, should have occurred. If, however, this is not the case, it poses the serious problem of what role CRAs should have in the consumer credit sector. Do they exercise a function similar to that of private investigators at the service of the industry? Should the latter be the case, then, an assessment of the true compliance of consumer credit reporting with the requirements of data protection legislation should take place. Depending on the results of such analysis, there would be grounds for propositions ranging from extreme ones to outlaw CRAs or more moderate solutions to introduce industry-specific laws covering the many aspects that consumer credit reporting entails, to lenient ones that leave the legal framework as it is. Certainly, additional intriguing scenarios of other less obvious applicable laws may be identified, such as provisions concerning gender recognition (when existing in some Member States) or issues of social discrimination and access/exclusion to credit. As well, as this work will comment further in Chapter 7, the mechanisms of information sharing in today’s sensitive context of data protection being perceived as a human right may give rise to new possibilities of other applicable laws, such as those relating to unfair commercial practices. After this preliminary overview of the sector at EC level, the impression is that the unequal development of consumer credit from country to country, characterised by the peculiar monopolistic/oligopolistic structure of the information industry, coupled with many other issues relating to privacy concerns, which will be exemplified in the coming chapters, causes unease over basic consumer freedoms and civil society guarantees. For all these reasons, the results of the Amended Proposals seem far from satisfactory. Most probably, the EC is missing a chance to start thinking about

128

Law and Consumer Credit Information in the EC

a regulatory model for consumer credit information to support a healthy single market in retail credit in which consumers receive adequate protection. At the very least, the new consumer credit directive should have represented the appropriate forum for a public debate, without voluntarily dismissing the matter neglecting important issues. In the coming chapters, therefore, it is precisely the legal consequences of leaving the sector to the regulation of the omni-comprehensive data protection legislation that this study will attempt to explore and examine in detail.

5

Reputation, privacy and the law What rights and interests are at stake and to what extent are these conflicting?

Introduction As the previous chapter has revealed, given the number, type and uses of personal data involved, to date the omni-comprehensive data protection legislation constitutes the crucial law that regulates consumer credit reporting in the context of the EC. At present, in fact, legislators across Europe mainly rely on the EC Data Protection Directive as transposed in national law.1 Also, this work has pointed out that although in the vast majority of cases the regulation of consumer credit data processed by private CRAs is contained in the national laws transposing Directive 95/46/EC, in a few situations (in Sweden, Hungary and the Czech Republic) it features in rules governing the financial sector that contain safeguards as to the ownership or supervision of the relevant CRA.2 Within this identified legal framework, the aim of this chapter is first to evaluate and then balance the rights and interests of both lenders and consumers in order to stress to what extent these are conflicting ones. Ultimately, therefore, such an assessment proves essential in setting priorities and serves as an interpretative tool to carry on a compliance analysis in the next chapter. This approach also claims to be useful in setting methodological standards for such an analysis. It is necessary to evaluate the results of said examination in order to assess whether the positive law adequately safeguards against one interest prevailing over the other, or in the case of equally important ones, finds the right balance between the two. The rights and interests of the credit industry, as well as arguments in favour of consumer credit reporting in unison with the economic theory and the reported literature, have already been discussed at length in the previous chapters of this work.

1 Data Protection Directive 95/46/EC, OJ 1995 L 281 p 0031–0050. 2 However, in the Czech Republic the system in practice relies on a sham legal construction according to which the entity whose holdings are held by banks by provision of law (the Banks Act No 21/1992 at Art 38a) out-sources the management of the system to a commercial entity owned by a foreign private CRA that processes the consumer data.

130 Law and Consumer Credit Information in the EC Thus, to reach the aforementioned goals, the opening section of this chapter looks more closely at the basic elements behind those mechanisms of credit reporting that have already been extensively studied in the earlier chapters. It attempts to show the negative and prejudicial side of sharing peoples’ reputation and how information technologies exacerbate such concerns. The following section, therefore, extracts and explains those values that data protection legislation (the legal framework of credit reporting) aims to safeguard. It will stress why it is considered so important to protect personal data in contemporary European society, and what are the dangers that the law aims to prevent. This investigation is a necessary precondition to balancing the rights involved and providing the key to interpreting and analysing the lawfulness of the widespread use and sharing of consumers’ information throughout this work. However, the well-known problems relating to the different implementation of the EC Data Protection Directive in Member States facilitate neither economic operators nor individuals to manoeuvre at Community level, take advantage of the possibilities offered by the Common Market or abide by the EC legal framework.3 Likewise, they pose difficulties in providing a correct analysis of the compliance of the systems at study and, therefore, an assessment of the adequacy of the law that regulates them. At any rate, national regimes implementing a Community directive should not fall short of the normative standards that it sets. Consequently, the last section of this chapter will look at the appropriate benchmark to make reference to in a compliance analysis, as well as the criteria to be used for interpreting and evaluating the law in line with the EC enforcement agenda to be implemented in every Member State.

Reputation As Chapters 1 to 3 have shown, CRAs originated from, and respond to, an asserted need to minimise risk in contractual relationships involving credit, i.e. the advancement of money, services or goods that will be repaid with interest at a later stage with a profit for the lender. Accordingly, trust is a precondition of many social relations, especially, though not exclusively, those involving risks. In this context, trust can

3 See Recital 7 of Directive 95/46/EC which states: ‘Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions.’

Reputation, privacy and the law

131

be intended as ‘one’s expectation that another will act in a way that is advantageous to oneself, supplemented by one’s ability to act upon such expectation, accepting the corresponding risks’.4 Certainly, many other definitions of trust exist in the literature, but all make reference to a component of rational expectations by a party on the counter party’s behaviour.5 Arguably, without trust there could not be any active social relationship, including business and the underlying contracts that are one expression of the many social relations that exist. Trust, therefore, presupposes a decision to expose oneself in a relationship involving others that inevitably contains a risk involving the performance of the counter part. In particular, in commercial relations it is well known that risk is part of business itself and the taking of the risk is compensated by profit or penalised by failure. In this regard, every business involves risk, because risk is entrenched in the nature of business. Trust and risk are necessary preconditions for business to exist. Then, on those occasions where trust is misplaced and it has been breached, the law provides an alternative to the spontaneous cooperation, or correct performance, of the counterpart (the trustee). The law, therefore, not only provides a means for repairing the failure of trust but also provides a reason for relying upon others and contributing to the rational formation of trust in those social relations that it covers. At the same time, the law provides a disciplinary mechanism for the trustee, who knows that there are in place tools accepted by society at large for the enforcement of his/her obligations and the punishment for having breached someone else’s trust.6 CRAs, by contrast, have developed as informal social accountability mechanisms that contribute to the formation of trust and serve as disciplinary devices for the borrower.7 As such, they have established themselves as an alternative to the law in the formation of trust. In this way, they replace the law, which remains a remedy once trust has been breached. Although judicial procedures have the undisputable advantage of the certainty and rule of law, they are also lengthy, have an uncertain outcome and could be expensive on those occasions where the debt is irrecoverable. Therefore, in the name of the minimisation of risk and the consequential maximisation of profits for lenders, CRAs bring into play the reputation of consumers to favour the formation of trust or supplement it. As social accountability mechanisms, they create and disseminate reputations that give rise to rewards for standardised good behaviour, and punishments for standardised bad behaviour.8 In this way, however, it could be

4 Sartor (2006), available at http://www.iue.it/LAW/People/Faculty/CVs/sartor.shtml. 5 See, for example, McKnight and Chervany (1996), available at http://misrc.umn.edu/wpaper/; Fukuyama (1995); Herzberg (1988); Falcone and Castelfranchi (2001); Castelfranchi and Falcone (2003); Gambetta (1990); Klein (1997). 6 Sartor (2006). 7 Klein (2001). 8 Ibid.

132

Law and Consumer Credit Information in the EC

maintained that from social accountability mechanisms they also become social control mechanisms and impose a set discipline via surveillance. Once more, Sartor provides a useful definition of reputation, considered as ‘the evaluative opinion that people (the public in general or certain sections of it) have on a particular person, and the social mechanism which produces such an opinion’.9 In the logic of the credit reporting business, as in every section of society, reputation results from shared beliefs. A meaning is given to the various pieces of personal information, and persons (lenders) form opinions concerning other persons (borrowers), sometimes on the basis of personal experiences but many times on the basis of the experiences of others. Such opinions and beliefs are adopted by others and further conveyed through CRAs.10 As a result, reputation provides a cognitive basis for people to trust others based on the positive or negative experience or opinion of an external party. This confers a personal evaluation of a fact that has not gone through the formal mechanism of declaratory action that is a judicial proceeding and confers to the judgement force of law for this particular situation. From a different angle, reputation puts a person in a position towards others that can alternatively be that of reliance by others, resulting in the invitation to enter social relationships (inclusion), or that of distrust by those same persons resulting in refusal to enter those relations (exclusion). Problematically, reputation can be associated with, and inevitably becomes, identity: someone is not his/her real self but rather becomes the result of the judgement of his/her individual achievements and verification of corresponding credentials by others. It becomes a fact when it becomes a story shared by many, as this gives authority to the story. Someone is what others say, not what he/she truly is.11 On its negative side, therefore, a bad reputation (for example, failure) becomes one person’s achieved identity and, in the case of CRAs, a market commodity for the risk-management of trust. Also, a negative reputation can be easily related to prejudice and stigmatisation: negative conclusions are drawn from certain reported information about, or features of, a person. Choices are then made accordingly, but these may damage that person further. And, in turn, this information, which is built on previous information, spreads in society, contributing to consolidate such a reputation in a spill-over fashion. In this way, not only does reputation fail as a cognitive mechanism, but it is also intrusive and bears with it issues of social exclusion and discrimination based on one’s achieved identity, precisely what Sandage calls the achieved identity of a ‘born loser’.12

9 10 11 12

Sartor (2006). Ibid. See also Conte and Paolucci (2003). See Sandage (2005), chs 4–6. Ibid.

Reputation, privacy and the law

133

Certainly, reputation is a natural and unavoidable component of the dialectical interaction between the individual and the community where he/ she lives. However, the evolution and use of sophisticated information technologies exacerbate and contribute markedly to the dissemination and diffusion of reputation, therefore marking more neatly and spreading comprehensively, if not completely, on the marketplace such a reputation, i.e. the inclusion or exclusion of persons in/from social relationships beyond the community where they live, together with the consequences that follow expressed above. Technologies, thus, may become the arbiters of achieved identities, standardising, sorting, monitoring and labelling people. The problem is that the informal social surveillance mechanism operated by CRAs lacks the certainty of the law. As described by Klein, who writes in defence of credit reporting, it generates reputations and ‘is akin to gossip in that it gathers, interprets, formats, stores, retrieves, and transmits information’.13 This reputation, however, crucially misses the authority of judicial recognition, i.e. the rule of law. Indeed, such a phenomenon has been at the centre of the recent attention of the Article 29 Working Party on Data Protection set up by Directive 95/46/ EC of the European Parliament and of the Council. According to the data protection authorities, entering individuals onto databases on which they are identified in connection with a specific situation or facts, i.e. on reputation, represents an intrusive phenomenon known as ‘blacklist’ and defined as: the collection and dissemination of specific information relating to a specific group of persons, which is compiled to specific criteria according to the kind of blacklist in question, which generally implies adverse and prejudicial effects for the individuals included thereon and which may discriminate against a group of people by barring them access to a specific service or harming their reputation.14 The insertion in a database of a group of people based on their reputation is precisely what CRAs do. The assessment of consumers’ creditworthiness is based on past financial behaviour, and information about such a past has a meaning that forms one’s reputation within the credit sector. Obviously, CRAs deny that they make blacklists or that they provide opinions, one reason being that they provide cold data that lenders independently evaluate in making decisions, and that credit files are also formed including positive information.15 13 Klein (2001), 343. 14 Article 29, Working Party on Data Protection, Working Document on Blacklists, 11118/02/ EN/final, adopted on 3 October 2002. 15 See, for example, UK Information Commissioner’s Office, ‘No Credit?’, available at http:// www.informationcommissioner.gov.uk/cms/document/uploads/common%20complaints%20

134

Law and Consumer Credit Information in the EC

This assertion, however, is a quibble that lacks legal basis and credibility. Each piece of information – a single datum – has a meaning and is read in conjunction with all other reported data. Every credit file undoubtedly pictures and reports a consumer’s behaviour, forming a reputation. Even if the intention is not that of stigmatising a group of people according to certain features (expressed by the data), their widespread use has had the same effect and result. The use of positive information, moreover, not only fails to stem the above-mentioned concerns but, if any, exacerbates them by way of positive discrimination, that is anyone who has no positive information in his/her credit file, or else elements contributing to a positive reputation, then has a bad or at least suspect reputation. This includes those who are not present in the database at all, thus in theory should not have a reputation, but get (a suspicious) one for not having a credit history.16 Yet, reliance based upon reputation through data sharing and the formation of blacklists seem to conflict with the legal framework that Chapter 4 has identified earlier, i.e. data protection as the omni-comprehensive legislation regulating the sector. How is the formation and diffusion of reputation impaired by data protection? May a system that relies on the creation and dissemination of the reputation of consumers ever be lawful vis-à-vis a law that protects the processing of their personal data? Is there a solution or a balance that can duly take into account the interests at stake? To answer this set of questions, which imply an intrinsic conflict and fundamental tension between the right to privacy of an individual living in a society and his/her interaction within such a community, it seems essential to evaluate the reasons behind both the enactment of data protection laws and the interests of lenders. The latter has already been extensively examined earlier in this work. The following sections, therefore, will concentrate on the significance to Europe of protecting consumers’ personal data, and the value placed upon such a notion.

The importance of data protection and the reasons for EC legislation As seen in the previous chapter, in collecting, processing, and disseminating the personal data of consumers in credit operations, CRAs must, like any other data controller, comply with data protection legislation. Before turning to this stricter compliance analysis, however, it is useful to put the complex technological mechanisms of consumer credit data sharing

about%20credit%20reference%20file%20information.pdf. See also Equifax, available at http://www.econsumer.equifax.co.uk; Experian, available at http://www.experian.co.uk. The same argument is made by the other European CRAs available through their websites. 16 Article 29, Working Party on Data Protection, cit at 14.

Reputation, privacy and the law

135

in context with the aim and scope of data protection law, recalling once again – as a way to set priorities as well as an interpretative tool – the origins, evolution and justifications of such a distinctly European piece of innovative legislation. (a) The concept of privacy Accordingly, the concept of privacy can have a multitude of meanings to different people in different countries at different times and has been the subject of much scholarly debate. There are so many wide-ranging views as to its significance, depending on the context and environment in which they are taken, that by general consensus the concept of privacy is seen as still under construction or always in transition, in any event almost impossible to define.17 Nonetheless, as reported earlier in Chapter 4, the recognition of the idea of privacy has a long tradition and is deeply rooted in history.18 However, it was only in the nineteenth century that the concept of privacy was developed as an independent legal value, when American Harvard law professors Brandeis and Warren in their well-known publication, The Right to Privacy, identified such a right as a tort action, defining it as ‘the right to be left alone’.19 Since that publication, it has been widely accepted that in its most general accession, privacy protection is seen as a legal way of drawing the line at how far society or other individual subjects may intrude into a person’s own affairs. It entails that such a person should be left able to conduct his/her personal legitimate affairs relatively free from unwanted intrusions. As such, privacy is unquestionably considered to be an expression of freedom and dignity of the individual.20 Within such a broad notion, then, privacy typically encompasses the following four separate but related aspects:

•

information privacy, or privacy as self-determination over one’s personal

17 Electronic Privacy Information Center and Privacy International (2002); Jay and Hamilton (2003); MacDonald (2000). 18 Electronic Privacy Information Center and Privacy International (2002). 19 Warren and Brandeis (1980). 20 There is a considerable amount of literature that contributes to the moral, social, political and jurisprudential debates on privacy. The literature also helps to distinguish descriptive from normative accounts of privacy. In these discussions, some emphasise the moral value of and interest in privacy, while others focus on it as a legal right to be protected. For general discussions about the value of privacy and its protection see Pennock and Chapman (1971); Paul et al (2000). For privacy as a human dignity see Bloustein (1964). For a narrower view of privacy as self-determination, intimacy or a meaningful aspect of interpersonal relationships, personal expression, and choice see Parent (1983); Gerstein (1978); Westin (1967); Inness (1992); Fried (1970); Rachels (1975); Gavison (1980); Moore (1998); Schoeman (1984); DeCew (1997). Contra, see Thomson (1975); Posner (1981); Bork (1990). For a feminist critique of privacy see MacKinnon (1989).

136

• • •

Law and Consumer Credit Information in the EC data. This aspect relates to the data subject’s power of decision over his/ her own information (i.e. control over his/her personal data); bodily privacy. This concerns the protection of one’s physical self against invasive intrusions or procedures in his/her body (for example, genetic or blood tests, cavity searches, etc.); privacy of communications. This covers the security and privacy/confidentiality of all forms of communications (for example, mail, telephone, electronic mail, etc.); territorial privacy. This refers to the individual’s intimate space setting the limits from unwanted intrusions (home, workplace, etc.).21

(b) Directive 95/46/EC Data protection is a distinctive European innovation in law that over the last few years has been gaining acceptance and has been emulated over the world outside the EC. As noted in Chapter 4, the atrocities of Nazism, fascism and communism pushed Western nations into attaching great importance to the right to privacy, as it had been demonstrated how easily it could be violated, and the extreme consequences of such violations. Privacy was soon elevated as a human right and its standard at an international level was enshrined in the 1948 Universal Declaration of Human Rights and later, at European level, incorporated in the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms.22 Certainly, the horrors of recent European history and the international conventions that followed played an important role in the development of privacy laws across Europe and, ultimately, in the adoption of Directive 95/ 46/EC. Two other factors, however, proved decisive for the enactment of the latter piece of legislation: (1) the progressive development in computers and information technologies, i.e. ultimately in the information society, together with the dangers that this could represent for individuals; and (2) the need for the free movement of personal data within the Community to solve trade disputes arising from separate national privacy regimes, hence the harmonisation of data protection laws of the Member States.23 In the end, as a result, the real aims and scope of Directive 95/46/EC were (1) the protection of fundamental rights and freedoms of Europeans, and (2) the achievement of the Internal Market. Both objectives were equally important, though in mere legal terms the existence of the Directive, and the

21 Electronic Privacy Information Center and Privacy International (2002). 22 Universal Declaration of Human Rights, 10 December 1948, available at http://www.un.org/ Overview/rights.html; Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, ETS No 005, available at http://conventions.coe.int/Treaty/EN/ cadreprincipal.htm. 23 See Directive 95/46/EC, cit at 1, Recitals 1–11.

Reputation, privacy and the law

137

jurisdiction of the EC rather than the national ones, rested on Internal Market grounds, having its legal basis in then Art 100a (now Art 95) of the EC Treaty. However, the recent proclamation of the Charter of Fundamental Rights of the European Union, that in its Art 8 incorporates the right to data protection, has given added political emphasis to the dimension of the protection of the fundamental rights of individuals contained in Directive 95/46/EC. Until recently, one could not overlook the fact that the exact nature of such a solemn proclamation was uncertain. However, the recognition of those fundamental rights made by the Member States and the EC institutions provides an indubitable indication of their importance, a source of inspiration and a valuable point of reference for all the actors involved in the EC legislative, administrative and judicial process (thus transcending its mere declaratory character). Significantly, also, the Charter is embedded in the EU Reform Treaty. This means that, once it has been ratified by the Member States, data protection will enjoy added legal value, thus giving it recognition at the highest level of binding legislation in the EU.24 Indeed, to reach its two main stated goals, the result of Directive 95/46/EC was not the protection of privacy in its broad significance but the protection of personal data, that is to say solely one specific aspect of privacy protection: information privacy. The Directive, in fact, is about the right of informational self-determination of the individual, a right that – as already said – is related, but not identical, to the wider right to privacy (the general right to be left alone). (c) Data protection as a civil liberty In a broad sense, informational privacy is a right of the personality of the human being, an individual condition of life characterised by exclusion from unwanted knowledge of his/her personal information from outsiders, i.e. exclusion from publicity. More specifically, though, the basic concept of informational selfdetermination entails that an individual should have control over data generated about himself/herself, that there should be certain rules about how information is processed, and that data processing activities by data controllers should be as transparent as possible.25

24 Charter of Fundamental Rights of the European Union, C 364 (2000), p 0001–0022. See also Commission of the European Communities (2003b); Skouris (2006a). But see the exemption obtained by the United Kingdom – according to which the Charter on Fundamental Rights will not be justiciable in British courts or alter British law – after the agreement reached in late June 2007 on the Reform Treaty which replaces and preserves much of the Constitutional Treaty nominally collapsed after the rejection by Dutch and French voters in 2005. 25 See also, for example, the literature cited earlier in this chapter at 20.

138

Law and Consumer Credit Information in the EC

From this perspective, hence, someone’s informational privacy can be infringed by means of the acquisition of personal information by outsiders contrary to the determination of that concerned individual, insofar as such individual is identified or identifiable. This can take place in two ways: that is, through intrusion and/or disclosure. The former occurs through the illegitimate collection and storage of personal data by a third party contrary to the data subject’s determination. Infringement through disclosure, by contrast, entails that a third party communicates illegitimately to other third parties personal data, once again contrary to the data subject’s determination. Certainly, it goes without saying that the communicating party may hold such information illegitimately in the first place, in which case there is a double infringement or as many infringements depending on the spill-over communication of data (data dissemination). For infringements to occur and liability to be established, the simple illegitimate processing (collection, storage, or communication) of personal data by a third party is sufficient, its intent – or knowledge and/or will to perpetrate the violation – being irrelevant. As the next chapter will closely analyse, every one of these basic principles is reflected in the provisions of Directive 95/46/EC, such as those that require that data processing must be done for legitimate and precise purposes that must be previously notified to the concerned individual; or, again, those requiring that there should be a valid legal basis for the data processing, such as consent of the data subject, another overriding right or a legal obligation.26 (d) Data protection and technologies Most of all, informational self-determination seems particularly important today in the era of the so-called information society characterised by everevolving technological innovations, as also made clear by Recital (4) of Directive 95/46/EC in recognising frequent recourse in the Community to the processing of personal data in the various spheres of economic and social activity, ‘whereas the progress made in information technology is making the processing and exchange of such data considerably easier’.27 In this context, data protection legislation in general – and Directive 95/46/ EC in particular – is a legal tool aimed at the recognition of fundamental rights of the individual, and awareness that the individual’s protection could represent an obstacle for market integration unless there is convergence among the Member States. Hence, contrary to the isolated view expressed by some commentators, it is far from being a measure reflecting what has been defined as ‘the fear of the democracies of the European Union that

26 A more detailed discussion of these rules will follow in Chapter 6 in the attempt to assess to what extent consumer credit reporting abides by them. 27 Directive 95/46/EC, cit at 1, Recital 4.

Reputation, privacy and the law

139

information technology might be used in the future to subjugate people to private-sector dictators’.28 Indeed, there is a considerable amount of literature available about the perils of indiscriminate use of information technologies in today’s information society. Just to give a few examples, it is well known that technologies have the potential capability of aggregating an enormous amount of data in a short time, manipulating, storing, retaining and disseminating them as quickly to an indefinite number of third parties that may access them from many different points. Then, data may be inaccurate, outdated, out of context, expressed in an unintelligible form and so on. Consequently, they make it possible to follow an individual’s information trail step by step, manipulate his/her economic decisions, profile and/or categorise people, discriminate against them, impede forgetfulness (the possibility to forget as well as being forgotten), enable people to change and/or progress, infringe (if not steal) their identities, create reputations, etc.29 In short, they have a clear potential to influence dramatically the lives of people, and this represents exceptional power in the hands of those who use them. Put it in simple terms, that is the reason why data protection is about liberty, intimacy and dignity, thus constituting an important legislative tool to protect those fundamental legal values of a modern democratic order. This is also why data protection, as an essential part of the right to privacy, is generally accepted and construed as a human right – at least in Europe.30 (e) The public v the private sector The power that technologies and data processing may give to those who use them, and the related perils for individuals, also explain why data protection is a law that purports to apply to the public and the private sector alike. As both governments and business are in a dominant position vis-à-vis the individual, their use of power – dictated by whatever reason, may it be political or simply by the search for profitability – could easily result in the abuse of such power and/or dominant position, thus penalising the individual as described

28 MacDonald (2000), 55. Arguably, this opinion stems from the view over privacy laws enshrined in the US legal system. It follows the criterion that someone should have a reasonable expectation of privacy in a particular activity, rather than embracing the European view that an individual should have control over data generated about him/herself. See Kuner (2005). See also Jay and Hamilton (2003), ch 2. 29 See, for example, Kuner (2005); Hanson and Kysar (1999); Solove (2004); Rodotà (1995); Levi and Wall (2004). 30 Ibid. Bygrave (1998); Chalton and Gaskill (2006); Blankart et al (2000). See also Jay and Hamilton (2003): as the authors explain (pp 39–69), data protection is no longer seen as a ‘stand alone’ area of law as judges have increasingly taken an holistic view of personal information bringing together converging privacy sources. Reference should also be made to the Charter of Fundamental Rights of the European Union, cit at 24.

140

Law and Consumer Credit Information in the EC

in the examples provided above. Moreover, nowadays consumers interact with a great number of organisations (both public and private) that capture, process, store and disseminate their information. Again, in this sense, respect for data protection intends to mirror the safeguarding of the individual and deference for his/her freedom from any person. By applying to both the State and the private sector, the law addresses the issue whether data protection is or ought to be a person-to-person or a personto-State matter. This, in many ways, disturbs the North Americans’ approach to data protection, but is along the lines of the European model of the welfare state and the idea of the social market. In that perception, it reflects the EC view about the relationship between Member States and their citizens as well as relationships among the latter. And this is where the European and the American views over privacy clash. In the broadest terms, in fact, in the US the private sector remains comparatively free of regulation, as it is not considered a danger to individuals and their human rights in the sense that governments are (in terms of expansion, surveillance and deprivation of people’s liberties), thus reflecting a greater distrust of government by North Americans as compared with a less suspicious view of big or small business alike. Similarly, in economic terms, restrictions on the private sector are deemed to be counterproductive, because by reducing the free flow of information consumers would lose out on favourable new products and/or better prices. In summary, the US favours a liberal understanding and approach towards the collection and dissemination of personal information by the business community, as long as it does not harm others, a vision according to which the general economic good prevails.31 All these differences in cultural and legal approaches to privacy and data protection between the two continents have given rise to a vast amount of (continuing) both political discussion and literature. It is certainly not within the scope of this work to enter into the long-standing dispute over data protection between the EC and the US, its significance, and the arguments in favour of the legal approach of one or the other, nor to assess or compare the prevailing efficiency of the two systems. What is important to highlight here is the value placed over data protection by the EC and the reasons for its innovative legislative approach, albeit widely criticised – thoughtful as those criticisms may be – by its detractors. In this regard, the EC acceptance of data protection as both a person-to-person and a person-to-State concern denotes a circumstance that exemplifies the centrality of the individual and his/her right to freedom vis-à-vis third parties notwithstanding who they are, may they be governments, the business sector or other individuals. It intends to exemplify not only an aspect of individual self-determinism but also the individual’s right to exist in, or be accepted by,

31 Jay and Hamilton (2003); MacDonald (2000); Singleton (1999), 186–202; Blankart et al (2000); Stratford and Stratford (1998); Klein (2001).

Reputation, privacy and the law

141

the community where he/she expresses his/her own personality. EC legislation perceives data protection as a safeguard of social relationships.32 Such centrality, of course, has exceptions arising from the respect for the prevailing conflicting rights of others, including the public or general good. In fact, for the completeness of the picture provided so far, it is most important to say that the right to data protection is not absolute, insofar as the justified interest of others outweighs the interest of the individual concerned. Accordingly, this happens in those cases where an absolute right prevails over a qualified right, such as that to privacy, or where two or more qualified rights are in opposition and the judiciary has to take them all into account and weigh the one versus the other in the concrete case. So, for example, despite the extent to which this could be criticised, the Directive expressly provides that it does not apply to the processing of data in the course of the so-called ‘third pillar’, that is a number of State activities such as those falling outside the scope of Community law like Title V (PESC) and VI (JAI) of the Treaty, public safety, defence, State security and the activities of the State in criminal law matters.33 Equally, Art 7(b–f) and Art 8(2) of the Directive are clauses designed for the balancing of interests, establishing that personal data may legitimately be processed by certain subjects for certain purposes without the consent of the person concerned. (f) Criticisms on data protection Of course, not all the above considerations about data protection legislation are necessarily intended to provide nor imply a positive evaluation of the same, or to suggest that it is successfully constructed to reach its goals. On the contrary, for instance, one of its main criticisms is that data protection law is not adequate for a knowledge-based economy: most of the time the new economy and technological developments may bring advantages and gains to consumers and industries alike that the current design of the law is incapable of exploiting. The so-called ‘data explosion’ of modern economies inevitably raises the question whether data protection could ever cope with the challenges brought by progress. Ultimately, this is believed to be the reason why the law would need therefore to be brought in line and up-to-date with new concepts, processes and products. It is not a novelty, in fact, that the EC is often said to be facing the paradox in finding a balance between the need to protect the fundamental rights of consumers on the one side, and foster the Internal Market in the context of the benefits of the technological era on the

32 Ibid. 33 Directive 95/46/EC, cit at 1, Art 3(2). Such derogation has been criticised as it could confer too much power to Governments or easily turn them into a ‘Big Brother’, hardly protecting the privacy of individuals and their liberty. See Singleton (1999); Sousa De Jesus (2004), 9.

142

Law and Consumer Credit Information in the EC

other side.34 Unfortunately, the constant development of the information society and the continuous growth of, and reliance upon, the knowledgebased economy make it difficult for legislation to draw alongside new processes. It really seems that as soon as it is enacted the law is already obsolete, or as one commentator has put it, ‘it’s a race the regulator will never win’.35 In this way, data protection legislation is constantly tested by new technological challenges forcing EC policy to take into account on the one hand progress and economic growth, and on the other hand new threats that could seriously affect its citizens. As openly admitted by the Council of Europe, experience has demonstrated that the principles and regulations on data protection cannot regulate every situation in which personal data are collected in different sectors.36 In business, this phenomenon seems exacerbated by the development of what has been called the ‘risk and instant society’, epitomised by the development of highly technological risk or knowledge management tools (such as consumer credit reporting and risk-scoring systems) designed to make instant decisions in order to provide instant services to customers – all, of course, in the name of profitability (a circumstance that, per se, certainly has a positive connotation). In general terms, they are tools that make large-scale use of personal data, as well as data mining and manipulation techniques, and notoriously include, among others, interconnections, traceability processes, automations, task optimisation options and data sharing.37 (g) The rule of law Nevertheless, as this work has already emphasised, in each sector – including in the ‘risk and instant society’ in which consumer credit reporting takes part – and whatever technology is used, personal data must be collected, processed and communicated to third parties in line and accordance with the principles and the provisions of the positive law, notwithstanding any individual evaluations as to its adequacy to regulate a given situation. After that, if the law proves inadequate to such a situation and the latter is one that either is necessary for the larger society or outweighs the interests thereby protected, then there may be ground for amendments in the law or alternative regulatory instruments that comply with the new legislative framework. However, until that moment (if ever), legal certainty and respect for the rule of law require compliance with the existing regime in accordance with its underlying

34 Commission of the European Communities (2003b); Sousa De Jesus (2004), 27–28; Levi and Wall (2004). For other criticisms on data protection legislation see Bainbridge and Pearce (2000), at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_2/bainbridge/. 35 Sousa De Jesus (2004), 27. 36 Council of Europe, Committee of Ministers (1997). 37 Commission Nationale de l’Informatique et des Libertés (2003).

Reputation, privacy and the law

143

principles. Consequently, any infringement that may occur should be treated as an unlawful interference with a legally protected personality interest. When balancing the conflicting interests at stake, it appears already clear that the right of informational self-determination of individuals in modern society cannot be sacrificed to the interest of lenders for minimising risk in the name of better business. Obviously, the protection of creditors’ rights is important. But the legal tools to achieve this are already in place in the positive law. If a debtor fails to comply with his/her contractual obligations, the law recognises the rights of creditors to recover the debt and it offers the tools to satisfy creditors’ rights. It is important to stress, however, that credit reporting is about minimising business risk, not about the rights of creditors. As already noted by others, the law could punish or forgive a failing debtor, but credit reporting is about predicting failure beforehand.38 It does not satisfy any right of the creditor. As Chapter 1 has explained, it is a risk management tool for the profitability of lenders, it is not a right. In fact, there is no legal right to maximise profits, especially if obtained with the sacrifice of other parties’ rights. Credit reporting is an activity that is carried out before a person enters any obligation in the creditor–debtor relationship. Only when a contractual relationship has been established does the creditor gain rights, which however are not satisfied by the sharing of the debtor’s data. Consumer credit reporting, in fact, satisfies only an interest of lenders but not their rights. It is against this background that one needs to analyse the legal framework of consumer credit reporting in the EC. Likewise, it is against the same background that an interpreter should read existing data protection legislation – ultimately, Directive 95/46/EC – and ask how does the sharing of a multitude of credit reference data empowered by highly sophisticated technologies comply with it. In so doing, he/she should bear in mind the design, functioning and uses of modern consumer credit reporting systems, described earlier in Chapter 1 of this work: systems where data from different sources are easily and quickly aggregated, new data automatically created, and are disclosed to a potentially unlimited number of third parties for a growing number of expanding purposes. Likewise, it is in light of the above that it should be investigated how systems transplanted from the American tradition and shaped by its laws, such as those of consumer credit reporting managed by private CRAs, may fit into the European regime of data protection, especially considering the diverse cultural vision and approach of the two jurisdictions about data processing by private commercial organisations. For consumer credit reporting systems to exist legally, in fact, they must be subject to the prevailing protection offered to individuals set out in the law. Then, it would be a different question to verify whether European

38 Sandage (2005), 111.

144

Law and Consumer Credit Information in the EC

omni-comprehensive data protection schemes are really adequate for protecting the fundamental rights of consumers from the intrusion of systems that, as seen, form blacklists that disseminate their ‘achieved reputation’.

Problems relating to the implementation of Directive 95/46/EC (a) Differing implementation in Member States Before attempting in the next chapter to provide an answer to the set of questions above, it must be noted once more that the lack of uniformity in implementing Directive 95/46/EC by the Member States – discussed earlier in Chapter 4 – continues to create obstacles to completing the Internal Market and areas of legal uncertainty in those situations where the margin of manoeuvre left to the national legislators has been used (or abused) in diverging ways.39 As highlighted earlier by Table 4.4 in Chapter 4, the consumer credit reporting sector seems to be no exception, providing a specific and tangible exemplification of the phenomenon. As also Recital (9) of Directive 95/46/EC makes clear, it is certainly true that in specified areas Member States have, under certain conditions, a margin of manoeuvre in the implementation of the Directive. Correctly, the European Commission has recently recalled that the objective of a directive should be the ‘approximation and not complete uniformity and that, in order to respect the subsidiarity principle, the process of approximation should not go further than is necessary’.40 Nevertheless, Member States should not go beyond, nor fall short of, the high standards of normative protection set by the Directive itself. In practical terms, approximation does not mean that Member States should be allowed to lower the level of protection or make breaches of such protection possible in their national regime.41 This latter circumstance, in fact, would count as a divergence resulting from the incorrect implementation of the Directive, which, in turn, is equal to a breach of Community law. By contrast, the correct use by the Member States of their margin of manoeuvre should in any event permit national legislation to reach the results set by European law, which is precisely the meaning of that form of Community legislation that is a ‘directive’.42 And this is how Art 5 of the Directive

39 Commission of the European Communities (2003b); Commission of the European Communities (2003a), available at http://ec.europa.eu/justice_home/fsj/privacy/docs/lawreport/ consultation/technical-annex_en.pdf; Korff (2002); Sousa De Jesus (2004) 26–27. 40 Commission of the European Communities (2003b), 11. 41 Directive 95/46/EC, cit at 1, Recital 10. 42 Article 249 (ex Art 189) of the EC Treaty. A directive is binding as to the result to be achieved, upon each Member State to which it is addressed, but allows States discretion as to the form and method of implementation.

Reputation, privacy and the law

145

should be interpreted when affirming that ‘Member States shall, within the limits of the provision of this chapter, determine more precisely the conditions under which the processing of personal data is lawful’ (emphasis added), whereby the chapter in question establishes the general provisions of the law.43 Crucially, the following Arts of the indicated chapter of the Directive set the general rules on the lawfulness of the processing of personal data, including provisions relating to data quality, the criteria for making data processing legitimate, special categories of processing, information to be given to the data subjects and exemptions and restrictions. In this framework, Directive 95/46/EC is silent about the sharing of consumer credit information or about the safeguarding of the purposes that the latter is deemed to address (creditworthiness, over-indebtedness, fraud prevention, etc.).44 Equally, there is no indication in the law or in other Community legislation that Member States may have any margin of manoeuvre in this regard. In particular, among the exceptions listed in Art 13 of the Directive that allow Member States to adopt legislative measures to restrict the scope of the obligations and rights referring, among others things, to the principles relating to data quality and information to be given to data subjects, nothing suggests that consumer credit reporting or its claimed purposes should benefit from such inclusion. Certainly, it is not a matter of national security, defence, public security, dealing with criminal offences, nor there is any monitoring or regulatory function connected with the exercise of official authority relating to them (a function that, by contrast, PCRs would have).45 Similarly, as far as exception (e) is concerned, it would be difficult to consider commercial CRAs as organisations that exercise an important economic or financial interest of a Member State or the EC.46 In fact, as this work has to some extent already explained, CRAs simply operate at the service of lenders for their mutual profitability and do not provide any supervisory nor prudential function, a task that in any event they would not have the authority to carry out (a circumstance that, as seen in the previous chapter, markedly distinguishes CRAs from PCRs). Moreover, as better explained later, the role that they aim to provide in the economy is a circumstance that still needs to be demonstrated, either by way of a conclusive relation of cause and effect or, at least, empirically.

43 44 45 46

Directive 95/46/EC, cit at 1, Art 5. See Chapter 1 above. See Chapter 4 above. According to Art 13 (e) Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Arts 6(1), 10, 11(1), 12 and 21 of the Directive when such a restriction constitutes a necessary measure to safeguard ‘an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters’.

146

Law and Consumer Credit Information in the EC

Finally, exception (g) ‘the protection of the data subject or the rights and freedoms of others’ seems clearly not applicable to justify a restriction by Member States of data protection rights or obligations. In fact, as will be explained in depth later when weighing the interests involved in consumer credit reporting, there is no regulatory source that protects the interest of the profitability of lenders, at least no more than the interest of any commercial organisation in making earnings in the carrying out of their business, a legitimate circumstance that nevertheless cannot necessarily lead to the sacrifice through national intervention of any right or obligation relating to the protection of a fundamental right such as information privacy. (b) Implications for the interpretation of the law and methodology As emerges clearly above, when analysing the compliance of consumer credit reporting with data protection legislation of any Member States, the basic rules of Directive 95/46/EC should be respected and any national provision that is in conflict with them, or falls short of their normative protection, should be treated as a breach of Community law and remedied by the modification of the law of the Member State concerned. Moreover, the discretion left to Member States in transposing European directives is now significantly limited when their provisions impose a minimum protection to be assured. Although directives are binding upon each Member State as to the result to be achieved, in fact, they may nevertheless contain directly effective provisions, provided that: (1) these are clear and unconditional, (2) the period for transposition has expired, and (3) the directive has not been transposed or has been transposed inadequately.47 While it is explicitly excluded that directives may have a horizontal direct effect – meaning that persons cannot rely directly on provisions of Community law vis-à-vis other persons – yet the concept of vertical direct effect is fully endorsed in Community law, indirectly sanctioning Member States for failure to implement or for violating them.48 This entails that national courts must interpret provisions of national law as far as possible in light of the wording and purpose of directives, which in the end carry with them an incidental horizontal effect.49 It is beyond the scope of this work to enter into the ongoing debate as to

47 Grad v Finanzamt Traunstein; Van Duyn v Home Office; Rikkskatterverket v Soghra Gharehveran; Pubblico Ministero v Ratti; Verbond van Nederlandse Ondernemingen (VNO) v Inspecteur der Invoerrechten en Accijnzen; Hansa Fleisch Ernst GmbH und Co KG v Landrat des Kreises Schleswig-Holstein. See also Steiner et al (2006), 94–104; Skouris (2006b). 48 For all see Marshall v Southampton and South West Hampshire Area Health Authority; Fratelli Costanzo SpA v Comune di Milano. 49 CIA Security International SA v Signalson SA; Lemmens, Criminal Proceedings against; Unilever Italia SpA v Central Food SpA. See also Steiner et al (2006), 101–104; Skouris (2006b), 247–249.

Reputation, privacy and the law

147

what extent directives have horizontal indirect effect, or whether they should also have a horizontal direct effect at all. Arguably, what seems at any rate important for this discussion is that as far as it concerns at least the provisions relating to legitimate data processing of Directive 95/46/EC, there is little doubt that they satisfy the first two above criteria (1) and (2) for their direct effect. Therefore, in the event that such provisions have been transposed inadequately in Member States or the latter have exceeded the margin of discretion in implementing them (criterion 3), courts should find no difficulties in allowing individuals to invoke their so-called effet utile (useful effect) by recourse to the principle of direct effect.50 To complete the case for respecting the basic protection afforded by Directive 95/46/EC vis-à-vis any diverging national implementation lowering such a protection, it should be finally taken into account that national measures implementing Community legislation should do so with respect to fundamental human rights.51 In the subject matter at study, for instance, breaches of Directive 95/46/EC would occur in the case of a provision of national law legitimising, allowing or further specifying data processing operations in a manner not compatible with the provisions of the Directive and the rights granted to data subjects, such as, for example, one eventually excluding consumer credit reporting from its application, or providing exceptions to the operation of its basic principles. Should the latter circumstance arise in one or more jurisdictions, then there could arguably be grounds for questioning the legality of such a national provision in the relevant data protection act. Likewise, under the same circumstances, doubt could be cast over the compatibility of certain separate domestic rules legitimising consumer credit reporting systems (for example, rules governing the financial sector), in a way that ultimately does not respect or nullifies the provisions of Directive 95/46/EC, bearing in mind its status/rank of Community legislation, so a source of law prevailing over conflicting national dispositions or other administrative burdens. Furthermore, obstacles to the free circulation of personal data within the Community and incomplete protection of the fundamental rights of individuals can take a different form or be even more subtle than non-compliance with the Directive in the implementation of national law. These would be the cases, for example, in the event of conflicting decisions or interpretations by national supervisory authorities, or else where other barriers exist that permit or limit (as the case may be) the processing of personal data in one Member State, affecting the right to information privacy of an individual in another Member State (this work, for instance, has already identified in Chapter 4 the industrial organisation and institutional structure of consumer credit

50 Sabine von Colson and Elisabeth Kamann v Land Nordrhein-Westfalen; Faccini Dori v Recreb Srl; Pfeiffer v Deutsches Rotes Kreuz Kreisverband Waldshut eV; Mangold v Helm. 51 Wachauf v Bundesamt fur Ernährung und Forstwirtschaft; ERT v DEP.

148

Law and Consumer Credit Information in the EC

reporting across the EC as a barrier). Arguably, therefore, any barriers would count as a breach of Community law that would need to be tackled too. Eventually, however, these latter investigations aimed at verifying the compliance of each regulatory provision of domestic jurisdictions that impacts on consumer credit reporting would have a broader scope than that of this work, and therefore would not fall within its area of study; rather they should be left to further independent appraisals on a country-by-country basis that could take into account all the variables and complex legal mechanisms of each Member State, each one requiring a book-length study on its own. All the considerations so far expressed as to the way that this work intends to interpret the European regime would be in unison with the latest tougher enforcement strategies unveiled by the EC that will force European data protection regulators into a strategic rethink about a more aggressive implementation and enforcement agenda.52 As a consequence of all that has been written above, this work will focus its analysis only on Directive 95/46/EC considering it as the proper benchmark for assessing the legal framework of consumer credit reporting in the EC, determining any lack of compliance or adequacy with Community law as, respectively, an infringement, or an insufficiency, further reflected in national regimes. In any event, two case studies will be presented later in the Appendix of this work to show practical implications of the analysis.

Concluding remarks The aim of this chapter was to highlight the conflicting rights that distinguish the lender–consumer relationship in credit reporting operations. This is relevant for determining how the law reacts or should be interpreted – and therefore applied – when a conflict of legitimate interests occurs, as well as to what extent a balance is or should be reflected in the corresponding legal framework. On the one hand, through the deconstruction and simplification of the assumptions upon which consumer credit reporting is based, it emerges that personal data are processed by CRAs as an informal social control mechanism to share consumers’ reputation as the method commonly used to form the lenders’ trust in order to minimise that natural component of risk that exists in every business relationship, all finalised to maximise profitability. This method supplements existing mechanisms provided by the law for the same scope. However, the problem with automated reputation sharing seems to be that it leads to either inclusion or exclusion in social relationships, and this matters particularly when individuals are involved. In the event of a bad

52 Pedersen (2005). See also the European Commission website, Justice and Home Affairs, at http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.

Reputation, privacy and the law

149

reputation, in fact, this easily converges in prejudice and stigmatisation, with all the negative consequences that follow. The sharing of reputation also counts as an intrusion in an individual’s private life, particularly if such a person does not have the instruments to determine the correct formation of his/her reputation. The existence of reputation is certainly an inevitable phenomenon that affects every individual living in a community (‘no man is an island’, as Sartor writes, quoting poet John Donne)53 but ever-developing sophisticated information technologies exacerbate and push to the extreme the negative consequences that it entails. What seems particularly relevant, moreover, is that credit reporting satisfies an interest, but certainly not a right, of lenders. On the other hand, by contrast, the origins of, and reasons for, European data protection legislation denote the importance of the need for individual self-determination over one’s personal data, and the dangers that would derive from its absence or violation. Informational privacy is a right, and represents a safeguard of social relationships for every individual living in a community. It is about liberty, dignity and intimacy (just to mention a few), and contributes to protecting the values of the democratic order, at least as it is perceived according to the European welfare state model. Despite all the criticisms and problems of implementation associated with Directive 95/46/EC, respect for the rule of law requires compliance with the basic principles that it sets out. As recommended by the Article 29 Working Party, it is important to have harmonised criteria in the Member States and eliminate those rules that go beyond the high level of normative protection laid down by Directive 95/46/EC.54 In the next chapter, therefore, this work will analyse the compliance of consumer credit reporting systems with the principles of legitimacy of Directive 95/46/EC, considering any national law that allows data processing beyond its level of normative protection as unlawful a priori for breach of Community law. Also, it will assess the adequacy of omni-comprehensive data protection legislation as the appropriate regulatory tool to safeguard the effective privacy of individuals and respect for the values that it encompasses, eventually putting forward suggestions for corrective measures. Evidently, the analysis that follows in the next chapter would be applicable only to those EC jurisdictions where private CRAs operate (see Table 4.1, p 86).

53 Sartor (2006). 54 Article 29, Working Party on Data Protection, cit at 14.

6

Legal compliance What are the legal mechanisms upon which consumer credit reporting needs to rely?

Introduction As this study has already indicated, specific processes and practices to ensure data protection compliance may vary from country to country, depending on the way the law has been implemented in each Member State, the industrial organisation and institutional structure in place, and also the corporate policy of each lender. However, judging against the above criteria, there are certain features of the consumer credit reporting process which exist throughout the lifecycle of the consumer personal data which should comply with the minimum standards set by Directive 95/46/EC for what the legislation of the Member States must – or at least should – provide.1 Such basic principles, which form the backbone of the legislation, are contained in Art 6 of the Directive. As an analysis and impact study on the implementation of Directive 95/46/ EC confirms, these data protection principles are set out in very similar or slightly varying terms in most of the national laws of the Member States.2 Also, the first report from the EC Commission on the implementation of the Directive does not detect significant divergences in the law of the Member States.3 The basic principles upon which Directive 95/46/EC is based have been already outlined in Chapters 4 and 5. In short, said data protection principles aim at providing that personal data must be:

• • •

processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or further processed;

1 Directive 95/46/EC, OJ 1995 L 281, p 0031–0050. 2 Commission of the European Communities (2003a), available at http://ec.europa.eu/justice_ home/fsj/privacy/docs/lawreport/consultation/technical-annex_en.pdf. 3 Commission of the European Communities (2003b).

152

• •

Law and Consumer Credit Information in the EC accurate and kept up-to-date; every reasonable step must be taken to ensure that data that are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.4

Every European data controller has the obligation to ensure that all the above requirements are respected, unless it qualifies for any of the exceptions provided therein.5 Within this framework, the aim of this chapter is to carry out an analysis of the compliance of CRAs’ activities with the principles of Directive 95/46/EC that Member States have a duty to transpose into domestic law. As so many actors are involved in processing a great amount and range of personal data, the ultimate goal is to determine the legal mechanisms upon which consumer credit reporting relies or ought to rely. The result of the investigation will form the basis for the discussion in the next chapter about the suitability of the systems under study vis-à-vis the European legal framework and agenda.

Data controllers At this stage of the discussion regarding consumer credit operations, it is important to assess the capacity in which the players involved in a credit application process handle personal data. This determination, in fact, is crucial in providing an appreciation of the number of subjects that eventually have access to the consumer’s credit data and, more importantly, in establishing the nature and extent of the obligations set by the law for each actor involved. According to the definitions provided in Art 2(d) of the Directive, a ‘data controller’ is a natural or legal person that, alone or jointly with others, determines the purposes and means of personal data.6 Hence, in a typical consumer credit operation, the application process begins with a consumer contacting either a lender or a broker and providing either of them with those personal details described in Chapter 1. A lender, in processing such data for purposes connected with the provision of the commercial service the consumer requires, becomes unquestionably a data controller, determining inter alia whether or not to use a CRA, and which one (in those few jurisdictions where more than one exist). As far as credit brokers are concerned, it appears that they too could be

4 Directive 95/46/EC, cit at 1, Art 6(1). 5 Ibid, Art 6(2). 6 Ibid, Art 2(d).

Legal compliance

153

considered nothing else but data controllers: once a consumer approaches them, they process his/her personal data, determine which lender to contact, theoretically, in the best interest of the customer, and then pass the credit application to the chosen lender(s). In determining which credit product is better for the consumer and to whom to forward the matching application (the right lender), they collect information that forms part of the application itself. Consequently, they seem to determine, or at least contribute to determining, the purposes of the data processing and the third party lenders to whom they communicate the data. This issue may or may be not covered in a contract between a lender and the broker, but all the same a contract construing the capacity of a broker as ‘data processor’ may appear a legal sham. According to the definition of ‘data processor’, in fact, this refers to a natural or legal person that processes personal data on behalf of the controller.7 It is true that the processing of the credit application by the broker could be considered as done on behalf of the lender, however it is the decision of the broker about which lender to approach that renders such a construction problematic. Obviously, in those cases where a supposed broker acts exclusively as the commercial arm of one lender this consideration would not apply, but then it would be hard to consider such a natural or legal person as a ‘broker’ in the first place. As far as CRAs are concerned, for the purposes of Directive 95/46/EC they are also data controllers. This is so because they decide why and how they process personal data.8 Also, in the credit-granting process, CRAs are thirdparty commercial organisations that do not act under the authority of lenders nor process the data of the lenders’ existing or potential customers on instructions from lenders.9 In addition, lenders are certainly not responsible for implementing the appropriate and organisational measures to protect the data contained in CRAs databases as required of data controllers by Art 17 of Directive 95/46/EC, an obligation that incontrovertibly makes CRAs ‘data controllers’ if ever there was any doubt.10 Indeed, the relationship between lenders and CRAs is one between two separate data controllers, where the former are simply the clients to whom the latter provide a service by virtue of a private commercial agreement. The result is that CRAs, as every data controller in the EC, must ensure in their own right that the principles of Directive 95/46/EC, particularly those laid down in Art 6, are complied with in the same manner as lenders do to ensure their own lawful processing. In the end, therefore, it is against these criteria that the lawfulness of consumer credit reporting operations should be assessed, bearing in mind 7 Directive 95/46/EC, Art 2(e). 8 See for example the UK Information Commissioner Guidance notes under the Data Protection Act, http://www.informationcommissioner.gov.uk. 9 Directive 95/46/EC, cit at 1, Art 16. 10 Ibid, Art 17.

154

Law and Consumer Credit Information in the EC

that by reason of their open-ended nature they may be capable of being differently applied in some Member States within the limits of the minimum harmonisation allowed by Community law.

Fair and lawful data processing The first principle embedded in Art 6 of the Directive demands data controllers to process personal data (1) fairly; and (2) lawfully. 1) The requirement of ‘fairness’ is often viewed by commentators as the most complex one, with particular reference to its meaning and how to assess it.11 Certainly, ‘fairness’ represents an abstract condition, potentially posing interpretative difficulties and the application of principles of proportionality that could take very different forms within a single domestic legal system, let alone within Europe-wide regimes. At any rate, it should be taken into account that in assessing ‘fairness’, consideration should be given to the consequences of the processing to the interests of the data subjects.12 In the identification of what is ‘fair processing’, it is the same Directive that elaborates those further specified requirements that data controllers must meet, as set out in detail in its Arts 7 and 10–11 (as the case may be), which is discussed further below in this chapter. Moreover, in the occurrence of the processing of sensitive personal data, as defined in the Directive, the ‘fair processing’ would further require compliance with the additional conditions set out in Art 8 of the same legislation. 2) The requirement of ‘lawfulness’, by contrast, provides that personal data must be processed in accordance with any existing relevant legal requirements (whether civil or criminal) or any other legally enforceable obligation. It incorporates consideration for other laws and obliges data controllers to have regard to them in the context of data protection. So, for example, as seen earlier in Chapter 4, in the bank–client relationship, bank secrecy is the result of a contractual relationship between a bank and its customer, while data protection is imposed by act of omnicomprehensive law.13 Hence, bank secrecy and data protection represent two independent bodies of legal rules and sets of legal obligations that do not oppose one another. On the contrary, they coexist as long as they do not overlap, therefore a bank should observe both sets of legal obligations.14 Thus, a communication of data eventually carried out in

11 Carey (2004b), 52 et seq; Webster (2006), 21–44. 12 Ibid. 13 As mentioned earlier in Chapter 4, note that in the UK the obligation of confidence is an equitable obligation that may be modified and clarified by contract. 14 Bullesbach (2000), 222–250, 227.

Legal compliance

155

breach of the law of confidence, whether statutory or in common law, would be equal to an ‘unlawful’ processing pursuant to Art 6 of the Directive. As some commentators have noticed, at first sight it may appear difficult to conceive of an unlawful processing that might be still considered fair.15 However, the voluntary double indication provided by the legislator tends to the interpretation that the two requirements cannot be considered as synonyms. The peculiarity of the distinction between the two concepts is well summarised by Jay and Hamilton: fairness is a concept which is applicable between two or more parties. . . . Lawfulness suggests a community-wide set of norms enforceable by the intervention of the state. An act could be fair between consenting private parties but unlawful by virtue of legal rules.16 Hence, from the above it can be inferred that an analysis of a typical consumer credit operation should take into account two separate levels of compliance: on the one hand compliance with Arts 10 and 11 (information to be given to the data subject), 7 (criteria for making data processing legitimate), and – if applicable – Art 8 (special categories of processing) of the Directive; and on the other hand compliance with any other laws or legal obligations. Importantly, it must be said from the outset that although personal details of bank transactions and personal financial matters, including credit, have long been considered very important information that throughout history has justified the existence of bank secrecy rules worldwide, whose degree of strictness varies from jurisdiction to jurisdiction, they are not sensitive data in the meaning set out by Directive 46/95/EC in its Art 8. As a direct consequence, the further conditions set out therein are not applicable to consumer credit operations, insofar as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning the health or sex life of consumers are not called into play in the credit granting decision.17 Thus, in order to carry out a ‘fair processing’, lenders and CRAs have to meet only the conditions set out in Art 7 of the Directive, other than the duty to inform consumers about data processing (Arts 10 and 11).

15 Jay and Hamilton (2003), 150–162. 16 Ibid, 154–155. The example reported is that of ‘the Madam of a brothel who, with the full consent of both her clients and her staff, keeps a computerised list of clients and their particular preferences for the purpose of running the establishment. She might not be acting unfairly in carrying out such processing but might be acting unlawfully’. 17 Directive 95/46/EC, cit at 1, Art 8.

156

Law and Consumer Credit Information in the EC

Information to be given to data subjects According to the Directive, the information that a data controller must supply to the data subject at the time of collection of his/her data depends upon whether such data were obtained from the data subject himself or herself or from some other person.18 This is particularly relevant in the analysis of consumer credit reporting. For this purpose, it is useful to recall the personal data lifecycle in a consumer credit operation: once a consumer has submitted his/her credit application, lenders begin that series of checks that characterise the decision-making process, aimed at verifying the identity of the applicant, possible frauds, his/ her creditworthiness and level of indebtedness, and so on. Before doing so, however, lenders or brokers, as the case may be, should provide the consumer with a number of pieces of information as prescribed by the law. To simplify the picture, from now on brokers will be put aside, and their distinctiveness acknowledged if and when the case may so require, stressing unique features about their involvement. In the case under study, in the language of Directive 95/46/EC personal data are processed by at least two data controllers. In one case they are collected directly by lenders from the data subject for their own processing. In the other case, by contrast, data are not collected from the data subject for processing by CRAs, because CRAs obtain the data from lenders. Hence, the same data controller (the lender) collects personal data directly for its own data processing purposes, but contextually it collects data also on behalf of the other data controller (the CRA) for different processing purposes. In the provision of the notice to be given to the data subject, therefore, both Art 10 and Art 11 of the Directive apply at the same time, meaning that the data subject should receive two separate sets of information (supposing that no other data controllers are involved). Normally, it is the lender, acting on behalf of a CRA and complying with the disposition of a private service contract between them, that serves the two different notices to its customers (the data subjects). This is so because there is no relationship or contact between a data subject and a CRA. (a) Notice pursuant to Art 10 In the first notice, pursuant to Art 10 of the Directive, the lender should inform data subjects about its own identity and that of its representative(s), if any; the purposes of data processing that it has to carry out – i.e. processing concerning the application for concluding a contract for granting credit and

18 Directive 95/46/EC, Art 10 and Art 11.

Legal compliance

157

other listed activities the lender may want to carry out with the data; and further information, including the obligatory or voluntary nature of the provision of information, together with the consequences of failure to provide such information.19 So, for example, in the instance of processing data to grant credit (the service required by the applicant), lenders would inform the customer that his/her refusal to provide certain information results in the impossibility of providing the service itself (a service cannot be provided unless data are processed); prospectively, the lender may inform him/her that the data are also processed for marketing purposes, in which case it should inform the customer that his/her refusal would not prevent it from supplying the service (the provision of credit). Also, lenders must inform consumers about the recipients or categories of recipients of their personal information: in particular, that they will communicate the data to CRAs, and the reasons for such communication, together with the obligatory or voluntary nature of such communication, and the consequences of the failure to communicate the data. In any event, data subjects must be informed about the existence of their right of access to, and rectification of, the data so collected. (b) Notice pursuant to Art 11 So far, the above notice refers to the obligations of lenders for their own processing purposes. Further processing will subsequently take place. Lenders, this time on behalf of CRAs, should also deliver a notice to data subjects in compliance with Art 11 of the Directive. As anticipated, this happens because CRAs do not obtain the data from the data subject. Thus, also in the case of the provision now under consideration, CRAs must at the time of undertaking the recording of personal data (i.e. through the lender) provide the data subject with the same type of information discussed earlier: their own identity and that of their representatives (if any, for example outsourcing organisations), the purposes of the processing of the data by them – i.e. processing for the purpose of verifying the identity of the applicant and whether his/her application is genuine or fraudulent, assessing his/her creditworthiness and level of indebtedness, and other activities they may want to carry out with the data – together with further information including the categories of data concerned, the aggregation of the data with other data sources that they may already hold, the obligatory or voluntary nature of the provision of information and the consequences of failing to provide the information.20 Most importantly, credit applicants should also be informed about the future consequences of the data processing: (1) according to a positive

19 Directive 95/46/EC, Art 10. 20 Ibid, Art 11.

158

Law and Consumer Credit Information in the EC

scenario, that credit will be granted to them and that, in the event of timely repayments and other positive information about the line of credit so granted, they will keep a positive credit record that would eventually allow them future access to further credit and/or better deals; (2) by contrast, in a negative scenario, that they will have their credit application rejected and/or although credit is granted, that delays, failures to repay or any other negative circumstances will result in future difficulties, denials or granting of credit at more expensive rates. Notice should also be provided that new data will be generated, for example the denial of credit or every circumstance that will occur with reference to the credit line prospectively granted (information that does not exist at the application stage). In addition, of course, to complicate the picture even more, CRAs should take care to inform data subjects that their data may be further communicated to an open group of third parties, i.e. to all those organisations that are already their client members as well as those that in future may become client members, either in the Member State where the credit operation takes place or in other Member States or elsewhere depending on private commercial agreements that exist or will exist in future between CRAs and lenders abroad or with other foreign CRAs (that in turn disseminate the data to their member clients). This spill-over effect may lead to the suspicion that the duty by CRAs to inform consumers about the recipients of the data is a task that appears, as a minimum, problematic, given the potentially unlimited number of subjects to whom the data may be disseminated and possible geographical coverage. On too many occasions, the receivers of the data are, at the time of collection, indeterminate or indeterminable. In the end, it amounts to informing consumers that their data may be communicated to whoever is or will be willing to pay a fee for it. Needless to say, the addition of brokers to the data processing chain, and the duties imposed on data controllers complicate the above picture further. The chain of data communications raises further doubts about the accuracy of information to be provided to data subjects and the formalities required by data controllers. For instance, every time lenders carry out searches in CRAs’ databases at the time of the consumer’s credit application, they probably receive personal data that were originally processed by another lender and, further, by CRAs. The lender in question, therefore, by receiving such data, in turn collects data according to Art 11 of the Directive. It certainly collects information directly from the data subjects, but at the same time it receives additional information from third parties and not from the data subject himself/herself. From a different angle, the same happens when a data subject applies for credit at a later date on top of his/her first credit application. The result, it seems, is that of an extremely tortuous, difficult and bureaucratic procedure, whose compliance with the dispositions of the law appears problematic.

Legal compliance

159

In this regard, the second paragraph of Art 11 of the Directive seems of little help in simplifying the process. First of all, the exemption therein contained about the non-applicability of the above obligations is relevant in case of impossibility or disproportionate effort by data controllers ‘for processing for statistical purposes or for the purposes of historical scientific research’ (emphasis added).21 Secondly, as many jurisdictions have expanded the scope of ‘disproportionate effort’, nevertheless there is agreement that the test involves a balancing exercise, and relevant factors are the time and expense borne by data controllers in providing the relevant information to data subjects, and the prejudicial effect on data subjects caused by the withholding of such information.22 In this latter sense, in the case under study the prejudicial effect on consumers would be severe for all the considerations made so far, and would in any case outweigh the self-interest of the credit industry, especially if the facultative nature of the credit reporting process is taken into account, not to speak of the financial robustness of lenders and commercial organisations such as CRAs, whose fees are themselves ultimately paid by consumers in the costs of making credit applications and/or the cost of credit itself.23 Equally, the recording or disclosure of the data by CRAs is not necessary to comply with any legal obligation other than a contractual one with lenders (as opposed to the case of PCRs that respond to legal obligations in those Member States where they exist). Therefore, exemptions from giving the specified information eventually provided by Member States should not apply either. What seems disproportionate here, and complicates so much the provision of a correct notice to consumers, is not the effort required from data controllers to comply with a legal obligation, but rather the number of persons to whom personal data are disseminated and the expanding purposes of such processing (in other words, an open system for consumer data sharing for indefinite uses). Thus, as information must always be given to data subjects, some perplexities arise in terms of legal compliance, as the general objective of transparency set by Directive 95/46/EC seems seriously compromised by the amount of information to be provided and the number of actors involved. In fact, it could be argued that all information to be given to consumers looks not only rather complex and lengthy, but doubts may be also cast over the intelligibility of

21 Directive 95/46/EC, Art 11(2). 22 Bainbridge and Pearce (2000), at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_2/ bainbridge/; Carey (2004b) 69. This happens, for instance, in the UK transposition of Directive 95/46/EC. However, it is doubtful that such expansion is compliant with the Directive and may fall short of its standards of normative protection. There would be grounds, therefore, to claim that in such a circumstance a breach of Community law occurs (see above, Chapter 5). 23 Lenders, in fact, extract from consumers a mark-up above their costs to compensate them for their business risk.

160

Law and Consumer Credit Information in the EC

such information to the averagely educated consumer.24 Certainly, the technological mechanisms behind the whole credit reporting process are rather intricate, but it is mainly the theory, logic and consequences of the entire process, which could hardly be considered transparent enough to allow that right of self-determination that is at the heart of data protection and – as seen – so vital for civil rights and the protection of freedom. The law, however, is silent over such latter issues, although it makes clear that data subjects must be ‘informed’: that means, at least, that no phase of the credit reporting process should be kept hidden. In any event, in the interests of transparency consumers should be put in a position to understand the consequences of providing their personal data. This leads to the question about what type of notice lenders and CRAs effectively give to data subjects about the voluntary or obligatory nature of the provision of their data, as well as the relation of such a provision with the successful granting of credit and/or the impact on the price of the credit eventually obtained, as well as the extent of the consequences in the event that someone refuses to communicate the data (here a key distinction could also be made between the refusal of data processing about past financial matters and that of data relating to the occurrences of the future relationship evolving from the application). Ideally, lenders and CRAs should indicate clearly that such provision of data is voluntary. In theory, in fact, lenders could well be able to grant credit even without using credit-reporting systems. Moreover, if one may accept the value of knowing data about the past of a borrower, by contrast it would be much harder to explain the release of future data evolving from a credit application that has already been approved. It seems quite clear that CRAs and the services that they provide do not have a relation of cause and effect to money lending, i.e. they are not necessary. Prospectively, they might just be useful in securing better profitability for a credit operation, a circumstance that once again lacks clear evidence.25 And, on top of that, there is no legal requirement for lenders to do a credit check. Likewise, CRAs are by no means necessary to identify people, because proper legal forms of identification already exist in every Member State, and these have the authority and official character that CRAs’ database matching systems are deficient in (moreover, official passports now use the

24 The ‘average consumer’ refers to the ECJ jurisprudence and is also an expression used by the Unfair Commercial Practices Directive 2005/29/EC, (2005) OJ L 149/22 which in its Recital 18 uses the wording from early ECJ jurisprudence that describes the ‘average consumer’ as being ‘reasonably well-informed and reasonably observant and circumspect’, making it clear that account should be taken of ‘social, cultural and linguistic factors’. Although no such language is used in Directive 95/46/EC, it is true that a notice, to be one, must be understood by the data subjects, who in this case are indeed consumers. On the intelligibility of information see also de Cock Buning et al (2001), 287–338, 300–301; Twigg-Flesner et al (2005), 15 et seq; Wilhelmsson (2007). 25 See Chapters 1 and 2 above.

Legal compliance

161

latest technologies that already contain enough personal data and are becoming increasingly difficult to forge). The problem relating to the facultative nature of data processing by CRAs is a recurrent one that will be better dealt with when examining the related issue of consent and the failure to provide it. At this stage, to complete the picture about the notice to be given to data subjects, it should be added that even under the circumstance falling under the provision of Art 11 of the Directive data subjects must be informed about the existence of their right of access to and rectification of the data so collected. To clarify any doubt that may arise in an attempt to simplify the complexities described so far, it is worth repeating that the data dissemination and sharing mechanisms within the consumer credit sector cannot benefit from the exemptions provided for in Art 13 of the Directive. As discussed in the previous section of this work, in fact, the only way to concede such exemption from the application of Arts 6(1), 10 and 11 would be considering CRAs as institutions providing necessary measures to safeguard an important economic or financial interest of Member States.26 However, such interpretation would be unacceptable because CRAs find no recognition or legitimisation in any law, their consultation is not compulsory, and they lack institutional authority, as opposed to the example offered by the role and function of PCRs in those jurisdictions where they have been institutionalised by law or regulation together with their functioning.

Criteria for making data processing legitimate Once consumer credit applicants are provided with the information of Arts 10 and 11, in order to comply with the ‘fair processing’ requirement of the law, the underlying data processing by credit controllers to be legitimate must meet at least one of the conditions contained in Art 7 of the Directive below detailed: (a) the data subject has unambiguously given his/her consent.27 Article 2(h) defines consent as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.28 Some problems of implementation and interpretation occurred in the various Member States as to the notion of ‘unambiguous consent’. It would go

26 Directive 95/46/EC, cit at 1, Art 13(e). 27 Ibid, Art 7(a). 28 Ibid, Art 2(h). Recital 30 of the Directive, in turn, defines consent as an expression of the will of the data subject.

162

Law and Consumer Credit Information in the EC

too far for the purposes of this analysis to examine the multitude of early discussions for interpretation purposes in the various jurisdictions.29 What is nonetheless important to bear in mind is that the EC Commission has recognised that the ‘notion of “unambiguous consent” (Art 7(a)) in particular, as compared with the notion of “explicit consent” in Art 8, needs further clarification and more uniform interpretation’.30 Moreover, while in some countries ‘consent’ is given primary status over the other criteria, in others ‘consent’ should be relied upon only as a last resort.31 At any rate, in keeping their duty to transpose the provisions of Directive 95/46/EC into domestic law, the Member States all allow for the processing of personal data on the basis of consent in terms almost identical to those used in the Directive, or at least close to it with some additional requirements.32 Three key elements may be identified in Art 7 of the Directive, which should form the backbone of every domestic implementation of the notion of ‘consent’: (1) it must be unambiguous, as ambiguous consent is no consent; (2) it must be freely given, as enforced consent is no consent; (3) it must be specific and informed so that all processing activities are properly described, as uninformed or vague consent is no consent. The above elements seem to shed some light over the illegitimacy of ‘assumed or implicit consent’, or at least some practices making use of it. Likewise, such consent seems to be inadmissible for the purposes of data protection, inasmuch as the data subject must express his/her will unambiguously for such an expression to be clear and conclusive.33 A non-response by a data subject is ambiguous, as long as specific information is not provided and no option has been given to decide freely whether or not to agree. Arguably, therefore, ‘consent’ should clearly emanate from the data subject in a way that no doubts exist over his/her agreement, whatever form it takes, oral or written.34 However, as discussed further in the next chapter, consent may be obtained in a number of methods and is easily abused. According to this criterion of the law, nothing should prevent lenders and CRAs from processing personal data after obtaining freely given unambiguous, specific and informed consent by a data subject.

29 See Korff (2002). 30 Commission of the European Communities (2003b), 17. 31 The latter, for example, is the view expressed by the UK Information Commissioner. See http://www.informationcommissioner.gov.uk. See also Commission of the European Communities (2003b), 10; Webster (2006), 24; Carey (2004b), 72. 32 For example, the data protection laws of Austria, Belgium, Cyprus, Czech Republic, Denmark, Finland, Greece, Latvia, Lithuania, Luxemburg, Malta, the Netherlands, Poland, Portugal, Slovakia, Spain and Sweden word the definition of consent in more or less exactly the same terms as the Directive. German law requires that consent should be given in writing, while Italian law stipulates that consent should be documented in writing. See Commission of the European Communities (2003b), 10; Pinar Manas (2004). 33 Ibid. 34 Webster (2006), 26–27; Carey (2004b), 74–75; Jay and Hamilton (2003), 150–162.

Legal compliance

163

(b) Data processing is necessary to the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.35 This condition seems clearly not applicable for the data processing carried out by CRAs. Lenders and data subjects will eventually become parties of a credit agreement, and lenders could rely on this condition insofar as certain personal data are strictly necessary for the performance of said agreement. As already discussed, however, CRAs are not necessary subjects in the credit granting process and their processing of personal data is not a necessary step for the conclusion or performance of any agreement. By providing services in support of decision-making, they simply attempt to help their clients (the lenders) to improve their profitability in contracts that the latter could conclude anyway (and could make nevertheless the same profits). (c) Data processing is necessary to comply with a legal obligation to which the data controller is subject.36 As already extensively discussed, there is no obligation to consult CRAs in the consumer credit granting process nor are there obligations or functions relating to the prudential supervision of the financial system. This condition, therefore, is certainly not applicable to CRAs. (d) Data processing is necessary in order to protect the vital interests of the data subject.37 It needs no explanation that this condition is not applicable to the processing of personal data by CRAs. (e) Data processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller, or in a third party to whom the data are disclosed.38 As made clear under the comment of condition (c) above, CRAs have no such authority, nor do their member clients, to whom the data may be potentially disseminated. Although one may be tempted to argue that they provide a tool in the fight of over-indebtedness, thus a task carried out in the public interest, no country has invested CRAs with such a task, provided also that as yet there is still no understanding – let alone consensus – over the meaning

35 36 37 38

Directive 95/46/EC, cit at 1, Art 7(b). Ibid, Art 7(c). Ibid, Art 7(d). Ibid, Art 7(e).

164

Law and Consumer Credit Information in the EC

of, or what eventually constitutes, ‘over-indebtedness’.39 Moreover, overindebtedness and creditworthiness are two separate concepts that have different implications on personal data processing. Arguably, therefore, under no circumstance could the assessment of consumer creditworthiness be considered to be ‘in the public interest’.40 Likewise, although banks are essential subjects in the economic system, consumer credit is not essential (along with all those other lenders that are not even banks), or at least decision-making tools for its profitability are certainly not essential. In the end, therefore, it can be maintained with no hesitation that this condition of the law is not applicable to CRAs. (f) Data processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject, in particular their right to privacy.41 This is the so-called ‘balance of interest’ clause and therefore under this condition there is ground for discussion in the weighting of the rights at stake. This work has illustrated in Chapters 1 and 2 the economic theoretical arguments behind the development of credit reporting in the credit granting process. Undoubtedly, data processing by CRAs would be carried out for legitimate interests, that is, the decision-making and improved profitability of lenders. Assuming the real effectiveness of the economic theory and thus the services provided by CRAs, making good business and profits would indeed be a legitimate interest. However, for all that that has been explained in the earlier chapter about the importance of informational privacy and the needs for data protection measures, it would certainly be odd – if not illegal – to sacrifice, in the name of the industry’s self-interest, the protection of a fundamental civil liberty, such as privacy, which has found recognition at the highest level as a fundamental human right – all the more, if one considers that the entire consumer credit reporting business is based on statistical assumptions, and that the theory behind it still lacks conclusive evidence in terms of a causal nexus of cause and effect, or at least empirically, as to the certainty or the predictability of the future behaviour of a human being. In fact, as it will be better explained later, the major factors behind the creditworthiness or over-indebtedness of individuals were found to be unforeseen life events, such as sudden illness, loss of job, death of someone close, etc.

39 See San José Riestra (2002), 18–25; European Credit Research Institute (2006). 40 A more extensive discussion about over-indebtedness will be carried out later in Chapter 7. 41 Directive 95/46/EC, cit at 1, Art 7(f).

Legal compliance

165

rather than a mismanagement of resources.42 From a different angle, moreover, it could be argued that someone who has had problems in the past does not necessarily have problems at present or in the future. Or else, an individual may well also have a low profile credit record from failing to make payments that are not due or the individual could be in conflict with the service provider.43 Ultimately, therefore, it could be concluded that an ultimate reliance on this condition (f) by lenders and CRAs in order to justify ‘fair processing’ of personal data in the consumer credit reporting process would be frankly too risky. In conclusion, from the above analysis of the criteria for making the processing of personal data legitimate in the consumer credit relationship, it emerges that the only permissible instrument to be used by lenders and CRAs for making credit reporting ‘fair processing’ is that of relying on the consent of data subjects. No other condition of Art 7 of the Directive would be applicable. Significantly, such consent would also release bank secrecy duties from lenders in those many jurisdictions where they exist, making it ‘lawful’ in such respect also in terms of data protection legislation.44

Specified, explicit and legitimate purposes of data processing and further processing The second principle that data controllers must comply with is contained in Art 6 of the Directive. It concerns once more the obtaining and further processing of personal information, carrying an obligation to data controllers to limit the uses of the personal data, and to make known to data subjects the explicit purposes for which the data are required.45 Accordingly, the impact of this principle is not completely clear, largely because of the partial overlap with the principle first analysed above. As discussed, in fact, data processing without providing the specified information to the relevant data subjects is unfair. However, the principle now in comment seems to admit that the purpose specification may be contained elsewhere or at another stage than the notice to data subjects at the moment of collection, to the point that it has been interpreted:

42 Such consideration has also been expressly stated by the director of data protection and regulatory affairs at Credit Reference Agency Experian UK, see Bradford (2004), 11; see also San José Riestra (2002). 43 Guardian, Jobs & Money, ‘Total History of Your Dealings’ (30 October 2004), for instance, reports examples of such incidents. 44 Only lenders that are banks have bank secrecy obligations. The other lenders that are not banks do not have such an obligation. On bank secrecy see Chapter 4 above. 45 Carey (2004b), 54–55.

166

Law and Consumer Credit Information in the EC to provide an additional fairness ‘safety net’ . . . relevant in respect of the exemption . . . where a data controller who does not gather personal data directly from a data subject decides that providing the specified information would involve a disproportionate effort. Such a controller would still bear a responsibility for specifying the purposes of processing. . . .46

Information about the purpose(s) of data processing must be explicit: this means that it would be unlawful to provide in a general, vague and openended way the purpose(s) of collection, putting a data controller at risk of enforcement action if it makes use of blanket notices. Then, according to the second limb of the provision, once the purposes have been specified explicitly, any further processing should be restricted to ensure it is compatible with the original purposes. In particular, such a requirement not only forces data controllers to be aware of any further processing on their part, but also obliges them to exercise some control (for example, in a contract) over the purposes for which personal data are intended to be processed by any third parties to whom the data are to be disclosed, actually or potentially.47 Without a doubt, this requirement opens the key question as to the meaning of ‘incompatible’. Jay and Hamilton provide a convincing interpretation: according to the authors, it . . . suggests a use that is contradictory to rather than simply different from any originally specified purpose or purposes. Synonyms . . . are ‘unsuited’, ‘incongruous’, ‘inconsistent’, ‘unsuitable’, ‘opposite’ or ‘irreconcilable’.48 Thus, it would be the duty of the relevant data controller to subsequently inform and demonstrate to data subjects that further purposes that were not specified at the time of collection are not inconsistent with the specified, explicit, lawful, original purpose(s).49 Inevitably, then, an interpreter would further contend that if the further processing is compatible but still different, then the relevant data controller should specify the obligatory or optional nature of such further processing, as well as request a new unambiguous consent for the processing of the new purpose(s) (in the event that none of the other conditions of Art 7 of the Directive applies). As far as consumer credit reporting is concerned, this work has already dealt with the difficulties surrounding the information to be given to consumers. In this section, two further points would arguably need attention:

46 47 48 49

Jay and Hamilton (2003), 162. See also Webster (2006), 47. Carey (2004b), 54–55. Jay and Hamilton (2003), 162. Ibid, 162–165; Carey (2004b), 54–55; Webster (2006), 45–50.

Legal compliance

•

•

167

The first one refers to the following question: would the possible further processing of the information of a given credit line (whether it has been obtained or denied, a circumstance that could generate a new set of data about the denial) be compatible with the assessment of a separate credit agreement made at a later time by the same consumer, in all likelihood with a different lender? Or, else, to what extent data referring to a past credit line are compatible with a brand new potential contractual relationship between different parties? Arguably, a positive answer to this type of question would require a strained conceptual interpretation, particularly when data that do not fall within the scope of consumer credit are concerned (for example, telecom data or other data about different types of credit such as mortgage lending). Nevertheless, from a legal point of view, supported by practice, an answer to this question seems to be of little or no importance. In fact, upon a successive credit application, a consumer would be asked to give his/her permission to the (new) lender to carry out searches on his/her personal data about past credit lines, such a consent thus legitimising the further processing for that new purpose(s). What instead seems to affect the application of this condition of Art 6(b) are the expanding purposes of the processing and uses of the data in relation to the additional activities performed by CRAs (such as those described in Chapter 1, i.e. the fight against over-indebtedness, fraud prevention, identity verification, the fight against identity theft, scoring, marketing and so on).

Arguably, the processing of personal data for such expanding purposes would not be incompatible with the assessment of creditworthiness, insofar as one considers those additional services as tools for the protection of credit. However, as discussed earlier, either they are contained in the already tortuous information provided to data subjects at the time of the data collection to which the latter have consented, or a new informed consent would be required. Equally, the same should happen for the communication of the data to new persons that were not mentioned in the original notice (for example, new member clients that were not such at the time of the credit relationship, unless one considers an open system where data could be communicated to whoever is willing to pay for them compatible with the aim and scope of data protection law – in which case Art 6(b) would never be applicable). At the end of the examination, therefore, it emerges once more that even under the conditions set under Art 6(b) it is crucial for consumer credit reporting always to rely on informed consent by data subjects, possibly interpreted in compliance with the aims and scope of the law.

Adequacy, relevancy and reasonableness of data processing Accordingly, the requirements set out in this clause (c) of Art 6 of the Directive represent other abstract conditions, imposing again the use of a

168

Law and Consumer Credit Information in the EC

proportionality principle that is difficult to apply evenly, particularly if convergence is sought among the Member States. Whether personal data are adequate in relation to the purpose(s) for which they are collected and/or further processed is a matter of fact that can only be interpreted on a case-by-case basis. Arguably, as suggested by others, one way to measure ‘adequacy’ is the ability of an organisation to meet the obligations in relation to the service at stake and/or obligations undertaken as part of the original purposes for which data was obtained. It relates not only to the information sought initially from data subjects but also to maintaining the records adequately throughout the changing circumstances of the relationship. Thus, every individual situation should ideally be at least reviewed and assessed at the termination of the relevant relationship.50 As far as the relevance of personal data is concerned, this is considered to operate on two levels. Personal data should be relevant to the purpose for which they have to be processed, and they should be relevant relative to the data subject. Also this latter circumstance, therefore, should be assessed on a case-by-case basis taking into account individual factual circumstances.51 Importantly, in such an assessment, the data controller’s subjective views as to the relevance of the data should not be the governing criteria, but rather an objective view would comply with the scope of the requirement. Accordingly, such objectivity should refer to standards agreed within a given sector and recognised by all participants, including consumers as corporate stakeholders, or be the result of an agreed Code of Practice taking account of the specific features of such a sector, as envisaged by Directive 95/46/EC itself in Art 27.52 Finally, an overlapping area exists between what is ‘relevant’ and what is ‘not excessive’, as personal data that turn out to be irrelevant for the purpose for which they are to be processed, they are also excessive.53 In light of the above, it seems that for ‘adequate and relevant processing’ ends, the peculiar features of consumer credit reporting may not be easily reconciled with the individual factual circumstances of each individual consumer. The adequacy and relevance of data processing should be demonstrated by the industry in the first place, and not by consumers challenging the illegitimacy of such processing. Just to provide an example of the difficulties

50 Webster (2006), 52–53. 51 Ibid. The reported example is that of a job application form that asks whether or not the applicant holds a full driving licence. Assuming that driving is not a requirement of the job, such a request on an application form is likely to be irrelevant for the purpose for which it is obtained, i.e. making a recruitment decision. However, in the case that the applicant would be entitled to a company car as a benefit if recruited, then the collection of such information is relevant. 52 Jay and Hamilton (2003), 165–166. 53 Ibid; Carey (2004b), 55–56; Webster (2006), 51–57.

Legal compliance

169

surrounding the industry, this work has already mentioned that the major factors behind the creditworthiness of individuals were found to be unforeseen life events. Thus, someone who went through an illness or a divorce during the course of an open credit line, and as a consequence failed to manage his/ her resources in the same way as under normal circumstances, would need to notify the occurrence of such events to CRAs for insertion in his/her credit file for further processing (but then, one may legitimately debate and contest what ‘normal circumstances’ really are or should be). This would be done to justify a behaviour that otherwise would provoke future unfavourable situations. Lenders and CRAs, in turn, would arguably be interested in obtaining health data of an applicant or of those people close to him/her, or information about an intimate relationship of a potential customer, to assess its solidity, all in order to prevent delinquencies. Personal financial management all too often mirrors personal everyday life occurrences and it is dependant on too many (personal) situations. It should be borne in mind that consumer credit reporting is based on statistical principles that aim to analyse mass phenomena, and therefore may work on large numbers, but not on small ones, i.e. they work on average but not for factual or individual situations. However, processing information concerning all personal situations would go too far and in all likelihoods be unacceptable as disproportionate, irrelevant or inadequate. Should CRAs process and disseminate all the information relating to personal (past and present) situations of whatever nature, as they would be potentially capable of influencing the creditworthiness of individuals? Clearly, condition (c) of Art 6 of the Directive would intervene to prevent that. And in any event many would agree that such a scenario would receive the fiercest civil opposition. These considerations add to previous research which has stressed that further consideration should be given to what constitutes ‘essential information’ that allows the credit assessment process by lenders.54 In this respect, it would certainly be a useful exercise to assess the necessity and scope of all the information provided by CRAs for the purpose of predicting the future behaviour of a borrower, matching it with the causal nexus about the likelihood of repayments with the contracted interests. Is the provision of all such information and the consequent intrusion into one’s private life justified by the carrying on of an historically profitable commercial business such as banking? It should not be forgotten, to this purpose, that it is the lenders’ business to provide credit to borrowers and that they make their profit out of it, the risk being part of the business, and yielded by further high interest in case of defaults and arrears. Moreover, as noted by others, when commercial services such as consumer credit are offered on a large scale, creditors think collectively instead of individually, and the risk is spread and absorbed as expenses that, in

54 San José Riestra (2002), 17; Howells (1995).

170

Law and Consumer Credit Information in the EC

the end, figure in the cost of credit. Lenders should survey and know the market and therefore do not become vexed by the possible conduct of a few particular borrowers because they should have calculated the risks and the percentage of borrowers that will have difficulties in repaying their debts. Eventually, thus, ‘a certain percentage of default is accepted as part of the costs of doing business and therefore treated as tax-deductible as well’.55 To what extent past behaviour is relevant to future behaviour, or past information adequate to predict the future, especially in the context of the absence of rules agreed within the larger society? The parameters of consumer credit reporting and the type of information processed seem to reflect the subjective views of the industry, that is, what CRAs and lenders subjectively consider adequate and relevant for the assessment of creditworthiness without any public discussion – let alone a form of consensus – having taken place, nor evidence offered. For instance, in an analysis of what constitutes ‘essential information’ one of the main questions refers to the distinction between ‘black’ (negative) and ‘white’ (positive) data. Whereas some people may accept the value of sharing ‘black’ data as a disciplinary instrument, at least where customers are informed and provide consent in a context where clear and transparent rules are set, the issue of sharing ‘white’ information proves more difficult.56 Even under the requirements of this Art 6(c) of the Directive, it seems that the informed consent of consumers turns out to be crucial for the processing of data that are not strictly necessary for the purpose(s) for which they were or are collected and/or further processed.

Accuracy and updating of the data As it has been observed, this principle contained in Art 6(d) of the Directive is relatively self-explanatory.57 Data are inaccurate whenever they are incorrect or misleading as to any matter of fact.58 It is worth noting that the first part of the principle (‘personal data must be accurate’) is unqualified, while there is a qualification in the requirement to keep information up to date only ‘where necessary’. Thus, whilst ‘accuracy’ can be tested against an expression of fact, the type of personal data and the purpose(s) for which they are used play a crucial factor in deciding whether updating is necessary or not. The example usually reported is that of data used merely as an historical record of a transaction

55 56 57 58

Reifner et al (2003). San José Riestra (2002); Howells (1995). Carey (2004b), 57. Ibid. See also Jay and Hamilton (2003), 166–167.

Legal compliance

171

between a data controller and a data subject, in which case updating would be unsuitable.59 By contrast, updating of information is crucial for consumer credit reporting because data are used to decide whether to grant credit and/or its terms and conditions. Arguably, in fact, in such a circumstance failure to update a credit file would be equal to an inaccuracy to the extent that ‘accuracy’ and ‘updating’ need to be tested against an expression of fact or the purposes for which data are processed. Indeed, from this point of view, ‘accuracy’ and ‘updating’ could also be measured vis-à-vis further criteria, for example in terms of data taken out of context, data that are inconsistent one to the other or that are duplicative, or pieces of information that have an ambiguous significance. To date, however, there is no common definition of ‘accuracy’ in the context of the industry at study. In this regard, ‘accuracy’ overlaps on many instances with the requirement of ‘adequacy’ and ‘relevance’ of the data of Art 6(c) of the Directive. For example, data taken out of context could easily account for inaccuracies. At the same time, there is the issue of what is then ‘relevant’ for the credit granting process. As for that case, the subjective view of the data controller is not a governing criterion. Thus, the analysis undertaken above for the requirements set by Art 6(c) would apply also under the circumstances of this Art 6(d). What is equally important, moreover, is that no information exists on the extent of credit reporting errors in the context of the EC and their implications for either consumers or lenders. Theoretically, from the consumer perspective, this issue is a cause for concern insofar as the level of accuracy and/or updating could result in a credit denial or higher borrowing costs, as well as affecting the credit file together with the following refusal or high rate of credit and the further spill-over consequences (let alone the stigma associated with debt and poor repayment records). But accuracy is equally important for lenders. First, assuming the benefits of the current system, they would risk losing potential customers and business opportunities. Secondly, they may rely on inaccurate data and engage in business that, according to those same standards, would have induced them to avoid an unfavourable business. In the absence of data from the EC, the US experience – where consumer credit reporting is most developed – shows that errors do occur on a large scale. According to the Federal Reserve Board, 70 per cent of the 600 million credit files maintained by the three largest CRAs have missing or inconsistent credit information, and 78 per cent are missing at least one account in good standing. The same figures are confirmed by another study carried out by the Public Interest Research Group, which specifies that of the 70 per cent of

59 Carey (2004b).

172

Law and Consumer Credit Information in the EC

reports containing errors, 29 per cent contained errors resulting in the denial of credit and 41 per cent had incorrect demographic identifying information. On occasion, figures have been contested by the CRAs, but every time calculations omitted something like nine million consumers reviewing and correcting their files each year.60 It is imperative to remember that data subjects are granted a right of access that among other things could be used as a tool to assess the accuracy and level of updating of the data. All the same, the obligation to ensure the accuracy and updating of personal data is on data controllers, and cannot be delegated to the data subjects. A statement given at the commencement of the processing by data controllers to data subjects that they must inform the former of any subsequent changes to the data would not comply with the law. At the same time, it would be unreasonable for data controllers and too intrusive towards data subjects to require constant checks to be made by the former. Accordingly, therefore, there will be no breach of Art 6(d) of the Directive where the data are inaccurate, but the data controller has accurately recorded the information from a data subject or a third party and (1) it has taken reasonable steps to ensure the accuracy of the data, and (2) it has recorded the data subject’s view that the data are inaccurate where such views have been expressed.61 CRAs, therefore, should take reasonable steps to monitor the accuracy of data obtained from lenders with reference to the purpose(s) for which they were communicated, and are or will be further processed. Given the severe consequences that this may have on consumers (but, from a different angle, also on the lenders themselves), they should be required to carry out stringent accuracy checks. Likewise, data subjects’ views about inaccuracies should be present in the credit files, even under circumstances when data controllers confirm the data. But once again the lack of agreement of accepted criteria within the industry as to what accounts for ‘accurate data’ makes compliance problematic. If data taken out of context are incorrect vis-à-vis the purpose(s) of their processing, should consumers be obliged to express their view and supply additional personal information to be attached to their credit file? Then, do they have an obligation to ensure the accuracy and updating of personal data, or would it rather amount to a de facto delegation of obligations from data controllers to data subjects? To conclude, then, the solution for CRAs to comply with data protection legislation and avoid harm to individuals and their own client members alike would rest on finding the appropriate technical solutions and having

60 Avrey et al (2004b); Brelsford (2005); United States General Accounting Office (2003); CFRANCA (2002); Ramaden (1995); LA Times, ‘Losing Faith in Credit Files’ (22 July 1991), A1. 61 Carey (2004b), 57; Jay and Hamilton (2003), 166–167.

Legal compliance

173

procedures in place for verifying accuracy and updating, bearing in mind that such requirements could be disputed regardless of this. To avoid this, CRAs would once again need to rely on the informed consent by consumers as to the unambiguous acceptance of the ‘rules of the game’.

Data retention period Article 6(e) of the Directive requires that personal data must be not kept beyond the length of time necessary for the purpose(s) for which they were or are processed. Then, personal data that are no longer necessary to satisfy their purpose(s) should be destroyed, either under conditions of appropriate security in accordance with Art 17 of the same Directive or by removing all identifiers in order to make the data anonymous.62 Even in this case, there is no concrete length of time that data controllers may rely on with any degree of certainty. The Directive or other regulatory provisions, in fact, contain no interpretative provisions or guidance for what is the time necessary for data retention. Accordingly, once again the criteria for its determination depend on the nature and type of data in consideration, in relation with the relevant purpose(s) for their processing.63 Many doubts arise as far as criteria applicable to data retention periods for consumer credit reporting are concerned. For how long should CRAs retain consumers’ data? What length of time is necessary to process data about past credit relationships for assessing creditworthiness? Would the same period of time be necessary for the other activities (therefore purposes) that CRAs carry out? The answer to this set of questions seems an impossible one to provide. The assumptions upon which consumer credit reporting is based have not been demonstrated, and have no validity on an individual basis. Therefore, retention itself is not ‘necessary’ in the first place, making it problematic to assess a length of time for it. Assuming nevertheless the acceptance of consumer credit reporting own rules, would an indefinite timeframe satisfy the needs of the lending business? Should the data be kept for no longer than the duration of the contractual relationship to which they refer or rather for a longer period after its expiry/ termination? And in his latter case, for how long?

62 Carey (2004b). According to Art 17(1) of Directive 95/46/EC ‘Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by processing and the nature of the data to be protected’. 63 Jay and Hamilton (2003), 167–168; Carey (2004b), 58–59; Webster (2006).

174

Law and Consumer Credit Information in the EC

In addition, it appears that not all data have the same value. Are negative data equal to positive data? And, for example, in the category of negative data alone, should a debt that has not been repaid at all be treated the same way as a debt that has been repaid late but nonetheless repaid? What about data indicating the refusal of a credit application (i.e. a certain lender refusing someone’s application)? And those referring to an applicant waiving his/her application? Or data relating to the searches carried out by a lender (which identify an individual on whose financial affairs searches have been conducted for the purpose of a credit application)? Far more questions could be raised in the absence of rules that are certain and transparent, but no single satisfactory answer can be found. In the absence of the acceptance of the assumptions upon which credit reporting for consumers is based, or at least accepted criteria about the timeframe for data retention and/or an agreed Code of Conduct in line with those envisaged by Art 27 of the Directive, it appears clear that CRAs need to rely on the informed consent of data subjects unambiguously agreeing a data retention period that, however, would be put forward unilaterally by the CRAs themselves.

Automated individual decisions Article 15 of Directive 95/46/EC provides that in certain cases, including expressly that of the evaluation of a person’s creditworthiness, data subjects have the right not to be subject to a decision based solely on the automatic processing of data.64 However, Member States may provide that a person may be subjected to an automated decision as long as the decision: . . . is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract . . . has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view [emphasis added].65 Alternatively, Member States may allow automated decision making if this is authorised by a law that also lays down measures to safeguard the data subject’s legitimate interests.66 In the absence of this type of law, the first limb of the provision applies. Interestingly, the key terms ‘satisfied’ and ‘legitimate interests’ have not been specified and leave some uncertainty, especially if one considers that the right to informational privacy should be satisfied in the first place.

64 Directive 95/46/EC, cit at 1, Art 15(1). 65 Ibid, Art 15(2)(a). 66 Ibid, Art 15(2)(b).

Legal compliance

175

Crucially, indeed, this Article would not affect credit reporting but instead the case of credit scoring. As explained in Chapter 1, the latter is built on, but is still different from, consumer credit reporting. Before applying, therefore, the data that are used to generate the score, a new personal datum allowing the automated decision-making must be processed according to the other provisions of Directive 95/46/EC. The compliance with the provisions above examined, thus, precedes the application of the provision now under consideration, which relates to a secondary use of the credit reporting data that allows automated decisions to be made.

Concluding remarks This chapter has analysed the compliance of consumer credit reporting carried out by CRAs vis-à-vis Directive 95/46/EC on data protection, taking it into account that any transposition in the Member States that goes beyond or falls short of its standards of normative protection should be considered as a breach of Community law. For consumer credit reporting to exist legally in the EC, it must be subject to, and comply with, the requirements set out in the Directive, respecting and upholding the rights that it confers on individuals. Indeed, as it emerges clearly from the compliance analysis, it does not qualify for any of the exceptions that the law itself provides. By contrast, such an analysis shows that the legitimacy of sharing consumer credit personal data via CRAs is on many occasions problematic, and raises critical issues as to the safeguards in place. This seems particularly the case as far as the information to be provided to individuals is concerned, putting at risk the requirement of the law for ‘fair processing’. As far as all the other requirements set by the Directive are concerned (i.e. processing purposes, the adequacy and relevance of the data, accuracy, the length of time, etc.), in the end the whole system relies exclusively on the consent of the data subjects. The same instance of consent enables lenders and CRAs to process personal financial data vis-à-vis bank secrecy/confidentiality obligations. Data subjects’ consent, therefore, is vital for the business to exist legally in the context of the EC. But, according to the law, such consent must be informed, unequivocal, specific and given freely. Whether this is the case according to present practice is another matter, which will be discussed in the next chapter. This issue is even more important in a system that is voluntary, as there is not any necessary requirement, either legal or natural, to justify the communication and sharing of personal data for the performance of a contract that, after all, is the core of the business of lending. Lending money in exchange for a profit (the interests on money lending) is perfectly possible and most probably lucrative even without the intervention of CRAs. At the most, such a requirement is useful, in the same manner as using personal data for

176

Law and Consumer Credit Information in the EC

marketing purposes is useful. When consumers interact with business entities, however, the latter do not necessarily have to disseminate the data for marketing reasons, no matter how useful this may be (it is unquestionable that in business terms marketing is a very important activity). Indeed, the processing of data for marketing purposes is (or at least should be) kept separate from the processing of data for the purposes for which they were originally collected. This voluntary aspect about marketing is very well accepted by the business community and (legal) current practice. Consumer credit data sharing should not be treated any differently. Certainly, lenders have a legitimate interest in wanting to know whether credit applicants are, in their own terms, creditworthy, after all they have a legitimate interest in profitability. At the same time, though, consumers have not only a legitimate interest but indeed a right in the respect of their informational privacy, and the law recognises and protects that. Besides, CRAs do not satisfy a legitimate common interest in the preservation and stability of the financial system that would justify the processing of data without the data subjects’ consent. If ever that would be the case for consumer credit – a circumstance that is certainly not reflected in today’s institutional and regulatory arrangements – such a function should be provided by properly recognised institutions such as PCRs that have the necessary authority and legitimisation, and operate within unambiguous and transparent regulatory rules. These sort of considerations, however, will be dealt with in the concluding chapter, which provides a commentary about the adequacy of the results of findings regarding the system’s compliance with the law, as well as an attempt to put forward a few basic policy recommendations.

7

Conclusions

Introduction This concluding chapter draws together and discusses the main themes of this work, and sets out its principal conclusions. This work has examined the legal framework of consumer credit reporting in the EC in the interests of consumers. It has shown that the management of credit risk is an important determinant of the lender’s profitability. In this context, consumer credit reporting responds to a justifiable interest of the credit industry but is not a right and is not mandated by law to satisfy a public interest. The practice of credit reporting to assess consumers’ creditworthiness is supported by the theoretical economic scholarship to solve the problem of asymmetric information, bad selection and moral hazard in credit markets. However, despite the copious economic literature, so far little attention has been paid by lawyers to this issue, although consumer information-sharing systems have become current practice in almost every EC Member State. This seems to conflict with the fundamental right of informational privacy of European consumers. In the absence of industry-specific legislation in the style developed in the US, the EC Data Protection Directive 95/46/EC remains indeed the principal piece of legislation regulating the sector. Policy-makers, so far, seem to be missing the chance to include the reporting of consumer data in the discussions regarding the harmonisation of the wider consumer credit sector. As emerged from the previous chapter, however, whether CRAs’ activities truly comply with the EC data protection legislation is problematic. There are critical legal concerns about the necessity, adequacy and relevance of the type of data involved and the foundations upon which consumer credit reporting is based in order to determine the predictability of individual human behaviours and/or the real financial capability of borrowers, particularly vis-à-vis the respect of the fundamental right to informational privacy of individuals, increasingly accounted as a human right. As noted, many doubts arise as far as the legal compliance of information to be given to data subjects is concerned. Indeed, the general objectives of

178

Law and Consumer Credit Information in the EC

transparency and informational self-determination set by the Directive seem seriously compromised by the amount and intelligibility of information that should be provided to consumers, the type and number of personal data processed by CRAs, the indefinite number of actors involved in a spill-over data dissemination and the secondary uses of the same data.1 Already at this stage, two alternative interpretations about the criticalities so far identified emerge: (i) these are key factors that, taken alone, represent, in their own right, serious breaches of the law, thus making consumer credit reporting illegitimate; or, from a different angle, it could otherwise be argued that: (ii) they reveal that the positive law is inadequate to cope with the foundations, logics, design and sophisticated technological mechanisms of credit reporting systems where data from different sources are easily and quickly aggregated, data are de-contextualised, new data are automatically created, and are disclosed to a potentially unlimited number of third parties willing to pay a fee for a growing number of expanding purposes. Hence, these criticisms alone could probably be sufficient to call for (1) a declaration of illegitimacy of CRAs activities, or (2) changes in the law, the choice between the two depending on the point of view from which consumer credit reporting is regarded, i.e. whether it is (1) a useful but unnecessary tool at the service of the credit industry for the management of consumer credit transactions or, rather, (2) an essential instrument in the general interest or for a right of lenders. This work has extensively expressed its attitude towards the way in which CRAs’ activities should be regarded and the reasons for concern, namely, that information-sharing mechanisms are commercial services delivered to assess the creditworthiness of consumers in the self-interest of lenders for their profitability. These are not, however, the only aspects worth a discussion and upon which to open a juridical debate. In fact, from a legal positivist approach, what above all the analysis in the previous chapter has continuously attempted to emphasise is that the entire process is based and relies on the consent of the data subjects for sharing their data via CRAs to make the whole data processing exercise legitimate.2

1 See Chapter 6 above. In particular, see Directive 95/46/EC, OJ 1995 L 281, p 0031–0050, Art 10 and Art 11. 2 See Directive 95/46/EC cit at 1, Art 7(a).

Conclusions 179 Inter alia, the same instance of consent also releases bank secrecy duties from those lenders who have such a legal obligation.3 Earlier, Chapter 6 has provided some explanatory interpretations surrounding the meaning of ‘consent’ according to Directive 95/46/EC. Now, the question is whether the adopted practice of ‘consent’ used to permit lenders to share customer information with third parties, thus allowing CRAs to exist legally, really respects the rationale and objectives of the law, together with the values and rights that data protection safeguards in unison with the underlying fundamental freedoms of individuals.4 This important issue, in turn, raises a number of further questions about the effective protection granted to consumers that need discussion. Building on the analyses carried out so far in this study, therefore, this concluding chapter develops, and comments on, the many aspects that pose a threat to consumer rights and liberties, highlighting the legal setbacks that emerge. By concluding with some policy considerations addressed to consider some concerns in the general interest, the final part of the study ultimately purports to initiate and promote a debate to stem a situation that it finds conclusively alarming for the respect of European consumer rights.

Consent model As extensively stressed, Directive 95/46/EC refers explicitly to unambiguous consent as one of the essential principles for a legitimate data processing. Consent, as conceived by the law, is a key element that permits the processing of personal data by data controllers that would otherwise be forbidden. When consent is validly provided by a data subject, this releases data controllers from the restrictions provided by the law in a fashion that has been described as an ‘opt-in’ system, i.e. the processing becomes lawful from the moment such a consent is unambiguously expressed.5 Clearly, in the absence of any indication in the law to the contrary, or by way of explicit legitimisation in other prevailing legislation, the consumer credit granting process must not be treated differently. Indeed, this work has stressed that consent is the key legal mechanism upon which CRAs need to rely for every single aspect of the reporting business. In summary, therefore, according to Directive 95/46/EC, a lawful consumer credit transaction involving CRAs should be finally construed as follows:

3 It should be reminded that not all lenders have such an obligation, as bank confidentiality does not apply to non-bank lenders. 4 See Chapter 5 above. 5 In the so-called opt-out systems, by contrast, the processing is legitimate unless an individual decides by opting out that such processing should not be done.

180

Law and Consumer Credit Information in the EC

1) At the time a consumer makes a credit application, lenders should inform and obtain the consumer’s consent in order to carry out a search at a CRA. Such searches refer to data of past transactions of the data subject. 2) As each search generates new data (for example, the search flag and the related information in the CRAs’ databases), the data subject should be informed and provide his/her consent about such new data being generated, processed and passed to CRAs, as well as the other lenders for future possible applications, including inter alia notice as to the scope and length of time of such data processing. 3) Once the lenders have agreed to grant a credit line, thus entering into a credit contract, they should inform and seek the consumer’s consent to pass the relevant information to CRAs for future searches relating to new and different credit applications, including notice as to the scope and length of time of such data processing. Also in this situation, new data are generated, but on this occasion the consumer ignores its future content as he/she consents to the processing of data whose content cannot be known at that stage. 4) In the event that a lender decides to refuse the grant of a credit line to the applicant, it should inform and seek the data subject’s consent to generate and communicate such new data to CRAs and, in turn, other third parties (for example, the application being refused). Under such a comprehensive process, consent should be further sought to legitimise the adequacy of the type of data to be processed vis-à-vis the purposes for which they will be used, including consent relating to the data retention period. Crucially, more than one instance of consent should be required because it would otherwise create a problem of absence of specificity. In fact, it would be a violation of the information privacy principles to ask consumers to sign authorisations, unlimited in subject matter, essentially purporting to give permission to data controllers to process any personal data that they unilaterally decide to be relevant and disclose that information for expanding purposes to any person. By contrast, this study has already emphasised that one of the primary concerns of the Directive is to ensure that data subjects consent specifically to all uses the data is processed for. Processing based on consent cannot be regarded to be lawful if sought for general or vague aims, or if the data subject has no possibility of knowing the recipients of his/her data.6 Importantly, it has to be remembered that the above instances of consent should be separate from the consent that a customer gives for the processing of his/her data for the specific purposes of the credit relationship with the lender at stake.

6 See Chapter 6 above. Consent must be specific. Directive 95/46/EC, cit at 1, Art 7(a).

Conclusions 181 Another fundamental feature is that, as a general rule, each instance of consent should be the free choice of the individual. Arguably, in fact, consent would be meaningless if people had no option but to consent in order to obtain a benefit or a service that could be nonetheless provided. It seems the case, however, that in the credit reporting process consumers do not have much choice if they do not want to be refused credit. The consumer’s consent with regard to the searches to be carried out in the CRAs’ databases, for example, seems to be viewed either mandatory or assumed (i.e. implied consent). Lenders say that the lack of such consent would impede them from taking the credit application any further. No consent means no credit (i.e. enforced consent). Moreover, lenders make it a condition of the credit contract that at a later stage they have the right to pass the information concerning such specific credit line to CRAs, which in turn will have the right to disseminate the same to their client members, such clause seeming to be non-negotiable (no consent, no contract). There is another important aspect of consent. As construed by data protection legislation, consent is normally a unilateral act, and therefore it is inherent in its nature that it can be withdrawn by the data subject at any time.7 The more, thus, consent may be withdrawn if the data processing is not necessary for the service provided, or it may be denied for a further processing that is compatible, but still different, from the original purpose of the processing. Once the assessment of the creditworthiness has tested positive and credit has been granted to a consumer, there would be no necessary reason for the communication of his/her data to CRAs, hence there would be no reason to impede the concerned individual’s right to revoke his/her consent to the subsequent processing. However, consent may not be withdrawn by a data subject, at least for a certain amount of time, if it has been given under contractual arrangements that limit its withdrawal. In legal terms, such an obligation seems once more incorporated in the standard terms of consumer credit agreements, leaving no option to data subjects to exercise the right of withdrawal. All the above difficulties would probably be acceptable if consumer credit reporting were a necessary step of the credit granting process, or processing were in the public interest. It is useful to recall that for the processing of data to be considered lawful under these latter circumstances it must be certain that the interest at stake is indeed a legitimate one recognised and protected by law. But assessing the creditworthiness of consumers via CRAs does not, in fact, fulfil such a legitimate function and, at any rate, the consent of the data subject would not even be a necessary requirement of the law. Furthermore, other questions arise that need discussion.

7

Carey (2004b), 73; Bainbridge and Pearce (2000), at http://www2.warwick.ac.uk/fac/soc/law/ elj/jilt/2000_2/bainbridge/.

182

Law and Consumer Credit Information in the EC

Other concerns From the viewpoint of civil liberties’ protection, if the conceived system carries major concerns for processing that are not necessary, the more it does when one considers the consequences of such a processing and dissemination as outlined throughout this work, alias profiling, creation of de facto blacklists, discrimination, exclusion, stigma, etc. – all corollaries of the violation of the wider right to privacy. As already said, this is exacerbated by the consideration that a consumer may not withdraw his/her consent at a later stage, as once more he/she is bound by another non-negotiable contract term. It is certainly true that ‘no one has a right to credit’.8 At the same time, it is also true that consumer lending is not a mandatory business but a commercial activity no different from any other, therefore the actors involved should nevertheless play by the rules. In any case, what is almost certainly indubitable is that no one should suffer the abuse of his/her fundamental rights, especially by means of instruments that do not have a causal connection with the service required, nor a basis of conclusive evidence. Moreover, credit – though not strictly necessary to people’s lives – is becoming an increasingly important aspect in consumer society and for the individual sustainability of the general economic model based upon consumption imposed by the market economy. In addition, nowadays, access to credit has become an issue of social equality and the consequences of credit reporting may indeed lead to inequality, at least in terms of individual selection, if not in terms of race or ethnicity.9 As Chapter 5 has pointed out, in fact, privacy is also about discrimination. When people are refused credit they should not become more vulnerable either to getting credit at more expensive rates and/or to disadvantageous contract terms (sometimes to the point of extortionate credit deals) or, even worse, to being victims of usury in the black market. What is of note is the fact that information about defaults are passed on to CRAs (and then, in turn, disseminated) simply by the lenders so affirming, regardless of any judicial hearing having taken place, thus raising questions as to whether is there any respect for the certainty and rule of law. Is someone guilty for failing to pay a lender back because the lender simply says so or because a judge has taken a decision by law accordingly?

8 The UK Information Commissioner’s Office, ‘No Credit?’, available at www.information commissioner.gov.uk/cms/document/uploads/common%20complaints%20about%credit%20 reference%20file%20information.pdf. 9 For literature on the issue of financial exclusion see Castells (1996); Financial Services Authority (2000); HM Treasury (1999); Hogarth and O’Donnell (1999); Hogarth and O’Donnell (2000); Kempson and Whyley (1998); Kempson and Whyley (1999); Lee (2002). For literature on racial and minorities’ inequality in the financial services market see Ramsay and Williams (1999); Burton (1996); Kempson (1998).

Conclusions 183 The legitimisation of the processing of financial data through enforced consent also shows that there exists almost limitless potential utilisation of CRAs’ databases for further activities. The list of additional products, services and trends in the use of such data offered by CRAs, provided earlier in Chapter 1, exemplifies the problem, exacerbated by increasing complexities that come from the use of ever-evolving data mining techniques and advanced technologies. For example, in consumer credit scoring, which is built on consumer credit reporting data, not only are the same sophisticated information systems involved, but so are the use of the latest findings in artificial intelligence technologies.10 The issue of obliging credit applicants to communicate data to CRAs should also be put in context with another problem that seems to be present: the absence of set and transparent rules regarding the design and working of the system. In particular, it is hardly explicable what happens in the absence of personal data referring to a consumer who, for instance, approaches the credit market for the first time. In the meaning of CRAs’ systems, no reputation exists about an individual who has no credit history. Does this mean that he/she is creditworthy or rather that he/she is a credit risk? What reputation is attached to a similar condition? What is in fact relevant about the answer to this set of questions has consequences for (1) the nature of the system itself, or at least (2) the processing of positive information in the credit history of consumers: (i) In the event that the individual with no credit history is considered a risk, thus being treated differently from others with an immaculate credit history, then the reputation mechanism at stake presents weaknesses that lead to a contradiction. Arguably, in fact, on several occasions someone may have no credit history because he/she never needed credit in the first place due to having enough savings/assets or, in any event, as a result of managing well or just differently his/her resources. This should not represent a negative indicator of behaviour in repaying debts, and certainly no negative reputation should be attached to a similar personal financial management. Will lenders grant credit to someone who approaches the credit market for the first time? Of course they will, as there has been a first time for everyone who later has developed a credit history, thus feeding the system. So credit can indeed be granted to people who don’t have a credit reference. This, at the same time, reinforces once more – if it were ever still necessary – the idea that credit granting and consumer

10 The use of credit scoring models has become increasingly automated with the use of IT and internet to obtain and compile financial data. It is also important to stress that the most important feature of artificial intelligence technologies is their modelling on the neural networks of the human brain and ability to learn. This may also occur from distorted or incomplete sample data. See Baesens et al (2003); Handzic et al (2003); Crook et al (2005); Bower and Sawicki (1998); Diana (2005).

184

Law and Consumer Credit Information in the EC

credit reporting are on two different levels and the latter is not a necessary condition for the former to take place. (ii) If, by contrast, no importance is attached to the absence of information about an individual, as what matters is that there are no defaults in the credit history, and therefore the concerned individual is treated as fairly and equally as everybody else with an immaculate credit history, then major doubts arise about the processing and dissemination of positive data. As Chapter 1 anticipated, the justification for such processing may lie in the fight against over-indebtedness. A more detailed discussion about over-indebtedness and its measurement is carried out further below. Already at this stage, however, it is worth noting that the need for different types of information indicates that there is a marked difference between the assessment of creditworthiness and the assessment of over-indebtedness, and that the latter is a different concept that requires secondary processing.11 As far as the assessment of creditworthiness is concerned, however, it seems that the use of positive information in the assessment of creditworthiness is excessive. The above is only one situation that may occur, and serves the purpose of exemplification. Other issues, such as the importance attached to every piece of information, the occurrence of a late repayment but still payment (yielded by added interests and penalties), the retention periods of each type of data, etc. may give rise to many more unclear situations. In the end, what is worrying is that the contractual mechanisms in place seem to force consumers to sacrifice their right to privacy by taking part in an unnecessary system where the rules are far from clear, let alone transparent. Yet again, consequently, no other conclusion can be drawn but to underpin the view that respect for the law seems seriously compromised.

Secondary data processing purposes and consumer protection (a) Over-indebtedness As emphasised in Chapter 1, a growing reason put forward by CRAs and the credit industry for the sharing of consumer financial data is that it provides a tool in the fight against consumer over-indebtedness.

11 Data processing for the assessment of creditworthiness and over-indebtedness share the common element of being carried out for purposes relating to the management of personal resources. This element, however, seems very wide and potentially any data processing could be justified on this ground, which hardly makes it acceptable as a valid specific purpose for more data uses.

Conclusions 185 As anticipated above, over-indebtedness is different from creditworthiness. In fact, someone who – in the language of the credit industry – is creditworthy may still be over-committed, i.e. over-indebted. In data processing terms, moreover, the two have compatible but still different purposes with all the following legal consequences imposed by data protection legislation.12 The problem with over-commitment is that it may lead to a default in the repayment of debts. And, of course, from that moment, this occurrence will be perpetuated in the credit history of individuals, affecting their creditworthiness. To assess an individual’s commitments, thus, the industry maintains that the processing and dissemination of positive information play a major role. Against this background, recently the concept of ‘responsible lending’ was introduced in the language of policy-makers and lenders alike, particularly in proposals for future legislation regarding consumer credit.13 In simple terms, ‘responsible lending’ seems to imply that the responsibility to make optimal decisions for a sustainable management of one’s financial capability needs to be shifted from the concerned consumer to the lenders. Or, in the terms of other commentators, the responsibility is shared between the parties involved, although it is difficult to see what responsibility is left to consumers if the decision to grant credit is ultimately taken by the lenders unilaterally.14 Responsible lenders, therefore, would be allowed to grant credit only to those consumers who are objectively deemed to be able to sustain their spending. This paternalistic view is debatable, as it presupposes that all consumers are incapable of making their own optimal decisions and lenders, in a clear conflict of interest, would be better carers.15 Moreover, making an objective judgement would entail a complete and intimate knowledge of consumers, including factual and situational circumstances of a personal nature. Certainly, the industry should not be held exempt from responsibilities on the matter of consumers’ over-indebtedness, but other more important issues should be addressed before stimulating the use of information-sharing

12 See Chapter 6 above. 13 See Proposal for a Directive of the European Parliament and of the Council on the harmonisation of the laws, regulations and administrative provisions of the Member States concerning credit for consumers, COM (2002) 443 final 2002/0222 (COD) followed by Modified proposal for a directive of the European Parliament and of the Council on credit agreements for consumers amending Council Directive 93/13/EC, COM (2005) 483 final 2002/0222 (COD). See, in particular, Chapter 4 above. 14 European Credit Research Institute (2006). 15 Moreover, acting as good, responsible lenders would mean always offering the best possible deal to borrowers and it is unclear what ‘responsible lending’ would entail in the event of breaches of such a duty as ‘responsible lender’. But see OECD (2005), available at http://www.oecd.org/document/28/0,2340,en_2649_ 15251491_35802524_1_1_1_1,00.html, according to which there is a low level of education among European consumers on how to manage and budget finances.

186

Law and Consumer Credit Information in the EC

devices. Priorities would include, for example, informing consumers properly, educating them, refraining from misleading advertising and aggressive marketing, refraining from fuelling unnecessary demands for consumption, desisting from generating an instant credit culture, and so on. These are indeed areas of concern expressed by policy-makers at EC and national level.16 A recent study conducted on European consumers identifies three basic complementary remedies to improve the management of their financial affairs: education, information and protection. As justified by the industry and the study alike, consumer credit reporting falls within the instruments that enhance the third remedy, which is consumer protection. Lenders would be able to identify over-committed borrowers and protect them from running-up debts beyond their means.17 Ultimately, therefore, consumer credit reporting would serve as an instrument in favour of consumers. However, the use of CRAs’ databases in this context may appear, once again, controversial.

•

In first place, it is difficult to conceive of an instrument in favour of consumers that does not allow them to decide freely whether or not to take advantage of its alleged benefits.

•

Secondly, it is very hard to define what the financial capability of a consumer really is or should be. Certainly, CRAs databases could recognise the traditional borrowings of an individual, such as indebtedness for a mortgage or other traditional loans. However, other less obvious forms of debt may exist: for instance, regular monthly payment for the household economy, such as rent (not all consumers are property owners), utility bills, insurance, taxes, school fees, commuting costs, etc. as well as sudden ones that may take the form of regular payments, such as medical expenses that were not needed before, the financial results of a divorce or a separation, etc. Other factors, such as the growing phenomenon of legalised gambling or other less legitimate/illicit habits of a consumer, may play a role. The list may be endless, depending on the personal life of each individual, which lenders do not necessarily control.

16 European Credit Research Institute (2006). See also Proposal for a Directive of the European Parliament and of the Council on the harmonisation of the laws, regulations and administrative provisions of the Member States concerning credit for consumers and Modified proposal for a directive of the European Parliament and of the Council on credit agreements for consumers amending Council Directive 93/13/EC, cit at 13. See also, as a national example, the UK Consumer Credit Act 2006 and Department of Trade and Industry, ‘Consumer Credit Bill, Full Regulatory Impact Assessment’, available at www.dti.gov/uk/ccp/creditbill/ pdfs/creditbillria2.pdf or at www.ber.gov.uk/files/file24434.pdf. Collard and Kempson (2005). 17 European Credit Research Institute (2006); San José Riestra (2002); Bradford (2004).

Conclusions 187 Then, all debts should be put in parameter with income or credits that a borrower may have. Arguably, in fact, the capability to repay debts may depend on a number of heterogeneous sources of income. Someone may have proceeds other than those coming from the official job occupation. For example, savings, returns on investments, inheritances, money paid in from divorce/separation, a second activity, the contribution of other people including family members, gifts, etc. Once again, the list may be endless. And, from one day to the other, income may drop as the result of unpredictable circumstances, either of a personal nature or in the general economy (like rises in official interest rates, a recession, a drop in the stock market, etc.). All things considered, the real importance of the weight of consumer credit vis-à-vis other forms of debts (including but certainly not limited to mortgage debt) in the indebtedness of individuals is doubtful and open to discussion. In business lending, borrowers normally have to produce the earlier years’ certified balance sheets and forecasts that include all the financial movements and assets of an organisation. Consumers, on the contrary, do not have certified balance sheets. Thus, an assessment of the financial capability of consumers would result from incomplete information, which is deceptive information. What appears relevant for this discussion is that it would be difficult to accept the centralisation in a database of all the above types of information in order to assess a consumer’s financial capability, all in order to protect him/her from the mismanagement of resources. But, as the situation stands, CRAs are far from solving all such problems, since their tools would not be capable of reflecting the reality of the causes of over-indebtedness that are not simply the accumulation of debt. Arguably, therefore, the sacrifice of a fundamental right, such as privacy, for partial and de-contextualised information (which, again, is deceptive information) appears even less justifiable, but this is precisely the current situation in the consumer credit sector.

•

Thirdly, this work has already expressed the importance of other factors other than the mismanagement of resources as likely occurrences in the life of human beings that may affect someone’s financial capability. And, it is worth repeating it shortly here, life-time events and/or contingent poor market conditions in the economy could be – as they normally are – decisive factors for personal financial imbalances.

•

Finally, a borrower with an immaculate credit history may be turned down in a credit application for being, in the judgement of a given lender, over-indebted. A negative piece of information will be created, processed and disseminated. This may induce other lenders to turn down this individual in the fashion of the reputation mechanism in place.

188

Law and Consumer Credit Information in the EC Then, whether one can impute if the rejected customer is a good or bad debtor is questionable. Moreover, this is scarcely a matter of objective judgement.

This is just an example, and does not pretend to be exhaustive as other different situations may occur. What it nevertheless seems to show is that yet again the absence of set and transparent rules undermines the system, especially when important rights – such as that of privacy – are at stake. All the more, consumer credit reporting appears inappropriate if one considers that it is difficult to evaluate it as an objective remedy that may contribute to the ‘consumer protection’ element above identified in the fight against over-indebtedness. Above all, in the context of all that has been said in this study about the importance of informational privacy for individuals, a major question to be raised in the fight against over-indebtedness is what the perception of a consumer protection policy should be, i.e. whether protecting consumers from privacy intrusions and profiling or, rather, paternalistically protecting them (against themselves?) by making lenders responsible to judge individual limits to their access to credit. If the answer is that the latter circumstance should prevail, then another consequent issue to be raised next would be to what extent such a perception of consumer protection should override the established right to privacy of individuals. (b) Fraud prevention The credit industry claims, in addition to the arguments so far discussed, that CRAs’ databases also provide a fraud prevention service.18 If the problem of the industry is the phenomenon, or technique, used by some to repay debts underwriting further debts in what ends-up as a debt chain (for example, via credit cards used to repay outstanding balances on other credit cards), the question should focus on the ease with which the system as it is structured allows this to happen, providing excessive and lax credit facilities for single borrowings that are not tied with a specific good or service, rather than the use of intrusive techniques used on everyone to defeat the few. Also, it has been argued that CRAs databases may help to identify those consumers who make several applications to different lenders for acceptable amounts in order to receive an aggregate sum that exceeds the credit that would have been granted by a single lender.19 Again, this presupposes people wanting to circumvent the system; but figures about this occurrence are missing. In any event, especially in the absence of precise indications of a problem that seems to originate from the lack of 18 See Chapter 1 above. 19 European Credit Research Institute (2006), 94.

Conclusions 189 proper assessment beyond information sharing, it could be maintained that the solution of sharing financial information is in any event excessive vis-à-vis that type of behaviour. It suggests one more time, in fact, that there is a need to hit all to catch the few. Most probably, this strategy could hardly fit in the ‘consumer protection’ element identified to remedy the financial management of consumers. As it happens for every commercial transaction in all sectors of the economy, no matter if in a business-to-business or business-to-consumer environment, the credit industry should put in place more accurate checks on a personal basis without necessarily relying too much on databases and profiling techniques. The use of these types of technologies, in fact, seems more likely to respond to, and at the same time feed, an ‘instant credit’ culture, where traditional face-to-face screenings, supported by documentation and other techniques aimed at knowing a customer, lose importance vis-à-vis reliance on personal data-sharing devices powered by software to grant credit immediately. This, if anything, seems to rather play against any ‘consumer education’ remedy.20 Furthermore, in situations that data sharing aims at preventing, the borderline between financial capability and fraudulent behaviour is subtle and it could be difficult to separate the two. Actually, contrary to the assertion of the credit industry, it is questionable whether CRAs’ services could indeed represent fraud prevention instruments. It should be clear from the outset that this work does not mean to contest the effectiveness of data-mining techniques in the fight against crime, an analysis that goes far beyond its scope. What it suspects, on the contrary, is that their use should be left to the competent authorities, and not exploited to justify the marketing of CRAs’ services which eventually always aim to reach the very different objective of increasing the lenders’ profit. In the context of CRAs’ databases, in fact, it is debatable whether the practice of relying on personal data and technologies may really prevent fraud or, by contrast, be the cause of it, at least as long as it concerns new forms of information and financial fraud that are increasingly taking place. Indeed, it has been argued that the impact of information technologies on personal information has fostered the misuse of data, facilitating fast-growing financial crimes, including identity theft. Apparently, in fact, identity thieves operate thanks to the practice of the industry to rely heavily on databases, 20 Arguably, time-taking checks by lenders and the following efforts required to borrowers would not only help the former to better know their customers but could also make the latter more responsible of their actions. By contrast, the development of an instant credit culture rather seems to exacerbate the idea that people may afford everything they like irrespective of real possibilities and the consequent relaxation and ease in the use of credit, thus leading to over-commitment. Moreover, screening customers face to face and applying other techniques such as trial loans (small loans are granted in the first instance) would allow access to more complete information about the personal and economic circumstances of applicants as well as changes in those circumstances. See also Collard and Kempson (2005).

190

Law and Consumer Credit Information in the EC

coupled with the ease of obtaining someone else’s basic personal identifiers. And, if anything, consumer credit reporting worsens the damage suffered by victims by feeding an inaccurate information system, affecting their reputation, and excluding them from credit. These are accrued damages that take victims a long time to repair, on top of the distress caused by the theft itself.21 Without entering in detail into the debate over the origins and causes of financial criminal matters, what seems vitally important is that further legal concerns would arise should consumer credit reporting really be used for fraud prevention objectives. First of all, as anticipated, distributing information about fraudulent behaviours should be managed by the relevant authorities. CRAs have not been invested with policing duties or authority, which would arguably require the previous assignment of the law. Next, especially in criminal matters, any alleged fraudulent activity should go through a judicial hearing and the rule of law should be respected. It may be useful to remember that a core principle in every democratic system of criminal law is that someone is innocent until proven guilty following a fair trial. Accusing or treating someone as a criminal simply as the result of inclusion in a database maintained by private commercial organisations such as CRAs, i.e. before a judicial declaration of guilt, could account as calumny22 or defamation, in most jurisdictions a criminal offence in itself giving the right to compensation to the person offended. In the end, what the considerations above aim to put forward is that to assume, as the credit industry seems to do, that consumers all too often attempt to defraud the system is manipulative. This work is aware of and takes seriously into account the problem of the crime of fraud. The reproachable conduct of particular borrowers should indeed be prevented and punished by the competent authorities with appropriate policing means, but not by self-proclaimed commercial organisations operating at the necessary expense of everyone’s fundamental rights.

Consent, privacy, EC consumer law and competition: further implications for consumer protection? The problem of enforced consent is a known one that has already been stressed by the literature on data protection for situations different from the 21 May (2002); Sovern (2004). See also, for example, Jennifer Barrett, ‘It’s Just Too Easy’, Newsweek (2002); Tom Zeller, ‘For Victims, Repairing ID Theft Can Be Gruelling’, New York Times (1 October 2005). See also Banisar and Davies (1999); Research Group (2005). Recently, moreover, newspapers have reported a record number of identity frauds facilitated by the lax way that lenders distribute credit cards coupled with the simplicity for fraudsters to provide easily obtainable information. See, for example, ‘Watch out, they are still about’ and ‘On the lukewarm trail of the doppelgangsters’, Guardian Money (3 February 2007), 1 and 3. 22 Calumny is a legal category of many civil law jurisdictions within the EC but unknown to English law. The Webster’s New Collegiate Dictionary defines it as ‘1) the act of uttering false charges or misrepresentations maliciously calculated to damage another’s reputation; or 2) a misrepresentation intended to blacken another’s reputation’.

Conclusions 191 one now under study. As suggested, when an individual deals with a business organisation, particularly a large one, there is pressure on the individual to behave in compliance with that organisation’s standard terms of business. In such a situation, there is unequal bargaining power between the two that clearly influences whether or not the consent of the individual is freely given.23 For example, an area where such abuse of the data subject’s consent has been so far identified by other studies is the employer–employee relationship in the labour market. This is due to the perceived inequality and disadvantage of employees in terms of bargaining power in the relationship, and the resultant lack of proper consent in its ‘freely given’ element.24 Arguably, the above elements of contractual ‘inequality’ and ‘disadvantage’ may be seen also in the consumer credit relationship, which is at the basis of the reporting process. Such imbalance, which imposes on consumers to provide consent, raises the suspicion that consumer credit reporting may also fall within the scope of other less obvious applicable laws, for example other European or domestic consumer protection legislation, particularly as regards general prohibitions of unfair commercial practices.25 This would certainly represent an intriguing legal scenario that Howells long-sightedly approached in the framework of English law even before the enactment of Directive 95/46/EC and the following developments.26 The new European legal framework and advances since then would give rise to a further legal analysis that, in the absence of the inclusion of consumer credit information reporting in any relevant law or existence of case law, would result in pioneering an unexplored territory of wider legal interpretation. This falls outside the investigation of this work for the complexities that may arise, that as such deserve separate attention.27 Although this is not the place to develop such a detailed study, the issue nevertheless contributes further thoughts on the legal problems that enforced consent poses in the consumer credit sector. In consumer credit, in fact, it is not just individuals who normally deal with large lenders, but also all other lenders in the marketplace make use of the same type of standard terms, as they are part of a network system, a membership that owes its alleged

23 Webster (2006), 25. 24 Ibid. See also Carey (2004b), 72–73. 25 Directive 2005/29/EC (2005) OJ L 149/22. The Directive replaces earlier consumer protection directives (like Directive 93/13/EEC on unfair terms in consumer contracts) providing a comprehensive framework for dealing with all commercial practices targeted at consumers. 26 Howells (1995), 350–355. 27 For an analysis of the Unfair Commercial Practices Directive see Howells et al (2006); TwiggFlesner et al (2005); Howells et al (2007). Consumer protection legislative measures, including product safety and liability, sale of consumer goods, unfair contract terms and practices, have been the subject of earlier extensive scholarly analysis. See generally Howells and Weatherill (2005); Howells and Wilhelmsson (1997); Howells and Wilhelmsson (2003); Stuyck (2000).

192

Law and Consumer Credit Information in the EC

business success to extensive coverage in terms of scale and scope, which has the propensity to universality.28 Thus, consumers sign up to the standard terms of a given lender or seek another lender, but then all other lenders would be part of the reporting network and impose the same terms. The fact that some Member States have more than one CRA in place is of little or no help for consumers, as the alternative in the marketplace would be for the benefit of lenders only.29 Lenders, moreover, normally use all the existing CRAs of the reference market to obtain full coverage, because reliance on one CRA only would result in an incomplete assessment, which, by definition, is a useless one for their goals. Consequently, they mirror this circumstance in the underlying consumer contract terms, forcing borrowers to consent to the data processing of more than one CRA – which, if anything, is even more worrying for the privacy of consumers. Ultimately, therefore, even without entering into the details of the present wider European consumer protection legislation, this uniform and systematic practice by the industry seems ostensibly to count as an abuse of the rights of individuals, in particular the right to consent freely to the processing of personal data that undermines the rationale and essence of the whole data protection law. In this framework, it seems significant that European consumer law, together with the related legislation enacted by Member States, has been adopted so far with the objective of increasing consumer confidence in taking advantage of the opportunities offered by the Internal Market.30 Moreover, it is generally accepted that there exists a strong link between consumer policy and competition, and that one of the main aims of competition law is to benefit consumers and stimulate innovation alike.31 In this context, consumer credit agreements undoubtedly vary considerably in the marketplace. Also in consumer credit, in fact, competition among lenders seems to be a decisive factor in differentiating the offers to borrowers. Differentiations include type of product, lateral added services, costs, penalties and so on. The clauses referring to information sharing, however, seem alien to any use for competitive advantage. Besides, it is unquestionable that any data used by CRAs can be turned into a commodity with a price tag. Such a commodity is a matter between lenders (who pay for the data despite being the original contributors of

28 Jentzsch (2003a). See Chapter 4 above. 29 See Chapter 4 above. 30 Member States have been left with higher margins of consumer protection following the ‘minimum harmonisation’ approach in EC consumer policy. Recent initiatives, however, point to the direction of a shift towards a ‘maximum harmonisation’ approach. See Howells et al (2006); Howells and Wilhelmsson (2003), op. cit. at 27. As far as it concerns the objective to increase consumer confidence in taking advantage of the opportunities offered by the Internal Market, see contra Wilhelmsson (2004). 31 Twigg-Flesner (2005); Costanzo and Ashton (2006).

Conclusions 193 information) and CRAs (who earn their business out of information trading). Data subjects, however, who are the original source of information relating to themselves, are excluded from this profitable trade, and are passively subjected to the imposition of their data being traded by others. In other sectors of the economy, for example food shopping or other goods, consumers are compensated for their information trading, used for marketing purposes, with various types of rewards, such as fidelity cards that allow discounts or other gratuities. A number of consumers may be willing to trade off a degree of their privacy for these discounts, free products/services, points or other benefits, and that would be their free choice. This option, unfortunately, is absent in the trading of consumer credit information. What the above reasoning aims to say is that if a consumer wants or needs credit facilities, either he/she accepts renouncing his/her privacy or he/she is forced to abandon the request. In this respect, consumer confidence can be affected by the extent to which privacy is not adequately protected. It appears that as far as the sacrifice of their privacy is concerned, consumers are offered no choice and face a cartel that abuses its dominant position. Also, as the possibility to opt out of the ‘CRAs clause’ is precluded, this affects the competitive advantage that consumers should have in the selection of the right lender for their needs: one able to respect their personal values or need for privacy (for instance, an ‘ethical lender’). Also, from a different angle of competition policy, it could be argued that credit assessment methods could be used as a key know-how and competitive tool for lenders, for whom a correct assessment of borrowers’ creditworthiness becomes an essential element of the market and a key that contributes to determining the success or the failure of a venture. Those who are good at selecting reliable borrowers would succeed, by contrast those who have a poor performance in selecting their customers fail. All this could happen without adding CRAs’ costs to the cost of credit, ultimately paid by consumers.32 For this to be done, it is also a matter of innovation in credit management techniques. And, as observed by others, innovation requires a competitive market, in which businesses compete to satisfy the demands of customers, including the requirement of an appropriate attention to their concerns.33 To prevent agreements that reduce consumer choice and/or abuse rights in a particular market, as it may be for network agreements, Art 81 and 82 of the EC Treaty provide a legal tool against the abuse of such practices or power of those businesses that dominate that market.34

32 For example, in competition terms, those lenders that prove to be better in lowering the costs of their credit risk management could reflect this circumstance in the final cost of credit for consumers by offering better deals. 33 Twigg-Flesner (2005). 34 Ibid. In particular, it should be observed that Art 81(1)(e) refers to ‘agreements which make the conclusion of contracts subject to acceptance by other parties of supplementary obligation which, by their nature and/or according to commercial usage, have no connection with

194

Law and Consumer Credit Information in the EC

So, might present consumer credit reporting practices fall within the scope of Art 81 or 82 of the EC Treaty or, else, violate existing EC consumer laws? The answer to this question could be very complex and, in the end, this work does not want to suggest that all the above considerations necessarily mean that consumer credit reporting practices automatically fall short of the requirements of wider European consumer legislation and/or competition law. Instead it aims at maintaining that, seen from the above angle, at least such a circumstance represents a possibility worth a deeper investigation. To make such an assessment, the interconnection between data protection, wider consumer law and policy and competition law should be further explored and debated in a scholarly way. Clearly, such an analysis should not be limited to the consumer credit reporting sector but should cover part of EC and national legal theory and general consumer protection policy, thus deserving closer attention elsewhere. At last, the answer to the latter question posed will depend much on the extent of the acceptance of effective data protection measures, such as freely given consent, in the broader consumer and competition policies. However, on the question regarding the applicability of Art 81(1) and 81(3) EC to credit information systems, in a recent judgement the European Court of Justice (ECJ) took a different perspective to the issue. It reasoned that the compatibility of an information exchange system with the Community competition rules cannot be assessed in the abstract. Rather, it should depend on the economic conditions of the relevant market and on the specific characteristics of the system concerned. In this regard, in the ECJ view, Art 81(1) EC should be interpreted as meaning that a system for the exchange of information on credit between financial institutions does not have as its effect the restriction of competition among lenders, provided that the relevant market or markets are not highly concentrated, that the system does not permit lenders to be identified, and that the conditions of access and use by financial institutions are not discriminatory, in law or in fact. In the event that a credit information system restricts competition within the the subject matter of such contracts’. Under Art 81(3), Art 81(1) may be declared inapplicable to any agreement ‘which contributes to improving the production or distribution of goods or to promoting technical or economic progress, while allowing consumers a fair share of the resulting benefit, and which does not: (a) impose on the undertakings concerned restrictions which are not indispensable to the attainment of these objectives; (b) afford such undertakings the possibility of eliminating competition in respect of a substantial part of the products in question’. Article 82, instead, provides that ‘any abuse by one or more undertakings of a dominant position within the common market or in a substantial part of it shall be prohibited as incompatible with the common market insofar as it may affect trade between Member States’. Thus, for Art 82 to apply there must be some effect on trade between Member States, but such an effect is not hard to establish as long as there is evidence that a particular activity might theoretically affect trade. See British Leyland plc v Commission. See also Steiner et al (2006), ch. 28.

Conclusions 195 meaning of Art 81(1) EC, national courts should determine whether the cumulative conditions laid down in Art 81(3) EC are satisfied. Significantly but controversially, the ECJ concluded that in order for the condition that consumers be allowed a fair share of the benefit to be satisfied, it is not necessary for each consumer individually to derive a benefit from an agreement or a concerted practice, but the overall effect on consumers in the relevant markets must be favourable.35 Crucially, however, the ECJ expressly stated that any possible issues relating to data protection are not, as such, a matter for competition law, and they must be resolved on the basis of the relevant provisions governing data protection.36 Clearly, therefore, the above judgement confirms the need to respect data protection legislation, but at the same time it shows the reluctance of the Court to explore the interconnection between data protection and the wider consumer and competition law as suggested earlier in this work.

The paradox of consumer credit reporting systems So far, the sections above have identified a number of reasons for concerns over the effective protection of consumer rights and liberties. In legal terms, by analysing the meaning and importance of consent, it could be argued that the present consumer credit reporting practice contravenes the rationale and objectives of Directive 95/46/EC, and that an attentive application of the law should lead to a different scenario, where consumers are left the choice to be included or excluded from CRAs’ databases. The many other problems examined above reinforce this view. At the same time, however, the freedom that must be left to people to decide upon their participation in the system leads to a conflicting reflection: a CRA database comprised only of individuals who voluntarily accept the inclusion of their data in it, who could furthermore withdraw at any time their consent for the processing of their data, would have no reason to exist, as it could not even address the rationale and objective of the system itself. In all likelihood, those who eventually decide to be excluded from CRAs’ databases or withdraw their consent every time a negative piece of information is created would be largely, though not exclusively, precisely those customers that a credit reporting system is designed to identify. Indeed, a database designed to be incomplete would be helpless in addressing any need of the credit industry in the first place. Paradoxically, therefore, as the system stands it seems that:

•

the essential option that on the one hand must be offered to consumers by law to accept or decline inclusion in the system, and

35 Asnef-Equifax v Associatiòn de Usuarios de Servicios Bancarios (C-238/05), Judgement of the Court of 23 November 2006. 36 Ibid.

196

•

Law and Consumer Credit Information in the EC the rationale and scope of consumer credit reporting on the other hand,

are incompatible elements that create a vicious circle. Either the industry violates the law abusing consumers’ freedom to provide consent, or it abides to the positive law but feeds a system that is ineffective and has no reason to exist. In summary, the problem with CRAs is that consumers are not presented with a choice, and if the choice were given, this would be incompatible with the logic of the reporting system itself. There could be two alternative solutions to overcome this contradiction. (a) Exemption in the law. Data protection laws could contain an exemption for consumer credit information sharing thus avoiding the necessary requisite of data subjects’ consent. Indeed, the legal basis for such a manoeuvre could be found in Directive 95/46/EC itself, precisely in Recital 22, according to which Member States are given permission for special processing conditions for specific sectors.37 This interpretation, however, seems unacceptable, as it would remove the significance, rationale and objectives of the law and the important values and liberties that it aims to protect. It would be equal to riddling the law with exceptions concerning the most important dangers that it aims to prevent, i.e. the dangers connected with the use of technologies processing personal data to profile, pre-screen and categorise personally identifiable people. These, arguably, are precisely the real threat to privacy, certainly more dangerous in civil liberty terms than the standard marketing activities that companies carry out to develop and advertise their products that are so often stigmatised and the target of data protection laws. Has the law been enacted only to prevent irritating marketing activities and/or to introduce bureaucracies seeking data subjects’ consent to formally comply with it? It would be paradoxical if the law were adopted simply to place the burden on data controllers of enforcing consent to make possible what otherwise would be forbidden, then leaving them free to process and disseminate whatever they like once the legal obstacles have been bureaucratically removed. Similarly, it would be an absurdity to provide exceptions to make legal exactly those occurrences that the law aims at curing, leaving the prohibition only for minor threats. If these were the reasons for the enactment of the data protection legislation, then it would

37 Recital 22 of Directive 95/46/EC states: ‘Whereas Member States shall more precisely define in the laws they enact or when bringing into force the measures taken under this Directive the general circumstances in which processing is lawful; whereas in particular Article 5, in conjunction with Article 7 and 8, allows Member States, independently of general rules, to provide for special processing conditions for specific sectors and for the various categories of data covered by Article 8’.

Conclusions 197 be correct to side with those detractors of the data protection legislation and the European model, such as Singleton, when criticising that . . . the view that uses of information for marketing in the private sector violate human rights is a peculiar one. . . . Why would it violate someone’s rights to use information about him to sell him something? Junk mail may be annoying, but it is difficult to see it as akin to torture.38 Obviously, as shown in Chapter 5, the violations of human rights that the law aims at protecting are different, and the prevention of individual profiling, selection, categorisation and discrimination are among them. Exemptions in the law, therefore, would still require the protection of a prevailing interest for the benefit of the society generally, an interest that needs conclusive evidence or recognition, which makes the proposed alternative not viable for consumer credit reporting. (b) Industry-specific legislation It could be also maintained that, without the need to provide exceptions in the law, a separate industry-specific rather than omni-comprehensive legislation could stem consumer protection concerns, allowing CRAs to operate in a transparent, regulated environment. The difference between providing for an exception in the law and adopting an ad hoc legislation is straightforward: although both methods would prevail over general omni-comprehensive law in a specific to generic relation, both derogating to the general law, industry-specific legislation would positively address in detail the sector it aims to cover. An exception in the law, by contrast, would just negatively provide that a specific issue should not fall within the scope of the general law, failing to provide the coverage for what has been left out. For the protection of the rights of consumers, therefore, such a difference between the two approaches appears decisive. From this point of view, the solution of having in place a specific consumer credit reporting law would represent a step forward in the protection of the privacy of individuals and sweep aside doubts over unfair contract impositions. Enforced consent would no longer be required, lenders would have legal authority to share data, all the technical aspects could be considered, concerns addressed and provided for, the consequences of inclusion in a database would be set in a clear-cut manner, consumers would know clearly which specific piece of information is evaluated and its weighting, how far CRAs could go in the use of data and the number and type of services could

38 Singleton (2000), 186–202, 197.

198

Law and Consumer Credit Information in the EC

be established, and so on. In short, the system would benefit from tailor-made provisions, able to control any arbitrary use of credit reference information and the arbitrary positioning of CRAs and lenders in modern society. In more general terms, consumer information sharing would operate under the umbrella of the rule of law and legal certainty, where the development of robust provisions provide a strong substitute for the present practice based on the illegal enforced provision of consent. As Chapter 3 has shown, industry-specific legislation is already a model used in the US, where it also has the merit of having brought social acceptance into the system and shaped the industry over the years. If the trade-offs are so significant, could this represent a viable solution in the context of the EC? The legal basis for the adoption of this strategy could be traced in Directive 95/46/EC itself, in particular in Recital 23, according to which Member States are empowered to enact sectoral laws for the protection of the privacy of individuals.39 Yet, for such a solution to take place, a major structural problem seems to remain, precisely the one connected with the European dimension within which consumer credit reporting needs to be considered, together with the following institutional arrangements for its functioning.40

The European dimension There are at least four main interrelated reasons to put forward the case for a legal, harmonised Community framework and the Community’s competence in the area of consumer credit reporting: (i) The creation of a single market in consumer credit. This issue has been extensively dealt with earlier in Chapter 4. (ii) The freedom of movement of people and of establishment within the EC. The free movement of people within the EC is one of the four freedoms forming the foundations of the Common Market. At first, this freedom was limited to workers and entailed the right to move to another Member State and to live there as a prerequisite to accessing the job market. A number of social and ancillary rights were the natural corollary of removing the barriers 39 Recital 23 of Directive 95/46/EC states: ‘Whereas Member States are empowered to ensure the implementation of the protection of individuals both by means of a general law on the protection of individuals as regards the processing of personal data and by sectoral laws such as those relating, for example, to statistical institutes.’ 40 For the present industrial organisation and institutional arrangements see Chapter 4 above.

Conclusions 199 and disadvantages to the worker arising from the exercise of the right of free movement, in order to ensure that the migrant and his/her family members integrate into the host Member State.41 The freedoms of movement and residence granted under Art 39 (ex 48) EC, together with the related social and other ancillary rights, were also granted to the self-employed and entrepreneurs in exercising the right of establishment and to provide services within the EC, and any restrictions on such freedoms have been abolished accordingly.42 Until recently, the EC free movement rights focused on the movement of the economically active. Finally, however, the EC has moved away from this position, and expanded the right of free movement in an internal market that allows the free movement of all persons. Thus, not only the economically active ones but all nationals and the lawfully migrant residents of the Member States now benefit from such a right. In particular, Art 18 (ex 8a) of the EC Treaty provides that every citizen of the Community shall have the right to move and reside freely within the territory of the Member States. Secondary legislation gives effect to said free movement and residence of persons: Directive 2004/38/EC, also known as the Citizenship Directive, drawing on early Community legislation as well as the relevant jurisprudence and wide interpretations of the European Court of Justice, has renewed and integrated the earlier framework. Importantly, as said, it applies to all European citizens and legitimate third-country nationals irrespective of any test of economic sufficiency, removing restrictions on the movement and residence of natural persons within the Community.43 Consequently, the rights contained in the citizenship provisions extend the network of protection offered to all European citizens who now enjoy

41 Article 39 (ex 48) of the EC Treaty. As required under Art 39(3)(d) (ex 43(3)(d)) and Art 40 (ex 49), secondary legislation was introduced to give substance to the free movement of workers. Principal interventions include Directive 68/360/EEC, OJ L 257 p 0013–0016, governing rights of entry and residence; Regulation 1612/68, OJ L 257 p 0002–0012, governing access to, and conditions of, employment; Regulation 1251/70 OJ L 142 p 0024–0026, governing rights to remain in the territory of a Member State after having been employed there; Directive 64/221/EEC OJ L 56 p 0850–0857, governing Member States’ right to derogate from the free movement provisions on the grounds of public policy, public security, or public health. Such measures were later repealed or updated by the so-called Citizenship Directive 2004/38/EC, below at 41. The term ‘worker’ has been broadly construed by the following jurisprudence of the European Court of Justice. See Hoekstra v BBDA; Levin v Staatssecretaris van Justitie; Kempf v Staatssecretaris van Justitie. For the free movement of students see Brown v Secretary of State for Scotland; Lair v Universität Hannover. See also Directive 93/96/EC OJ L 317 p 0059–0060 now replaced by the Citizenship Directive 2004/38/EC, below at 41. 42 Articles 43–48 (ex 52–58) of the EC Treaty provide for the right of establishment. Articles 49–55 (ex 59–66) establish the right to provide services. 43 Directive 2004/38/EC OJ L 317 p 0059–0060. Grounds for derogation are public security, public health, and public policy.

200

Law and Consumer Credit Information in the EC

the same related social and ancillary rights as the nationals of the host Member State.44 (iii) The freedom to provide and receive services within the EC. Article 49 (ex 59) of the EC Treaty provides that restrictions on the freedom to provide services within the Community are prohibited in respect of nationals of Member States who are established in a State of the Community other than that of the person for whom the services are intended.45 And, without prejudice to the right of establishment, the person providing a service may temporarily pursue his/her activity in the State where the service is provided under the same conditions imposed by that State on its own nationals.46 However, the scope of Art 49 EC does not simply refer to a temporary form of establishment where people move to provide services, or to services provided cross-border without physical movements. In fact, it also includes the situation where people move and remain in another Member State to receive the services.47 (iv) The respect for the Community principle of non-discrimination according to nationality. The EC Treaty expressly makes discrimination on the grounds of nationality illegal.48 A common requisite in the free movement provisions and the achievement of the Common Market (including a single market in consumer credit) is the prohibition of all forms of discrimination on the grounds of nationality, both direct and indirect. Such a prohibition has been central to the interpretation and development of the law throughout the years. At first, non-discrimination rights referred to the economically active and their families.49 From the start, the European Court of Justice has adopted a very broad approach to the issue, including the challenge to rules that were not unequivocally discriminatory but which still had an adverse impact on people’s ability to exercise their free movement rights. The prohibition of discrimination, in fact, applies to any rules that, although expressed as operating without distinction, constitute a barrier to free move-

44 Baumbast v R; Martinez Sala v Freistaat Bayern; Collins v Secretary of State of Work and Pensions; Trojani v Le Centre Public d’Aide Sociale de Bruxelles. 45 Article 49 (ex 59) of the EC Treaty. 46 Article 50(3) of the EC Treaty. 47 Watson v Belmann; Luisi v Ministero del Tesoro; Commission v Netherlands. Note that the impact of citizenship rights may also be felt in this area of EC Law. See Carpenter. 48 Article 12 (ex 6) of the EC Treaty. 49 Articles 39(2) (ex 48), 43 (ex 52) and 49 (ex 59) of the EC Treaty all provide that the freedoms granted to the migrant workers shall entail the abolition of any discrimination based on nationality between workers of the Member States.

Conclusions 201 ment rights.50 It has a twofold purpose: it concerns both professional and personal rights. Together with the former rights, in fact, the law covers all social advantages whether or not attached to contracts of employment.51 By contrast, in the case of a provider of a service under Arts 49 and 50(3) of the EC Treaty, the matter is less clear as far as it concerns the right to claim full equality other than access to, and conditions of, work in the host Member State. The related freedom to receive services, however, also imposes equal personal rights, at least as far as it concerns rights apt to provide/ receive, in the host Member State, those services on a temporary basis free from discrimination on the grounds of nationality.52 At any rate, the Citizenship Directive now clarifies any doubt. It extends the provisions of equality of treatment and related jurisprudential interpretations to all Community citizens and third-country nationals lawfully residing, as well as providing or receiving services, in the territory of the host Member State.53 In conclusion, thus, the impact of the concept of citizenship can be observed in full on the prohibition of discrimination based on nationality, enabling those who move and reside within the EC to enjoy the same treatment in law irrespective of their nationality, where direct or indirect barriers to such free movement provisions shall be removed.54 As is made clear in the section above, no law or regulation provides for the right to credit, either in terms of straight professional or personal right. Arguably, nevertheless, access to credit constitutes a precondition for the equality of treatment among EC citizens and lawful third-country nationals to fully enjoy the rights granted by the Community freedoms. At the very least, when a national or resident of a Member State applies for credit to a 50 Union Royale Belge des Sociétés de Football Association v Bosman. 51 Ministère Public v Even. Of particular interest for the subject matter of this work is Reina v Landeskreditbank Baden-Würtemberg. An Italian couple living in Germany claimed a special State-financed childbirth loan from a bank, which was however payable only to German nationals living in Germany. The bank claimed that the loan was not a social benefit as it was not granted as a social right and in any event was granted as every other loan on a discretionary basis (arguing that the difference in treatment was justified on account of the practical difficulties of recovering loans from workers later returning to their home country). The ECJ held that the loan should have been granted by reason of the claimant’s objective status and that social advantages covered not only benefits granted as of right but also those granted on a discretionary basis. Similarly, see Commission v Italy, where it was held that a discounted mortgage facility available to Italian nationals was in breach of then Art 7 EEC, now Art 12 (ex 6), and therefore should have been made available on a basis of equality to all residing EC nationals in Italy. 52 Gravier v City of Liège; Luisi v Ministero del Tesoro. 53 Directive 2004/38/EC, cit at 41. Such extension has some limitations applying to those who are not economically active (excluding family members of economically active ones) as far as it concerns social assistance during the first three months of residence or while seeking work. 54 Maybe the most interesting cases on the repercussions of citizenship can be observed in Grzelczyk; Collins v Secretary of State of Work and Pensions; Ioannidis.

202

Law and Consumer Credit Information in the EC

lender in another Member State, whether in the exercise of the freedom of movement right or the right to receive services, he/she should benefit from exactly the same treatment that nationals of the host Member State enjoy. For example, a consumer lawfully resident in another Member State should be able to buy goods on the same terms and conditions as anyone else, including the possibility of taking advantage of the credit/instalment purchase facilities on offer. It would be discriminatory to offer better deals to people only on the basis of nationality, especially if one considers that a number of expensive goods on many occasions may be purchased only on credit terms. Any direct or indirect barrier to achieve equality, therefore, should be removed. Indeed, the problem with consumer credit reporting is that it seems to represent a barrier in access to credit for foreign nationals, and is thus an indirect form of discrimination based on nationality that undermines the full enjoyment of the basic Community freedoms and their corollaries. As the previous chapters have emphasised, the inconsistency appears to be that there is no credit history of a migrant the first time he/she accesses a Member State’s credit market. Should this circumstance constitute a barrier, turning down the application or providing credit at a more expensive rate, the discrimination based on nationality would be blatant. As reasoned above, in the opposite case it would be hard to accept credit reporting as an effective tool for credit risk management – or at least it would be hardly justifiable to sacrifice individual rights for it. At the same time, as Chapter 4 has stressed, the interrogation of a foreign lender to a CRA of another Member State, or national CRAs communicating data to each other, would accrue the potential of dissemination of personal financial data, exacerbating the privacy concerns so far extensively expressed. Additionally, leaving aside for a moment the identified violations of data protection legislation, there would be a difficulty with the well known problem of differing implementation of Directive 95/46/EC in the various Member States, where the absence of uniformity could easily create incongruence and a lack of reciprocity in the application of conflicting national laws and other regulations. For example, supposing an Italian lender were dealing with an English consumer, the former would approach an English CRA to obtain a credit report, and English law would apply. In the opposite scenario of an English lender dealing with an Italian consumer and approaching an Italian CRA, the lender would need to comply with Italian law. But, as shown in the case study in the Appendix, Italian law in this matter is very different from English law, bearing different consequences on consumers’ privacy, which would inevitably create an uneven playing field within the Community. This situation would be even worse if, for example, a French consumer or a French lender were involved. French law, in fact, prohibits CRAs, and certain information from being processed.55

55 See Chapter 4 and Table 4.3 above.

Conclusions 203 For this purpose, it should not be forgotten that communication between certain countries is at present impossible for structural and institutional reasons, as systems are very different from country to country, access to them depends on different rules or practices, and there is no uniform standardisation of the type of information involved.56 Finally, in the worrying scenario – at present remote – that all countries permitted CRAs to operate in their market and that the latter decided to form a network, the legal obstacle to such dissemination, apart from the respect for data protection rights, would be that of a concerted cartel in the EC information distribution market. Further thought and debate would be necessary should such a presently distant possibility one day materialise. As the situation stands, therefore, the EC dimension seems to constitute an important legal obstacle to the sharing of information, as it indirectly discriminates against individuals based on their nationality. At the same time, this condition could also possibly act as a disadvantage for lenders, who risk losing out on the market of consumer migrants, or who may grant credit to individuals who have a bad credit history and/or are over-indebted in another Member State.57 This, at least, seems to be the present scenario, unless lenders contradictorily recognise that they do not attach all that much importance to consumer credit reporting, in which case it would count as a manifest admission of civil liberties violations for the many legal reasons analysed throughout this study. In the end, therefore, the European dimension not only fortifies the argument of the unlawfulness of the present consumer information sharing practice, but also suggests that industry-specific legislation, though appreciable and welcome as it may be in order to stem consumer concerns, could hardly be practicable unless there is an institutional re-organisation. Most probably, as the case of Italy illustrates in the Appendix, the explicit regulation of the sector could be a viable temporary national solution in those Member States where CRAs operate, but at present the much-needed European harmonisation and Community competence proves very difficult for the emphasised institutional problems – the more if one considers the failing outcome of the issue in the discussions accompanying the proposals for a Consumer Credit Directive.58 As the state of affairs of consumer credit reporting represents an obstacle to free movement, the freedom to provide/receive services, and market integration, Art 95 of the EC Treaty could form the basis for Community

56 See Chapter 4 for the distinction between CRAs and PCRs, and the structural impediments that such a distinction involves, and Table 4.1 for the institutional mapping within the EC. 57 It could also be the case, for example, of nationals of the same Member State of the lender who have a bad credit history or are over-indebted in another Member States where they have been resident in their exercise of the right of free movement. 58 See Chapter 4 above.

204

Law and Consumer Credit Information in the EC

competence in adopting those measures that have the objective of establishing the Internal Market as well as measures relating to its functioning.59 However, as this analysis has attempted to demonstrate, for this to be done the EC should start to question and re-think the institutional arrangements in place as the foundation on which to build an integrated credit market where consumers receive adequate protection.

Concluding policy and institutional considerations So far this study has attempted to stress that to the extent the credit industry in general, and CRAs in particular, need to rely on informed and freely given consent to legitimise personal data sharing – and, ultimately, to validate the existence of the business – the present system and procedures seem wholly at variance with the positive law. Or, if someone wants to take a different point of view, it is the present legal framework that is not adequate for the current practice. Before suggesting that the law is inadequate, however, this study takes the view that the former conclusion is more likely to correspond to the present standing, at least insofar as further studies demonstrate conclusively the industry’s prevailing need for consumer information sharing – in the form currently carried out by CRAs and for the stated purposes – in order to justify the sacrifice of a fundamental human right such as privacy. It appears, in fact, that the heart of the debate and fundamental question referring to credit reporting for consumers is how far the latter should be forced to surrender their privacy in the interest of the credit industry (under these circumstances, not in the general interest), bearing in mind that the ‘utilitarian’ concerns of lenders cannot necessarily prevail over civil liberty and fundamental human rights concerns.60 By contrast, should decisive evidence be provided that the reporting of consumer financial information is carried out in the general interest, then different considerations would apply. For this to be done, however, it would mean to count the monitoring of consumer operations as necessary to the stability of the financial system and the prudential supervision of the banking system, a job carried out by Central Banks or other financial authorities. In that event, data protection would no longer represent the applicable

59 Article 95 of the EC Treaty assigns Community’s competence for the adoption of measures for the approximation of the provisions laid down by law, regulation or administrative action in Member States, which have as their object the establishment and functioning of the Internal Market. In particular, Art 95(3) provides that ‘The Commission, in its proposals . . . concerning health, safety, environmental protection and consumer protection, will take as a base a high level of protection, taking account in particular of any new development based on scientific facts. Within their respective powers, the European Parliament and the Council will also seek to achieve this objective’ [emphasis added]. 60 The same concern has been expressed by Howells (1995), 358.

Conclusions 205 legislation, thus solving the problem of enforced consent and lifting any bureaucratic burden on data controllers. The public sector in all Member States, in fact, is governed by the legality principle, the basic rule being the possibility to freely process data if necessary for the performance of a task carried out in the public interest. At the same time, very different rules would need to be present. To begin with, there would be a problem with non-bank lenders that do not take part in the banking system. These are private organisations that should abide by the same market rules and laws that every person, either natural or legal, should respect, without benefiting from privileged instruments that suppress the rights of individuals. If these lending organisations do bad business as the result of their choices, then they should fail. By contrast, if they are good then they should succeed. What matters for this discussion is that the stability of the system as a whole has no interest in their financial health, and they should be allowed to fail as any other company does in a market economy. Secondly, consumer credit lenders that are banks would need to report credit operations principally for the assessment of their own financial stability. Such reporting, however, should be done to an institution that has the legitimacy and the authority to receive it. And, yet again, this is where the CRAs’ role and type of organisation institutionally fail. As this work has explained in Chapter 4, it would rather be the task of PCRs or other financial authorities to include consumer credit operations in the wider context of financial reporting for the prudential supervision of the system, together with the obligation to abide by the set of rules that follows with the participation in such systems. This, inter alia, would at least carry the advantage for consumers of clear and transparent rules, the use of essential information only, and accountability measures in place for the respect of rules legitimately set according to a proper legislative or regulatory procedure.61 Arguably, the feature that the set of rules of the system originates from the legality of a legitimate law-making process (i.e. sources of legal theory) would represent per se an important consumer protection guarantee. Further, consumers could find another guarantee in the legitimacy and authority of supervisors and regulators, as well as a better governance of power that would carry with it measures of accountability. Accountability, in fact, may play a major role in the management of economic and social resources, including the rights of individuals.62 It is a pervasive concept defined as: an obligation owed by one person (the accountable) to another (the accountee) according to which the former must give account of, explain

61 See Chapter 4 above. 62 World Bank (1992).

206

Law and Consumer Credit Information in the EC and justify his actions or decisions against criteria of some kind, and take responsibility for any fault or damage [emphasis added].63

A key element at the core of accountability is the content of the obligation of the accountable, that is the obligation of the holder of power to give an account of his decisions or actions, to explain and justify them, and to own the responsibility and take appropriate measures of amendment or redress when error is proved or harm inflicted. The establishment of clear criteria of conduct and specific outcomes are paramount ingredients of the content of such an obligation, for any form of accountability presupposes the existence of objectives or standards according to which an action or decision may be addressed.64 As Chapter 4 has underlined, all these mechanisms of good governance legitimately exist for PCRs, but are absent as far as CRAs are concerned. Still, this issue could prove vital for the pursuit of the general interest in a more transparent environment, thus ultimately in the protection of consumers against abuses of their rights. On the practical side, the relevant authorities presently in charge of supervising the financial system have already developed a communication network among them, showing that appropriate cooperation is already in place without the hurdle of creating a system from nowhere.65 Additionally, the existing technologies in use in the sector support the view that, for such a system to be complemented, radical organisational or innovative measures would not be required.

63 Lastra and Shams (2001). 64 Ibid. 65 The European institutional architecture for the regulation and supervision of the financial stability of the system is a rather complex one, which was approved in December 2002 by the Council of Economic and Financial Affairs (ECOFIN). The main aim of this fully-fledged reform is to respond to the challenges brought by the ongoing process of financial integration in the EC and the introduction of the Euro currency. It entails a strict cooperation between regulatory and supervisory national authorities, both across sectors and across countries, in order to obtain an optimal knowledge of European crossborder financial activity allowing convergence towards supervisory best practices and ensuring financial stability. The institutional arrangements foresee a sectoral and decentralised model of financial regulation and supervision leaving those functions at national level but ensuring cooperation among the national regulators and supervisors. In compliance with Art 105(5) of the EC Treaty, the European System of Central Banks contributes to the conduct of the policies pursued by the competent authorities in relation to the prudential supervision of credit institutions. At the same time, the Treaty leaves open the possibility that the European Central Bank, as the institution setting monetary policy, gains some supervisory responsibility with the exception of insurance companies. Thus, the explicit coordination among competent national supervisors and the implicit coordination between the latter and monetary policy-makers take place in the Banking Supervision Committee of the European Central Bank which has become the legitimate forum for cooperation between supervisors and central bankers in the EC. For a detailed description see Nieto and Penalosa (2004).

Conclusions 207 Thus, the inclusion of consumer financial data, in an appropriately regulated form, in public credit registries may be used not only to strengthen bank supervision, but could also serve to improve the quality of credit analysis by financial institutions to the extent that this is necessary in the general interest of financial stability.66 In this way, fundamental privacy rights and civil liberties could be better preserved and, should any sacrifice of the latter occur and in the measure that this is eventually necessary, that would be in the general interest but still in a regulated environment designed to stem excesses and abuses. Last but not least, the supervisors or regulators of the Member States could legitimately engage in a European exchange of information that could not only strengthen the supervision of the European financial system, but could also foster the Internal Market by removing barriers to the basic Community freedoms, and making a step in support of the creation of a single European market in consumer credit where consumers receive adequate protection. For this to occur, there would need to be agreement about the standardisation of the type and use of information and the setting of a very low – possibly zero – threshold in PCRs.67 In extreme synthesis, this work has attempted to stress that it is doubtful that consumer credit reporting complies with the requirements of data protection legislation, and in any event such a law would be inadequate to bring a balance to the sector, solving the number of concerns that affect individuals and the larger European society alike. In all likelihood, the response to all the above questions that could be inferred from this study is that the present market structure and institutional

66 For similar considerations about the value of public credit registries see also Majinoni et al (2004). It may be worth a note that the new recommendations of the Basel Committee for Banking Supervision (so-called Basel II) on the methods aimed to determine the necessary capital requirements of banks permit for the first time the latter to group their loans to private individuals into a retail portfolio to be audited by the competent supervisory authorities. CRAs clearly do not and cannot have a role, first of all because of the aims and design of credit reporting systems (information sharing is alien to the analysis of an existing portfolio) and, in any event, lack the necessary authority. On the risk relating to retail credit portfolios see Kaltofen et al (2006). At the same time, it is important to stress the difference between CRAs and Credit Rating Agencies like Standard & Poor, Moody’s and Fitch. First of all, the latter provide different functions where they play a role in global market regulation and are authoritative gatekeepers for the issue and trading of debt securities (and no civil liberties or human rights are involved). Importantly, many States give official recognition to rating agencies that meet certain criteria. Moreover, according to scholars, the latter have acquired an ‘epistemic’ authority which is less contestable than that of CRAs which, among other things, are the first ones to acknowledge the limits of their authority when claiming that they are simply information providers and bear no responsibility for decisions that are taken solely by lenders. See Olegario (2003); Schwarcz (2001); Jackson (2001). 67 Jappelli and Pagano (2005).

208

Law and Consumer Credit Information in the EC

architecture are not appropriate, and that a system of governance in a framework of legality should be rethought for the sector. Before that, however, it is the purpose of consumer credit reporting that should be reset, provided that this is in the public interest – that is for the prudential supervision of the European financial system. This would clarify, at least, the institutional side of the reporting of consumer financial information and the resulting legal framework. Almost certainly, the above thoughts may raise further questions and controversy. At this stage, however, they are intended as early policy considerations that have the precise aim of being a starting point for stimulating further scholarly debate and research, particularly among lawyers. After all, what this work has stressed on more than one occasion is the lack of legal and institutional transparency that surrounds the subject matter, therefore public discussions are not only opportune but indeed essential.

Appendix Case studies

United Kingdom In the United Kingdom there is no law that specifically regulates creditreporting activities. There are, however, two laws that have a significant impact: (i) the 1974 Consumer Credit Act as modernised and reformed by the 2006 Consumer Credit Act, and (ii) the 1998 Data Protection Act transposing EC Directive 95/46/EC. Other laws, regulations, or codes of practices to be taken into account would also include: (iii) Bank secrecy/confidentiality laws; and (iv) the Banking Code of Practice. The 1974 Consumer Credit Act (i) established the early regulation of the credit reporting industry. The Act contains a number of provisions available to consumers to remedy the main mischief that may occur. Under s 25 of the Act all CRAs must be licensed by the Office of Fair Trading (OFT), the latter having the right to revoke such licence, inter alia, for deceitful or oppressive business practices, or unfair or improper conduct. These powers available to the OFT are commonly said to ensure that CRAs disclose credit information about individuals strictly for the purposes intended. Section 157 puts the lenders under a duty to disclose to the consumer at his/her request the name and address of any CRA to which the lender applied for information. Section 158 then goes on to oblige CRAs to provide the consumer with a copy of the file relating to him/her, together with a statement1 of his/her rights to have mistakes corrected under s 159.2

1 As prescribed in Consumer Credit (Credit Reference Agency) Regulations 1977, SI 1983/1571. 2 See also Alqudah (1995), 54; Harvey and Parry (1996), 312–313.

210

Appendix

The 2006 Consumer Credit Act reforms the Consumer Credit Act 1974. The aim of the Act is to protect consumers and create a fairer and more competitive credit market. There has been some pressure from the industry to use the 2006 Consumer Credit Act as a vehicle for addressing the issue of data sharing. However, this issue has been considered wider than just what is covered by the Act. Data sharing does not therefore feature in the Act, and the Government does not propose to make any changes relating to CRAs.3 It should be noted from the outset, however, that the provisions referring to CRAs in the 1974 Consumer Credit Act do not address the issues of data collection, processing and dissemination, and thus ignore privacy concerns. Thus, today the primary mechanism for regulating the activities of consumer credit reporting in the UK is the 1998 Data Protection Act (DPA), transposing EC Directive 95/46/EC4 (ii). The DPA reproduces the principles of the Directive discussed in Chapter 6. It includes a notice of purpose of the data collection, the types of data that are collected, basic rights of access, as well as principles of good practice in which data have to be processed fairly and lawfully, and for only limited purposes and a limited time. The DPA also provides that a data subject has the right to prevent the data controller from taking evaluation decisions concerning him/her by automated means alone.5 Hence, the analysis provided in Chapter 6, as well as the problems outlined therein, would apply for CRAs, taking into account that the provisions of the DPA should not fall short of the minimum protection guaranteed by the Directive. As has been pointed out in Chapter 1, lenders not only subscribe as client members to CRAs for the use of the information of the databases but also contribute information to them. This is where questions of potential breaches of bank secrecy/confidentiality (iii) may arise. It has been already accepted for some time through banking practice that lenders reveal negative information to CRAs. By contrast, banks have stated in the Banking Code of Practice (iv) that no positive information would be passed to CRAs without the consent of the customer (the Banking Code of Practice March 2005, para 13.8).6 However, whether there is a legal justification for such practices (concerning both negative and positive credit data) is problematic. In fact, nothing is said in the Banking Code of Practice about its legal status, and there is no suggestion that it confers legal rights on customers, although it purports to impose liabilities on them. As it is expressly stated that it is ‘voluntary’, it

3 Department of Trade and Industry, ‘Consumer Credit Bill, Full Regulatory Impact Assessment’, available at www.dti.gov/uk/ccp/creditbill/pdfs/creditbillria2.pdf; Experian, available at http://www.experian.co.uk/corporate/compliance/consumercredit/consumercredit.html. 4 OJ L 281, 23 November 1995, p 0031–0050. 5 See Carey (2004a); Lowe and Woodroffe (1999), s 26.04. 6 See Campbell (1999), 76–96, 93.

Appendix

211

may well be suggested that it has no legal effect at all (but, as subscribing banks advertise that they adhere to it and make it available to customers, its provisions may not be treated as implied terms in the banking contract).7 In addition, there is no statutory law relating to the bankers’ duty of secrecy and the rules as set by precedents and terms implied in the contract between a bank and a customer. To recapitulate what has been anticipated earlier in Chapter 4, the leading case is Tournier v National Provincial and Union Bank of England, in which it was established that the bank owed its customer a legal, and not merely a moral, duty of confidentiality, and could not lawfully disclose to third parties information concerning the customer’s affairs.8 This duty is not absolute but it is qualified by four exceptions: (a) (b) (c) (d)

where disclosure is under compulsion by law; where there is a duty to the public to disclose; where the interests of the bank require disclosure; where disclosure is made by the express or implied consent of the customer.

Legal scholars mainly assume that banks have been relying on either exception (c), the interest of the bank; or exception (d), consent of the customer; but it is arguable that banks have no entitlement to divulge customers’ credit information under the common law and that the safest and proper course of action would be to ensure that they have the consent of the customer, either express or implied.9 To this purpose, it is worth going back a little in history to look at the 1998 ‘Jack Report on Banking Service: Law and Practice’, which looked at many aspects of the banker–customer relationship.10 The Jack Report was never implemented, but its findings are nonetheless interesting. The recommendation in relation to CRAs and the possible disclosure of confidential information by banks was made that the extent of permitted disclosure ‘in the interest of the bank’ without customer consent should be clearly limited by statute, and that in any event exception (c) should not really be used other than in the most tightly defined situations.11 In addition, exception (c) could not be used to justify the sharing of positive information. Therefore, this would leave a bank disclosing a customer’s information having to obtain consent from him/her, or being able to demonstrate implied consent. 7 8 9 10 11

Ellinger et al (2002), 61. [1924] 1 KB 461. Wadsley and Penn (2000), 137–199; Campbell, op cit at 6, 93 et seq. (1989) Cm 622. Turner (2000).

212

Appendix

Implied consent, however, whether it could be considered acceptable for bank secrecy purposes, is problematic. As Chapter 6 and 7 attempt to demonstrate, in fact, it would not comply with data protection legislation. Moreover, to what extent could a bank argue that a customer knew or ought to have known of all the uses of his/her personal data as outlined above, in order to justify arguing for implied consent? In the end, one suspects that in such a situation there would be grounds to exclude the application of exception (c), and that consent should not be implied. To complete the picture, finally, it should be pointed out that, as far as the institutional point of view of credit reporting is concerned, there is in place a complex system of enforcement and supervision. According to the 1974 Consumer Credit Act, the Department of Trade and Industry (DTI) issues regulations, while the OFT has the duty to supervise the enforcement. According to the DPA, however, the Home Office issues regulations and the Information Commissioner is the enforcement authority.12 Secondary legislation on CRAs in the UK includes the Consumer Credit (Conduct of Business) (Credit References) Regulations 1977 No 330, amended by the Consumer (CRA) Regulations 2000 No 290, and the Consumer Credit (Conduct of Business) (Credit References) (Amendment) Regulations 2000 No 291. In conclusion, the main barrier to sharing consumer data seems to be the interaction between the DPA and the common law duty of confidence. The DPA, in fact, requires that any processing of personal data must be ‘lawful’. Legal advice sought by the Information Commissioner about historic data concluded that: . . . the above exceptions could not be used to justify the sharing of positive information without consent. This legal advice also raised doubts as to whether these exceptions to the duty of confidence could be used to justify the sharing of negative information.13 Under all these circumstances, thus, there could be doubts stimulating challenging legal analysis, in particular with reference to: 1) ‘extortionate or enforced consent’ (the same consideration described above in Chapter 7 relating to consent would apply); 2) whether Tournier could also apply and relate to lenders that are not banks (as it has been stressed elsewhere, in fact, an increasing number of lenders are not banks); 12 See Jentzsch (2003a). 13 House of Commons Treasury Committee (2005) available at www.which.net/campaigns/ personalfinance/credit/creditact.html, quoting the Letter from the Information Commissioner to the Committee, annexed at EV 74, 25.

Appendix

213

3) the adequacy of case-law referring to a case heard in 1924 as compared to banking practices applied that employ modern technological advances and sophistication. The case of the UK provides a concrete example of the problems stressed throughout this work about the compliance of consumer credit reporting with omni-comprehensive data protection legislation to stem consumer privacy concerns. In addition, the issue of legitimate, freely given consent is further reinforced by the legal requirement of the law of confidence.

Italy The system of collecting and disseminating financial information in Italy is characterised by a mixed institutional structure between public, publiccontrolled and private organisations. By provision of law, the Bank of Italy controls directly a centralised creditrisk information system as part of its role as supervisor of the soundness of the Italian banking system. This centralised system records all data relating to credit operations between banks operating on the national territory and their customers (either physical or legal persons) for amounts over
77,468.00 and it is specifically regulated by the so-called Consolidated Statute on Banking and Credit and the dispositions of the Bank of Italy enacted accordingly.14 In addition, by virtue of a specific resolution of the Inter-ministerial Committee for Credit and Savings (CICR),15 in 1999 a low-level credit risk information system has been set up recording credit operations of amounts between
31,246.00 and
77,468.00 between banks and their customers (again, either individual or business clients) managed by a private company (called ‘SIA SpA’) controlled by the Bank of Italy.16 This means that in Italy it is mandated by law that lenders communicate all credit operations for amounts equal to or greater than
31,246.00 to the above information systems. The legislator, evidently, did not consider information about credit operations below the latter-mentioned amount to be either an issue or a threat to the prudential supervision of a sound financial system. 14 Sections 13, 53(1)(b), 60(1), 64, 67(1)(b), 106, 107, 144, and 145 of Legislative Decree No 385 of 1 September 1993. See also CICR resolution of 29 March 1994; the Bank of Italy provision of 10 August 1995; the Bank of Italy circular letter of 11 February 1991 (as subsequently updated). 15 The CICR is a collegial organ instituted by Legislative Decree No 691 of 17 July 1947 to satisfy the needs of the Public Administration and Government in the area of the protection of savings and credit. It is composed by the Ministers of the Economy, Infrastructures, Productive Activities, Agriculture and Community Policies together with the Governor of the Bank of Italy. 16 CICR resolution of 3 May 1999 as published in OJ No 158 of 8 July 1999.

214

Appendix

At the same time, however, the institutional arrangements so far described make it implicit that information about credit operations below
31,246.00 has been opened to free market forces and, as a consequence, taken over by profit-seeking private organisations that have developed a brand new consumer credit information sector based on the Anglo-American model. As often happens, the import of a new system that affected the lives of consumers carried with it a great deal of controversy. In an attempt to stem concerns about the consequences of an undisciplined use of consumer credit data, a worrying increase of controversy concerning the violation of the Italian Data Protection Code,17 and the awareness of the need to strike a balance between legitimate individual privacy rights and the requirements of the credit industry, the Italian Data Protection Authority (hereinafter ‘the Authority’) enacted the new ‘Code of Conduct and Professional Practice applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments’ (hereinafter ‘Code of Conduct’), which entered into force on 1 January 2005 and was to be implemented by 30 June 2005.18 Since these dates, anyone using personal data for the purposes of consumer credit and/or concerning the reliability and timeliness of payments must abide by its rules of conduct ‘as a fundamental prerequisite for the processing to be lawful and fair’.19 Of course, (1) it is expressly exclusive in its application to the centralised credit information system controlled by the Bank of Italy, and (2) it is provided that the centralised system for low-level risk assessment for amounts between
31,246.00 and
77,468.00 shall be regulated only by some of the provisions of the Code of Conduct concerning the notice to be given to data subjects and the exercise of their rights, insofar as they are compatible with the specifically applicable instructions of the Bank of Italy as published in the Italian Official Journal No 272 of 21 November 2000.20 The new legislation, which is composed of a preamble and 14 articles, has been elaborated on by the Authority in consultation with the credit industry, CRAs and consumer associations,21 in pursuance of ss 12 and 117 of the Italian Data Protection Code. The following is a comprehensive analysis highlighting the issues dealt with by the law now in force:

17 Legislative Decree No 196/2003 of 30 June 2003, substituting the Data Protection Act ex Law No 675/96. 18 Code of Conduct, Art 14 – Entry into Force. 19 Code of Conduct, Preamble, para 4. 20 Code of Conduct, Preamble, para 6. 21 Although the latter complain that they have been involved only after the Code of Conduct was drafted. See the comments to the Code of Conduct of the Consumer Association Adiconsum in response to the public consultation launched by the Authority available via http:// www.privacy.it/adiconsum.html on 4 November 2004.

Appendix

215

(a) Preliminary declarations of principle The Preamble plays a very important role as it sets out the essential principles that represent the precondition for the application of the rules contained in the Code of Conduct itself. As expressly declared, it aims at setting forth adequate safeguards and processing mechanisms to protect the rights of the data subjects which have to be abided by for the purposes of protecting credit and limiting its risks in order to facilitate access to consumer credit and reduce the risk of over-indebtedness. Likewise, it is importantly stated that the processing of personal data ‘shall have to be performed by respecting data subjects’ rights, fundamental freedoms, and dignity, with particular regard to the right to personal data protection, confidentiality, and personal identity’.22 What strikes one’s attention from the start is that notwithstanding the enactment of this specific law for credit reporting, CRAs and lenders are nevertheless expressly required to comply with the safeguards set out in the Data Protection Code with particular regard to obtaining consent. From the above, thus, it could be argued that the Code of Conduct supplements the Data Protection Code every time the latter is considered inadequate and in the event of conflict between the two, the provisions of the latter should prevail. (b) Limits on the use of data After giving the relevant definitions,23 the new law sets out the limits to the use of consumer credit data, providing that they may only be processed for the purpose of protecting credit and limiting the risks of non-repayment by assessing the financial status of the data subjects and their creditworthiness. No other purposes may be pursued, especially in connection with marketing activities and/or the promotion, advertising and/or direct selling of products or services.24 (c) Types of data Article 3 of the legislation prescribes that CRAs’ databases may not contain in a consumer’s file either information about other persons other than the consumer who has made a credit application (or those who are a party to the credit relationship), or sensitive or judicial data about him/her. The processing of credit information, in fact, must concern only:

22 Code of Conduct, Preamble, para 1. 23 See Code of Conduct, Art 1 – Definitions. 24 Code of Conduct, Art 2 – Purposes of Processing.

216

Appendix objective personal data that are closely relevant and not excessive in respect of the purposes sought and relate to a credit application/relationship as well as to any event occurring on whatever ground and for whatever purpose until remedying of the relevant defaults in compliance with the retention periods set out in the following Article 6.25

The provision, then, lists the types and sources of data that CRAs are allowed to process, including: census register data (i.e. name, date of birth, marital status, and current address), taxation ID, type of credit agreement, amount of credit, the repayment mechanisms, the status of the application and/or the performance of the contract, accounting data and time patterns relating to the payments, amount of residual debt and data related to credit litigations. The data that identify a lender have to be recorded in the CRAs’ databases, and should be accessible to both the relevant CRA and data subjects, whilst they may not be accessed by other lenders.26 (d) Responsibility and accountability for data collection and recording One of the most welcome innovations introduced by the Code of Conduct concerns the issues of making lenders and CRAs responsible and accountable for the type and accuracy of personal data collected, processed and used. According to Art 4 – which also codifies the principle that lenders should be able to access the databases only if they contribute to the same for the benefit of all the other contributing participant lenders – each lender is responsible for taking the appropriate measures to verify and ensure that the information to be communicated to CRAs is accurate and fair, and can be lawfully used in the system as provided by the Code of Conduct. Upon receiving the data, CRAs have the duty to verify the congruence of the information so communicated by means of logic and formal controls. If the data are found to be incomplete and/or incongruous, CRAs have to send them back to the same lender for the necessary corrections. Such information, thus, may be recorded in the relevant credit information system and made available to the other lenders only after the performance of said controls and corrections. Following the exercise of a right by a data subject, or in compliance with an order issued by either the Authority or another competent Court, any information recorded in a credit information system must be promptly deleted, supplemented or amended (as the case may be) either directly by the lender who has communicated the data at stake, if this is technically feasible, or by the CRA controlling the database.27

25 Code of Conduct, Art 3 – Data Quality and Categories, para 2. 26 Ibid, paras 3–5. 27 Code of Conduct, Art 4 – Data Collection and Recording, paras 1–5.

Appendix

217

Next, Art 4 sets out some elaborate rules relating to the time limits to be respected by lenders for the communication of the first payment delay of a consumer to the relevant CRA. Thus, a lender is entitled to communicate and share the default:

•

•

in the case of information systems collecting and sharing only negative (black) data, either after at least 120 days from the relevant payment deadline or in the event that the debtor defaulted on at least four monthly payment instalments, and these were not remedied within that period of time; in the case of information systems collecting and sharing both positive and negative data, either after 60 days following the monthly update that has to be effectuated by the communicating lender, or in the event that the consumer has defaulted on at least two consecutive monthly payment instalments, ‘or if the delay has to do with either the last or the last but one instalment (sic!)’. In this latter circumstance, such data shall be made available after the monthly update concerning the second consecutive default.

Once the above rules have been complied with, in addition, the communication of the data is subject to another requirement before they may be legitimately shared through CRAs, i.e. a lender is entitled to pass consumer credit data to CRAs only after at least fifteen days from informing the defaulting individual, together with the remainder of the relevant payment(s), that his/her data will be recorded in one or more credit information systems.28 (e) Notice Subsequently, the Code of Conduct prescribes in Art 5 a number of information duties to both lenders and CRAs. Innovatively, it introduces a compulsory model-notice to be provided in writing to the consumers at the time of the collection of the applicant’s personal data. Such a model-notice – containing at least the exact identification of the one or more CRAs used by the relevant lender, the categories of the members participating in their system, the data retention periods, eventual use of credit scoring techniques, and the mechanisms available to exercise their right of access according to s 7 of the Data Protection Code – has to be provided to consumers separately from other notices relating to the processing of their personal data for different purposes. Besides, any notice to be provided in relation to updates or changes concerning the information contained in the model-notice must be made available to consumers via regular communications and on the relevant websites. Likewise, CRAs will have to

28 Data Collection and Recording, paras 6–8.

218

Appendix

provide more detailed information supplementing those provided by lenders in the model-notice via additional dissemination mechanisms, including the use of electronic networks.29 In the event that an applicant is not granted credit, finally, the refusing lender has a duty to inform him/her as to whether it has consulted negative credit information in one or more systems together with the details required to identify both the source of such information and the controlling CRA.30 (f) Data retention periods and updating One of the most debated and controversial changes introduced by the new Code of Conduct concerns the introduction of limited data retention periods in the CRAs databases. It should be noted from the outset that the legislation at stake does not apply to the retention of their customers’ data by lenders for their own internal use, contractual relationship, and/or accounting records.31 By contrast, as far as the retention of consumers’ credit information held by CRAs is concerned, there is once more in place an intricate set of rules that may be summarised as follows: (i) credit data may be retained in CRAs’ databases for as long as necessary in order to evaluate a credit application but at all events for no longer than 180 days from the date of the same application. However, in the events that (i) the lender decides to refuse credit or (ii) the applicant himself or herself waives the application, the retention period of the data in the system may not exceed 30 days from the date of the monthly update referred to in Art 4 mentioned above;32 (ii) thereafter, once a credit relationship has been established, negative information relating to payment defaults that are subsequently remedied (i.e. effective late repayment) may be retained in the CRAs databases for (i) up to 12 months from the recording of the data concerning remedying of delays not exceeding two instalments or two months, or (ii) up to 24 months from the recording of the data concerning remedying of delays exceeding two instalments or two months. Upon expiry of either term, the information has to be removed from credit information systems if no data about further delays or defaults is recorded during the same term;33 (iii) negative credit information relating to payment defaults that are not subsequently remedied may be retained in the CRAs databases for no longer 29 30 31 32 33

Code of Conduct, Art 5 – Information Notice, paras 1–5. Ibid, para 6. Code of Conduct, Art 6 – Data Retention and Updating, para 9. Ibid, para 1. Ibid, para 2.

Appendix

219

than 36 months from the termination of the relevant contractual credit agreement;34 (iv) positive credit information may be retained in the CRAs databases for no longer than 24 months from the date of termination of the credit relationship;35 (v) however, if credit information systems contain information about the same individual relating to a different/separate credit agreement from the one that has been terminated with no defaults, the positive information about the latter may be retained in the system for longer than the term of 24 months. In such a circumstance, the positive credit information shall be removed from the system contextually with the negative information of the other relationship;36 (vi) in the event that a consumer notifies a lender that he/she decides to withdraw his/her consent to the processing of positive information, this lender will inform CRAs in the monthly update in order to remove said information by no later than 90 days from the update. The same applies in the event a consumer notifies such circumstance directly to a CRA (in that case the information has to be removed within 90 days from the date of communication to the CRA).37 Prior to the removal of consumers’ data in accordance with the rules above, CRAs are allowed to transfer the same data to a different database to be used exclusively for the purpose and time necessary for an eventual subsequent defence in a legal claim against them concerning the legitimacy of the data processing.38 (g) Use of data Article 7 dramatically restricts the circumstances in which a lender is entitled to consult a consumer credit information system, that is only when it seeks information about the applicant or the guarantor of someone else’s credit relationship solely on the occasion of a credit application. Each consultation shall relate exclusively to the personal data of the relevant applicant or guarantor, with bulk queries or acquisition of lists being expressly forbidden.39 However, there is an important exception to the principle of third parties not being allowed to access CRAs’ databases: credit information systems, in fact, are accessible by judicial or police authorities for the purposes of the administration of justice:

34 35 36 37 38 39

Data Retention and Updating, para 5. Ibid, para 6. Ibid. Ibid, para 7. Ibid, para 8. Code of Conduct, Art 7 – Use of Data.

220

Appendix . . . or else by other public institutions, authorities, administrative agencies and bodies exclusively in the cases referred to in laws, regulations and/or Community legislation [. . .].40

(h) Rights of the data subjects The Code of Conduct reinforces the provisions of the Data Protection Code with regard to the right of access, updating, amendment, rectification and cancellation by data subjects, specifying that they may exercise their rights towards either the relevant lender or CRA that, in turn, is responsible for dealing promptly and in full with such request.41 The same rights may be exercised by those third parties that are empowered in writing by the data subjects to act as an attorney or delegated entity who then may only process the personal data received from a credit information system for the purpose of protecting the data subject’s rights with the express exclusion of any other use.42 Complying with the terms set out in s 146(2) and (3) of the Data Protection Code,43 during the exercise of the above rights, CRAs have to keep track of such controls or grievances by means of the addition of a specific code in their database, for the initial term of 15 days. Throughout the following 15 days, instead, CRAs have to suspend the display of the data that are being controlled.44 ( j) Credit scoring The Code of Conduct, providing also for the regulation of the use of automated credit scoring, reflects the awareness of the Authority of the trends in the many uses of credit information systems and the additional services that CRAs offer to the industry. When the personal data contained in a credit information system are also processed by means of credit scoring techniques, both CRAs and lenders are made responsible for ensuring that: (i) such techniques may solely be used for investigating a credit application and/or managing a credit relationship already set up;

40 41 42 43

Code of Conduct, Art 7 – Use of Data, para 4. Code of Conduct, Art 8 – Access and Exercise of other Rights by Data Subjects, para 1. Ibid, para 3. According to the Data Protection Code, s 146(2), a response to the request shall be provided by the data controller or processor within 15 days of its receipt. Section 146(3) then provides that within the deadline referred to in para 2 above, the data controller or processor shall inform the data subject that the operations required to fully comply with his/her request are especially complex, or that delay can be accounted for on other grounds. In this case, the request shall have to be complied with in full within 30 days of its receipt. 44 Code of Conduct, Art 8, cit, paras 4–5.

Appendix

221

(ii) the data containing scores or otherwise judgements of data subjects may be communicated by CRAs only to the lender that either has received the relevant credit application or had previously communicated such application data. In any event, however, such data may not be retained in credit information systems nor may be made available to other lenders; (iii) the statistical models and algorithms used to calculate the scores must be verified regularly at least on an annual basis and updated accordingly; (iv) in the event credit is not granted, the relevant lender has to inform the applicant as to whether it has consulted or made use of credit scoring techniques. Upon express request of the consumer, then, the lender shall provide him/her with those same data and explain both the logic underlying the operation of the scoring system and the main factors that have been taken into account in processing the application.45 (k) Public information The Code of Conduct is also concerned with the use of public information collected by CRAs to integrate each consumer’s file. CRAs and lenders, in fact, are now responsible for ensuring compliance with the set of rules set forth in Art 10 every time CRAs, whether directly or through a subsidiary or affiliated company, process in whatever manner personal data from public registries, lists, records, or other publicly available documents, or otherwise provide lenders with services to access the data from such sources. Moreover, for the purpose of the application of Art 10, it is useful to remember that s 19(3) of the Data Protection Code provides that communication by a public body to private entities or profit-seeking public bodies, as well as dissemination by a public body, shall only be permitted if they are provided for by laws or regulations. Accordingly, thus, once public information has been properly identified: (i) the personal data from public registries referred above, if recorded, must be contained in a database separate from and not connected with the ones holding credit information; (ii) in the event that a lender accesses personal data from both a credit information system and one of such separate databases, the relevant CRA has to take suitable technical and organisational measures to ensure that the data from the credit information system may be taken apart and distinguished from those originating from such other databases so as to eliminate any ambiguities as to the different nature and source of the data;

45 Code of Conduct, Art 9 – Use of Automated Credit Scoring Techniques and Systems.

222

Appendix

(iii) in the event that credit is not granted, the refusing lender must inform the applicant as to whether it has also consulted negative information in such other separate databases, also specifying the one or more public sources at stake.46 (l) Security measures After having reminded once more the confidential nature of such personal data, the new legislation severely ascribes the natural persons appointed by either CRAs and lenders to process the data from credit information systems with the responsibility of secrecy of the information so accessed, being held liable for any breach of confidentiality resulting from the use of the data and/or disclosure of the data to third parties for unlawful purposes.47 Conversely, it must be stressed that CRAs and lenders shall a priori (i) issue specific instructions in writing to the persons in charge, and (ii) take all the necessary technical, logical, informational, procedural, physical and organisational measures to ensure the security and integrity of the databases. In addition, CRAs have the obligation to take every adequate measure to ensure the proper functioning of both credit information systems and access control, also by keeping record of every access.48 (m) Sanctions In its Art 12, the Code of Conduct reaffirms the administrative, civil and criminal sanctions set forth in the Data Protection Code. This means that the competent authorities may sanction either CRAs and lenders – if guilty – with the pecuniary fines and/or the criminal punishments set forth in ss 161 to 172 of the Data Protection Code, while data subjects are entitled to claim damages in tort to the Civil Courts according to the principles of law of the Italian Civil Code. What is new about sanctions, however, is that CRAs and lenders additionally have to lay down, in agreement with those consumer associations and other organisations that have underwritten the Code of Conduct, suitable mechanisms to impose restrictions to offenders proportionate to the seriousness of the relevant breaches. Such ‘sanctions’ (using the wording of the Code of Conduct) will be in the form of official warnings, suspension or the withdrawal of the authorisation to access credit information systems, and publication of the breach in one or more daily newspapers with nationwide circulation at the offender’s expense.49 46 47 48 49

Code of Conduct, Art 10 – Processing Data from Public Sources. Code of Conduct, Art 11 – Data Security Measures, paras 1–2. Ibid, paras 3–5. Code of Conduct, Art 12 (Sanctions).

Appendix

223

(n) Final Provisions. Finally, the two concluding articles of the Code of Conduct deal with the transitional period (also setting forth the relevant implementing measures) and its full entry into force.

Lesson from Italy? The enactment of the Code of Conduct certainly brings with it lights and shadows. On the one hand, in fact, the severity and specificity of the provisions analysed above do increase consumers’ privacy and, in the event of isolated cases of repayment default, reduce the risks of discrimination by means of instruments that are based on statistical considerations that do not provide evidence as to the certainty of the future behaviour of a human being. On the other hand, however, the industry complains that it will make it more problematic to obtain information on debtors, thus leading to more difficulties for financial institutions to evaluate risks in lending and, ultimately, having a negative effect on both the availability of credit and its costs.50 Only time will tell whether the Code of Conduct really makes it more difficult for financial institutions to carry on a profitable historical commercial business such as banking at higher costs for consumers and, in turn, to develop a healthy – and responsible – consumer credit market. What strikes an interpreter’s attention from the outset is certainly the difficulty of the reading of a legal text that appears very technical and complicated to the point of being ‘tortuous’ (probably because it is the result of the compromise between opposite contrasting interests taking more than two years of negotiations for its drafting), thus being open to criticisms and not providing the best example of model legislation for other countries with different legislative cultures and techniques. At the same time, however, the attempt of the Authority to safeguard and enhance the right to privacy – that, it is useful to remind, has been recognised, and should be considered as, a fundamental human right and freedom – by means of specific legislation of a delicate and sensitive area such as that relating to the use of financial information could be considered welcome and commendable in its intent and scope. Moreover, the choice of the Italian legislator to use as a legislative instrument a legally binding code of conduct with sanctions and payment of damages following its violation rather than pure self-regulation seems appropriate. In this way, in fact, it does not shift the responsibility of policing in the area of civil liberties and fundamental freedoms from State to user, providing sufficient guarantees for its implementation and enforcement.

50 ECRI Consumer Credit Newsletter, Issue 16 (2005), 5.

224

Appendix

However, if the new legislation provides a draconian response to a number of technical aspects of credit reporting, it unfortunately misses the opportunity to shed light on very important concerns surrounding credit reporting highlighted throughout this work. The most apparent and basic ones, in particular, seem to be those relating to (i) enforced consent, (ii) the nature of credit reporting, (iii) the institutional side and positioning of CRAs in modern society, and last but by no means least (iv) the European dimension and the drive towards integration within the EC. This work has attempted to stress the essential significance of these four interrelated aspects. In conclusion, therefore, although industry-specific legislation in the style of the Italian example could provide a temporary solution to stem privacy concerns, it seems unlikely that the difficult compromise adopted in Italy could suit the needs of the EC and its citizens.

Bibliography

Admati A.A. and Pfleiderer P.C., ‘Forcing Firms to Talk: Financial Disclosure Regulation and Externalities’, 13, Review of Financial Studies (2000), 479–519. Akelof G., ‘The Market for “Lemons”: Quality Uncertainty and the Market Mechanism’, 28(3), Quarterly Journal of Economics (1970), 523–547. Alary D. and Gollier C., ‘Strategic Default and Penalties on the Credit Market with Potential Judgment Errors’, EUI Working Paper, European University Institute (Florence, 2001). Alqudah F., ‘Bank’s Duty of Confidentiality in the Wake of Computerised Banking’, 10(2) Journal of International Banking Law (1995), 50–55. Andreeva G., Ansell J. and Crook J., ‘Impact of anti-discrimination laws on credit scoring’, 9(1), Journal of Financial Services Marketing (2004), 22–33. Article 29, Working Party on Data Protection, Working Document on Blacklists, 11118/02/EN/final, adopted on 3 October 2002. Avrey R.B., Calem P.S. and Canner G.B. (2004a), ‘Consumer Credit Scoring: Do Situational Circumstances Matter?’, 28(4), Journal of Banking and Finance (2004), 835. Avrey R.B., Calem P.S. and Canner G.B. (2004b), ‘Credit Report Accuracy and Access to Credit’, 90(3), Federal Reserve Bulletin (Summer 2004), 297–322. Baesens B. et al, ‘Using neural network rule extraction and decision tables for credit-risk evaluation’, 49(3), Management Science (2003), 312–329. Bainbridge D. and Pearce G., ‘Tilting at Windmills – Has the New Data Protection Law failed to make a Significant Contribution to Rights of Privacy?’, (2), Journal of Information, Law and Technology (2000). Banisar D. and Davies S., ‘Global Trends in Privacy Protection: an International Survey of Privacy, Data Protection, and Surveillance Laws and Developments’, 18(4), John Marshall Journal of Computer and Information Law (1999), 1–111. Barron M. and Staten M., ‘The Value of Comprehensive Credit Reports: Lesson from the US Experience’, Research Paper, Credit Research Centre, Washington DC, Georgetown University (2000). Barron M. and Staten M., ‘The Value of Comprehensive Credit Reports: Lesson from the US Experience’, in Miller M.J. (ed.), Reporting Systems and the International Economy (Cambridge, MIT Press 2003), 273–310. Benston G., Regulating Financial Markets (London, Institute of Economic Affairs 1998). Berger A.N. and Udell G.F., ‘Relationship Lending and Lines of Credit in Small Firm Finance’, 68, Journal of Business (1995), 351–381.

226

Bibliography

Bertola G., Disney R. and Grant C. (eds), The Economics of Consumer Credit (Cambridge, MIT Press 2006), 27–62. Bigus J.P., Data mining with neural networks: Solving business problems from application development to decision support (New York, McGraw-Hill 1996). Blankart F., Bonna J.A. and Dérobert M.Y., ‘Swiss Vies on Financial Privacy’ in CEI Staff (ed.), The Future of Financial Privacy (Washington DC, Competitive Enterprise Institute 2000), 204–221. Bloustein E.J., ‘Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser’, 39, New York University Law Review (1964), 962–1,007. Bonini R., Corso di Diritto Romano (Rimini, Maggioli 1984). Bork R., The Tempting of America: The Political Seduction of the Law (New York, Simon & Schuster 1990). Bower J.E. and Sawicki R.M., ‘Credit Scoring and Artificial Intelligence’, 19(7), ABA Bank Compliance (1998), 37–42. Bradford M., ‘Full data-sharing could stem over-indebtedness concerns’, 11, Credit Risk International (2004), 10–11. Brelsford G.B., ‘The Fair and Accurate Credit Transactions Act: Jeopardy to the Constitutional Right to Counsel’, National Organisation of Consumer Credit Attorneys White Paper (1 April 2005). Bridges S. and Disney R., ‘Modelling Consumer Credit Risk and Default: the Research Agenda’, Research Paper, Experian Centre for Economic Modelling (ExCEM), University of Nottingham (2001). Buch C.M., ‘Information or Regulation: What is Driving the International Activities of Commercial Banks?’, Kiel Working Paper No 1011, Kiel Institute of World Economics (Kiel, November 2000). Bullesbach A., ‘Financial Privacy and Data Protection in Europe’ in CEI Staff (ed.), The Future of Financial Privacy (Washington DC, Competitive Enterprise Institute 2000), 222–250. Burton D., ‘Ethnicity and consumer financial behaviour: A case study of British Asians in the pensions market’, 14(7), International Journal of Bank Marketing (1996), 21–31. Bygrave L.A., ‘Data Protection Pursuant to the Right to Privacy in Human Rights Treaties’, 6, International Journal of Law and Information Technology (1998), 247–284. Calari C., ‘Foreword’, in Miller M.J. (ed.), Reporting Systems and the International Economy (Cambridge, MIT Press 2003), i–ix. Calder L.G., Financing The American Dream – A Cultural History of Consumer Credit (Princeton, Princeton University Press 1999). Calder L.G., ‘Review of Rosa-Maria Gelpi and François Julien-Labruyère “The History of Consumer Credit: Doctrines and Practices” ’, EH Net Economic History Services (August 2000). Campbell A., ‘Bank Confidentiality and the Consumer in the United Kingdom’, in Cartwright P. (ed.), Consumer Protection in Financial Services (London, Kluwer Law International 1999), 76–96. Campbell D., International Bank Secrecy (London, Sweet & Maxwell 1992). Campbell T. and Kracaw A.W., ‘Financial Intermediation and the Market for Interest Rate Swaps’, 1(4) Journal of Financial Intermediation (1991), 362–384. Campion A., ‘Client Information Sharing in Bolivia’, 3(1), Journal of Microfinance (2001), 45–63.

Bibliography

227

Carey P. (2004a), Data Protection in the UK (London, Blackstone 2004). Carey P. (2004b), Data Protection – A Practical Guide to UK and EU Law (Oxford, Oxford University Press 2004). Cartwright P., Banks, Consumers and Regulation (Oxford, Hart Publishing 2004). Castelfranchi C. and Falcone R., ‘Socio-cognitive theory of trust’, in Pitt J. (ed.), Open Agent Societies: Normative Specifications in Multi-Agent Systems (London, Wiley 2003). Castells M., The Information Age: Economy, Society and Culture Vol I: The Rise of the Network Society (London, Blackwell 1996). Cate F.H., Litan R.E., Staten M. and Wallison P., Financial Privacy, Consumer Prosperity, and the Public Good (Washington DC, Brookings Institution Press 2003). CFANCRA, ‘Credit Score Accuracy and Implications for Consumers’, Consumer Federation of America National Credit Reporting Association (17 December 2002). Chalton S.N.L. and Gaskill S.J., Encyclopaedia of Data Protection (London, Sweet & Maxwell 2006). Cole R.H. and Mishler L., Consumer and Commercial Credit Management (Boston, McGraw-Hill 1998). Collard S. and Kempson E., Affordable Credit. The Way Forward (Bristol, Joseph Rowntree Foundation, Policy Press 2005). Commission Nationale de l’Informatique et des Libertés, ‘Black Lists – «Bad debtors» and «fraudsters» central data bases in respect of personal data protection’, The CNIL’s Reports (Paris, 2003 Edition, 27 March 2003). Commission of the European Communities (2003a), Analysis and impact study on the implementation of Directive EC 95/46 in Member States (Brussels, 16 May 2003). Commission of the European Communities (2003b), Report from the Commission – First report on the implementation of the Data Protection Directive (95/46/EC), Brussels, 15 May 2003, COM (2003) 265 final. Conte R. and Paolucci M., Reputation in Artificial Societies: Social Beliefs for Social Order (Dordrecht, Kluwer 2003). Costanzo L.A. and Ashton J.K., ‘Product innovation and consumer choice in the UK financial services industry’, 14(3), Journal of Financial Regulation and Compliance (2006), 285–303. Council of Europe, Committee of Ministers, Explanatory Memorandum to Recommendation No R (97) 18 of the Committee of Ministers to member states concerning the protection of personal data collected and processed for statistical purposes, Adopted by the Committee of Ministers on 30 September 1997. Crook J., ‘The Demand and Supply of Household Debt: A Cross-Country Comparison’, Working Paper, European University Institute Workshop ‘The Economics of Consumer Credit: European Experience and Lessons from the U.S.’ (Florence, May 2003). Crook J., Edelman D. and Thomas L.C., Readings in Credit Scoring (Oxford, Oxford University Press 2005). Crowther L., Consumer Credit. Report of the Committee (London, Her Majesty’s Stationery Office 1971). Davies H., ‘Why Regulate’, Henry Thornton Lecture (City University Business School, 4 November 1998). de Cock Buning M., Hondius E., Prins C. and de Vries M., ‘Consumer@Protection .EU. An analysis of European Consumer Legislation in the Information Society’, 24(3), Journal of Consumer Policy (2001), 287–338.

228

Bibliography

DeCew J., In Pursuit of Privacy: Law, Ethics, and the Rise of Technology (Ithaca, Cornell University Press 1997). Del Villar, Diaz de Leon A. and Hubert J.G., ‘Regulation of Personal Data Protection and of Credit Reporting Firms: A Comparison of Selected Countries of Latin America, the United States, and the European Union’ in Miller M.J. (ed.), Credit Reporting Systems and the International Economy (Cambridge, MIT Press 2003), 397–431. Dell’Ariccia G., ‘Asymmetric Information and the Structure of the Banking Industry’, 40, European Economic Review (2001), 1,957–1,980. Desai V.S., Convay D.G., Crook J.N. and Overstree G.A., ‘Credit scoring models in the credit union improvement using neural networks and genetic algorithms’, 8, IMA Journal of Mathematics Applied in Business and Industry (1997), 323–346. Diamond D.W., ‘Financial Intermediation and Delegated Monitoring’, 51, Review of Economic Studies (1984), 393–414. Diamond D.W., ‘Monitoring and Reputation: The Choice between Bank Loans and Directly Placed Debt’, 99(4), Journal of Political Economy (1991), 689–721. Diana T., ‘Credit Risk Analysis and Credit Scoring – Now and in the Future’, 3, Business Credit (2005), 1–4. Diez Guardia N., ‘Consumer Credit in the European Union’, ECRI Research Report No 1, European Credit Research Institute (Brussels 2002). Djankov S.D., McLiesh C. and Shleifer A., ‘Private Credit in 129 Countries’, NBER Working Paper No 11078 (June 2005). DTI, ‘Fair, Clear, and Competitive. The Consumer Credit Market in the 21st Century’, White Paper, Department of Trade and Industry (London, December 2003). DTI, ‘Over-indebtedness in Britain: a DTI Report on the MORI Financial Services Survey 2004’, Department of Trade and Industry (London, 2005). Economic and Social Research Council, ‘How people on low incomes manage their finances’, ESRC Research Report (Swindon 2002). Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2002 – An International Survey of Privacy Laws and Developments (Washington DC and London, 2002). Ellinger E.P., Lomnicka E. and Hooley R.J.A., Modern Banking Law (Oxford, Oxford University Press 2002). European Credit Research Institute (ed.), ‘Consumer Financial Capability: Empowering European Consumers’, Papers collected during the Consumer Financial Capability Workshop’, European Credit Research Institute (Brussels, 2006). European Economic and Social Committee, ‘Opinion of the Economic and Social Committee on Household Over-indebtedness (own initiative opinion)’, CES (Brussels, 5 November 2002), 2.1. Evans D.S. and Schmalensee R., Paying With Plastic (Cambridge, MIT Press 1999). Falcone R. and Castelfranchi C., Social Trust: A Cognitive Approach (Dordrecht, Kluwer 2001). Financial Services Authority, ‘In or out? Financial exclusion: A literature and research review’, Consumer Research Paper 3 (London 2000). Ford C. and Kay J., ‘Why Regulate Financial Services’ in Oditah F. (ed.), The Future of the Global Securities Market (Oxford, Clarendon Press 1996). Foss B. and Bond A., ‘Privacy, risk and good and bad consumers’, 13(1), Journal of Database Marketing & Customer Strategy Management (2005), 10–23. Fried C., An Anatomy of Values (Cambridge, Harvard University Press 1970).

Bibliography

229

Fukuyama F., Trust (New York, Free Press 1995). Furletti M., ‘An Overview and History of Credit Reporting’, Discussion Paper, Payment Cards Center, Federal Reserve Bank of Philadelphia (Philadelphia 2002). Galindo A. and Miller M.J., ‘Can Credit Registries Reduce Credit Constraints? Empirical Evidence on the Role of Credit Registries in Firm Investment Decisions’, Paper prepared for the Annual Meetings of the Inter-American Development Bank (Santiago de Chile, March 2001). Gambetta D., Trust (Oxford, Blackwell 1990). Gavison R., ‘Privacy and the Limits of the Law’, 89, Yale Law Journal (1980), 421–471. Gelpi R.M. and Julien-Labruyère F., The History of Consumer Credit (Basingstoke, Macmillan Press 2000). Gerstein R., ‘Intimacy and Privacy’, 89, Ethics (1978), 76–81. Glorfeld L.W. and Hardgrave B.C., ‘An improved method for developing neural networks: The case of evaluating commercial loan creditworthiness’, 23(10), Computer Operation Research (1996), 933–944. Goodhart C., The Central Bank and the Financial System (Basingstoke, McMillan Press 1995). Guiso L., ‘Consumer Credit and Household Loan Markets Across Italian Regions’, Working Paper, European University Institute Workshop ‘The Economics of Consumer Credit: European Experience and Lessons from the U.S.’ (Florence, May 2003). Gup B.E., Financial Intermediaries: An Introduction (Boston, Houghton Mifflin 1976). Hand D.J. and Henley W.E., ‘Statistical Classification Methods in Consumer Credit Scoring: a Review’, 160(3), Journal of the Royal Statistical Society (1997), 522–541. Handzic M., Tjandrawibawa F. and Jeo J., ‘How Neural Networks Can Help Loan Officers to Make Better Informed Application Decisions’, Informing Science (June 2003), 97–109. Hanson J.D. and Kysar D.A., ‘Taking Behavioralism Seriously: Some Evidence of Market Manipulation’, 112(7), Harvard Law Review (1999), 1,420–1,572. Harvey B.V. and Parry D.L., The Law of Consumer Protection and Fair Trading (London, Butterworths 1996). Hefferman S., Modern Banking (Chichester, John Wiley and Sons 2005). Herzberg L., ‘On the attitude of trust’, 31, Inquiry (1988), 307–322. Hidy R.W., ‘Credit Rating Before Dun and Bradstreet’, 13(6), Bulletin of the Business Historical Society (1939), 81–88. HM Treasury, Access to financial services (London, 1999). Hoffman T.P., Postel-Vinay G. and Rosenthal J.L., ‘What do notaries do? Overcoming asymmetric information in financial markets: the case of Paris, 1751’, 154(3), Journal of Institutional and Theoretical Economics (1994), 499–530. Hogarth J.M. and O’Donnell K.H., ‘Banking relationships of lower-income families and the governmental trend towards electronic payment’, 85(7), Federal Reserve Bulletin (1999), 459–473. Hogarth J.M. and O’Donnell K.H., ‘If you build it, will they come? A simulation of financial product holdings among low-to-moderate income households’, 23, Journal of Consumer Policy (2000), 419–444. House of Commons Treasury Committee, ‘Credit Card Charges and Marketing, Second Report 2004–2005’, Stationery Office (London, 4 February 2005).

230

Bibliography

Howells G.G., ‘Data Protection, Confidentiality, Unfair Contract Terms, Consumer Protection and Credit Reference Agencies’, 4, Journal of Business Law (1995), 343–359. Howells G.G. and Weatherill S., Consumer Protection Law (Aldershot, Ashgate 2005). Howells G.G. and Wilhelmsson T., EC Consumer Law (Aldershot, Ashgate 1997). Howells G.G. and Wilhelmsson T., ‘EC consumer law – Has it come of age?’, 28, European Law Review (2003), 370–388. Howells G.G., Micklitz H. and Wilhelmsson T., European Fair Trading Law: The Unfair Commercial Practices Directive (Aldershot, Ashgate 2006). Howells G.G., Nordhausen A., Parry D. and Twigg-Flesner C. (eds), The Yearbook of Consumer Law 2007 (Aldershot, Ashgate 2007). Hunt R.M., ‘The Development and Regulation of Consumer Credit Reporting in America’, Working Paper No 02-21, Federal Reserve Bank of Philadelphia (Philadelphia 2002). Hunt R.M., ‘A Century of Consumer Credit Reporting in America’, Working Paper No 05-13, Federal Reserve Bank of Philadelphia (Philadelphia 2005). Hunt R.M., ‘Development and Regulation of Consumer Credit Reporting in the United States’, in Bertola G., Disney R. and Grant C. (eds), The Economics of Consumer Credit (Cambridge, MIT Press 2006), 301–346. Hurst P., ‘Sharing performance data through credit reference agencies – levelling the playing field’, Credit Management (November 1998), 28. Inness J., Privacy, Intimacy, and Isolation (Oxford, Oxford University Press 1992). International Chamber of Commerce, Position Paper to the European Commission on the Consultation process on the Data Protection Directive available at http:// europa.eu.int/comm/justice_home/fsj/privacy/docs/lawreport/paper/uscib_en.pdf. Ironfield-Smith C., Keasey K., Summers B., Duxbury D. and Hudson R., ‘Consumer Debt in the UK: Attitudes and implications’, 13(2), Journal of Financial Regulation and Compliance (2005), 132–141. ‘Jack Report on Banking Service: Law and Practice’ (1989) Cm. 622. Jackson H.E., ‘The Role of Credit Rating Agencies in the Establishment of Capital Standards for Financial Institutions in a Global Economy’, in Ferran E. and Goodhart C.A.E. (eds), Regulating Financial Services and Markets in the Twenty First Century (Oxford, Hart Publishing 2001), 311–322. Jaffee D. and Russell T., Imperfect Information and Credit Rationing (New York, John Wiley & Sons 1976). Jappelli T. and Pagano M., ‘Information Sharing in Credit Markets: The European Experience’, Working Paper No 35, Centres for Studies in Economics and Finance (University of Salerno, 2000). Jappelli T. and Pagano M., ‘Information Sharing, Lending and Defaults: CrossCountry Evidence’, 26(10), Journal of Banking and Finance (2002), 2,017–2,045. Jappelli T. and Pagano M., ‘Public Credit Information: A European Perspective’, in Miller M.J. (ed.), Credit Reporting Systems and the International Economy (Cambridge, MIT Press 2003), 81–114. Jappelli T. and Pagano M., ‘Role and Effects of Credit Information Sharing’, CSEF Working Paper No 136 (University of Salerno, April 2005). Jappelli T. and Pagano M., ‘The Role and Effects of Credit Information Sharing’, in Bertola G., Disney R. and Grant C. (eds), The Economics of Consumer Credit (Cambridge, MIT Press 2006), 347–371.

Bibliography

231

Jay R. and Hamilton A., Data Protection – Law and Practice (London, Thomson – Sweet & Maxwell 2003, 2nd edn). Jentzsch N. (2003a), ‘The Regulation of Financial Privacy: The United States vs Europe’, ECRI Research Report No 5, European Credit Research Institute (Brussels, 2003). Jentzsch N. (2003b), ‘The Regulatory Environment for Business Information Sharing’, Working Paper, 10 July 2003, Free University of Berlin (Berlin, 2003). Jentzsch N., ‘Best World Practices in Credit Reporting and Data Protection: Lessons from China’, Paper prepared for the International Workshop on Household Credit, Peking University and University of Virginia (2005). Jentzsch N., The Economics and Regulation of Financial Privacy (Heidelberg, Physica-Verlag 2006). Jentzsch N. and San José Riestra A., ‘Information Sharing and Its Implications for Consumer Credit Markets: United States vs Europe’, Working Paper, European University Institute Workshop ‘The Economics of Consumer Credit: European Experience and Lessons from the U.S.’ (Florence 2003). Jentzsch N. and San José Riestra A., ‘Consumer Credit Markets in the United States and Europe’, in Bertola G., Disney R. and Grant C. (eds), The Economics of Consumer Credit (Cambridge, MIT Press 2006), 27–62. Johnson H., ‘Credit Blacklist Problems’, 9(12), International Banking Law (1991), 458–459. Johnson H., ‘A Winning Score: OFT Review Credit Scoring’, 11(3), International Banking and Financial Law (1992), 35–36. Johnson P., Saving and Spending – The Working-Class Economy in Britain 1870–1939 (Oxford, Clarendon Press 1985). Jolls C., Sunstein C. and Thalrer R., ‘A Behavioural Approach to Law and Economics’, 50(5), Stanford Law Review (1998), 1,471–1,550. Kallberg J.G. and Udell G.F., ‘The Value of Private Sector Business Credit Information Sharing: the U.S. Case’, 27(3), Journal of Banking and Finance (2003), 449–469. Kaltofen D., Paul S. and Stein S., ‘Retail Loans and Basel II: Using Portfolio Segmentation to Reduce Capital Requirements’, ECRI Research Report No 8 (Brussels, European Credit Research Institute, August 2006). Kempson E., Savings and low income and ethnic minority households (London, Personal Investment Authority 1998). Kempson E., ‘Over-indebtedness in Britain. A Report to the Department of Trade and Industry’, Personal Finance Research Centre, University of Bristol (Bristol 2002). Kempson E. and Whyley C., Access to current accounts (London, British Bankers Association 1998). Kempson E. and Whyley C., ‘Understanding and combating financial exclusion’, 21, Insurance Trends (1999), 18–22. Khalil F. and Parigi B.M., ‘Screening, Monitoring and Consumer Credit’, EUI Working Paper, European University Institute (Florence 2001). Klein D.B., ‘Promise-Keeping in Great Society: a Model of Credit Information Sharing’, 4(2) Economics and Politics (1992), 117–136, also reprinted in Klein D.B. (ed.), Reputation: Studies in the Voluntary Elicitation of Good Conduct (Ann Arbor, University of Michigan Press 1997). Klein D.B., ‘Knowledge, Reputation, and Trust by Voluntary Means’, in Klein D.B.

232

Bibliography

(ed.), Reputation: Studies in the Voluntary Elicitation of Good Conduct (Ann Arbor, University of Michigan Press 1997), 1–9. Klein D.B., ‘Credit Information Reporting: Why Free Speech is Vital to Social Accountability and Consumer Opportunity’, 5(3), Independent Review (2001), 325–344. Korff D., ‘Comparative summary of national laws’, EC Study on Implementation of Data Protection Directive (Study Contract ETD/2001/B5 3001/A/49), Human Rights Centre, University of Essex (Colchester 2002). Kubik P.J., ‘Federal Reserve Policy During the Great Depression: The Impact of Interwar Attitudes Regarding Consumption and Consumer Credit’, 30(3), Journal of Economic Issues (1996), 829–842. Kuner C., ‘Privacy, Security and Transparency: Challenges for Data Protection Law in a New Europe’, 16(1), European Business Law Review (2005), 1–8. Lanoo K. and de la Mata Muñoz A., ‘Integration of the EU Consumer Credit Market – Proposal for a More Efficient Regulatory Model’, CEPS Working Document No 213, Centre for European Policy Studies (Brussels, November 2004). Lastra R.M. and Shams H., ‘Public Accountability in the Financial Sector’ in Ferran E. and Goodhart C.A.E. (eds), Regulating Financial Services and Markets in the Twenty First Century (Oxford, Hart Publishing 2001), 165–188. Lea S., Webley P. and Walker C.M., ‘Psychological Factors in Consumer Debt: Money Management, Economic Socialisation, and Credit Use’, 16(4), Journal of Economic Psychology (1995), 681–701. Lee J., ‘The poor in the financial markets: Changes in the use of financial products, institutions and services from 1995 to 1998’, 25, Journal of Consumer Policy (2002), 203–231. Leigh-Pollitt P., ‘The Employment Practices Data Protection Code: Part 3 – Monitoring at Work’, 3(1), Privacy and Data Protection (2002). Lenaghan, T., ‘Microfinance and the Market for Credit Information in El Salvador’, Division 41, Financial Systems Development and Banking Services (October 2001). Levi M. and Wall D.S., ‘Technologies, Security, and Privacy in the Post-9/11 European Information Society’, 31(2), Journal of Law and Society (2004), 194–220. Llewellyn D., ‘The Economic Rationale for Financial Regulation’, FSA Occasional Paper (London, 1 April 1999). Love I. and Mylenko N., ‘Credit Reporting and Financing Constraints’, World Bank Policy Research Working Paper 3142 (Washington DC, October 2003). Lowe R. and Woodroffe G., Consumer Law and Practice (London, Sweet and Maxwell 1999). Lund G., ‘Credit bureau data: Maximising the benefits’, Credit Management (May 2004), 44–46. Luoto J., McIntosh C. and Wydick B., ‘Credit Information Systems in LessDeveloped Countries: Recent History and a Test’, Working Paper, University of San Francisco (San Francisco, September 2004). MacDonald D.A., ‘Myths in the Privacy Debate’ in CEI Staff (ed.), The Future of Financial Privacy (Washington DC, Competitive Enterprise Institute 2000), 54–75. MacKinnon C., Toward a Feminist Theory of the State (Cambridge, Harvard University Press 1989). Madison J.M., ‘The Evolution of Commercial Credit Reporting Agencies in Nineteenth-Century America’, 48(2), Business History Review (1974), 164–186. Majinoni G., Miller M., Mylenko N. and Powell A., Improving Credit Information,

Bibliography

233

Bank Regulation and Supervision: On the role and design of Public Credit Registries (Washington DC, World Bank Research Committee, June 2004). Malhorta R. and Malhorta D.K., ‘Evaluating consumer loans using neural networks’, European Financial Management Association (2001, retrieved 5 June 2002). Marquez R., ‘Competition, Averse Selection, and Information Dispersion in the Banking Industry’, 15(3), Review of Financial Studies (2002), 901–926. May G., ‘White Paper: Stop Thief! Are Credit Bureaus and Creditors “Silent” Co-conspirators to Identity Theft’, Journal of Texas Consumer Law (2002), 72–80. McIntosh C. and Wydick B., ‘A Decomposition of Incentive and Screening Effects in Credit Market Information Systems’, Working Paper – University of California at San Diego/University of San Francisco (San Diego – San Francisco 2004). McKnight D.H. and Chervany N.L., ‘The Meanings of Trust’, Technical Report MISRC Working Paper Series 96-04, Management Information Systems Research Center (University of Minnesota, 1996). Mercer O.W., ‘Consumer credit in Europe: riding the wave’, Research Report, European Credit Research Institute (Brussels, November 2005). Miller M.J. (2003a), ‘Introduction’, in Miller M.J. (ed.), Credit Reporting Systems and the International Economy (Cambridge, MIT Press 2003), 1–23. Miller M.J. (2003b), ‘Credit Reporting Systems around the Globe: the State of the Art in Public Credit Registries and Private Credit Reporting Firms’ in Miller M.J. (ed.), Credit Reporting Systems and the International Economy (Cambridge, MIT Press 2003), 25–80. Miller M.J. (2003c), Credit Reporting Systems and the International Economy (Cambridge, MIT Press 2003). Molloy T., ‘Fraud in the Cross-Hairs’, 17(3), Compliance Monitor (2004), 1. Moore A., ‘Intangible Property: Privacy, Power, and Information Control’, 35, American Philosophical Quarterly (1998), 365–378. Nieto M.J. and Penalosa J.M., ‘The European architecture of regulation, supervision and financial stability: A central bank perspective’, 5(3), Journal of International Banking Regulation (2004), 228–242. Nocera J., A Piece of the Action: How the Middle Class Joined the Money Class (New York, Simon & Schuster 1994). Norris J.D., R.G. Dun & Co. 1841–1900: The Development Of Credit-Reporting In The Nineteenth Century (Westport, Greenwood Press 1978). OECD, Improving Financial Literacy: Analysis of Issues and Policies (Paris, 2005). Olegario R., ‘Credit Reporting Agencies: A Historical Perspective’, in Miller M.J. (ed.), Reporting Systems and the International Economy (Cambridge, MIT Press 2003), 115–159. Padilla J.A. and Pagano M., ‘Endogenous Communication among Lenders and Entrepreneurial Incentives’, 10(1), Review of Financial Studies (1997), 205–236. Padilla J.A. and Pagano M., ‘Sharing Default Information as a Borrower Discipline Device’, 44(10), European Economic Review (2000), 1,951–1,980. Pagano M. and Jappelli T., ‘Information Sharing in Credit Markets’, 48(5), Journal of Finance (1993), 1,693–1,718. Parent W., ‘Privacy, Morality and the Law’, 12, Philosophy and Public Affairs (1983), 269–288. Parker G., Getting and Spending – Credit and Debt in Britain (Avebury, Hants 1990). Paul J., Miller F. and Paul E. (eds), The Right of Privacy (Cambridge, Cambridge University Press 2000).

234

Bibliography

Pedersen A., ‘European Union unveils “tougher” enforcement strategy’, 76, Privacy Laws and Business, International Newsletter (2005), 1–3. Peek J. and Rosengren E.S., ‘Banks and the Availability of Small Business Loans’, Working Paper No 95-1, Federal Reserve Bank of Boston (Boston 1995). Pennock J. and Chapman J. (eds), Privacy, NOMOS XIII (New York, Atherton Press 1971). Petersen M.A. and Rajan R.G., ‘The Benefits of Lending Relationships: Evidence from Small Business Data’, 49(1), Journal of Finance (1994), 3–37. Pinar Manas J.L., ‘Consent of the Data Subjects’, in Conference of the Rights and Responsibilities of Data Subjects, The Council of Europe and the Office for Personal Data Protection of the Czech Republic (Prague, 14 and 15 October 2004). Posner R., The Economics of Justice (Cambridge, Harvard University Press 1981). Posner R., ‘Rational Choice, Behavioural Economics and the Law’, 50(5) Stanford Law Review (1998), 1,551–1,575. Rachels J., ‘Why Privacy is Important’, 4, Philosophy and Public Affairs (1975), 323–333. Ramaden D., ‘When the Database is Wrong . . . Do Consumers Have Any Effective Remedies Against Credit Reporting Agencies or Information Providers?’, 100(3), Commercial Law Journal (1995), 390–435. Ramsay I. and Williams T., ‘Racial and Gender Equality in Markets for Financial Services’, in Cartwright P. (ed.), Consumer Protection in Financial Services (London, Kluwer Law International 1999), 266–279. Reifner U., Kiesilainen J., Huls N. and Springeneer H., ‘Consumer Overindebtedness and Consumer Law in the European Union’, Final Report to the Commission of the European Communities, Health and Consumer Protection Directorate-General, Contract Reference No B5-1000/02/000353 (International Association of Consumer Law, September 2003). Research Group, The Identity Project – an assessment of the UK Identity Cards Bill and its implications (London, London School of Economics and Political Science, 27 June 2005). Rodotà S., Tecnologie e Diritti (Bologna, Il Mulino 1995). Rosen S., ‘Avoiding Fraud’, 3(3), Due Diligence & Risk Management (October 2000). Samuelson P., ‘Privacy as Intellectual Property’, 52(5) Stanford Law Review (2000), 1,125–1,174. Sandage S.A., Born Losers: A History of Failure in America (Cambridge, Harvard University Press 2005). San José Riestra A., ‘Credit Bureaus in Today’s Credit Markets’, ECRI Research Report No 4, European Credit Research Institute (Brussels, September 2002). Sartor G., ‘Privacy, Reputation, and Trust: Some Implications for Data Protection’, EUI Law Working Paper No 2006/04 (Florence, March 2006). Schoeman F. (ed.), Philosophical Dimensions of Privacy: An Anthology (Cambridge, Cambridge University Press 1984). Schwarcz S.L., ‘The Role of Rating Agencies in Global Market Regulation’, in Ferran E. and Goodhart C.A.E. (eds), Regulating Financial Services and Markets in the Twenty First Century (Oxford, Hart Publishing 2001), 297–310. Singleton S., ‘Privacy and Human Rights: Comparing the United States to Europe’, White Paper written for the Competitive Enterprise Cato Institute’s conference on financial privacy (Cato Institute: Washington DC 1999). Singleton S., ‘Privacy and Human Rights: Comparing the United States to Europe’ in

Bibliography

235

CEI Staff (ed.), The Future of Financial Privacy (Washington DC, Competitive Enterprise Institute 2000), 186–202. Singleton S., ‘In focus – Monitoring at Work – Employment Practices Data Protection Code: Part 3’, 26(7), Consumer Law Today (2003). Skouris V. (2006a), ‘Fundamental Rights and Fundamental Freedoms: The Challenge of Striking a Delicate Balance’, 17(2), European Business Law Review (2006), 225–239. Skouris V. (2006b), ‘Effet Utile Versus Legal Certainty: The Case-law of the Court of Justice on the Direct Effect of Directives’, 17(2), European Business Law Review (2006), 241–255. Solove D.J., ‘The Virtues of Knowing Less: Justifying Privacy Protections Against Disclosure’, 53, Duke Law Journal (2004), 967–1,062. Sousa De Jesus A., ‘Data Protection in EU Financial Services’, ECRI Research Report No 6, European Credit Research Institute (Brussels, April 2004). Sovern J., ‘Stopping Identity Theft’, 38(2), Journal of Consumer Affairs (2004), 233–244. Staten M.E. and Cate F.H., ‘Does the Fair Credit Reporting Act Promote Accurate Credit Reporting?’, Working Paper Series BABC 04-14, Joint Center for Housing Studies (Harvard University, February 2004). Steiner J., Woods L. and Twigg-Flesner C., EU Law (Oxford, Oxford University Press 2006). Stiglitz J.E. and Weiss A., ‘Credit Rationing in Markets with Imperfect Information’, 71(3), American Economic Review (1981), 393–410. Stiglitz J.E. and Weiss A., ‘Banks as Social Accountants and Screening Devices for the Allocation of Credit’, National Bureau of Economic Research, No 2,710 (1988). Stiglitz J.E. and Weiss A., ‘Asymmetric Information in Credit Markets and Its Implications for Macro-economics’, 44(4), Oxford Economic Papers (1992), 694–724. Strasser S., ‘The Alien Past: Consumer Culture in Historical Perspective’, 26(4), Journal of Consumer Policy (2003), 375–393. Stratford J.S. and Stratford J., ‘Data Protection and Privacy in the United States and Europe’, 3, IASSIST Quarterly (1998), 17–20. Stuyck J., ‘European consumer law after the Treaty of Amsterdam: Consumer policy in or beyond the internal market’, 37, Common Market Law Review (2000), 367–400. Swartz N., ‘Database Debacles’, 39(3), Information Management Journal (2005), 20–24. Talamanca M., Lineamenti di Storia del Diritto Romano (Milano, Giuffré 1989). Tebbut M., Making Ends Meet, Pawnbroking and Working Class Credit (London, Metheun 1984). Thomas L.C., ‘A survey of credit and behavioural scoring: forecasting financial risk of lending to consumers’, 16(2), International Journal of Forecasting (2000), 149–172. Thomson J., ‘The Right to Privacy’, 4, Philosophy and Public Affairs (1975), 295–314. Trans Union LLC, ‘Credit Reporting – The Backbone of a Vibrant Market Economy’, available at http://www.transunion.com. Turner G., ‘Confidentiality’, 8(1), IT Law Today (2000). Twigg-Flesner C., ‘Innovation and EU Consumer Law’, 28, Journal of Consumer Policy (2005), 409–432. Twigg-Flesner C., Parry D., Howells G.G., Nordhausen A. et al, ‘An Analysis of the

236

Bibliography

Application and Scope of the Unfair Commercial Practices Directive’, A Report for the Department of Trade and Industry (18 May 2005). United States General Accounting Office, ‘Consumer Credit – Limited Information Exists on Extent of Credit Report Errors and Their Implications for Consumers’, Statement for the Record before the Committee on Banking, Housing, and Urban Affairs, US Senate (31 July 2003). Vercammen J.A., ‘Credit Bureau Policy and Sustainable Reputation Effects in Credit Markets’, 62, Economica (1995), 461–478. Wadsley J. and Penn G.A., The Law Relating to Domestic Banking (London, Sweet & Maxwell 2000). Warwood A., ‘How Do Lenders Decide Who To Lend To?’, 37, Quarterly Account (1995), 3–5. Warren S. and Brandeis L., ‘The Right to Privacy’, 4, Harvard Law Review (1980), 193–220. Webster M., Data Protection in the Financial Services Industry (Aldershot, Gower 2006). Weill L., ‘Le rôle de la relation de clientèle comme barrière à l’entrée sur les marchés bancaires’, 53(2), Revue Economique (2002), 201–222. Weill L., ‘Efficiency of Consumer Credit Companies in the European Union – A Cross-Country Frontier Analysis’, ECRI Research Report No 7, European Credit Research Institute (Brussels, 2004). Westin A., Privacy and Freedom (New York, Atheneum 1967). Wilhelmsson T., ‘The abuse of the “confident consumer” as a justification for EC consumer law’, 27, Journal of Consumer Policy (2004), 317–337. Wilhelmsson T., ‘The Informed Consumer v the Vulnerable Consumer in European Unfair Commercial Practices Law – A Comment’, in Howells G.G., Nordhausen A., Parry D. and Twigg-Flesner C. (eds), The Yearbook of Consumer Law 2007 (Aldershot, Ashgate 2007). Wilson N. and Lund G., ‘Using Postcode Data to Predict Fraud Risk’, Credit Management, Supplement (October 2004), 40–41. World Bank, Governance and Development (Washington DC, World Bank 1992). Wyatt-Brown B., ‘God and Dun & Bradstreet, 1841–1851’, 40(4), Business History Review (1966), 432–450. Yobas M. and Crook J.N., ‘Credit Scoring Using Neural and Evolutionary Techniques’, 11, IMA Statistics in Financial Mathematics Applied in Business and Industry (2000), 111–125.

Websites http://www.accis.org/. http://www.bundesbank.de/. http://www.callcredit.co.uk/. http://www.cesifo-group.de/. http://www.codacons.it/. http://www.coe.int/. http://www.consumer.gov/. http://www.creditinfo.com/. http://www.creditreform.de/. http://www.crif.com/.

Bibliography

237

http://www.dataprotection.gov.uk/. http://www.doingbusiness.org/. http://www.dti.gov/uk/. http://www.ecri.be/. http://www.equifax.co.uk/. http://www.europa.eu.int/. http://www.experian.co.uk/. http://www.ftc.gov/. http://www.homeofficeqsi.gov.uk. http://www.identity-theft.org.uk/. http://www.informationcommissioner.gov.uk/. http://www.law.nyu.edu/centralbankscenter/. http://www.oecd.org/. http://www.privacy.it/. http://www.privacyinternational.org/. http://www.privacyrights.org/. http://www.tiresias.gr/. http://www.transunion.com/. http://www.un.org/. http://www.which.net/.

Newspapers/ Newsletters ECRI Consumer Credit Newsletter, Issue 05 (European Credit Research Institute 2002). ECRI Consumer Credit Newsletter, Issue 16 (European Credit Research Institute 2005). ECRI Consumer Credit Newsletter, Issue 22 (European Credit Research Institute 2006). Economist, ‘Cracks in the facade’ (24–30 March 2007), 87–89. Economist, ‘The trouble with the housing market’ (24–30 March 2007), 11. Economist, ‘When the tide goes out’ (24–30 March 2007), 36. Guardian – Jobs & Money, ‘New rules boost chance of credit’ (30 October 2004), 3. Guardian Money, ‘On the lukewarm trail of the doppelgangsters’ (3 February 2007), 3. Guardian Money, ‘Watch out, they are still about’ (3 February 2007), 1. Guardian, ‘Bad debts force Lloyds TSB to raise cover’ (30 July 2005), 26. Guardian, Jobs & Money, ‘Total History of Your Dealings’ (30 October 2004). LA Times, ‘Losing Faith in Credit Files’ (22 July 1991), A1. New Law Journal, ‘News’ (8 October 2004), 154. Newsweek, ‘It’s Just Too Easy’ (November 2002). New York Times, ‘For Victims, Repairing ID Theft Can Be Grueling’ (1 October 2005).

Index

Abusive practices 42 Access to credit 128, 201 Account takeover 25–6 Accountability 51, 205–6 Accuracy 57, 64–5, 170–3 Adverse selection 13, 14, 32, 34, 42, 43 Advertising 186 Anonymous data 173 Anti-discriminatory laws 40 Anti-inflationary policy 79 Application fraud 26 Article 29 Working Party 133, 149 Artificial intelligence 20, 183 Association of Consumer Credit Information Suppliers (ACCIS) 90 Asymmetric or asymmetrical information 1, 10, 13, 31, 32, 37, 42–3, 49, 52, 177 Austria 70, 86, 90, 97, 103 Average consumer 160 Bad debts 13 Bad selection 1 Balance sheets 187 Bank account 15 Bank of Italy 213 Bank secrecy 2, 73, 74, 94–9, 154, 155, 165, 175, 179, 210–13 Banking supervision and regulation see Prudential regulation Banking Supervision Committee of the European System of Central Banks 90, 206 Bankruptcy(ies) 16, 23, 80 Barings and Brown Brothers 54 Barriers 78, 79, 94 Basel Committee on Banking Supervision 4 Belgium 70, 83, 86, 90, 97, 103

Biographical footprint checking 28 Black information see Negative information Black market 182 Blacklist(s) 13, 133–4, 144, 182 Bodily privacy 136 Borrower discipline 35 Brandeis, Louis 135 Broker(s) 42, 52, 152–3, 156, 158 Building societies 10 Bulgaria 70, 86, 103 Business credit history 36 Business credit reporting 3, 5, 36, 45, 50, 53–8, 63, 91 Business-to-business lending 53 Calumny 190 Capital flows 79 Capital movement 79 Cartel(s) 93, 193, 203 Categorisation 139, 197 Catholicism 68 Central bank(s) 81, 82–3, 91, 96, 204 Centre for European Policy Studies (CEPS) 20 Charge cards 15 Charter of Fundamental Rights of the European Union 101, 137 Citizenship directive 199, 201 Civil law 95–9 Civil liberties and rights 2, 3, 41, 44, 45, 47, 72, 75, 77, 137–8, 160, 164, 182, 196, 203, 204–8, 223 Civil War 58 Code(s) of conduct or practice 94, 168, 214–23 Co-decision procedure 126 Collateral 14, 16, 19, 38, 49

240

Index

Commercial credit reporting see Business credit reporting Committee of Governors of the European Central Bank 82 Common law 95–9 Common Market 77, 130, 136–7, 141, 192, 198–204 Communism 136 Community directive 6, 144 Commuting 186 Competition 14, 34, 79, 82, 84, 88, 91, 93, 121, 126, 190–5 Compliance 2, 93, 129, 130, 134, 142, 146, 148, 149, 151–76, 172, 175, 177, 191, 213 Congress 64 Consent 96, 99, 138, 141, 161, 162, 165, 167, 170, 173, 175, 178, 179–81, 182, 183, 190–5, 197–8, 213 Constitutional Treaty 137 Consumer confidence 192, 193 Consumer Credit Act 1974 and 2006 68, 121, 209–13 Consumer credit directive 6, 79, 80, 122–6, 203 Consumer credit laws 103–26 Consumer education 186, 189 Consumer protection 5, 80, 186, 187 Consumptive debt 60 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data 100 Cooperative associations or organisations 62, 63 Council of Economic and Financial Affairs (ECOFIN) 206 Council of Europe 100, 142 Council of Ministers 126 County court judgement 16, see also National court judgement Court administration order 16 Coverage 88 Credit application 10, 11, 152–3 Credit Bureau 3, 5, 11 Credit card(s) 10, 15, 63, 188–9 Credit history 11, 13, 14, 16, 17, 18, 22, 34, 36, 56, 183, 185 Credit Rating Agency 4 Credit rationing 32 Credit Registry 3 Credit report 2, 11, 13, 18, 19, 39 Credit Reporting Agency 3

Credit scoring 19–23, 38, 40, 82, 142, 167, 175, 183 Creditors’ rights 143 Crime, criminals, or Criminal law 25–6, 141, 145, 154, 189, 190 Cross-border exchange (of data or information) 77, 78, 81, 89–91 Cross-border lending 78 Culture 3, 5–6, 7, 40, 45, 47, 49–75, 77, 78, 79, 85, 143, 189 Customer care 42 Cyprus 70, 86, 103 Czech Republic 70, 86, 96, 104, 129 Data manipulation 88, 139, 142 Data mining 82, 88, 142, 183, 189 Data quality 88 Death 164 Debt collection 56, 81 Decree 16 Defamation 57, 190 Defence 141, 145 Denmark 70, 86, 97, 104–5 Department of Work and Pensions 28 Deutsche Bundesbank 91 Dignity 135, 139, 149, 215 Discipline device 14, 131 Disclaimers 57 Discrimination 32, 128, 132–4, 139, 182, 197, 223 Disproportionate effort 159 Distress 190 Divorce 169, 186 Dominant position 139, 193 Donne, John 149 Drinking habits 56 Driver and Vehicle Licensing Agency 28 Economic and Social Research Council (UK) 22 Economic sufficiency test 199 Economies of scale 87 Effet utile, see Useful effect Electoral roll 16 Electronic footprint 25, 27 Employment monitoring 28 Employment screening 28 England 28, see also United Kingdom Equal Credit Opportunity Act (ECOA) 65, 68, 94 Essential information 169 Estate agents 10 Estonia 70, 86, 105 Ethnicity or ethnic origins 155, 182

Index 241 Euro 89, 206 European Central Bank 90, 206 European Commission 124, 125, 151 European Convention for the Protection of Human Rights and Fundamental Freedoms 45, 100, 136 European Court of Justice (ECJ) 194–5, 199, 200 European Credit Research Institute (ECRI) 20, 21 European Parliament 126 European System of Central Banks 206 Exclusion 128, 132, 133, 137, 148, 182, 190 Expanding purposes see Secondary uses Failure 132 Fair Credit Reporting Act (FCRA) 41, 64–5, 68, 94 Fascism 136 Federal pre-emption 41 Federal Reserve Board 171 Fidelity cards see Store cards Finance houses 10 Financial capability 186, 187, 189 Financial connection 17 Financial forecasts 187 Financial supervision and regulation see prudential regulation Finch 4 Finland 70, 86, 97, 105–6 Ford, Henry 61 France 66, 68, 70, 80, 83, 86, 90, 97, 106, 202 Fraud 24, 145, 156, 157, 167, 188–90 Free market 42 Free movement of personal data 101, 102 Freedom 128, 135, 139, 140, 149, 160, 164, 179, 195, 196, 215, 223 Freedom of establishment 89, 93, 198–200 Freedom of expression 46 Freedom of movement 89, 93, 127, 198–200, 203 Freedom to provide services 200, 203 Freedom to receive services 200, 203 Gambling 56, 186 Gender recognition 128 General Motors 61 Geographical distance 79 Germany 41, 69, 70, 80, 83, 86, 90, 97, 106–7 Gifts 187

Gossip 51–3, 71, 133 Governance of power 205 Great Depression 61 Greece 69, 70, 86, 97, 107–8 Grey information 18 Guatemala 36 Harmonisation 47, 79, 89, 101, 122, 126, 154 Health 155, 169 High street retailers 10 Hire purchase 67 History 5, 47, 49–75 Home Office 28 Horizontal direct effect 146–7 Human right(s) 2, 41, 45, 72, 128, 136, 139–41, 147, 164, 177, 197, 204 Hungary 70, 86, 108–10, 129 Identifier(s) 173 Identity 132, 139, 156, 157, 215 Identity card (ID) 25, 28 Identity theft 25–7, 167, 189 Identity verification 25–6, 156, 167 Illness 164, 169 Immigrants 60 Inclusion 132, 133, 148, 197 Indebtedness 1, 29, 31, 83, 84, 91, 156, 157, 186, 187 Industrial organisation 77, 78, 79, 85–9, 126, 147, 151 Industry-specific legislation 75, 94, 127, 177, 197–8, 223 Inequality 182, 191 Inheritances 187 Innovation 193 Insolvency 23 Instalment selling 61 Institutional arrangements, framework or structure 3, 6, 73, 77, 81–5, 126, 147, 151 Institutional experimentation 56 Insurance 28, 186 Intelligibility 159 Interest(s) or interest rates 14, 24, 32, 53, 78, 79, 80, 84, 130, 169, 175, 184, 187 Inter-ministerial Committee for Credit and Savings (CICR) – Italy 213 Internal market see Common Market Internet service providers 10 Intimacy 139, 149, 169 Ireland 70, 86, 97, 110, Italy 7, 66, 70, 80, 83, 86, 90, 92, 97, 110–11, 202, 203, 213–24

242

Index

Jack Report 211 Jews 99 Job application 28 Job loss 164 Judicial proceeding(s) 132 Junk mail 197 Key Factor System 90, 92 Know-how 92, 193 Language 78, 79 Latin America 37, 41 Latvia 70, 86, 111–12 Lawsuits 57 Leasing 10 Legal Affairs Committee of the European Parliament 124 Legal certainty 142, 198 Legality principle 205 Lender (definition) 10 Letters of recommendation 54 Libel 57 Liberty see Freedom Lithuania 70, 86, 112–14 Loan accounts 15 Luxembourg 70, 86, 98, 114 Mail order accounts 15 Malta 70, 86, 114–15 Market governance 87 Marketing 12, 15, 24, 157, 167, 176, 186, 189, 193, 196, 197 Medical expenses 186 Mediterranean countries 68 Mercantile credit 53 Mercantile credit reports 35–36 Mergers and acquisitions 90 Micro-lending 35 Migrant(s) 198–204 Modern consumer credit 59–60, 69 Money laundering 25, 27–8, 95 Monopoly(ies) 87, 89, 126, 128 Monte di pieta 66 Monts-de-piétés 66 Moody’s 4 Moral hazard 1, 13, 14, 177 Mortgages 15, 84, 186, 187 Mutual cooperation 54 Mutual protection societies 54, 55 National court judgement 16 National directories 16 National Federation of Retail Credit Agencies 62

National supervisory authorities 147 Nazism 99, 136 Negative information or data 18, 34, 35, 61, 85, 133, 170, 174, 210–12 Neural networks 20 New York 55 Non-discrimination 93, 125, 127, 200–4 Northern European Countries 68 Notaries 52 Objective control system 80 Office of Fair Trading (OFT) 209 Off-white information see Grey information Oligopoly(ies) 89, 128 Omni-comprehensive law 94, 134 Opt-in 179 Opt-out 179, 193 Outsourcing 157 Over-indebtedness 1, 22, 23–4, 145, 163–4, 167, 184–8, 203 Paris 52 Passport Service 28 Passport(s) 28, 160 Pawnbrokers 59, 66, 67 Payment history see Credit history Penalties 184, 192 Personality right or interest 137, 143 Poland 70, 86, 115–17 Political opinions 155 Portugal 70, 86, 90, 98, 117 Positive information or data 18, 35, 38, 85, 133, 170, 174, 183, 184, 210–12 Prejudice 132, 149 Pre-screening see Screening Price 88 Privacy of communications 136 Private investigators 43 Private sector 139–41 Privilege 57 Privileged communication 57 Productive debt 60 Professional unions 82 Profile or Profiling 139, 182, 188, 187, 196, 197 Property prices 84 Property rentals 28, 186 Proportionality principle 168 Protestantism 68 Prudential regulation or supervision 4, 30, 46, 69, 74, 83–4, 96, 145, 163, 176, 204–8, 213

Index 243 Public Credit Registry (PCR) 4, 5, 36, 37, 38, 46, 69, 74, 81, 82–5, 90–1, 92, 123, 125, 145, 159, 161, 176, 204–8 Public function 83, 96, 127 Public information 16 Public interest 74, 85, 95, 163–4, 181, 205–8 Public Interest Research Group 171 Public safety 141, 145 Public sector 139–41 Race or racial origins 155, 182 Recession 187 Reciprocity 202 Reciprocity principle 12 Reform Treaty 137 Regulatory policy 37–40 Relevance 170–3 Religion 59, 66, 155 Rentals see Property rentals Reputation 14, 19, 26, 34, 35, 38, 42, 49, 51, 129–49, 183, 187, 190 Responsible lending 123–4, 125, 185 Returns on investments 187 Risk and instant society 142 Roman Empire 94 Romania 70, 86, 117–18 Rule of law 131, 133, 142–4, 149, 182, 190, 198 Rules of participation 83 Savings 187 School fees 186 Scientific research 159 Scorecards see Credit scoring Screening 10, 33, 34, 63, 196 Searches 16, 158, 180 Second World War 62, 69, 99 Secondary uses (of data) 12, 19–29, 46, 88, 166, 173, 175, 178, 184–90 Sectoral law see Industry-specific legislation Self-determination 72, 135–7, 140, 178 Self-employed 199 Sensitive data 154, 155 Sex life 155 Shareholders 81 SIA S.p.A. 213 Single market see Common Market Slander 57 Slovak Republic 70, 86, 118–19 Slovenia 70, 86, 119 Social acceptance 6, 75, 198 Social accountability 131, 132

Social control 51, 132, 148 Social equality 182 Social justice 3 Social relations 65, 131, 132, 141 Societal norms 6, 73 Socio-cultural diversity 75 Solvency 84 South America see Latin America Spain 69, 70, 80, 83, 87, 90, 98, 119–20 Standard & Poor 4 Standard terms of business 191 State security 141, 145 Statistics 19–23, 31, 159, 164, 169, 223 Stigma or stigmatisation 71, 73, 132–4, 149, 182 Stock market 187 Store cards 15, 193 Subjective control system 80 Subprime lending 24 Subscribers 84 Subsidiarity principle 144 Surveillance 132, 133, 140 Sweden 70, 87, 98, 120, 129 Switzerland 69 Tax evasion 95, 96, 99 Taxes 186 Technologies 138–9 Telecom 10, 28 Territorial privacy 136 The Netherlands 69, 70, 87, 98, 120–1 Third-country nationals 199–204 Torture 197 Trade credit history see Business credit history Trade Unions 155 Transient associations 18 Transparency 2 Trial 190 Trust 51, 130–4, 148 Trustworthiness see Trust Undemocratic regimes 39 Unequal bargaining power 191 Unilateral act 180 United Kingdom (UK) 7, 22, 25, 27, 28, 29, 54, 60, 66–9, 70, 80, 87, 92, 98, 121–2, 191, 202, 209–13 United States (US) 22, 35, 37, 38, 39, 40, 41, 45, 46, 50, 53–65, 94, 127, 140, 143, 171, 177, 198 Universal Declaration of Human Rights 136 Updating 170–3

244

Index

Useful effect 147 Usury 62, 68, 80, 182 Utilities or utility companies 10, 15 Utility bills 186 Vertical direct effect 146–7 Victorian era 59 Voters’ roll 16, see also Electoral roll

Wales (see United Kingdom) 28 Warren, Samuel 135 Water industry 29 White information see Positive information Word-of-mouth 54 Worker(s) 198–204 Working Group on Credit Registries (WGCR) 90 World Bank 14, 16, 31, 37, 38, 52