The Right to Respect for Private Life vs Credit Risk Assessment

Premessa: tale scritto, a cura di Loredana Ionchese, fa parte del Legal Research Group di ELSA Napoli intitolato “Right to private life: challenges and perspectives” organizzato da ELSA Napoli e curato da Francesco De Santis (professore di diritto processuale civile e procedure di tutela internazionale dei diritti umani presso il Dipartimento di Giurisprudenza dell’Università di Napoli “Federico II”).

Summary: 1. Introduction 2. Right to private life and privacy. Bank secrecy. Bank information. 2.1 The concept of privacy. Banking documents as personal data within the meaning of Art. 8 ECHR. 2.2. Brief remarks on the historical evolution of bank secrecy regimes.2.3. Abuse of secrecy and interferences in individuals’ privacy. 3. Credit risk assessment. 4. GDPR and protection of data. 5. A case-study: the illegal report on Credit Information Systems in the Italian Legislation. 6. Conclusion.

1. Introduction

This article aims to analyse the relationship between right to respect for private life and credit risk assessment.

First of all, a precise analysis of Article 8 ECHR is fundamental, especially in order to scan the different meanings of the wording « right to private life ».

Actually, as it will be explained through this present analysis, Article 8 ECHR declines private life under different aspects, from physical to moral integrity, to privacy.

For this reason, the next paragraphs will provide an overview of the general principles of the right to private life and privacy, by focusing especially on the terms and conditions of the data flow. Moreover, a special focus on bank secrecy will be taken into consideration, starting from a look at the former legislations up to the present regime. Indeed, the special bond between privacy and bank secrecy will be considered in order to prove that bank documents of a person can be deemed part of their private life as well, as far as they contain sensitive information (Section 2 and its Sub-sections).

Furthermore, understanding which type of data can be collected by the financial institutions is very important, so the principles of credit risk assessment will be explained to prove that banks have to deal with a very significant amount of data in order to grant a mortgage or a loan (Section 3). Then, the paper will offer a sketch on the sanction regime (Section 4).

Eventually, a case-study will be presented, regarding illegal report on Credit Information Systems in the Italian Legislation and its consequences according to Italian laws and decisions (Section 5).

2. Right to private life and privacy. Bank secrecy. Banking information.

 Private life is a concept incapable of exhaustive definition, as the European Court of Human Rights has frequently remarked.

The notion of private life is not limited to an “inner circle” where individuals decide to live by excluding the outside relationships[1]. Given the very wide range of meanings that private life can embrace, cases falling under this notion have been grouped into three main categories: a person’s physical[2], psychological or moral integrity[3], their identity[4]  and their privacy [5].

It is very important to understand which information stand under the concept of privacy, in order to acknowledge what type of data need owner’s authorization in order to be processed or simply collected.

With respect to surveillance and the collection of private data by agents of the State, the Strasbourg Court said that “such information, when systematically collected and stored in a file held by agents of the State, falls within the scope of ‘private life’ for the purposes of Article 8 § 1 of the Convention. That is all the more so in the instant case as some of the information has been declared false and is likely to injure the applicant’s reputation”[6].

Particularly, if a public authority stores any kind of information relating to an individual’s private life, this situation falls under the scope of Article 8, especially where such information concerns a person’s distant past. Furthermore, “in determining whether the personal information retained by the authorities involves any of the private-life aspects … the Court will have due regard to the specific context in which the information at issue has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained”[7].

Regarding the context where information is acquired, in cases related to suspected terrorists, the Court has stated that States have a wider margin of appreciation, especially with regards to storage of information of individuals involved in past terrorist activities[8]. The Court has also found that recording and retaining basic personal details concerning the arrested person or even other persons present at the time and place of arrest falls within the legitimate bounds of the process of investigation of terrorist crime for the competent authorities [9].

• The concept of privacy. Banking documents as personal data within the meaning of Art. 8 ECHR.

Against the above written definitions, the analyse of whether banking documents can be considered as personal data is fundamental: for this reason, the deep meaning of “privacy” has to be explored in order to conclude that banking documents are related to it.

The concept of privacy, as seen through the lens of the case of the European Court of Human Rights and the EU Court of Justice, , has developed during the past decades, also thank to the interpretation of scholars.

In fact, privacy is considered «In terms of citizen’s ability to regulate information about themselves, and thus control their relationships with other human beings, such that individuals have the right to decide when, how, and to what extent information about them is communicated to others».[10]

The protection requirements are increased with the spread of computers capable of processing, cross-referencing and updating millions of personal data of people quickly and at cost. The advent of technological innovations and their interaction with the private life led legal scholars to analyse new dangers that may affect the private sector and, therefore, to adapt its protection instruments. It means that every element of reality, in fact, is represented not in paper form, but in data form. Nowadays, original data are digitalized and the costs of dissemination are identical for all, consequently the world of communication is submerged by data accessible by anyone anywhere.

The collection, processing and storage of the data found, systematically crossed and organized, allow to reconstruct habits, tastes, and preferences of consumers to whom the companies of marketing may offer the tailored products and services.

In Germany, for the first time in 80s, the need to protect the right to informational self-determination emerged[11]: the right to choose information which can circulate became a priority and it was read as a real and tangible right. Thus, this need for protection receives concrete form by the use of the concept of privacy, which is enriched with the meanings of data protection or control of information about oneself.

At the beginning, the concept of privacy included the highly individualistic view as a claim to the separation of the individual approach from the collectivistic one: in those terms, privacy was intended as any good that the owner had the right to enjoy exclusively, and that the same could defend using the repressive protection and sanction enshrined by law in case of injury.[12]

The strict link between the person and their private sphere has gradually attenuated with the advent of information technology. At the same time, the concept of ‘private sphere’ has been gradually extended, and now includes situations and interests previously excluded from the area of specific protection.

The concept of ‘private sphere’ projects itself far beyond the mere identification of a subject and its reserved behaviour. We can thus define the private sphere as that set of actions, behaviours, opinions, preferences, personal information on which the individual intends to maintain an exclusive control. The interest is no longer in keeping secret profiles, as a possible response to the massive dissemination of information conveyed by online networks, stored by public or private databases. Indeed, as the ECtHR has consistently held speaking about private life intended as privacy “the concept of private life extends to aspects relating to personal identity, such as a person’s name, photo, or physical and moral integrity; the guarantee afforded by Article 8 of the Convention is primarily intended to ensure the development, without outside interference, of the personality of each individual in his relations with other human beings. There is thus a zone of interaction of a person with others, even in a public context, which may fall within the scope of private life” ^[13]

In applying this principle, the Court has explained that “there are a number of elements relevant to consideration of whether a person’s private life is concerned by measures that take place outside a person’s home or private premises.”

The definition of privacy, intended as control of information about oneself, highlights the new feature of giving the parties concerned the power of autonomous control, which implies the provision of a right of access, in accordance with the provisions of the laws on data protection.

Actually, the respect of privacy and the concept of privacy as a right to protect, is a goal which has been acquired progressively during the decades.

The first comprehensive national data privacy law was the Sweden’s Data Act in 1973.Thanks to this act t the very first basic set of data privacy principles was implemented.

From April 2016 the development of data privacy laws has spread globally and fast especially if compared to the period started in 2000.

Before analysing this global growth, the meaning of ‘data privacy law’ should be clarified.

After that first attempt, privacy principles were elaborated more accurately by the OECD Privacy Guidelines of 1980 (the OECD Guidelines)[14] and the Council of Europe (CoE)[15] Data Protection Convention 108 of 1981 (Convention 108)[16].

In a comparison survey of all around the world countries’ data laws, it has been reported[17] that a data privacy law must include, as a minimum, access and correction rights (individual participation), some ‘finality’ principles (limits on use and disclosure based on the purpose of collection), security protections and, overall, at least eight of the ten principles already identified before.

The minimum standard for a data privacy law should also require, according to this opinion, some methods of officially backed enforcement (i.e. not only self-regulation). The most recent analysis carried out by the University of New South Wales, Faculty of Law (February 2015)[18] showed that the number of countries embracing these requirements had expanded by 10 to 109 since 2013.

Furthermore, after the development of the OECD Guidelines, the EU Data Protection Directive 95/46/EC[19] incorporated the previous principles, and developed new ones that may be found in national privacy laws: data export restrictions based on destination; minimal collection; ‘fair and lawful processing’; ‘prior checking’ of some systems; deletion; sensitive data protections; automated processing controls and direct marketing opt-out.[20]

All this considering, according to ECHR banking documents amount to personal data concerning an individual, as they usually contain sensitive information[21] concerning jobs, bank accounts, addresses, salaries, banking movements, or also budgeting situations and saving schemes. Furthermore, any individual has the right to ask the bank to access their banking documents, which confirms the strict relationship between privacy and banking documents.

2.2. Brief remarks on the historical evolution of bank secrecy regimes.

 Against this general perspective, it is fundamental to evaluate the general principle of banks all over the world, which is the respect of « secrecy », since it may be seen as an efficient way to protect customers’ banking documents and banking information, even if this is not always the case.

Bank secrecy or bank confidentiality consists of a legal obligation not to disclose customer information, with the consequence that banks cannot reveal the state of a customer’s account or information knew during a customer’s banking relationship.

The duty to keep customer information confidential affects banks on a daily basis. Bank secrecy regimes differ around the world and multinational banks can find themselves in conflicted positions with a duty to protect information in one jurisdiction and the opposite duty to disclose them in another.

During the 19th and the first half of the 20th centuries, public Authorities were not as sensitive as they are nowadays about the issue of bank secrecy, which usually was seen as a general principle that regulated the relationship between bank and customer.

The leading case in common law experience was certainly the Tournier’s case[22], which recognised that, in certain circumstances, the bank was entitled to divulge customer information, inter alia when such disclosure was ordered by a court or was needed or required in the bank’s own interest.

In many civil law jurisdictions, the issues related to bank secrecy were dealt with in specific statutes. These too were concerned mainly with the confidential nature of the relationship of banker and customer.

After the Second World War, the perception of bank secrecy changed drastically. Contributing factors of this change have been considered noteworthy.[23]

First, ever since the Bretton Woods Regime of 1945, Countries started to revoke exchange control laws. The United Kingdom, for instance, repealed the Exchange Control Act 1946 in 1980. Inevitably, the increase in remittances meant an increase in money laundering, especially in some sector, such as art market.

The second contributing factor was the internationalisation of the banking sector: lots of local or domestic banks have turned themselves into international banking institutions and have been engaged in retail banking in foreign Countries. Consequently, customers could move with no rules among not only offices all around the world, but also among different jurisdictions. In this context, money laundering was highly facilitated because of the easy mobility.

The third factor that has led to a change in approaches to bank secrecy is the rise of the web. Most banks acquired their own computer (or IT) facilities. In turn, this led to the advent of electronic banking and speeded up the decline in branch banking, and it also caused the very actual development of phishing, identity theft, and computer frauds.

On one hand the abuse of secrecy had led banks to facilitate the commission of crimes, on the other hand it became necessary for States to protect customers’ data from illegal use, especially when data were not implied in elusion of the laws.

That was the reason why legislators and judicial authorities started to be so sensitive about the problem of colleting data and the privacy protection, and have decided to approach them in a more secure way, trying to balance the importance of protection of one’s private life and the respect of laws[24].

Indeed, when secrecy is related to the protection of personal data, secrecy has to be protected and guaranteed to the benefit of the concerned person.

In fact, in order to respect bank secrecy and personal life, the Strasbourg Court has stated that personal bank account can be overviewed only after the authorization of the jurisdictional authority.[25] Particularly, the interference can be approved only if it is necessary in a democratic society, or in other words proportionate to the legitimate aim pursued. If these conditions are not met, the Court finds a violation of Article 8 ECHR and may request the State to pay non–pecuniary damage.

2.3. Abuse of secrecy and interferences in individuals’ privacy.

Respect for privacy has become a significant problem among the banks, but the obligation not to reveal sensitive data may extend, in some national jurisdictions, beyond banks to cover also other types of financial institutions, as it happens in Italy, where privacy needs to be respected among all the different financial intermediaries.

In the case M.N. and Others v. San Marino[26], the European Court of Human Rights considered that information retrieved from banking documents undoubtedly amounts to personal data concerning an individual, irrespective of it being sensitive information or not. Moreover, such information may also concern professional dealings and there is no reason to justify the exclusion of activities of a professional or business nature from the notion of “private life”, and more specifically of “privacy”.

It further noted that the storing of data relating to the “private life” of an individual constitutes interference for the purposes of Article 8 irrespective of who is the owner of the medium on which the information is held.[27] In particular, both the storing and the release of information related to private life, coupled with a refusal to allow an opportunity to refute it, amounts to an interference under Article 8 ECHR.

In the examined case, the applicant suffered an interference with his right to respect for their private life and correspondence. The Court considered that copying constitutes a way of acquiring and therefore seizing data irrespective of the fact that the original medium may have remained in place. Furthermore, the copying entailed the immediate and independent storage, by the authorities, of the data at issue.

In conclusion, in the case at hand, the Court concluded that banking data (retrieved from bank statements, cheques, fiduciary dispositions and emails) should be considered as falling under the notion of both “private life” and “correspondence”. Consequently, the storage of such data by the authorities, may constitute an interference for the purposes of Article 8 ECHR. Eventually, the Court requested the award of compensation for economic and non-economic damages for improper use of personal data by the bank.

3. Credit risk assessment.

The present paragraph aims at analysing the information acquired for customer credit risk assessment and the consequences for one own’s privacy in case of illegitimate use of these data.

Credit risk assessment commonly depends on credit scoring models based on credit industry, which is widely used to evaluate the default probability of an applicant. Nowadays, its economic importance is confirmed not only due to the increasing volume of individual unsecured loans, but also because of the growing probability of default risk.

The subprime mortgage crisis in 2008 is one example: the massive loss from the economic crisis caused alarm among financial institutions and professionals. The high rate of non-performing loans (NPL) has been considered – and it is still now – a universal problem. Taking China as an example, the number of bad loans is a rising trend at 1.67% by the end of the fourth quarter of 2015, based on the China Banking Regulatory Commission’s (CBRC) report. [28]

Credit risk assessment is used to classify the applicants into two types of groups: default and non-default. Then, the evaluator (normally a computerized system – even if with the supervision of a credit risk advisor) may decide to reject the loan application or to approve it. In the domain of individual credit risk assessment, practitioners and researchers use applicants’ personal socio-demographic information (such as age, gender, job, income) and loan application information (such as loan purpose, loan amount, and loan type etc.) to differentiate who would bankrupt or fail to pay back the loans. Individual socio-demographic information and loan application information have shown to be very important in evaluating a person’s credit risk status. Dynamic transaction history is also a very meaningful indicator of people’s financial behaviour. An applicant’s transaction history (which can be acquired from the applicant’s debit cards, credit cards, passbooks, and other accounts etc.) shows the applicant’s dynamic financial status and personal transaction behaviour: lack of funding, history with the bank, choice of way of payment (withdrawn on bank account), can actually have a very significant impact on the choice of bank to grant a loan or a mortgage.

Talking about Credit Risk Assessment, the authors interested in the subject have talked about the “5 c’s parameters”[29].

The first one is “Capacity”, which consists in the ability to repay liabilities out of income. The second one is “Capital”, which includes the financial resources available to meet commitments: they could be considered for one single person or as family; it is followed by the “Conditions”, that show how the current environment may impact upon the enterprise or the human being, in terms of whether competition, economic position, industry, or other factors. Another parameter is about the “Character” of the applicant, which consist of the analyse of his occupation, his credit history, and even his social circle in order to understand if the client is trustworthy.

Last C is “Collateral”, which considers the pledge of assets, guarantees from third parties, or other risk mitigation that could reduce or increase the risk of the operation.

The type of data used to design the client’s profile generally depends upon the amount (to be) borrowed, and the size of the obligor being assessed. Talking more specifically about the enterprises, there are two different types of data which are usually considered: the ‘loan amount’ and ‘firm size’. If both are small, the time and effort spent on the assessment will be less. The required information can comprehend payment histories, personal capacities or personal assessments – such as financial statements, duration of the employment, possibility of a guarantee, some time even living situation.

This type of information is fundamental to understand that banks and financial institutions have to deal with a very significant amount of data in order to decide whether or not granting an amount of money. For the banks, the process of data acquisition has to be authorized by the concerned person with an express consent, and this is the reason why the unauthorized diffusion of data such as the untrue contents related to the customers imply an infringement of the law.

Against this background, the next lines analyse how legislations are supposed to protect citizens from any abuse.

Directive 2008/48/CE[30] outlines important principles related to the process of data acquisition. These principles are pivotal for credit risk assessment in . Th Directive aims to regulate credit risk assessment, by basing on truth, proportionality, and non-discrimination of data acquisition. Particularly, the European Court of Justice (ECJ) has been recently called[31] to analyse this Directive and evaluate the importance of an accurate analysis by the banks to make an assessment of the creditworthiness.

The ECJ preliminarily recalled the relevant normative framework (especially articles 8[32] and 23[33] of the Directive)  and then stated that, before the conclusion of a credit agreement, the creditor is required to assess the merits consumer credit and such obligation may, where appropriate, include consultation of banks relevant data. In this respect, it should be recalled that this obligation pursues the objective to empower the creditor and to prevent the latter provides credit to defaulting consumers, in accordance with Recital 26 of that Directive.

According to the Court, this legal framework aims to protect consumers against the risks of over-indebtedness and insolvency, and contribute to the achievement of the objective of the Directive 2008/48 which, as stated in recitals 7 and 9 thereof, provides for, in consumer credit, complete and imperative harmonisation in a number of areas which is considered necessary to ensure to all consumers in the European Union a high and equivalent level of protection of their interests and to facilitate the emergence of an efficient internal market in consumer credit[34]. As a result, this obligation is incumbent on the consumer, a fundamental importance. Furthermore, the Court has also stated that “Articles 8 and 23 of Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC must be interpreted as imposing an obligation on a national court to examine, of its own motion, whether there has been a failure to comply with the creditor’s pre-contractual obligation to assess the consumer’s creditworthiness, provided for in Article 8 of that directive, and to draw the consequences arising under national law of a failure to comply with that obligation, on condition that they satisfy the requirements of Article 23. Articles 8 and 23 of Directive 2008/48 must also be interpreted as precluding national rules under which a failure by the creditor to comply with its pre-contractual obligation to assess the consumer’s creditworthiness is penalised by the nullity of the credit agreement, linked with an obligation on the consumer to return the principal sum to the creditor at a time appropriate to the consumer’s financial capacity, solely on condition that that consumer raises an objection of such nullity within a three-year limitation period.”

4. GDPR and protection of data.

EU Regulation 2016/679, well known as GDPR, was approved in 2016 and it has kind of revolutionised the way to approach, collect, store, use, consult, and delete personal data. First of all, it created new actors: controller[35] and processor[36] who can designate a Data Protection Officer, as well as recipient[37] and third parties.[38]

In particular, the institutionalisation of the “Right to erasure (‘right to be forgotten’)” is a a very important innovation . By this provision, people can actually ask for erasing their personal data when unnecessary[39], such as the possibility to resort to Supervisory Authorities in case of violations (“one stop ship principle”). The principle of accountability becomes a cornerstone of the regime, because in case of data breach the controller must notify any violation to the competent supervisory authority.

Briefly, according to the principle of accountability, controllers need to adopt specific policies in terms of privacy by design, privacy by default[40]and privacy impact assessment.[41]

The principle of accountability becomes crucial for the financial institutions, since according to it they must provide and adopt the right measures and assessment to prevent data breach: Data Privacy Impact Assessment becomes a very effective instrument to handle the massive flow of data banks receive and manage every day.

More specifically, the controller must carry out the Data Privacy Impact assessment, related to the impact of the envisaged processing operations on the protection of personal data, with the advice of the data protection officer.

The regulation of these actions is fundamental to create and develop a new integrated system where data are processed better than the past in all Member States in an equal and even way.

GDPR does not require written documents nor written consent, but “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” In any event, the data subject shall have the right to withdraw their consent at any time: that is the reason why every bank will need to have proof of the consent given.

The customer has furthermore the right to have his or her data erased with no delay not only on the local system of the bank that acquired the information, but also in every platform the data has transited.

The right to erase data is connected to the right to portability, in which the individuals have the right to receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller. Indeed, the banks have to attend clients’ request in both cases, and in order to accomplish this duty, they need to collect, track and organise the data to guarantee the respect of client’s demands and the respect of laws.

The GDPR has also confirmed the treatment of data outside the European Union: they are expressively forbidden unless the non–EU State has a control protocol approved by European Commission.

The absence or the delay in the communication can cause the issuance of administrative penalties. In case of violation of the rules of the EU Regulation, the controller will be responsible for the damage caused to the person concerned in accordance with Article 82 and the Recital (146).

This responsibility is foreseen not only in case of breach of the provisions of the GDPR, but also if the controller has not implemented rules or delegated acts of the Member States.

In case of several managers involved, they will all be jointly responsible for the entire damage in order to guarantee full compensation, with the right to submit a request for redress against the others for their fare share.

The holder and the person responsible shall be relieved of liability if they demonstrate that the harmful event is not attributable to their conduct, or that they have taken all appropriate measures to prevent the damage.

Regarding the sanctions for violations of the provisions of the Regulation, they are provided in Rule No. 83 of the Rules of Procedure. Two levels of infringement are provided, which consider fines of up to EUR 20 million (or 4% group turnover as penalties) for the first level of infringements and up to EUR 10 million (or 2% turnover) for the second level of infringements. The first level of infringements concerns the basic principles of processing, including the conditions of consent, the rights of data subjects, the orders or limitations of the Guarantor, Special national legislation and data transfer outside the EU. The second level of infringements concerns safety and data breach, the principles of privacy by design and by default, consent of minors (16 years), the register of activities, cooperation with the guarantor and internal governance.

5. A case-study: the illegal report on Credit Information Systems in the Italian Legislation. Right to access.

 According to the Italian Privacy Code (D.lgs 196/2003)[42], personal data processing shall be accurate and relevant, especially not excessive in relation to the purpose, and it has to be kept in “a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.” Now this definition is part of Art. 5 of GDPR.

The concept of “non excessive” process has been related to the meaning of proportionality.[43]

In this sense, the controller cannot ask for data which are not expressively linked to the purpose of the mortgage, and it is necessary to acquire the consent of the customer to use his or her sensitive data.

Public and private information services, providing the intermediary with up-to-date information on the financial behaviour of entrusted entities, help to outline the client’s credit reference, or the reputation he or she enjoys with banks and financial intermediaries, which reflects the correctness of his or her behaviour in the area of financing relationships. The importance of this reference is immediately reflected in the level of access to credit, which will be easily facilitated for those with a positive reference, in relation, for example, to the regularity of payments of instalments or to the extinction of a debt, while it may be denied to the “bad payer”.
A negative reference, concerning delays, default or insolvency, moreover, can have negative effects both on the private economic initiative and social and professional relations. This matter requires a specific and detailed framework, essentially attributable to the instructions of the Bank of Italy for as regards the Risk Central[44] (Credit Information System), and the Code of Ethics signed by industry associations as regards the Credit Information System/Risk Control Panels.
The most important profiles are undoubtedly those related to the correctness and accuracy of collecting data.
In particular, the importance of the legitimacy of reporting is easily understood where it is considered that the main effect of the affixing in a Risk Control Panel is that the reported person is considered unreliable from the entire credit system. As a result of this notification, he will likely be required to return from entrustments from all the intermediaries he operates with and at the same time it will be difficult for him to obtain new financing.

The forms of protection available for this purpose are the deletion of the unlawful warning – as an inhibitory solution – and a compensation request (for non-monetary and non-material damage) which the customer may claim first by recourse to the ordinary court.

In the Italian system, the so called “Arbitro Bancario Finanziario” (the Banking and Financial Ombudsman, ABF) is a very powerful way to solve financial problems. This is an ADR Institution made up by the Bank of Italy: , used for claims up to 100.000 Euros[45].

The several decisions of this para-legal institution have distinguished between a client being consumer or not.

In the first case, if a client is a consumer, the Bank or the financial institution has to give advanced notice of the report to the Credit Information System: otherwise, the client will have the right to have their data cancelled from the System and to receive an economic compensation for the illegitimate report[46].

In the second case, if the client is not identified as a consumer, the lack of advanced notice legitimates the client to have only a monetary compensation but not the cancelation of the data.[47]

According to the Bank of Italy, the report could also be initially regular, but in the meantime it could not represent the reality anymore because some changes may occur and the client’s position becomes regular again, so that he should not be reported anymore.

According to and decisions of the Arbitro Bancario Finanziario, the illegitimate report is defined as a “dangerous activity” and for this reason the financial institution will have to prove that it had taken all the necessary measures to prevent damage.[48]

Furthermore, the illegal reporting can lead to a decision of awarding monetary compensation for economic or non-economic damages.

In the first case, according to the Italian legislation, the monetary compensation has to be provided for damage and loss of earnings, such as the loss for the withdrawal of commitments already granted.

In addition, it is often assumed that the company, having lost access to the credit, will not be able to complete business already started or to conclude new business which it would otherwise have been able to achieve: this situation could be redressed as well.

Illegal reporting of risks to the Risk Central can also result in the violation of the rights of the individual – such as the right to honour and personal reputation – which are protected by law as inviolable rights, with the consequent award of monetary compensation for non-material damage.

The burden of proof falls on the applicant who alleges this damage[49].

In 2019 the ABF dealt with disputes concerning the registration in the private Credit Information Systems (in Italian, SICs). The arbitrator reiterated that the reporting of a name in the SICs has to respect the following characteristics, as indicated in Art. 4 of the Code of Ethics and Good Conduct for Private Information Systems [50]: substantive truthfulness of the reported defaults (substantive precondition), and compliance with the procedural requirements demanding the notifier to inform the client of its imminent inclusion in the database (formal precondition).[51] The notice is a necessary condition for the lawfulness of the alert and the intermediary has to prove that  the recipient has sent and received notice shall be given by the intermediary, otherwise the report is considered illegal.[52]

Concerning the substantial precondition, the type of negative credit information – such as late payments – subsequently settled may be stored in a private database up to 24 months after the date of regularisation of the debtor’s position, as planned by Code of Ethics and Good Conduct for Private Information Systems.[53] In a case examined by the ABF Arbitrator  , it was established that the intermediary was obliged to cancel immediately negative information, not only because the formal precondition was not respected, but also because it was not given notice of the subsequent regularisation[54].

The ABF has stated that generally there is no obligation for intermediaries to grant credit or to review the conditions under which it has been granted; only the duty to respect the principle of fairness in contractual relations stands when assessing and responding to a client’s request for renegotiation. Assessing creditworthiness is part of the intermediaries’ operational autonomy,[55] but it must respect the right of the customer to know every part of the process of data acquisition. For this reason, the ABF has specified that the person has to know, free of charge, whether and which personal data concerning he or she have been processed: if this access right to access is not respected, the relevant privacy law has to be applied.[56]

Furthermore, Italian Courts and the ABF have analysed the right to access to all the documents signed with the bank, according to Article 119 of the Italian Consolidated Text on Banking law.

These jurisdictions clarified that the client has the right to
obtain the copy of any banking documents signed with the bank within the ten-year limit: they will just have to provide the bank with the minimum necessary elements to identify the requested documents. This is a substantive right, not merely a procedural one, and its objective must be to enhance the information and protection function of the customer, in accordance with guidelines previously provided by the Italian Supreme Court. It means that the right to receive a copy of the documents shall not cause an undue burden on the customer.[57]

6. Conclusion

The right to private life embraces different meanings, especially the concept of privacy as declined by ECtHR. Starting from this definition, the paper explained the meaning of credit risk assessment, and a closer look at the case law M.N. and Others v. San Marino[58], clarified that information retrieved from banking documents undoubtedly amounts to personal data, so that they fall under the protection of Article 8 ECHR.

For this reason, principles of accountability, proportionality and necessity have to be respected in order to collect and share data, according to the provisions of the GDPR.

This analysis highlighted that the right to private life sometime may sometime collide with the need to obtain and analyse information for credit risk assessment, as it happened in the case of the illegal report to Credit Information Systems. For this reason, examining the problem from the perspective of the Italian legal system, national legislation and judges have awarded monetary compensation for economic and non-economic damages, in order to avoid redress the client.

In conclusion, even if privacy sometime may be mortified for credit risk assessment purposes, it is undeniable that institutions are working in order to guarantee this right and, at the same time, to find a fair balance with between it and the economic need of a changing world.

***

[1] ECtHR, Botta v. Italy, Application no. 21439/93

https://hudoc.echr.coe.int/eng#{%22dmdocnumber%22:[%22696017%22],%22itemid%22:[%22001-58140%22]}

[2] ECtHR, CASE OF X AND Y v. THE NETHERLANDs Application no. 8978/80 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-57603%22]} ECtHR, Söderman v. Sweden, Application no. 5786/08) https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-128043%22]}

In this case, a step-father filmed a 14-year old and the Court found a violation of Art. 8, by considering « private life » the personal and phisical integrity of the children.

[3] ECtHR, A, B and C v. Ireland, Application no. 25579/05 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-102332%22]} where the Court has found that the prohibition of abortion is against the scope of the right to respect for one’s private life under Article 8., if the abortion is provided for reasons of health and/or well-being The Court has decided upon various cases in which the quality of an individual’s surrounding environment is at issue, and have stated that an individual’s well-being may be negatively impacted by unsafe or disruptive environmental conditions, see ECtHR, Hatton and others v The United Kingdom, Application no. 36022/97

 https://hudoc.echr.coe.int/eng?i=001-61188 , ECtHR , Salvetti v. Italy, Application no. 42197/98

 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-22636%22]} in this case, according to the Court’s reasoning, the use of compulsory minor tests without the consent of the patient may constitute a proportionate interference with Article 8. From a different point of view, see ECtHR, Pretty v. The United Kingdom, Application no. 2346/02 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-60448%22]} the applicant suffered from a motor neurone desease and wanted the impunity for her husband helping her suiciding: this impunity was denied by the DPP. The Court, in that case, stated that national law did not allow this practice, and that there had been no violation of Article 8 of the Convention. Particularly,  the Court concluded that the interference of the DPP in this case could be considered as justified as “necessary in a democratic society” for the protection of the rights of others and, accordingly, that there was  no violation of Article 8 of the Convention.

[4] ECtHR, X v. Iceland, Application no. 6825/74 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-74783%22]} ECtHR, Odièvre v. France, Application no. 42326/98 https://hudoc.echr.coe.int/eng?i=001-60935 ECtHR X, Y and Z v. The United Kingdom Application no. 21830/93 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-58032%22]}

[5] ECtHR , Von Hannover v. Germany Applications nos. 40660/08 and 60641/08 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-109029%22]} ECtHR P.G. and J.H. v. the United Kingdom, Application no. 44787/98 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-59665%22]}

[6] ECtHR ,Rotaru v. Romania Application no. 28341/95 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-58586%22]}

[7] ECtHR ,S. and Marper v. the United Kingdom, Applications nos. 30562/04 and 30566/04 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-90051%22]}

[8] ECtHR ,Segerstedt-Wiberg and Others v. Sweden, Application no. 62332/00 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-75591%22]}

[9] ECtHR, Murray v. the United Kingdom, Application no. 14310/88 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-57895%22]}

[10] Cfr. A. F.Westin, Privacy and Freedom, in «Michigan Law Review», Vol. 66, No. 5, Mar., 1968

[11] Volkszählungsurteil, Bundesverfassungsgericht 15-12-1983, 1 BvR 209/83

[12] E. ROPPO, Informatica, tutela della privacy e diritti di libertà, in «Giurisprudenza italiana», 1984, c. 168

[13] ECtHR, Von Hannover v. Germany, Applications nos. 40660/08 and 60641/08 https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-109029%22]}

[14] OECD, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal

Data’ (23 September 1980) http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

[15] Council of Europe, ‘Convention for the Protection of Individuals with Regard to Automatic

Processing of Personal Data’, ETS No. 108 (28 January 1981), https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37

[16] According to the Guidelines and the Convention, the principles can be summarised as follows:

1. Data quality – relevant, accurate and up-to-date; 2. Collection – limited, lawful and fair; with consent or knowledge; 3. Purpose specification at time of collection; 4. Notice of purpose and rights at time of collection (implied); 5. Uses and disclosures limited to purposes specified or compatible; 6. Security through reasonable safeguards; 7. Openness regarding personal data practices; 8. Access – individual right of access; 9. Correction – individual right of correction; 10. Accountable – data controller with task of compliance.

[17] G. GREENLEAF, ‘Global Data Privacy Laws 2015: 109 Countries, with European Laws now

in a Minority’, Privacy Laws & Business International Report, 133 (2015), 14–7, online:

SSRN, http://ssrn.com/abstract=2603529 .

[18] G.GREENLEAF, ibidem.

[19] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281 , 23/11/1995 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=en

[20] S, BOOYSEN, . NEO,.idem.

[21] ECtHR, M.N. and Others v. San Marino Application no. 28005/12 https://hudoc.echr.coe.int/eng?i=001-128189

[22]Court of England and Wales, Tournier v National Provincial and Union Bank of England , 17 December 1923 https://uk.practicallaw.thomsonreuters.com/D-000-4103?transitionType=Default&contextData=(sc.Default)&firstPage=true&bhcp=1

[23] BOOYSEN, S., NEO, D. Can Banks Still Keep a Secret? Cambridge, 2017

[24] The balance between privacy and public interest to punish bank torts has led to many local legislations.

In Italy, for instance, Article 36 of law no.165/2005 regarding the obligation of banking secrecy reads as follows:

“1. Banking secrecy means that authorized individuals, are prohibited from divulging to third parties data and information obtained in the exercise of their specified functions.

5. Banking secrecy cannot be held against:
6. a) the criminal justice authorities. In such cases the acts of the judicial proceedings, in the inquiry stage, must be maintained rigorously secret.
7. b) the surveillance authorities (autorita’ di vigilanza) in the exercise of their functions of surveillance and the fight against terrorism and money laundering.”

[25] ECtHR, Sommer v. Germany, Application no. 73607/13 https://hudoc.echr.coe.int/fre#{%22tabview%22:[%22document%22],%22itemid%22:[%22001-173091%22]}

[26] Ibidem, cfr note 11.

[27] ECtHR, Valentino Acatrinei v. Romania, Application no. 18540/04,  https://hudoc.echr.coe.int/eng#{%22appno%22:[%2218540/04%22],%22itemid%22:[%22001-121615%22]}

[28] T. ZHANG, W. ZHANG, W. XU, K. HAO, Multiple instance learning for credit risk assessment with transaction data, in Knowledge-Based Systems Volume 161, 1 December 2018, Pages 65-77

[29] R. ANDERSON, Credit risk assessment:Enterprise-credit frameworks, 2007 https://www.researchgate.net/publication/265200010_Credit_risk_assessment_Enterprise-credit_frameworks/citation/download

[30] Directive 2008/48/CE https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008L0048&from=IT

[31] ECJ, OPR-Finance s.r.o. v GK (Case C-679/18) https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008L0048&from=IT

[32] Obligation to assess the creditworthiness of the consumer. 1.  Member States shall ensure that, before the conclusion of the credit agreement, the creditor assesses the consumer’s creditworthiness on the basis of sufficient information, where appropriate obtained from the consumer and, where necessary, on the basis of a consultation of the relevant database. Member States whose legislation requires creditors to assess the creditworthiness of consumers on the basis of a consultation of the relevant database may retain this requirement.

2.  Member States shall ensure that, if the parties agree to change the total amount of credit after the conclusion of the credit agreement, the creditor updates the financial information at his disposal concerning the consumer and assesses the consumer’s creditworthiness before any significant increase in the total amount of credit.

[33] Penalties. Member States shall lay down the rules on penalties applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive.

[34] EctHR, LCL Le Crédit Lyonnais, C-565/12 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0565&from=IT

[35] The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

[36] A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

[37] Natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

[38] A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

[39] This legal prevision followed the very known case Grand Chamber, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, C- 131/12

http://curia.europa.eu/juris/liste.jsf?oqp=&for=&mat=or&lgrec=it&jge=&td=%3BALL&jur=C%2CT%2CF&num=C-131%252F12&page=1&dates=&pcs=Oor&lg=&pro=&nat=or&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&language=en&avg=&cid=1102862

[40] Recital 78 « The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”

[41] Recital 85 « A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

[42] Art. 11- (Processing Arrangements and Data Quality)

1. Personal data undergoing processing shall be:
2. a) processed lawfully and fairly;
3. b) collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes;
4. c) accurate and, when necessary, kept up to date;
5. d) relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed;
6. e) kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.
7. Any personal data that is processed in breach of the relevant provisions concerning the processing of personal data may not be used.

[43] A. MAGNI, La responsabilità della banca per il trattamento dei dati biometrici, GDPR commentato, 2018 fasc. 2

[44] Public Database containing all personal information about a client: loans, payments, family situation and correlated risks.

[45] Arbitro Bancario Finanziario (ABF) isn’t a real judge, so its sentences are not mandatory. However, since it is emanated by the Bank of Italy, it is recognized as a very authoritarian organ, so that its decisions are always carried out and the banks pass seldom on ordinary judge after a ABF decision. That is the reason why ABF and Italian judges work in cooperation to develop an agreed position about banking conflicts, also in terms of unlawful reporting of data.

[46] Art. 125 al.3 of Italian Consolidated Banking law says that funders shall inform the consumer in advance when they first report to a database the negative information required by the relevant rules. The information is given together with the sending of reminders, other communications, or independently. https://www.bancaditalia.it/compiti/vigilanza/intermediari/Testo-Unico-Bancario.pdf

[47] MALARA, M.C. Centrale Dei Rischi E Giurisprudenza Dell’Arbitro Bancario Finanziario, Contratti, 2018, 1, 93 who refers to Bank of Italy Circular 139/1991.

[48] Arbitro bancario Finanziario, Decision of Naples Coordination, 4 november 2016, n. 10067 https://www.arbitrobancariofinanziario.it/decisioni/2016/11/Dec-20161114-10067.PDF

Furthermore, it has to be reported that Art. 2050 of the Italian Civil Code, which establishes that any person causing damage to others in the course of a dangerous activity, by his nature or by the nature of the means employed, shall be liable for compensation if he does not prove that he has taken all appropriate measures to avoid damage.

[49] Sezioni Unite della Cassazione nelle sentenze gemelle n. 26972 e n. 26973 dell’11 novembre 2007, http://www.tribunale.varese.it/files/File/documenti/BUFFONE_-_A_tre_mesi_dalle_SU_sul_2059_c_c.pdf

See also ABF Coordination Council decision 24 september 2012, n. 3089, https://www.arbitrobancariofinanziario.it/decisioni/2012/09/Dec-20120924-3089.pdf

[50] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9141941

[51] Arbitro Bancario Finanziario, dec. 26 february 2019, n. 5959, https://www.arbitrobancariofinanziario.it/decisioni/2019/02/Dec-20190226-5959.PDF

[52] ABF Coordination Council decision 17 January 2019 n. 1642 https://www.arbitrobancariofinanziario.it/decisioni/2019/01/Dec-20190117-1642.PDF

[53] Code of Good Conduct, allegato 2 (as precedent formula in art. 6, comma 2, lett. b).

[54] Abf Decision 15 April 2019, n. 10298 https://www.arbitrobancariofinanziario.it/decisioni/2019/04/Dec-20190415-10298.PDF

[55] Abf Decision 18 January 2018, n. 1577 https://www.arbitrobancariofinanziario.it/decisioni/2018/01/Dec-20180118-1577.PDF as indicated in The Banking and Financial Ombudsman: Annual Report https://www.arbitrobancariofinanziario.it/abf/relazione-annuale/index.html?com.dotmarketing.htmlpage.language=3

[56] ABF Decision 10 september 2019, n. 20994 https://www.arbitrobancariofinanziario.it/decisioni/2019/09/Dec-20190910-20994.PDF

[57] Cass., Sez. VI, ordinanza 30 ottobre 2019, n. 27769 in http://www.dirittobancario.it/sites/default/files/allegati/cassazione_civile_sez._vi_30_ottobre_2019_n._27769_.pdf

[58] Ibidem, cfr note 11.