In this post, I will explore a bit of the United States’ scattered privacy protections as compared to the GDPR. It is important to note that the United States does not have individual privacy protections within its constitution, nor has Congress considered it enough of a priority to develop such. Because of this, cyber matters and your privacy are protected in a scattershot fashion, using existing laws. One such law is the FCRA, the Fair Credit Reporting Act.
How does the FCRA compare with the GDPR?
Privacy Protection
When comparing the Fair Credit Reporting Act to the General Data Protection Regulation, one must first recognize that the FCRA is about banking and credit reporting, not about privacy. In contrast, the GDPR identifies privacy as a human right, and is a regulation specifically about the privacy of individuals.
FCRA Purpose
The purpose of the FCRA is to protect the banking system and prevent impact on “… the efficiency of the banking system… [and] continued functioning of the banking system.”1 The FCRA doesn’t identify persons as the data subject; instead it defines a person to be “…any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision”. The definitions continue, clarifying “…’consumer’ means an individual.”2
The FCRA is about the appropriate passage of reports to and from the banking system, specifically regarding the creditworthiness of consumers. It places some limits on what a report can contain and on the approved reasons for transmission. In this limited scope it has impacts on privacy, and it does allow data subjects to review and dispute.
GDPR Purpose
Compare that definition to the GDPR, which is “designed to protect the fundamental rights and freedoms of natural persons…” and which, in its Definitions section, states “…’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified…”3
The GDPR is about the rights of the data subject, including the right of access, the right to rectification, the right to erasure or to restrict processing, and the right not to be subject to automated decision making.
EU Credit Measuring and Privacy
The different EU nations measure and manage credit differently, but they are obligated to protect privacy in accordance with the EU GDPR.
This paper recognizes that the EU has a law regarding credit rating agencies; however, Regulation (EC) No 1060/2009 on Credit Rating Agencies is not about individuals or persons and is not relevant to credit scores or reports as discussed in this paper.4
EU and Individual Persons Credit – Different in Each Country
The EU is made up of 27 member states, representing varied credit monitoring methodologies and laws that differ from those of the United States. For example, Germany has the SCHUFA, which holds data on persons over 18; all persons start with a score of 100 and can then have points deducted based on debts. Spain’s Risk Management Center tracks debts and can make customer lists from loans for up to 6 years,5 and France is entirely dependent on relationships with banks:6 an individual must open an account with a bank to build a relationship, and banks don’t share customer information with other banks.
Individual credit ranking systems in the EU are managed within each country and don’t travel well between countries; many of them are vastly different from any credit reporting methodology in the USA. The laws regarding these different credit methodologies vary, but they must then comply with the GDPR regarding privacy.
There have been consequences when an EU nation-state’s banking/credit/loan system did not comply with the GDPR; in 2021, the Court of Justice of the European Union (CJEU) delivered a judgment regarding “automated decision making” within the GDPR, finding that credit scoring by the SCHUFA constitutes automated decision making and profiling.7 The decision was disputed, but held in 2024.
Regulatory Limitations & Consent Mechanisms
Regulatory
The FCRA provides instances where the data subject has input over the information within a report, as well as rules over its sharing.
The FCRA defines legal limits on material in reports, including exclusion of material over seven years old and of much health care information.8 The data subject has the right to dispute the accuracy of a report;9 it falls to the credit monitoring institution to “reinvestigate” the information for veracity, including reaching out to the source of the disputed information to review the dispute.10
While both the GDPR and the FCRA include the right to dispute and correct, there are some dramatic differences.
Article 5 GDPR, Recital 1, lists the provisions that are specifically about the capture of data on an individual, how long it can be held, and how it can be used. Data collected by a business within the GDPR zone must be anonymized and used for the purpose of the transaction, and the company must have a data disposal plan. Further, the information should not be stored and used for purposes outside the initial scope of the transaction for which it was gathered, nor be subject to automated decision making.
Under both laws the data subject does have the right to file a lawsuit against a credit bureau/controller for inaccurate information if they have filed for corrections, the corrective actions prescribed by law were not met, and the data subject then suffered material harm as a result. In addition, within the GDPR the right to sue extends over a wider range; individuals have the right to sue the controller, and the legal compliance organizations within the EU, for failure to enforce the rules of the GDPR.11 Lastly, within the GDPR the right to sue is not limited to material harm.
Level of Protection – FCRA Limitations
The level of protection offered by the Fair Credit Reporting Act (FCRA) is limited in scope, as defined by the law itself. The rules within the FCRA apply to, and are limited to, credit reporting entities and the data they share with other entities. Transactions outside of the credit reporting market are not within the scope of the law and thus are not protected; e.g., a user’s search engine data, purchases made at an online retailer, or millions of other potentially out-of-scope transactions.
Harm Definitions and Treatments
The FCRA defines harm, and the ability to sue for harm, as measurable material harm. For example, FCRA §616 lists civil liability for noncompliance, with damages limited to match the material harm.
The GDPR, by contrast, allows suit from “Any person who has suffered material or non-material damage…”;12 non-material damage can include intangible effects like mental duress.
Accountability Measures
Within the FCRA, accountability is much more about the banking system and information flows between industry sources than about the individual from whom the reports are made. Within the GDPR, there are enforcement measures at all levels. Governing bodies have enforcement levers (similar to the FCRA), but the data subject has many more enforcement levers, and greater potential financial returns, due to the vastly different definition and scope of what counts as “harm.”
Consent
FCRA Default Data Collection and Distribution on the Data Subject
Consent is a tricky concept in the flow of information within the FCRA. Within the rules of the FCRA, a credit monitoring company may be asked for, and provide, a report on the data subject, and where the consumer of the report is an entity that has legal permission to request the report, both entities engage in this transaction in an informed manner. We can clearly see a request and reply between two entities that have what could be considered an informed data flow; yet the data subject may not be part of this communication flow at all.
Within the FCRA, parties are allowed to get credit reports from reporting agencies for establishing a consumer’s eligibility for credit, insurance, employment, and other purposes,13 which include things like court orders, credit transactions, insurance, licenses or government purposes required by law, and, notably, when the party “otherwise has a legitimate business need”.14 FCRA §604(c) allows for acquiring a consumer report not initiated by the consumer.15 Interested parties can get a credit report on selected individuals not only without the individual’s direct consent, but even without the data subject’s awareness. This takes the data subject of the report right out of the equation. By being able to collect a report on a subject while excluding the data subject from participation in the transaction, the credit report is removed from any contextual integrity heuristic involving the data subject.
A data subject has two ways to control the flow of their information. The first is if there is a fraud alert they are informed of, and the consumer then requests an “extended” alert,16 which begins a five-year period during which the agency must “exclude the consumer from any list of consumers prepared by the consumer reporting agency and provided to any third party… as part of a transaction that was not initiated by the consumer.”17
The other method is for the consumer to place a freeze18 on their credit, which prohibits a reporting agency from sharing a report on the data subject with any entity requesting one. It then becomes the responsibility of the consumer to turn on, turn off, or temporarily suspend the freeze when initiating a transaction in which the data subject approves sharing a credit report.
By using the alert or freeze lever, the data subject inserts themselves into the communication flow between the credit monitoring company and the entities that receive the reports, so that any of those transactions then requires the participation and consent of the data subject.
The limitation remains that this is specific to credit reporting, and leaves out any other sort of data collection or distribution on the data subject.
GDPR Consent – Privacy by Default
Where it falls entirely upon the data subject to initiate controls for consent within the FCRA, the GDPR instead clearly protects the data subject by changing the dynamic: privacy is the default, and consent must be established for data collection. Data on a data subject must not be processed beyond the purpose of the initial transaction, and those purposes must be listed, made in clear language, and transparent.19 A data subject can change their mind about consent, revoke consent, and grant consent. The largest and most defining point here is that within the GDPR, privacy is the default, and notice from the data subject is required for any variation. This applies across the board for all transactions, and is not limited to banking or credit monitoring.
Contextual Approach to Privacy Protection
In the above review and comparison of the FCRA and the GDPR, we have lightly touched on some key principles and differences between the two pieces of legislation, and noted a difference in their contextual approach to privacy.
FCRA and a Contextual Approach
When considering the FCRA, if one looks only at the information flows between the credit monitoring company and the recipient of credit reports, one sees a clearly defined information flow. The material being asked for and provided matches, and falls within expected norms between those two entities. Where this information flow breaks down is that the material being provided is about a data subject, the data subject doesn’t ask for the report to be made, and the transaction between the reporting agency and the consumer of the report may even fall outside the knowledge of the data subject.
Consent of the data subject for the collection of the material within a credit report is not even considered, and the data protections in the FCRA are limited specifically to transactions regarding credit reporting and monitoring. Within those limitations, the FCRA does offer the data subject some default protection regarding their health care information.20 This protection could be considered, within a contextual approach, a natural limit on the information flow.
While privacy is not directly considered in most of the FCRA, there are actions a data subject can take that put them into the communication flow, like alerts and freezes. The data subject then becomes a participant in all credit report communication flows, and the information transfer would thus be considered within context.
GDPR and a Contextual Approach
The GDPR is built with a contextual approach, as can be seen in several of the recitals and directives within the document. For example, “Personal data shall be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.”21 If one looks at contextual integrity as a privacy heuristic, then the entirety of Article 5, Recital 1 could be considered a method to define, in law, what acceptable information flows are expected to be within an individual’s privacy rights and controllers’ responsibilities with regard to the rights of the data subject.
Preferences
The contextual approach within the GDPR makes it a much more active and supportive privacy law. The GDPR recognizes privacy as a human right and a concern, and defines individuals as natural persons!
The FCRA is limited in scope because it is specific to credit reporting. Today’s world of data gathering is far past credit monitoring, and the use of the FCRA as a privacy tool is like using a fly swatter to stop the rain. In today’s data landscape, the data gathered on people is much larger, gathered from more sources, aggregated, and used for automated decision making, far beyond the scope of the FCRA.
The tools in the FCRA that are most handy are also within the GDPR: the right to dispute, and even to file suit. However, the scope of protections is completely different, in part because the FCRA is about banking stability, whereas the GDPR is about persons’ information: how far that information should be allowed to go, how long it should linger, and even a person’s right to be forgotten.22 The GDPR itself recognizes that individuals’ privacy “… must be considered in relation to its function in society and be balanced against other fundamental rights…”23
While some argue that the data is already out, I would counter that simply because a boat has already taken on water doesn’t discount the need for patching it.
A person’s ability to lead a productive and participatory life safely in an open and free society can depend on data not being exposed. Freedom of expression, freedom of movement, and the ability to participate in society can depend on the expiration of information.
Under the FCRA, a consumer who went bankrupt, or had a lien that defaulted, can count on that information expiring (being removed) from their report in 7 years. However, for data outside of credit reporting, whether it is in a newspaper, web shopping, app tracking, or more, there is no right to be forgotten; this can haunt people moving forward. If an individual has to move to become safe from persecution, be it from an institution or an individual, there are no protections under the FCRA. Under the GDPR, an individual is protected under both circumstances, and their ability to participate in society is not hampered by data following them indefinitely.
Per GDPR Recital 2, Respect for Fundamental Rights and Freedoms:
“… This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.”24 [italics added for emphasis]
Footnotes
1. FCRA §602 Congressional findings and statement of purpose [15 U.S.C. §1681]
2. From the Fair Credit Reporting Act, Definitions §603(b) and §603(c) [15 U.S.C. §1681a]
3. From GDPR, Chapter 1, Article 4, Recital 1
4. Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies, Article 2(2)(a). This regulation is high-level guidance and directives for the banking sector, specific to investing and credit ratings within and across banks in the investing landscape; it was formed from the needs found after the collapse of the banking markets in 2011.
5. Chase.com, Do other countries have credit scores?
6. finmasters, What Countries Have Credit Scores and How Do They Work?
7. Case C-634/21 – SCHUFA, where the judgment of the court was that the automation within the SCHUFA (German credit agency), then used heavily in the application for a loan, was in conflict with the GDPR under Article 15(1)(h) and Article 22.
8. FCRA §605(a) Information Excluded from Consumer Reports
9. FCRA §609(c) Summary of Rights to Obtain and Dispute Information
10. FCRA §611 Procedure in case of disputed accuracy [15 U.S.C. §1681i]
11. GDPR, Chapter 8, Articles 77, 78, and 79
12. GDPR, Chapter 8, Article 82, Recital 1. This link goes to an easily searched version of the GDPR by the Horizon 2020 Framework Programme of the European Union.
13. FCRA §604 lists the permissible purposes of consumer reports.
14. FCRA §604(a)(3)(F)
15. Page 72, FCRA §615(d), which refers to §604(c)(1)(B) [§1681b]
16. FCRA §605A(b) Extended Alerts
17. FCRA §605A(b)(1)(B)
18. FCRA §605(i) National Security Freeze
19. GDPR Chapter 2, Articles 5, 6, and 7
20. FCRA §603(d)(3) Restriction on sharing of medical information and §604(g) Protection of Medical Information
21. GDPR Chapter 2, Article 5, Recital 1(b)
22. GDPR Chapter 3, Article 17
23. GDPR Chapter 1, Article 1, Recital 4
24. GDPR, Chapter 1, Article 1, Recital 2
References
108th Congress (2003-2004). (2003, December 4). H.R.2622 – Fair and Accurate Credit Transactions Act of 2003. Retrieved from Congress.gov: https://www.congress.gov/bill/108th-congress/house-bill/2622/text
Consumer Financial Protection Bureau. (n.d.). § 1022.1 Purpose, scope, and model forms and disclosures. Retrieved from CFPB, Consumer Financial Protection Bureau: https://www.consumerfinance.gov/rules-policy/regulations/1022/1/
Consumer Financial Protection Bureau. (n.d.). Appendix K to Part 1022 – Summary of Consumer Rights. Retrieved from CFPB, Consumer Financial Protection Bureau: https://www.consumerfinance.gov/rules-policy/regulations/1022/k/
European Parliament, Council of the European Union. (1995, October 24). Directive – 95/46 – EN – Data Protection Directive – EUR-Lex. Retrieved from EUR-Lex | Access to European Union Law: https://eur-lex.europa.eu/eli/dir/1995/46/oj
European Parliament, Council of the European Union. (2000, June 8). Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’). Retrieved from EUR-Lex | Access to European Union Law: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000L0031
European Parliament, Council of the European Union. (2016, April 5). General Data Protection Regulation (Document 32016R0679) | Regulation – 2016/679 – EN – gdpr – EUR-Lex. Retrieved from EUR-Lex | Access to European Union Law: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
European Parliament, Council of the European Union. (n.d.). GDPR.EU – General Data Protection Regulation (GDPR). Retrieved from GDPR.EU: https://gdpr.eu
European Securities and Markets Authority. (2022, October 28). Guidelines on the Scope of the CRA Regulation. Retrieved from ESMA | European Securities and Markets Authority: https://www.esma.europa.eu/sites/default/files/library/esma80-196-6345_guidelines_on_the_scope_of_the_cra_regulation.pdf
Federal Trade Commission. (2023, May). Fair Credit Reporting Act. Retrieved from Federal Trade Commission: https://www.ftc.gov/system/files/ftc_gov/pdf/fcra-may2023-508.pdf
Gesley, J. (2024, January 10). European Union: Court of Justice Rules Credit Scoring Constitutes ‘Automated Individual Decision-Making’ under GDPR. Retrieved from Library of Congress: https://www.loc.gov/item/global-legal-monitor/2024-01-10/european-union-court-of-justice-rules-credit-scoring-constitutes-automated-individual-decision-making-under-gdpr/
Legal Information Institute. (n.d.). Cornell Law School, Legal Information Institute, LII > U.S. Code > Title 22 > Chapter 78. Retrieved from Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/uscode/text/22/chapter-78
Karst, K. L. (1966, Spring). The Files: Legal Controls Over the Accuracy and Accessibility of Stored Personal Data. Retrieved from Duke Law – Law and Contemporary Problems: https://scholarship.law.duke.edu/lcp/vol31/iss2/8/
Legal Information Institute. (n.d.). Cornell Law School, Legal Information Institute, LII > U.S. Code > Title 15 > Chapter 41 > Subchapter III > § 1681b. Retrieved from Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/uscode/text/15/1681b
Legal Information Institute. (n.d.). Cornell Law School, Legal Information Institute, LII > U.S. Code > Title 11. Retrieved from Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/uscode/text/11
Official Journal of the European Union. (2024, January 9). Consolidated Version of the Treaty on the Functioning of the European Union. Retrieved from EUR-Lex | Access to European Union Law: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12016E/TXT&qid=1732727796448