Data requests to support compensation claims can be refused

The Court of Justice of the EU (CJEU) confirmed the position in a case referred to it from a local court in Germany where a dispute has arisen between an opticians and an Austrian man over rights provided for under the EU General Data Protection Regulation (GDPR).

According to the CJEU, after the man subscribed to the company’s newsletter, he filed a DSAR. The opticians refused to act on the request citing reports, blogs and lawyers’ newsletters that it asserted showed the man “systematically and abusively” files DSAR requests “for the sole purpose of obtaining compensation for an alleged infringement, which he deliberately provokes, of his rights under the GDPR”. 

The man has claimed that the opticians is unlawfully restricting his rights under the GDPR and has raised a compensation claim against the company before the German court. The company has asked the court to declare that the man is not entitled to compensation. To help it resolve the case, the German court asked the CJEU for help in interpreting the GDPR.

Individuals have a general right, under the GDPR, to access information from organisations about the personal data they hold about them and pertaining to the processing of their personal data. Where DSARs are made, they must be handled in accordance with strict rules set out in the regulation. However, the GDPR provides an exception to the obligation to respond to a DSAR where the requests are “manifestly unfounded or excessive”. As an exception it is narrowly interpreted, and the burden is on the controller to prove that it applies.

In its ruling, the CJEU cited its own case law and said the idea that a DSAR can be ‘excessive’ under the GDPR is “an expression of the general principle of EU law to the effect that EU law cannot be relied on for abusive or fraudulent ends”. It said a DSAR can be deemed as being excessive where there is “abusive intention” on the part of the requester, which it said might be found if the data subject makes a DSAR for the purpose of “artificially creating the conditions laid down for obtaining advantage from” the GDPR. This, the court said, includes using a DSAR to pursue compensation claims.

The CJEU clarified that such abusive intent may be evident from an individual’s first DSAR to an organisation if “publicly available information” substantiates that and that information is “supported by other relevant material”.

Paris-based data protection law expert Anne-Sophie Mouren of Pinsent Masons said: “In France, the potentially abusive nature of DSARs has become a particularly topical issue, especially from an employment law perspective. Employers are frequently frustrated by the obligation to respond to DSARs which, in practice, are clearly not intended to verify the lawfulness of personal data processing, but rather to collect evidence in the context of litigation or anticipated disputes.”

“While this decision is helpful in clarifying the scope of what may qualify as ‘excessive’ or ‘abusive’ requests, it is unlikely to represent a real game changer for employers, given the very specific factual circumstances at hand. That said, this decision – like the draft Digital Omnibus – is nonetheless a positive development, as it reflects a growing focus on the purpose for which access rights are exercised,” she said.

Munich-based Anna Vollmer and Janett Bachmann, also of Pinsent Masons, said the judgment will help businesses better assess and respond to strategically motivated DSARs and related claims.

“The decision provides for greater legal certainty in handling DSARs and reduces the risk of commercially driven and abusive claims that became a business model for frequent claimants,” said Voller.

Bachmann added: “Especially in the area of mass claims, claimants sometimes exploit the instruments of the GDPR strategically and commercially, so that companies are exposed to a large number of time-consuming and cost-intensive court proceedings. This decision should help to ensure that vital resources are not tied up by abusive requests.”

Manchester-based Stephanie Lees of Pinsent Masons said the decision represents a shift in emphasis from the approach taken in guidance issued by the UK’s data protection authority, the Information Commissioner’s Office (ICO). That guidance, she said, “emphasises that ‘excessive’ requests normally arise from factors such as repetition, overlap and proportionality”.

However, she said the ICO does state that that a DSAR may be ‘manifestly unfounded’ where several factors indicate a pattern of behaviour which supports that the DSAR is being raised for a collateral purpose, but this is a high threshold. Based on the facts of the case referred to the CJEU, it may have been one that would have met that threshold had it been considered in the UK, according to Lees.

“In the UK, the ICO and UK case law caution controllers not to speculate about the requester’s motive,” Lees said. “Requests must be treated purpose‑blind, and controllers should not assume collateral litigation motives, even though courts may take motive into account when assessing whether to exercise their jurisdiction to enforce a DSAR. This CJEU case appears confined to its facts as the DSAR itself was a clear abuse of process: they were only raising a DSAR to raise a GDPR compensation claim. This is distinct to an individual raising a DSAR where they have a pre-existing dispute and they are seeking access to personal data to assist with the dispute or litigation.”