Data trading under scrutiny at European Court of Justice
Can a data trader use data from unknown third parties for a creditworthiness assessment? That is the subject of questions that a German court has referred to the Court of Justice of the European Union.

There are many companies operating in the Netherlands that collect data on people in order to use it to advise customers on their creditworthiness. They collect personal data behind people's backs.
In the Netherlands, credit information agencies Graydon, Experian, Focum and EDR, among others, are active. In Germany, the company Schufa is known for its credit ratings ('Bonitätsscore'). In a court case against Schufa, the judge has now referred questions to the European Court, which we will address after an introduction.
Financial personal data is the "new gold"
Companies like Schufa collect people's financial and other personal data on a large scale and distribute that data in many places without data subjects' knowledge.
That personal data, especially financial personal data, is the new 'gold' that big companies and governments are eager to mine. That new gold therefore deserves high-quality protection. That protection is currently lacking. That is why Privacy First pays attention to it, as part of our financial privacy focus area.
People do not know what data the credit rating agency has received about them
Typically, credit rating agencies are completely opaque about where they get their data on people. Their terms and conditions state that they get their information from public sources, such as the commercial register and insolvency register. They also source their information from non-public sources, such as their own customers and others who have a business or financial relationship ('third-party suppliers'). These may be telecom companies, but also advertising companies such as Google, Meta and their subsidiaries. The people concerned are not informed by the credit rating agencies about the data received. This means that it is not possible to verify whether the data received from third-party suppliers is correct and whether those third-party suppliers were allowed to provide that data.
It is unknown who the data will end up with
It is also unclear to whom the credit bureaus provide the data. When the affected person makes a credit application to a financial institution or enters into a phone subscription, he or she is sometimes informed by the party with whom the application is made or the subscription is entered into.
The credit rating agency may also provide the personal data to other customers without the knowledge of the data subject. In this way, confidential data may end up with parties who have no right to it. The data may even end up in criminal hands, as happened in the US with an Experian subsidiary.
'Legitimate interest'
The credit rating agencies hide behind an alleged "legitimate interest" to receive the personal data from third-party suppliers, without informing the individuals concerned. They use the same argument when providing financial personal data to their customers.
Risky trading
Trading in financial personal data is not regulated. Credit rating agencies only have to deal with the AVG (GDPR). They are flouting it, as was revealed in the autumn of 2024 through coverage by the Financial Daily newspaper [1]. It showed that the Personal Data Authority had imposed high fines on Experian and Focum. Unfortunately, those fines were not made public (unlike in financial law, where publication of fines is compulsory).
It has long been known that data trading poses major risks to people. For example, BNR wrote in 2024 about the sale of location data from mobile phones [2] and RTL published an article on address trading, including secret addresses [3], and Cracked Labs announced that data trader LiveRamp has created a population registry of all citizens in the world [4]. Data breaches also occur among data traders, an example being World-Check, supplier of personal data for anti-money laundering purposes [5].
Core AVG principle: you should know what is being done with your financial personal data
One of the core principles of the AVG [6] is that, as a citizen, you should be informed of the dissemination of your data and be able to access that data. This is important, firstly, to be able to see whether the data is correct and, secondly, to verify whether that data has rightly reached the receiving party (such as a credit rating agency). Linked to this are, among other things, the right to inspect, the right to rectify and the right to erase. If you do not know that a data merchant has your data, you also cannot verify whether the data is correct and exercise your other rights.
Hiding behind 'legitimate interest'
Credit rating agency Schufa and third-party providers also hide behind "legitimate interest" to pass on financial data behind people's backs. A case before a German court (the Landgericht Lübeck) addressed this position. A customer of a telecom company (Vodafone) discovered that Vodafone had passed on data about him to Schufa without his consent. This included his name, date of birth, address, date of conclusion of the telecom contract and contract number. The customer disagreed and started court proceedings, demanding, among other things, that Vodafone stop providing data to credit rating agencies such as Schufa.
This prompted the German court to refer questions to the European Court on the interpretation of European privacy rules. The court questions whether Vodafone can invoke legitimate interest at all, as that provision does not seem to have been written for mass transfers of personal data, such as by telecom companies to credit rating agencies. Furthermore, the court asks the Court whether the transfer by Vodafone becomes unlawful now that Schufa is using the data for profiling (establishing a credit rating). Finally, it asks whether citizens can also claim damages if no consent has been sought but the telecom company has given notice that it will provide personal data to the credit rating agency. More information can be found in the German court's German-language news release [7], referring to the ruling.
Privacy First is curious to see how the European Court will rule.
Privacy First position on data trading
Privacy First has been dealing with the topic of data trading for some time, with a particular focus on financial privacy. In 2023, Privacy First participated in a legislative consultation on the future of credit registration in the Netherlands; see our article "Credit registration in the Netherlands: BKR in current form should disappear" and our consultation document at the time. In it, Privacy First advocated regulation of data trading. In 2024, Privacy First also sent a position paper [8] to the Digital Affairs Committee of the House of Representatives, in which we reiterated our call for regulation of data trading and improved enforcement.
It is now high time to end the Wild West of personal data trafficking. To that end, the ball is now in the European Court's court.
[1] Reported in this article: https://privacy-web.nl/nieuws/ap-treedt-op-tegen-privacypraktijken-kredietinformatiebureaus-experian-focum-en-edr/
[2] https://www.bnr.nl/nieuws/technologie/10537256/nederlandse-telefoons-onlinestiekem-te-volgen-extreem-veiligheidsrisico
[3] https://www.rtl.nl/boulevard/crime/artikel/5425259/geheime-adressen-bedreigde-journalisten-politici-en-advocaten-te
[4] http://crackedlabs.org/dl/CrackedLabs_IdentitySurveillance_LiveRamp.pdf
[5] https://techcrunch.com/2024/04/18/world-check-database-leaked-sanctions-financial-crimes-watchlist/
[6] Articles 13 and 14 AVG (GDPR), https://eur-lex.europa.eu/legal-content/NL/TXT/HTML/?uri=CELEX:32016R0679#cpt_III.sct_2
[7] See this news item from Landgericht Lübeck dated 9 September 2025. Case number at EU Court: C-594/25.
[8] See Privacy First paper on roundtable discussion Data Protection Collection Act 4 December 2024 (pdf).