Advocate General (“AG”) Szpunar, in case C-526/24, recently delivered a significant opinion on when a data subject access request (“DSAR”) may be deemed to be an abuse of one’s data protection rights and “excessive” under Article 12(5) GDPR. The Opinion provides some further clarity in regard to the limits to the exercise of the right of access under Article 15 GDPR, and the right to compensation under Article 82 GDPR, where these rights are invoked in an abusive manner.
The AG opined that the mere fact that a person has made similar claims for damages for GDPR infringements in the past is not, in itself, sufficient to prove abusive intent. The decisive factor is the underlying purpose of the data subject’s actions, such as deliberately creating a relationship with the controller for the purpose of exploiting their data protection rights, and causing the controller to refuse the DSAR.
The AG further opined that Article 82 GDPR should be interpreted broadly, so that a right to compensation can arise from damage resulting from any infringement of the GDPR (including unjustified refusal to act on a DSAR), even if that damage was not caused by processing the data subject’s personal data. The AG opinion also reaffirms the principle that a mere GDPR infringement alone does not automatically give rise to a right to compensation. The claimant bears the burden of proof of establishing that they incurred actual material or non-material damage as a result of the GDPR infringement.
Background
In this case, the CJEU was asked to specify the limits to the exercise of the right of access and the right to compensation under the GDPR. This CJEU reference, in particular, focuses on whether a DSAR, allegedly made in order to provoke a claim for damages against the controller, can justify refusal on the grounds that it is “excessive” under Article 12(5) GDPR.
The data subject subscribed to the controller’s newsletter, by entering their personal data on the registration form on the controller’s website, and consented to the processing of that personal data. Thirteen days later, the data subject submitted a DSAR under Article 15 GDPR.
The controller refused to comply with the DSAR, on the grounds that it was unlawful, as it constituted an abuse of rights and was “excessive” pursuant to Article 12(5) GDPR. However, the data subject persisted with the DSAR and submitted a civil claim for €1,000 in damages under Article 82 GDPR.
The controller commenced proceedings seeking a declaration from the German District Court that the data subject was not entitled to claim compensation. The controller claimed that it was evident from various online posts that the data subject was “systematically and abusively making access requests for the sole purpose of obtaining compensation by alleging infringement of the GDPR”. The controller asserted that a curtailment of the data subject’s rights under the GDPR should apply where they were deliberately provoking infringements of those rights with a view to claiming damages.
The German District Court referred several questions to the CJEU, in order to clarify the circumstances under which the exercise of a right of access can be considered an abuse of rights and “excessive” under Article 12(5) GDPR.
AG Opinion
The AG opined as follows:
- While it cannot be ruled out that an initial DSAR may be considered an abuse of rights, and therefore, “excessive” under Article 12(3) GDPR, this assessment can only apply in exceptional circumstances. In order to rely on the exception in Article 12(5) GDPR to refuse a DSAR or charge a reasonable fee, the controller must objectively demonstrate “an abusive intention” on the part of the data subject making the request;
- An abusive intention arises where a person consents to the processing of their data, in order to be able to submit a DSAR and then claim compensation for refusal of the DSAR;
- Any refusal to respond to a DSAR must be justified, proportionate, and documented by the controller. Accordingly, the mere fact that it appears from publicly available information that the data subject has asserted their right to compensation against a controller in a large number of cases for GDPR infringement, is not in itself sufficient to demonstrate an abusive intention and to characterise a DSAR as “excessive”. Article 82 GDPR specifically confers the right to seek compensation for damage in the event of a GDPR infringement, and the exercise of the right cannot be presumed to be abusive;
- The AG adopted a broad interpretation of Article 82(2) GDPR. Pursuant to that provision, a controller is liable for the damage caused by any “processing” of personal data which infringes the GDPR. The AG noted that any damage suffered in this case would be caused not by “processing” the data subject’s data, but rather from the unjustified refusal to act on the DSAR. However, the AG opined that this provision should be interpreted so as to provide a right to compensation for damage suffered by a data subject as a result of any infringement of the GDPR (including an unjustified refusal to act on a DSAR), and not just from damage caused by processing the data subject’s personal data;
- The AG further reaffirmed the principle that a mere GDPR infringement is not sufficient to warrant compensation, and that the data subject bears the burden of proof in establishing actual material or non-material damage resulting from the GDPR infringement. In respect of the data subject’s compensation claim for €1,000, the AG found that it was for the referring court to determine whether the data subject had demonstrated that any infringement of their right of access had negative consequences for them, and whether those consequences constituted non-material damage within the meaning of Article 82 GDPR.
Comment
The AG opinion suggests a high threshold for seeking to rely on Article 12(5) GDPR, but helpfully clarifies that it can apply to initial DSARs and not just repeated ones. Since an unjustified refusal to provide access can potentially result in a GDPR infringement and a damages claim, controllers should exercise caution before refusing a DSAR on the grounds that the request is manifestly unfounded or excessive. The final decision of the CJEU is still pending in this case.
Interestingly, the draft Digital Omnibus Regulation 2025/0360 proposes amending Article 12(5) GDPR to further clarify when a DSAR constitutes an abuse of law and exploitation of a data subject’s rights (thereby amounting to a “manifestly unfounded or excessive” request). The amendment appears to be aimed at alleviating the burden of responding to abusive requests from data subjects, in particular DSARs, which often cause significant disruption to a controller’s business.
Recital 35 of the draft Regulation provides an example of an abusive DSAR which is in line with the situation which arose in the current case. That Recital provides: “…an abuse of the right of access would arise where the data subject intends to cause the controller to refuse an access request, in order to subsequently demand the payment of compensation, potentially under the threat of bringing a claim for damages”.
Recital 35 goes on to provide other examples of abusive DSARs as including: “where data subjects make excessive use of the right of access with the only intent of causing damage or harm to the controller or when an individual makes a request, but at the same time offers to withdraw it in return for some form of benefit from the controller”. The Recital further helpfully proposes that: “In any event, while requesting access under Article 15 of Regulation [GDPR], the data subject should be as specific as possible. Overly broad and undifferentiated requests should also be regarded as excessive.”
The Irish DPC has also recently confirmed that it is in the process of updating its DSARs Guidance (last updated in October 2022) in order to further clarify the scope of the Article 12(5) GDPR exception, as well as to provide for other clarifications. It is hoped that these clarifications will help businesses to be able to justify reliance on the “excessive” request exception, in order to refuse or charge a reasonable fee in respect of abusive access requests. We will update you when this updated Guidance is published.
Contact Us
For more information, please contact any member of our Technology and Innovation Group or your usual Matheson contact.