EU agency advises against using search & browsing history for credit scores

The European Union’s lead data protection supervisor has recommended on Thursday that personal data such as search queries & internet browsing history should not be used for the assessment of credit scores and creditworthiness.

The recommendation comes from the European Data Protection Supervisor (EDPS), an independent agency attached to the EU that advises policymakers “on all matters relating to the processing of personal data.”

“[T]he EDPS considers that inferring consumers’ credit risk from data such as search query data or online browsing activities cannot be reconciled with the principles of purpose limitation, fairness and transparency, as well as relevance, adequacy or proportionality of data processing. Therefore, the EDPS recommends explicitly extending the prohibition to search query data or online browsing activities,” the EDPS said in a document published on Thursday.

In addition, the agency advises that providers of financial and credit services should also not be allowed to use health data, such as cancer data, as well as any special category of personal data under Article 9 of the GDPR for the calculation of credit scores.

“Ensuring compliance with the principle of proportionality in the processing of personal data would also help protect consumers from being targeted at moments of vulnerability with unfair credit offers (for instance, high-cost payday loans),” the agency added.

The EDPS recommendations come after the European Commission has proposed revisions of two sets of EU rules on June 30, 2021, including an update to the EU’s older directive (2008/48/EC) on credit agreements for consumers.

Responding to a controversial IMF blog post

Of note is that while the EDPS recommendations touch on a large number of topics, the agency’s officials addressed the subject of using online browsing history for credit assessments for a reason.

Namely, the agency was addressing a controversial blog post from the International Monetary Fund, published last December, where IMF researchers argued that credit scores would be far more accurate if financial assessments would be enriched with nonfinancial data points, such as “the type of browser and hardware used to access the internet, the history of online searches and purchases.”

The IMF recommendation, which was universally panned and considered downright creepy, showed, however, the underlying fear of most of the banking sector—that they are losing ground to tech companies like Amazon, Facebook, and Google.

While the EDPS has no legislative role, the agency’s recommendations have been a major contributing factor to the core principles behind the EU General Data Protection Regulation (GDPR) and may signal that, at least the EU, is not ready for the surveillance nightmare future the IMF is apparently happy to embrace on behalf of its banking sector members.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Recent Posts

Group-IB helps Italian officials take down scammers selling COVID-19 docs via Telegram

Italian police announced that they had broken up a criminal gang selling hundreds of fake…

18 hours ago

US sanctions 28 quantum computing entities in China, Russia, Pakistan, Japan

The US Department of Commerce has sanctioned 28 organizations from China, Russia, Pakistan, Japan, and…

2 days ago

North Korean hackers posed as Samsung recruiters to target security researchers

North Korean state-sponsored hackers posed as Samsung recruiters and sent fake job offers to employees…

2 days ago

China’s top policymaking body charts plan for science and technology ‘self-sufficiency’

China's top leadership unveiled a plan for developing homegrown science and technology with an eye…

3 days ago

Israel restricts cyberweapons export list by two-thirds, from 102 to 37 countries

The Israeli government has restricted the list of countries to which local security firms are…

3 days ago

China agency tells Tencent their apps have to be approved before they go live or update

Chinese regulators have told video game giant Tencent that it will need to submit its…

3 days ago