CJEU - C‑416/23 - Österreichische Datenschutzbehörde
CJEU - C‑416/23 Österreichische Datenschutzbehörde | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 52(4) GDPR Article 57(1)(e) GDPR Article 57(3) GDPR Article 57(4) GDPR Article 77(1) GDPR |
Decided: | |
Parties: | Datenschutzbehörde |
Case Number/Name: | C‑416/23 Österreichische Datenschutzbehörde |
European Case Law Identifier: | |
Reference from: | VwGH (Austria) Ra 2023/04/0002 |
Language: | 24 EU Languages |
Original Source: | AG Opinion |
Initial Contributor: | fb |
AG De La Tour opined that a DPA cannot refuse to act on a complaint characterising it as "excessive" under Article 57(4) GDPR simply because the data subject has filed several complaints with the same DPA.
English Summary
Facts
On 17 February 2020, the data subject lodged a complaint with the Austrian DPA. He complained that the controller had not responded to his request for access within one month.
On 22 April 2020, the DPA refused to act on this complaint, arguing that it was “excessive” under Article 57(4) GDPR. The DPA observed in particular that, over a period of about 20 months, the data subject had sent it 77 complaints arguing that various controllers failed to respond within one month to his requests for access or erasure.
The data subject brought an action before the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). On 22 December 2022, the BVwG the data subject’s action. It held that, in order for requests to be excessive” under Article 57(4) GDPR, it is not enough that these requests had been made repeatedly and frequently, but it is also needed that they had been manifestly vexatious or abusive.
The DPA appealed this judgement before the Supreme Administrative Court (Verwaltunsgerichtshof – VwGH). This court decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling:
- Must the concept of “requests” in Article 57(4) GDPR be interpreted as meaning that it also covers “complaints” under Article 77(1) GDPR?
- Must Article 57(4) GDPR be interpreted as meaning that, for requests to be “excessive”, it is sufficient that a data subject has merely addressed a certain number of requests to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?
- Must Article 57(4) GDPR be interpreted as meaning that, in the case of a “manifestly unfounded” or “excessive” request, the DPA is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the supervisory authority take into account? In particular, is the supervisory authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests only in the event that charging a fee to prevent such requests is futile?
Advocate General Opinion
On 5 September 2024, AG De La Tour issued his opinion.
First question
First, the AG noted that no provision of the GDPR defines the concept of “request”. On the other hand, according to a French dictionary, its usual meaning in everyday language is “‘the act of making known that one wishes to obtain something”.
Secondly, the AG points out that Article 57(3) GDPR lays down the principle that the performance of the tasks of each supervisory authority shall be free of charge for the data subject. By saying that when requests are manifestly unfounded or excessive, the DPA may charge a reasonable fee, Article 57(4) GDPR creates an exception to the free-of-charge principle.
On this point, the AG noted that this principle applies also to the handling of complaints, which is a core task of a DPA. Therefore, adopting the opposite interpretation of Article 57(4) GDPR would deprive it of a large part of its useful effect.
Thirdly, the AG highlights that the wording “manifestly unfounded” used by Article 57(4) GDPR seems to refer more appropriately to complaints than to other types of requests, such as the ones provided for by Article 57(1)(e) GDPR.
Fourthly, the AG shared the referring court’s view about the fact that this interpretation could, at first sight, appear to conflict with the fact that DPAs must handle the complaint with all due diligence (see C-26/22 and C-64/22, SCHUFA Holding (Discharge from remaining debts), para. 56 and C-362/14, Schrems, para. 63) since the complaints procedure is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects (see C-26/22 and C-64/22, SCHUFA Holding (Discharge from remaining debts), para. 58).
However, according to the AG, this interpretation could contribute to ensure a high level of protection of personal data. Indeed, necessarily having to examine complaints which are manifestly unfounded or excessive might take up the resources available to the authority and have negative effects on the time taken to handle requests submitted at the same time by other data subjects.
In other words, an interpretation excluding complaints from the scope of that provision could undermine the proper functioning of the supervisory authorities and, as a result, the objective of ensuring a high level of protection for the rights of data subjects under the GDPR.
Therefore, the AG proposes the Court’s answer to the first question referred should be that the concept of "request" under Article 57(4) GDPR covers "complaints" referred to in Article 57(1)(f) and 77(1) GDPR.
Second question
First, the AG noted that the wording of Article 57(4) GDPR, in stating “excessive, in particular because of their repetitive character”, signals that requests can properly be regarded as excessive on the basis that they are repetitive in character. However, by using “in particular”, the provision indicates that repetitive requests are only one example of excessive requests.
Secondly, the AG drew a parallel between Article 15 and 77 GDPR. He noted that the CJEU had stressed the importance of the right of access, which allows data subjects to assess the lawfulness of the processing (see C-579/21, Pankki S, para. 59) and has stated the principle that the first copy of the data should be free of charge (C-307/22, FT (Copies of medical records), para. 50). According to the AG, given the importance attached by the GDPR to the right of access, the exercise of it must not be made subject to conditions which are overly strict.
Moreover, when a controller does not comply with Article 15 GDPR in combination with Article 12(3) GDPR, the data subject must be able to lodge a complaint with the DPA, so that the latter can order the controller, in accordance with Article 58(2)(c) GDPR, to comply with the data subject’s requests.
The AG was of the opinion that this principle applies also when a data subject has made access requests to several controllers: deciding otherwise, by setting a threshold beyond which a DPA could characterise such complaints as ‘excessive’, solely by reason of their number, would undermine the rights guaranteed by the GDPR.
Furthermore, the AG pointed out that Article 12(5) GDPR contains a provision which is analogous to the one in Article 57(4) GDPR. The former allows the controller to charge a reasonable fee or to refuse to act on the request. In C-307/22, FT (Copies of medical records), the CJEU ruled that those reasons relate to instances of abuses of rights (see para. 31).
The AG proposed to give the two provisions the same interpretation, since they have the same rationale (avoid a situation in which the burden imposed on the controller or the supervisory authority is disproportionate and liable to interfere with their proper functioning).
Therefore, the number of complaints is not in itself sufficient, without an abusive conduct being proved, to trigger the exception provided for by Article 57(4) GDPR.
The AG further noted that this provision must be strictly interpreted and limited to what is strictly necessary to avoid interfering with the proper functioning of the supervisory authorities. In particular, the AG believed that simply alleging that a data subject filed more complaints than usual and that this could increase the workload of the DPA is not enough, since Article 52(4) GDPR obliges Member States to ensure that the DPA has sufficient resources.
Third question
First, the AG noted that, since the legislator used the word “or”, it is not possible to infer an order of priority as between those options.
However, this does not mean that the DPA can choose on a discretionary basis and without giving reasons. On the contrary, given the importance of the right to lodge complaints in relation to the objective of ensuring a high level of protection of personal data, the DPA should choose the most appropriate and proportionate alternative and motivate its choice.
Finally, the AG noted that the principle of proportionality might suggest that the charging of a fee is preferable, since it can have a dissuasive effect without totally impairing the data subject’s right under Article 77 GDPR.
Holding
The judgement has not been issued yet.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!