FRANKFURT (Reuters) - Big companies are used to harvesting vast amounts of data from customers to find out what makes them tick. Now, as Europe’s new data protection law comes into effect this week, activists are looking to turn the tables.
In what is seen as a test case, freedom of information activists are requesting masses of data from German personal credit rating agency SCHUFA in a bid to unearth the secret algorithm it uses to decide who is a bad risk.
While laws in Germany and some other European countries already allowed individuals to see what data companies held about them, the EU’s General Data Protection Regulation (GDPR) coming in on May 25 has more teeth.
The law requires firms doing business in the EU’s 28 member states to provide personal data in an understandable form for free and carries stiff fines of up to 4 percent of a company’s annual turnover if it fails to comply.
The OpenSCHUFA has recruited more than 20,000 volunteers to ask SCHUFA for their personal data. A team of data scientists plans to reverse-engineer the results and publish its first findings next month.
“By getting thousands of people involved, it’s already a success,” said freedom of information activist Arne Semsrott, 30, who works for the Open Knowledge Foundation in Berlin.
Founded 91 years ago, SCHUFA (Schutzgemeinschaft fuer allgemeine Kreditsicherung) is a private firm that holds data on about 70 million people in Germany and is the leading provider of credit ratings for individuals who, for example, want a loan, to rent an apartment or sign a smartphone contract.
SCHUFA has called the campaign “misleading”, saying it has disclosed its credit scoring methods to Germany’s financial and data-protection authorities. Anyone trying to expose the formula it uses would be playing into the hands of fraudsters, it said.
Semsrott suspects the model used by SCHUFA may be discriminatory and hopes the project will be able to show individuals if it is fair, and also if scores are based on mistakes in personal credit histories.
Volunteers taking part in OpenSCHUFA are being asked to share personal information with the campaign such as age, gender, country of birth, income, postcode, number of children and some of their credit history - to help the data scientists analyze better how SCHUFA’s model comes to its decisions.
Participants can provide as much or as little data as they wish, and don’t have to provide their names or addresses.
The data protection authority in the German state of Hesse, which oversees SCHUFA, expressly advises people against taking part because, as it sees it, they would actually be taking risks with their own privacy in doing so.
“Anyone who voluntarily makes use of such a platform should be aware of the risks they are taking,” the authority said.
The GDPR is the biggest overhaul of data privacy laws in more than 20 years and aims to redress the balance between companies and individuals in the Internet age.
Semsrott sees potential for OpenSCHUFA to be, “scaled up or taken over by others”, so that its methods could be used on other companies now the same privacy rules will apply across the European Union.
To view a graphic on how the new EU privacy regime works, click on: tmsnrt.rs/2DhT0XL)
Others are working on similar projects. Paul-Olivier Dehaye, founder of personaldata.io, has created "Chommy", an online agent that has helped hundreds of individuals to format and submit data requests to companies.
“It’s a platform approach to the platform problem,” said the Stanford-educated mathematician who is now based in Switzerland.
The project started out as a sideline but snowballed, and Dehaye plans to register it as a non-profit. Eventually, facilitating such data requests in bulk could become a commercial proposition, he said.
Dehaye has already made a name putting in requests to dating site Tinder, ride-hailing app Uber and Cambridge Analytica, the political consultancy that was found to have procured data on millions of Facebook (FB.O) users without consent.
In the case of Cambridge Analytica, Dehaye assisted U.S. academic David Carroll in filing a request to see what information the company - which advised President Donald Trump’s campaign team - held on him.
Cambridge Analytica’s parent, SCL Elections, rejected the request. In a landmark ruling, the UK Information Commissioner’s Office found in Carroll’s favor because the firm processing his data was based in the United Kingdom.
“My story can bring awareness,” Carroll, associate professor of media design at Parsons School of Design in New York, told Reuters.
Ravi Naik, a lawyer who works for London firm ITN Solicitors and is representing Carroll, said the case was a precedent that should help others assert their data rights independently.
“I don’t think people should be spending thousands of pounds on lawyers like me,” Naik told Reuters. “It should be straightforward.
Additional reporting by Julia Fioretti in Brussels; editing by David Clarke