Jusletter IT

The collection and analysis of credit information can be seen as a natural corollary of the development of the market economy. The rise of credit in the marketplace entailed a need to create services for lenders, services that, where information was concerned, tilted the relationship between lender and borrower in favour of the former.

The first systematic use of credit references is usually traced back to the latter half of the eighteenth century, with the practice then increasing in the nineteenth.¹ The path from this modest beginning to what today is a major commercial activity – one that in many countries serves purposes far beyond lending as such – has been an involved one. Similarly, the assessment of a person’s creditworthiness on the basis of a statistical analysis, typical in most countries today, has become a significant practice; here, too, we see an activity that is more than the mere collection and distribution of information.

Creditworthiness has become a general tool for assessing an individual. It is a measure that may have significant long- and short-term financial and social impacts. Accordingly, we must address the issue in terms of consumer policy and, more broadly, social policy as well. At the end of the day, the question is what assessment procedures we should apply. For present purposes, considering our topic, I will content myself with pointing out how complicated and problematic the assessment of creditworthiness is.

The growing international nature of credit references has prompted a need to harmonize practices and regulation globally.² Like other information, credit information – including that on private individuals – is needed as part of our changing economy and increasingly transnational activities. Sharing information – of almost every kind – is part and parcel of the new Network Society. From the legal point of view, we must take this seriously into consideration.³

We can most certainly describe the 1960s as the decade when the world slowly began to realize the need for personal data protection in contexts other than science fiction. The legislation to meet this need would, however, wait until the 1970s. Sweden can claim the honour of being the first country to enact a general data protection act, the datalag. The law was enacted in 1973 and came into effect in its full scope in 1974. At the same time, Sweden began drafting a Credit Reference Act, which also came into force in 1974, but is often – unfortunately – overlooked in the history of data protection legislation.⁴

As in the case of the datalag, the drafting work for the Credit Reference Act described how the increasing use of information technology posed threats to people’s privacy. In addition, it drew attention to the fact that the new Swedish legislation on openness made possible the extensive collection and use of data pertaining to individuals. The gathering of public information from different sources provided an opportunity to assess a person. Nordic openness had – and still has – its drawbacks when it comes to our right to privacy.

The European Personal Data Directive was adopted in October 1995. It has no special provisions on credit references. Partly for this reason, the interface between credit references and personal data protection has not always been noticed or remembered. Indeed, there is occasionally a failure to realize that Article 15 of the Directive applies expressly to credit references. The article in itself places significant restrictions on the automated evaluation of certain aspects relating to a person; it also mentions creditworthiness.⁵

What we see at work here is a general legal principle. But it also tells us of the concern voiced during the drafting of the Directive regarding the increasing automated evaluation of creditworthiness. When automated methods alone are used, there is a limit on how aspects of person may be evaluated. As information systems have developed, this has become an increasingly crucial consideration: Liberties that might be taken in information processing are restricted in order to protect the rights of the individual.

At this juncture, it is worth mentioning that the first case in Finland involving the automated assessment of individuals was a dispute concerning SMS loans. This is a type of credit that has rapidly become very common– and very problematical – in the country and that falls outside the scope of our credit legislation proper. The high interest charged on and collection problems associated with instant loans resulted in confusion over the legal issues they involve. Independently of this debate and given the lack of other legislation, the Data Protection Ombudsman noticed that loans were being granted through automated decisions without strong identification of the loan applicant. This was a violation of the Personal Data Directive and the Finnish Personal Data Act. Upon the application of the Ombudsman, the Data Protection Board, in its capacity as the highest data protection authority in Finland, prohibited this form of credit and the Supreme Administrative Court later took the same view. The Finnish Consumer Protection Act has since been amended to include an express requirement on strong authorization for applicants for credit in the case of SMS loans. The issue was seen as being a question of not only personal data protection but also consumer protection.

The new draft Data Protection Regulation of the European Commission does not specifically mention credit information and credit references.⁶ In fact, the word «credit» is nowhere to be found in the text. Information on a person’s financial status is nevertheless still unequivocally personal data. This being the case, the Regulation, if adopted as drafted, will also apply to credit references. It can be supplemented by special domestic laws on credit references and special provisions may be enacted at least for consumer protection and the banking sector.

To date such special laws are comparatively few, but a remarkable amount of other legislation can be found on the content and use of credit information in different situations, particularly in the area of banking. In addition, at the directive level, efforts are intensifying to provide guidance concerning the financial information that can be used when credit is being decided on.⁷ The regulation in this area is becoming fragmented and reflects a variety of objectives, but this should not be the case given that our aim is consistent personal data protection in the European constitutional state. Here we see an obvious challenge for the regulation of activities relating to credit references.

In recent years, the identities a person may acquire have taken on a heightened status legally. This is a natural aspect of the gradual development of the modern constitutional state. In the traditional administrative state, government shaped the identity of the individual as it saw fit. He or she individual was seen as being for administration and for society. Moreover, before the age of personal data protection, information could be gathered freely, even in the private sector. This was, as noted earlier, one of the key reasons why the 1973 Swedish Credit Information Act was enacted.

Today the situation is markedly different. We have progressed from the administrative state to the constitutional state. The importance of personal data protection has grown accordingly. The concept t is no longer novel and puzzling, nor is the term a misnomer.⁸ Personal data protection is an express European fundamental right. Any attempt to restrict it requires that a law be enacted for the purpose. And any such restrictions, in keeping with the modern conception of fundamental rights, must be set out in the most specific terms possible. Identities can no longer be created freely by the government or other parties as their desires and needs may dictate. It is first and foremost the individual, in keeping with the right to self-determination, who decides on his or her identity in relation to others. One of the crucial forms of the right to self-determination is and will continue to be informational self-determination.

Yet, in the Network Society it is easier than ever to create digital identities using the information that is available on information networks or in other sources. Where previously the industrious collection of credit information was a crucial element of credit analysis both operationally and financially, open information networks now offer a quick and cheap way to create identities. These may include financial information too.

The free creation of digital identities must necessarily be seen as a threat. Where credit information normally comprises official or other comparable, reliable information, there is generally no way of ensuring that content of a digital identity is correct. For this reason, the Finnish Act on Privacy in Working Life prescribes that an employer must first and foremost request information on job applicants from the applicants themselves. No information on an applicant may be obtained through searches of open networks without the applicant’s permission, and even where he or she consents, searches have to be restricted to information that is necessary for the task in question. Profiling via the Internet is forbidden in this situation.⁹ Credit information may only be requested from credit agencies in cases where the applicant is being considered for particular categories of duties that require special trustworthiness; these are set out expressly in the Act.

In an open society, everyone naturally has the right to freely create images of him- or herself. We can have different identities. Outside parties, however, may only have limited rights to create identities for another person that affect that person’s rights or obligations or to request personal data on another person that is not necessary for the intended use. An open society cannot be a society of monitoring and surveillance. This conception of the human being in the modern constitutional state was enshrined back in 1995 in the Personal Data Directive. It is prominently underpinned today in personal data protection, which enjoys the status of an express fundamental right in Europe and by all accounts will be further strengthened when the new European Personal Data Regulation is adopted.¹⁰ From the European point of view it is important to keep in mind that today the right to privacy and the right to data protection are different fundamental rights. Whenever we process personal data, we engage a fundamental right.

In my estimation, these crucial changes give good reason to reassess the significance of information on an individual’s financial status as personal data¹¹. The conventional distinction between ordinary and special (confidential) information which was adopted in the Directive leaves no room to accord special status to financial information. This information has thus been considered ordinary information, and this is the case in the Commission’s draft Regulation. Although we can describe the human being in the Network Society, with all of his or her financial commitments, as homo economicus, this fact is – at least partially – obscured in the Regulation. The grounds for the Regulation highlight the development of online trade but give little attention to the financial status of the individual.

Where the rights of the individual are concerned, it would, in my view, be better-advised to think of a new tripartite classification of personal data. This would mean enacting separate provisions on information pertaining to individuals’ financial situation, on the one hand, and on confidential information proper, on the other. In this classification, information on income, debt and payment defaults, as well as on guardianship, would form a category requiring special regulation of its own. This would then be reflected in special laws in the areas of credit information, consumer protection and banking. In this way, it would be possible to reduce the fragmented, disparate use of financial identification information on individuals. The importance of personal data protection would be further strengthened, better corresponding to the standard required by the other developments towards the constitutional state.

There are a variety of registers that have long formed a key element in the development of administration. Government gathers and processes information on citizens, ownership, infrastructure and organizations. For example, in Sweden-Finland the comprehensive registration of the population began back in the eighteenth century. Today the number of extensive registers for various purposes – from the census system to motor vehicle registers – is substantial.

In Finland some of the comprehensive national registers have come to be called «basic registers».¹² The idea behind this designation is that they provide information on the basic units of society that is as comprehensive as possible. These units are individuals, real property, buildings and judicial persons. The information in these registers forms society’s main store of basic data. These registers are supplemented by various extensive sector-specific registers maintained by the government, such as the motor vehicle register, pension register, patient information registers, as well as the registers of the tax administration. What these have in common is an indisputable societal significance. And, as a rule, they are maintained by the government.

In the digital network society, the significance of basic registers and of other national registers is increasing constantly both in principle and in practice. As part of the development of modern information government, ways of using the registers must be found which are flexible and entail as few administrative burdens as possible. The basic registers can no longer be separate registers that primarily produce paper documents. In this vein, the open data approach rather recently adopted as an objective in Europe urges that regulation and information systems be designed to better take into account the fundamental rights of individuals.¹³ We are no longer dealing merely with the long-disputed recycling of information gathered by the government, but rather with the broader issue of how registers could and should be used.

We would do well to ask which registers deserve particular attention as basic registers or registers of comparable status. This question necessarily prompts us to consider the significance of credit registers. Given the need for credit available and the extent of lending, credit registers become extensive personal data files – particularly when they contain positive information, that is, more than just a record of payment defaults.

If, as is the case in many countries, a lender is given the right to know the overall financial status of an applicant for credit and is thereby provided with information on the credit granted the applicant by other lenders, credit registers are ultimately comparable to basic registers. They are societally significant registers, ones that provide extensive details of an individual’s financial identity.¹⁴

In this perspective, it is worth reflecting on whether credit information should be seen as constituting a basic register which the government should be responsible for maintaining, directly or indirectly, and which should thus be legislated in detail. This idea in itself is not a novel one. In many countries, the central bank, for example, maintains credit registers and in this respect they are public registers.¹⁵ They are considered primarily as relating to systems of credit institutions. A more novel approach would be to create a comprehensive picture of the use of credit information for different purposes and to manage the register or registers with a broader purpose in mind.

If this approach were taken, it would clearly be possible to reduce the risks that are necessarily associated with loosely guided lending. At the same time, a credit register would serve to prevent individuals incurring excessive debt. In other words, such a register would have a range of functions. In fact, the World Bank has noted that credit information systems have become well established as part of the economic infrastructure¹⁶. Like other key infrastructures, a credit register should have adequate regulation. To date, however, we have lacked a shared conception of how information infrastructures are to be regulated. Rectifying this shortcoming is of crucial importance in the modern network society which we see in the constitutional state.

Credit reporting has traditionally been primarily a commercial activity. This is natural. There has always been a need for credit information as added value in business, initially and primarily in the operations of credit institutions. Moreover, one should also bear in mind the long history of credit references as a background factor in commerce.

Even back when the Swedish Credit Information Act was enacted, the drafters of the law addressed the question of how the provision of credit references should be regulated. They concluded that it would be regulated and made subject to a licence, but that no one would be given an exclusive right to the activity. Accordingly, Sweden has several significant companies engaged in providing credit references. Oversight of this activity is the responsibility of the Swedish Data Inspection Board.

In Finland, too, credit references are regulated by law. While they are not subject to licence, starting up such a service always has to be reported to the Data Protection Ombudsman. Moreover, the limits of the activity are comprehensively regulated in the Credit Information Act. It is a special law for personal data protection which sets out the permitted activities and their scope. Other special laws, such as the Act on Privacy in Working Life, also have provisions on what credit information may be used for in addition to considering applications for credit.

The boundaries thus drawn between different activities have been tested in the courts. The Data Protection Board and, following an appeal, the Supreme Administrative Court refused to grant a collection agency the right to hand over information it had for purposes of a credit reference even where the debtor requested that the agency do so (FHO:2011:16). This decision visibly reflects the clear lines of demarcation that have been established in the present regulation on credit references. An individual’s right of self-determination is restricted where there is reason to suspect that there is an imbalance between the parties to a contract.¹⁷ Here we can see the central principles of contract law and personal data protection converging.

A look at credit references in terms of the Network Society, the constitutional state and the new information government – which I have described above – indicates that there can be no obstacle to providing credit references as a commercial activity. A monopoly would be an alien notion in this line business. Equality among those using credit information and an information balance among different actors can be implemented even in a commercial context. And it does not necessarily require a system of licensing. It is sufficient to regulate the processing of credit information with the same precision as is applied in and required by personal data, whose protection is a fundamental right.

It is a different matter that if we view credit information registers as comparable to basic registers and their maintenance as the responsibility of government, this would necessarily change the nature of credit references as a commercial activity to some extent. This would be particularly the case with actors who have extensive registers that were compiled before any such change. Similarly, it would become essential to consider what information a credit reference provider could add to information obtained from basic registers. In the final analysis, the central element where credit references are concerned is the further processing of information by downstream users and the development of methods to assess creditworthiness. I will not take up these questions in any more detail here, however.

Information security figures prominently as a structural factor in the Network Society and in information government. The Network Society cannot function without solid information security.¹⁸ We have begun to realize this in practice - but only in recent years - as a result of numerous negative events. Progress has been slower on the levels of regulation. Most countries still lack general information security legislation and the EU Network and Information Security Agency (Enisa) was originally established on a temporary basis - albeit for largely political reasons. Information security is also one component of public security.

The Personal Data Directive brought with it an information security provision on the processing of personal data that was intended to have broad application. The message it conveys is clear enough: Information security must be ensured in all processing of personal data and the protection of our personal data cannot be implemented without appropriate information security. Yet, as the provision is based on the principle of proportionality and allows the controller itself to decide on the appropriate level of information security, its impact in practice has remained slight. With regard to credit references, the Finnish Credit Information Act today has a special information security provision, but in keeping with the soft principle of proportionality, its content is not particularly precise.

When and if we adopt a new attitude towards credit information as information that lies at the core of our fundamental rights and view the credit information system as a significant infrastructure, we will no doubt see new requirements emerge where information security is concerned. When this happens, in my view, not even the more precise provisions found in the new draft Personal Data Regulation will be enough.¹⁹ What we need are more precise standards and obligations when it comes to information security in the processing of personal data.

In describing and assessing credit reference systems, it has become customary to make a fundamental distinction between positive and negative credit information. A system of positive credit information contains not only information on payment defaults but also on the person’s general circumstances, finances, financial history and financial activities. This is used to form a comprehensive picture of his or her creditworthiness. A system of negative information is restricted to information on payment defaults. In practice, such information limits a person’s creditworthiness.

The vast majority of the credit information systems in use in Europe today include positive information. Finland is one of the rare countries where credit information is limited to information on payment defaults. A vote was taken on this matter in the Personal Data Committee in 1997, when the Personal Data Act was being drafted as part of implementing the Personal Data Directive. The approach allowing the inclusion of loan information was winning, but only by the slim margin of the vote of the chair of the Committee. Numerous objections to the committee report were submitted by the members emphasising that implementation of the Directive should not weaken domestic personal data protection. In the subsequent government bill brought before Parliament, the matter was not any more taken up. Finland was keeping the old solution remaining a country where credit registers were confined to negative credit information.

Later, in enacting the present Credit Information Act in 2007, Finland joined the rather small group of countries internationally in which the processing of credit information is regulated by a personal data act as a general law and a credit information act that complements this as a special personal data protection law.²⁰ Even with this legislative arrangement, the old model confining credit information to negative information was retained. The justification for the decision cited the difficulties in making a new system comprehensive enough, the costs of establishing such a system and uncertainty regarding its impacts.

At present, I am a rapporteur appointed by the Finnish Ministry of Justice to assess whether we should adopt a system of positive credit information in the country. This task is in keeping with the Government Programme. In my view, this reflects the societal significance of credit information systems and the heightened international dimension of the sector. Recent years have seen a great deal of activity in this area around the world. Our situation back when the Directive was being implemented was different to some extent.²¹

The line between positive and negative credit information is actually rather clear. Negative information consists of information on payment defaults and information directly connected with this. In this light, the most significant questions where regulation is concerned are time limits and drawing the line regarding the nature of defaults. Positive credit information - in general terms – comprises details of a person’s financial status and how he or she has managed his or her financial affairs. The basic question in legislative terms is what can be considered positive information and what information can be added to this later.²²

Even these general characterizations show that that we are not facing a simple choice between two straightforward alternatives. If negative credit information is supplemented by positive, we immediately run into a severe problem of definition. We have to ask what positive information is needed for a reliable description of an individual’s financial identity. Here we are dealing with the concept of credit information.²³ It is not, however, an independent or sector-specific concept. In terms of fundamental rights, of course, the objective must to define the smallest possible amount of information needed; this is dictated by the general principle of personal data protection. In terms of the acquisition of information, we are talking about profiling, on which the new Personal Data Regulation takes a negative view.²⁴

This problem was and is topical, for example in drafting the Directive on credit agreements relating to residential property. In that instrument, according to the Commission’s original proposal, the Commission would have the authority to stipulate through lower-level provisions the scope of the credit information that could be used.²⁵ In Finland, as part of the revision of provisions on SMS loans we are extending the obligation of the lender to ascertain the applicant’s financial status such that the obligation to do so may involve positive information as well. Both of these proposals are very problematic where fundamental rights are concerned.²⁶

Another problem, naturally, is where and how this information can be obtained. Financial conglomerates are a fairly simply solution technically, but they would only be a small part of the whole and even with them it would be necessary to change the boundaries of confidentiality. At the end of the day, a reliable and sufficiently expansive arrangement would require establishment of a new, uniform data store and regulation of the related telecommunications, or meticulously regulated joint use of a data store with many components and opening up new risks.²⁷

In many activities, information has often remained no more than raw material. Often what has been considered important is that this raw material should be cheap. The discussion of re-use and open data that has sprung up in recent years clearly reflects this attitude.²⁸ Occasionally the principle of the free flow of information as a significant societal principle has been overlooked.

In legal and governmental circles, decision-making has long been dominated by a document-oriented mentality. Decision making as a procedure and the resulting documents are viewed as being more important than the information processes on which the decision making is or should be based. Lawyers have not been so interested in knowing how information sources are created.

However, as society changed – first into an information society and further into a network society – the attitude towards information and how it is transmitted and used has slowly changed and continues to do so. There have been various reasons for this development.

In the area of economics, the research on asymmetric information and the Nobel prizes awarded for it have no doubt accelerated developments.²⁹ The idea of a balance of information vis-à-vis asymmetric information has become a routine way in research to examine the different impacts of information on the market.

Similarly, research in administration on information guidance has become an important topic. And in Legal Informatics, as one of the key areas of research in the field of law, we examine law in very great measure indeed in terms of information processes and the path of information. This is essential if we are to reduce gaps and unpredictable outcomes in the realization of our rights when designing and using information systems. An optimal information balance is one of the main goals when thinking about most legal problems and tensions. When we look at credit information and credit information systems, it is straightforward and simple to observe that their significance in society has changed. Changes in the economy necessarily create pressures to be able to more extensively and more reliably ascertain a person’s financial status in different situations. In the business world, these pressures relate to both the functionality of the marketplace and the management of risks. Yet, the needs of credit institutions are but a small part of the whole picture. Among other things, that picture includes the need to know in different situations information about the financial status and financial history of people who are being considered for different tasks. And it includes many other situations in which an individual’s financial identity is seen as being significant.

The era when credit information could be freely gathered, distributed and used is over, however, particularly where Europe is concerned; as a matter of fact, it has been over for a long time already. The beginning of personal data protection in the 1970s was only one milestone in the development. We are living in a society of increased and increasing regulation. And if we think of legislation, we cannot confine ourselves to the interests of the financing sector, consumer protection and the labour market. The principal focus in the constitutional state is fundamental rights. As personal data and a as a matter of the right to privacy, information on a person’s financial status and how this status has developed enjoys the protection accorded fundamental rights. We cannot gather information on or profile individuals at will.

In the developing constitutional state, this protection must be strong. Interfering in a person’s fundamental rights requires well-justified, precisely defined regulation. In every case, the identity of an individual is involved. A debtor identity could, if its creation were free, cause significant and often long-term detriments, ones that might be very difficult to remedy. For this reason, it would be important to elevate the status of credit information to the category of personal data requiring regulation. This change would be part of the realization of the importance of the new information justice in the Network Society. Well-regulated and well-organized credit reporting could be one part of the new active justice.

A society of increasing regulation has sometimes been called an artificial society. This no doubt the case in quantitative terms, but it is also true when regulation is fragmented, for example, among sectors. Requirements should be set for regulation that is enacted at different times in different ways and with different starting-points as regards the implementation of people’s rights in the constitutional state. This simple observation also applies to the regulation of credit references and the collection, distribution and use of credit information. The existence of a large number of partially conflicting pressures for change creates a situation where the significance of credit information and the regulation pertaining to such information must be considered as a broader whole. We need to develop general doctrines relating to the emergence, processing and effects of a debtor identity.

Here, one of the key issues to consider is whether the basic registers of society can or should include a uniform, precisely regulated data store of credit information. The issue is thus one of the development of modern information government and its suitability for the needs of the market and administration. On a general level it is clear than monitoring of a person’s debt and the assessment of its importance are essential. But this does not require information on the level of the individual. In contrast, prevention of excessive debt by using credit information is justifiable even on the level of the individual. Yet it does not as such justify slighting the protection of personal data protection. Fundamental rights are central guarantees of legal welfare.

One thing we must do is to establish a shared understanding of the purposes for which credit information can be released and in what form. This being the case, the principle of necessity and the principle of minimal interference – as legal principles which guide the processing of personal data – will play a central role. Merely speaking on a general level about the principle of proportionality exposes us to risks that jeopardize the rights of the individual.

It is only after considering these matters that we will have a sounder basis for determining what information on individuals and their status may be processed as credit information. The issue thus involves much, much more than a simple line of demarcation between positive and negative credit information. In the final analysis, but only as the last consideration, we must address the question of the economy of information.³⁰ This means asking what costs and administration burdens are involved in building a functioning, modern credit information and system. The matter seems simpler than it is. This problem cannot be explored in detail in this paper. Personal data protection always has its price – even in the Network Society.³¹ Credit reporting must be based on the modern human and fundamental rights. Financial effectiveness is only one element in the wholeness.

 

---

 

Ahti Saarenpää, Professor of Private Law, Director of the Institute for Law and Informatics.

 

---