The rules on automated credit scoring in the EU are entering a phase of profound transformation. The European Court of Justice’s so-called SCHUFA judgment has significantly broadened the scope of Article 22 of the General Data Protection Regulation (GDPR), resulting in widely used scoring practices being placed under greater legal scrutiny.
At the same time, the EU’s AI Act introduces a parallel framework that classifies AI systems used for credit scoring as high-risk, imposing far-reaching compliance obligations. This dual regulatory regime creates overlapping – and at times conflicting – requirements for financial institutions, raising serious concerns about legal certainty, operational feasibility and the future of algorithmic innovation in credit markets.
This ECRI In-Depth Analysis paper examines the interaction between the GDPR and the AI Act in the context of credit scoring. It shows why relying on consent or contractual necessity under the GDPR could be challenging and argues that a sector-specific legal basis would provide a more stable and scalable solution. It also identifies ambiguities in the AI Act’s scope – particularly regarding what constitutes an ‘AI system’ – and calls for early supervisory guidance to prevent the overregulation of well-established statistical models and a possible increase in fragmented interpretation by EU Member States (and even within different authorities in the same Member State). Finally, it proposes practical steps to ensure effective coordination between data protection and AI authorities.
This ECRI In-Depth Analysis paper concludes that safeguarding consumer protection and enabling responsible innovation are not mutually exclusive goals, but achieving both requires targeted legal reform, interpretative clarity, regulatory coherence and harmonisation across the entire EU.
