On 12 September, Advocate General Maciej Szpunar (AG) provided an opinion in Case C-526/24 (Brillen Rottler), which concerned the abuse of data-subject access requests (DSARs) under the General Data Protection Regulation (GDPR), write Rachel Hayes, Leo Moore and Jordie Sattar of William Fry.
The opinion also provided a legal evaluation on the scope of liability under article 82 of the GDPR, regarding the right of individuals to compensation.
The opinion held that:
1) An initial DSAR may be considered an abuse of rights in exceptional circumstances such as when a controller can objectively demonstrate an abusive intention on the part of the data subject making the request.
In this case, the facts involved an individual who agreed to the processing of personal data for the purpose of allegedly provoking a GDPR infringement to claim compensation under Article 82 of the GDPR.
2) Given that the right of access is a fundamental right, the threshold for proving abuse of access rights is high, and any exception to this right must be strictly interpreted. Any refusal to respond to a DSAR must be justified, proportionate, and documented by the controller.
For example, reliance on publicly available information which indicates that the data subject has submitted a large number of DSARs is not sufficient to meet that threshold.
3) The exercise of the right to compensation under article 82 of the GDPR cannot be considered abusive in itself. In principle, this right may arise from any infringement of the GDPR, even in the absence of unlawful processing.
For example, an unjustified refusal to respond to a DSAR may constitute an infringement of the GDPR. For a claim to be successful under article 82 of the GDPR: (i) mere infringement alone is not sufficient; (ii) there is no de minimis threshold of loss that an individual must suffer; and (iii) there must be a causal link between the damage suffered and the infringement (the burden of proof for this is on the claimant) – thereby restating the Österreichische Post case.
An Austrian individual (TC) subscribed to the newsletter of a family-run opticians in Germany (Brillen Rottler). Following that, 13 days later, TC submitted an access request under article 15 of the GDPR.
When Brillen Rottler refused the request, TC sought to rely on article 82 of the GDPR to claim compensation of €1,000.
Brillen Rottler grounded its refusal on the fact that "various online reports and lawyer blog posts" identified TC as "systematically and abusively making access requests for the sole purpose of obtaining compensation by alleging infringement of the GDPR".
Before the District Court of Arnsberg in Germany, TC argued that his right of access was free to be exercised unconditionally.
Brillen Rottler asserted that a curtailment of TC's rights under the GDPR should apply where TC was deliberately provoking infringements of those rights with a view to claiming damages.
The court held that any limitation on the right of access in the case of an initial request should be granted only in exceptional circumstances. The court further clarified that TC's subsequent intention to obtain compensation was not, in itself, sufficient grounds for a refusal to respond to his DSAR.
The court held that if it were sufficient for controllers to rely on public information showing that the data subject had submitted numerous access requests, limitations on the right of access could be subject to potential abuse by controllers.
The court referred the matter to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
1) The AG agreed with the referring court: while it cannot be ruled out that an initial access request may be considered an abuse of rights (and therefore, "excessive" under article 12(3) of the GDPR), this assessment can only apply in exceptional circumstances.
In arriving at this conclusion, the AG analysed two previous CJEU decisions: the FT decision and Österreichische Datenschutzbehörde.
In those cases, it was held that, while a data subject could not be compelled to give reasons for submitting an access request, this did not preclude a court from examining the intention behind the request.
To this end, the AG drew two conclusions with respect to Article 12(5) of the GDPR concerning the right of controllers to refuse to act on DSARs that are "manifestly unfounded or excessive":
2) The AG assessed the wording of article 82 of the GDPR, and whether it should be interpreted as meaning that a data subject could claim compensation only where the damage to that data subject was caused by data-processing activities that infringed the GDPR.
The AG found, however, that this interpretation was too restrictive, on the basis that:
Instead, the AG held that article 82(2) of the GDPR (which provides for liability of controllers where damage is caused by "processing" which infringes the GDPR) supplements article 82(1).
The AG concluded that proving the existence of damage, as opposed to the infringement giving rise to the damage itself, was the most decisive factor.
Therefore, a right to compensation exists if the damage suffered results either from data processing that infringes the GDPR, or from another infringement of the GDPR, provided that the existence of the damage is demonstrated.
The key takeaway for organisations on this point, therefore, is that damage suffered by a data subject as a result of an infringement of the GDPR will be eligible for compensation, even if the damage was not caused by unlawful processing.
While the CJEU will be the decision-maker in this case, the AG's opinion is likely to be persuasive once a judgment is made. If it is followed by the CJEU, it will be a welcome development for businesses, showing that the GDPR's right of access cannot be abused.
For businesses, the opinion is a meaningful insight into reliance on article 12(3) of the GDPR and the grounds that may (or may not) justify a refusal to respond to a DSAR. It also suggests that procedural failures by controllers to respond to DSARs, where reliance on article 12(3) GDPR is unjustified, may constitute an infringement of the GDPR.
Businesses should be aware that any refusal to respond to a DSAR must be made only in exceptional circumstances, given that the right of access is a fundamental right.
When seeking to rely on article 12(3) of the GDPR, businesses: