Information technology must respect the human identity, the human rights, privacy and liberties.

Contenu

Credit and housing

What about the legal right to housing?

The creation of data files enabling all players in a given business sector, whether credit institutions or professional lenders, to obtain information on risks linked to personal solvency and credit worthiness is followed up by CNIL with sharp vigilance in view of the obvious risks of social exclusion for the individuals concerned.

The question of the legitimacy and proportionality of introducing a “centralised positive credit record” addresses both the issues of breach of privacy and of cost and efficiency. The Commission has always refused to recognise any legitimacy to the implementation of such centralised records in the absence of any specific legal framework (see Report on “Centrales Positives” of January 2005; Activity Report 2005).

It considers that the lawmaker alone has competence to decide on the social usefulness of a “positive record” as related to credit issues, and to define the purposes and contents of such a database. In line with this stance, CNIL refused to authorise the creation of a centralised credit record requested by Experian (Decision of 8 March 2007).

CNIL further refused to authorise the company Infobail to process two databases intended for information to real estate professionals, related to inventories of tenants with unpaid rents and of tenants meeting their rent payment obligations. The Commission considered that such data records could violate the “legally enforceable right to housing” voted by lawmakers who have sole competence to decide on the compilation of both “negative” and “positive” records in housing matters (Decision of 10 July 2007).

Questions to Philippe Nogrix

Senator of Ille-et-Vilaine

Commissioner in charge of the “Currency and Credit” sector


Why did you refuse to authorise the Experian centralised credit record?

The rejection was based on three grounds :

  • data covered under a legally protected confidentiality, i.e. the banking secrecy, would have been massively transferred, without any legal protection framework, to a service provider not bound by banking law and whose business is not bound by the rule of banking secrecy,
  • clients would not have been informed under satisfactory conditions of the consequences of signing a release clause waiving the banking secrecy,
  • the transmission, to the centralised record member institutions, of data relative to an individual for purposes of processing a loan application, to be supplied in the form of a highly detailed report listing outstanding loans or loans repaid within at least the past three years, would have enabled the economic profiling of the private individuals concerned. Such data are liable to be retained in the computer files of the recipient credit institutions and could therefore end up being used for reasons other than processing a loan application, in particular for commercial purposes.

Yet, CNIL has authorised data exchanges within banking groups. How is that different from the Experian case?

CNIL has indeed authorised several subsidiaries of banking groups, specialised in consumer credit (Crédit Agricole in 2005 with Finaref and Sofinco; BNP Paribas in 2006 with Cetelem and Cofinoga) to share data on their borrowers for purposes of bad debt prevention, based on five criteria, with which Experian was unable to fully comply :

  • legitimacy of purpose: i.e. prevention of fraud and bad debts;
  • occasional and restricted nature of data exchanges between the credit institutions: no centralised database is created. Client records kept by the institutions cannot be fuelled with any data transferred via the query system;
  • quality of institutions granted authorisation to exchange data: all are consumer credit specialist companies, hence all bound by the banking secrecy;
  • existence of a shared financial risk between these institutions, reflected in an effective control by certain companies over others, or in third-party risk management;
  • explicit authorisation given by the client to share data covered by the banking secrecy, requiring among other that the client be clearly informed of the purposes and recipients of the shared data.

Central credit record or “positive” record. What is it?

All data on the financial status of individuals, whether or not they have outstanding debts, are retained in a central credit record, commonly called “positive record” by opposition to the “negative record” containing only credit-related payment incidents.