You’re trying to sign up for a new phone plan, maybe switching to Magenta or Drei. Or you’re clicking “buy now” on a Klarna installment plan. The screen churns for two seconds, then you see a cold, robotic message: “Your application could not be processed.”
No explanation. No real reason. Just a digital door slamming in your face.
CRIF, a company you’ve probably never even heard of, made that decision. And chances are, they judged you based on little more than your postcode, your age, and whether you’re a man or a woman. Not your income, not your bill-paying history, not whether you actually have a job.
That’s the reality noyb (none of your business), Max Schrems’ privacy watchdog, is trying to dismantle. And now, they’re inviting you to join what could become the biggest consumer class action in Austrian history.
The Shadow Register Nobody Signed Up For
Let’s get one thing straight: CRIF isn’t some obscure, small-time operation. The Italian credit agency is one of Austria’s largest Kreditauskunfteien (credit reference agencies). But for all its reach, it has operated almost entirely in the shadows.
According to noyb’s research, CRIF has compiled personal data, names, dates of birth, home addresses, on nearly 9.7 million adults in Austria. That’s basically the entire adult population. They’ve built what Schrems calls a private “Schattenmelderegister” (shadow registry).
Here’s where it gets concerning: for 90% of those 9.7 million people, CRIF has absolutely zero financial information. No records of your income, no payment histories, no defaults, no signs of being good or bad with money. And yet, they still assign you a score between 250 and 700.
That score is cobbled together from, essentially, your address, gender, and age.
Let that sink in. Your ability to get a phone contract, a loan, or a Klarna payment plan may hinge on your postcode.
Not Just Unfair, Potentially Illegal
noyb isn’t just waving their hands and calling this immoral. They’re pointing to specific violations of the Datenschutz-Grundverordnung (GDPR).
Three major legal problems stand out:
- Purpose Limitation Violation: Much of CRIF’s data comes from address brokers like AZ Direct (part of the Bertelsmann group) and Compass Verlag. Under Austrian trade law, these brokers can sell addresses for marketing purposes, not for credit scoring. Multiple court rulings, including this one from the BVwG, have backed that up. CRIF, noyb argues, is using that data for something completely different.
- No Consent, No Transparency: You never ticked a box saying “Sure, CRIF, feel free to run a credit assessment on me.” And CRIF’s response? They claim it’s impractical to inform everyone individually. That “too cumbersome” defense doesn’t exactly scream GDPR compliance.
- The Scoring Itself Is Dubious: CRIF’s own documents show that for 90% of people, the score is built from just those three demographic data points. A noyb investigation tested actual CRIF scores against people’s real financial situations. The conclusion? No meaningful correlation. Your score changes if you move from the countryside to the city. Women get higher scores than men. Not exactly a reliable indicator of whether you’ll pay your bills.
As one affected person put it, “My credit cards or consumer loans were repeatedly rejected during the automatic CRIF query, but when I spoke to a bank advisor in person, it was fine.” The system makes automated decisions that a human advisor would overturn in seconds.
Who’s Buying This Data?
CRIF has roughly 550 active clients in Austria. The list includes big names you definitely interact with:
- Mageneta and Drei (mobile operators)
- Erste Bank and Santander (banks)
- Verbund (energy supplier)
- Zalando (online retail)
- Klarna (payment services)
noyb’s full list of data buyers runs surprisingly long. And here’s the pattern: you don’t need to have any financial history with these companies. They just ping CRIF, get a score, and decide right there.
So if you’ve ever been rejected for a “simple” mobile contract, there’s a solid chance this is why.
The Two-Step Legal Plan
noyb isn’t messing around. They’ve structured this as two distinct legal moves:
Step 1: The Unterlassungsklage (Injunction)
Filed on June 9, 2026. This action demands that CRIF stop its unlawful data processing practices immediately. It also freezes the statute of limitations, protecting everyone’s right to claim damages later.
Step 2: The Abhilfeklage (Class Action for Damages)
Expected later this year. This is where you come in. If successful, noyb estimates each affected person could receive around €500 in damages. There’s a statutory participation fee of €39, but that’s only deducted from your payout if the case is won. If noyb loses, you pay nothing.
You can register for the class action right now at crif.noyb.eu.
The Counter-Argument from Austria’s Wirtschaftskammer
Predictably, CRIF isn’t sitting quietly. Their response boils down to: “This is standard industry practice. We have a legitimate interest.”
CRIF claims the scoring is necessary for Betrugsprävention (fraud prevention). They point to examples like 70 people being registered at one apartment address, a pattern that screams fraud. They also argue that companies don’t rely solely on CRIF scores, it’s just one of many tools.
But here’s the thing: the Austrian Datenschutzbehörde (Data Protection Authority) has already backed the business model of CRIF’s competitor, KSV1870. But that same authority hasn’t given a blanket green light. And the AK (Arbeiterkammer, or Chamber of Labour) is openly supporting noyb, calling the scoring a “Blackbox.”
The Wirtschaftskammer (Economic Chamber) has reportedly warned its members about the potential fallout from this case. The entire industry is nervous.
What This Means for You (And Why You Should Care)
This case is bigger than just CRIF. It’s one of the first proceedings under the EU’s new Verbandsklagen-Richtlinie (Representative Actions Directive). The outcome could reshape how credit scoring works across the continent.
Here’s what you should do right now:
- Join the class action: It’s risk-free. noyb covers the legal costs. If you’ve lived in Austria as an adult, you’re almost certainly in CRIF’s database. Sign up here.
- Request your data from CRIF: Even if you don’t join the lawsuit, you have the right under GDPR to know what CRIF has on you. The process is more accessible now after noyb’s data access campaign last year.
- Be skeptical of instant rejections: If you get turned down for a contract that seems like a no-brainer (you have a salary, you’re not in debt, etc.), don’t just assume it’s you. It might be a CRIF score based on nothing real.
The financial system can already feel rigged. That’s true how financial systems can unfairly impact low-income people, as we’ve seen in other contexts across the DACH region. But when a company profiles you based on your neighborhood and assigns you a secret grade that decides whether you can buy a phone? That’s not just unfair, it’s a textbook case of why GDPR exists in the first place.
Max Schrems has a history of taking on Goliaths. He brought down the EU-US Privacy Shield. He won a landmark case against Meta. Now he’s going after the quiet, invisible machinery that decides your everyday financial fate.
The question is: will you join him?
Because the only thing worse than a secret scoring system is letting it keep scoring you without a fight.
