Czech Republic: The amendment to the Consumer Protection Act has come into force as at the end of 2015.
A „Register on the solvency and trustworthiness of consumers” has been incorporated into the Consumer Protection Act (as a new, fifth Part in Sec. 20z and Sec. 20za) by way of amendment No. 378/2015 to the Act. This is essentially a database which allows businesses – i.e., in the terminology of the Consumer Protection Act, „sellers” – who hold loan receivables or other claims for long-term or repeat performances vis-a-vis consumers to exchange consumer identification data and information pertinent to the solvency, payment morale, and trustworthiness of consumers. Principally, the consumer’s consent is not required for this mutual exchange of information and the processing of personal data within the register.
Sec. 20z (1) boasts that the register was created „in the interest of sellers and consumers”, but in fact all that mattered were the commercial interests of businesses. By way of the amendment, the Czech lawmaker introduces a vehicle which not only duplicates in parts registers that have already existed (among them the banking register and non-banking register of customer information, known in Czech by the acronyms BRKI and NRKI – „Bankovní registr klientských informací” and „Nebankovní registr klientských informací”) but moreover supplements the data-gathering rage of internet giants such as Google, Facebook or Amazon with a homegrown register for customer screening. In so doing, the Czech lawmaker has done a grave disservice to consumer protection, for the possibilities of information exchange among sellers are very far-reaching. The law is based on the principle that the consumer’s explicit consent to processing of any of his or her data is not required; the consumer merely has the right to protest the use of its data ex post (but in order to be able to do so, he or she must first find out that such processing has been going on!).
The declared purpose of the register is to prevent fraudulent behavior on the part of consumers and to help businesses to assess the solvency (credit rating), payment morale, and creditworthiness (trustworthiness) of the consumer, also by developing computational models (Sec. 20z (2)) which assess the probability of fraudulent behavior or the ability and willingness of the consumer to honor their contractual obligations.
Using the data of consumers is principally limited to three years, but may continue without limitation beyond that date if the data has been anonymized – whereas even the underlying documentation may be archived (provided that the documents themselves are also anonymized – cf. Sec. 20z (11)). However, there are good reasons to doubt that this will work as intended.
On top of this, the compatibility of the new register with the data protection laws in force in the Czech Republic deserves to be reviewed (and the bill’s authors ought to have obtained an expertise by the Data Protection Office in this respect).
Ultimately, the new regulation leaves a sour aftertaste: the lawmaker either has no idea what it is doing, or, worse, it knows exactly what it is doing, in which case one has to ask oneself why it does these things. Consumer protection is the last thing one would associate with this new register.
Source: Amendment No. 378/2015 to the Consumer Protection Act (Act No. 634/1992 Coll.)