Austrian Supreme Court asks EU’s top court to clarify rules on automated credit checks
The Austrian Supreme Court has asked the EU’s top court to clarify whether online retailers can legally use automated credit checks to limit customer payment options without violating data protection rights. The case centers on whether such decisions—like refusing installment payments based solely on algorithmic scoring—significantly affect consumers under Article 22 of the GDPR. The outcome could set a major precedent for how e-commerce companies across Europe use automation in financial decisions.
The Austrian Supreme Court (Oberster Gerichtshof) has asked the Court of Justice of the European Union (CJEU) to clarify how EU data protection laws apply to automated decisions made by online retailers about customer payment options. This comes as part of a legal dispute between Austria’s main consumer protection association and a national mail-order company.
The case in brief
The Verein für Konsumenteninformation (VKI), a consumer protection body, sued an Austrian online retailer for automatically restricting customers’ ability to pay by invoice or in instalments if their creditworthiness was deemed insufficient. These decisions were made without human input, based on automated scoring systems or negative responses from a credit agency.
Instead of rejecting the order, the retailer would only allow payment by credit card or PayPal. VKI argues that this practice violates Article 22 of the EU General Data Protection Regulation (GDPR), which gives individuals the right not to be subject to decisions made solely by machines that significantly affect them, unless certain conditions are met.
What the court wants clarified
The Austrian Supreme Court has paused its proceedings and sent several questions to the CJEU to determine whether the retailer’s actions are lawful under EU data protection rules. The key issues include:
- Does limiting payment options count as a serious decision?
The court wants to know if refusing invoice or instalment payments—while still offering other payment methods—has a ‘legal effect’ or ‘significant impact’ under Article 22 GDPR. - Is the automated decision truly necessary for the contract?
The court is asking if such automation is essential to fulfilling the contract or if the company could reasonably provide a manual review instead. - Are the scoring methods appropriate and fair?
The justices want guidance on whether the data used to judge a customer’s credit risk (such as address, age, and type of goods ordered) must be proven to be objectively suitable, and who is responsible for proving that. - Should the company offer human review options?
Even if automation is used, does the company have to provide an easy way for customers to challenge the decision and explain their situation?
What’s at stake
The outcome could shape how companies across Europe handle automated decisions in online transactions. Many retailers use similar systems to protect against non-payment, but this case asks where the line should be drawn between operational efficiency and consumer rights.
Until the EU Court responds, the Austrian case will remain on hold. The answers could impact not only this company but also broader industry practices in credit checks and automated decision-making under GDPR.
