EU agency advises against using search & browsing history for credit scores
The European Union's lead data protection supervisor recommended on Thursday that personal data such as search queries and internet browsing history should not be used for the assessment of credit scores and creditworthiness.
The recommendation comes from the European Data Protection Supervisor (EDPS), an independent agency attached to the EU that advises policymakers "on all matters relating to the processing of personal data."
"[T]he EDPS considers that inferring consumers' credit risk from data such as search query data or online browsing activities cannot be reconciled with the principles of purpose limitation, fairness and transparency, as well as relevance, adequacy or proportionality of data processing. Therefore, the EDPS recommends explicitly extending the prohibition to search query data or online browsing activities," the EDPS said in a document published on Thursday.
In addition, the agency advises that providers of financial and credit services should also not be allowed to use health data, such as cancer data, as well as any special category of personal data under Article 9 of the GDPR for the calculation of credit scores.
"Ensuring compliance with the principle of proportionality in the processing of personal data would also help protect consumers from being targeted at moments of vulnerability with unfair credit offers (for instance, high-cost payday loans)," the agency added.
The EDPS recommendations come after the European Commission proposed revisions to two sets of EU rules on June 30, 2021, including an update to the EU's older directive (2008/48/EC) on credit agreements for consumers.
Responding to a controversial IMF blog post
Of note is that while the EDPS recommendations touch on a large number of topics, the agency's officials addressed the subject of using online browsing history for credit assessments for a reason.
Namely, the agency was addressing a controversial blog post from the International Monetary Fund, published last December, in which IMF researchers argued that credit scores would be far more accurate if financial assessments were enriched with nonfinancial data points, such as "the type of browser and hardware used to access the internet, the history of online searches and purchases."
The IMF recommendation, which was universally panned and considered downright creepy, showed, however, the underlying fear of most of the banking sector—that they are losing ground to tech companies like Amazon, Facebook, and Google.
While the EDPS has no legislative role, the agency's recommendations have been a major contributing factor to the core principles behind the EU General Data Protection Regulation (GDPR) and may signal that the EU, at least, is not ready for the surveillance nightmare future the IMF is apparently happy to embrace on behalf of its banking sector members.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.