CJEU - C‑416/23 - Österreichische Datenschutzbehörde

From GDPRhub
Revision as of 11:16, 10 September 2024 by Fb (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C‑416/23 Österreichische Datenschutzbehörde
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 52(4) GDPR
Article 57(1)(e) GDPR
Article 57(3) GDPR
Article 57(4) GDPR
Article 77(1) GDPR
Decided:
Parties: Datenschutzbehörde
Case Number/Name: C‑416/23 Österreichische Datenschutzbehörde
European Case Law Identifier:
Reference from: VwGH (Austria)
Ra 2023/04/0002
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: fb


AG De La Tour opined that a DPA cannot refuse to act on a complaint characterising it as "excessive" under Article 57(4) GDPR simply because the data subject has filed several complaints with the same DPA.

English Summary

Facts

On 17 February 2020, the data subject lodged a complaint with the Austrian DPA. He complained that the controller had not responded to his request for access within one month.

On 22 April 2020, the DPA refused to act on this complaint, arguing that it was “excessive” under Article 57(4) GDPR. The DPA observed in particular that, over a period of about 20 months, the data subject had sent it 77 complaints arguing that various controllers failed to respond within one month to his requests for access or erasure.

The data subject brought an action before the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). On 22 December 2022, the BVwG the data subject’s action. It held that, in order for requests to be excessive” under Article 57(4) GDPR, it is not enough that these requests had been made repeatedly and frequently, but it is also needed that they had been manifestly vexatious or abusive.

The DPA appealed this judgement before the Supreme Administrative Court (Verwaltunsgerichtshof – VwGH). This court decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling:

  1. Must the concept of “requests” in Article 57(4) GDPR be interpreted as meaning that it also covers “complaints” under Article 77(1) GDPR?
  2. Must Article 57(4) GDPR be interpreted as meaning that, for requests to be “excessive”, it is sufficient that a data subject has merely addressed a certain number of requests to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?
  3. Must Article 57(4) GDPR be interpreted as meaning that, in the case of a “manifestly unfounded” or “excessive” request, the DPA is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the supervisory authority take into account? In particular, is the supervisory authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests only in the event that charging a fee to prevent such requests is futile?

Advocate General Opinion

On 5 September 2024, AG De La Tour issued his opinion.

First question

As for the first question, the AG proposes the Court to answer that the concept of "request" under Article 57(4) GDPR covers "complaints" referred to in Article 57(1)(f) and 77(1) GDPR.

First, the AG points out that Article 57(3) GDPR lays down the principle that the performance of the tasks of each supervisory authority shall be free of charge for the data subject. By saying that when requests are manifestly unfounded or excessive, the DPA may charge a reasonable fee, Article 57(4) GDPR creates an exception to the free-of-charge principle.

On this point, the AG noted that this principle applies also to the handling of complaints, which is a core task of a DPA. Therefore, adopting the opposite interpretation of Article 57(4) GDPR would deprive it of a large part of its useful effect.

Thirdly, the AG highlights that the wording “manifestly unfounded” used by Article 57(4) GDPR seems to refer more appropriately to complaints than to other types of requests, such as the ones provided for by Article 57(1)(e) GDPR.

Fourthly, the AG shared the referring court’s view about the fact that this interpretation could, at first sight, appear to conflict with the fact that DPAs must handle the complaint with all due diligence (see C-26/22 and C-64/22, SCHUFA Holding (Discharge from remaining debts), para. 56 and C-362/14, Schrems, para. 63) since the complaints procedure is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects (see C-26/22 and C-64/22, SCHUFA Holding (Discharge from remaining debts), para. 58).

However, according to the AG, this interpretation could contribute to ensure a high level of protection of personal data. Indeed, necessarily having to examine complaints which are manifestly unfounded or excessive might take up the resources available to the authority and have negative effects on the time taken to handle requests submitted at the same time by other data subjects.

In other words, an interpretation excluding complaints from the scope of that provision could undermine the proper functioning of the supervisory authorities and, as a result, the objective of ensuring a high level of protection for the rights of data subjects under the GDPR.

Second question

As for the second question, the AG opined that the fact that a data subject has addressed a certain number of requests to a DPA is not sufficient to characterise a complaint as "excessive" under Article 57(4) GDPR, if no abusive intention is demonstrated by the DPA.

First, the AG noted that the wording of Article 57(4) GDPR, by using “in particular”, indicates that repetitive requests are only one example of excessive requests.

Secondly, the AG drew a parallel between Article 15 and 77 GDPR. He noted that the CJEU had stressed the importance of the right of access, which allows data subjects to assess the lawfulness of the processing (see C-579/21, Pankki S, para. 59) and has stated the principle that the first copy of the data should be free of charge (C-307/22, FT (Copies of medical records), para. 50).

Moreover, when a controller does not comply with Article 15 GDPR in combination with Article 12(3) GDPR, the data subject must be able to lodge a complaint with the DPA, so that the latter can order the controller, in accordance with Article 58(2)(c) GDPR, to comply with the data subject’s requests.

The AG was of the opinion that this principle applies also when a data subject has made access requests to several controllers: deciding otherwise, by setting a threshold beyond which a DPA could characterise such complaints as ‘excessive’, solely by reason of their number, would undermine the rights guaranteed by the GDPR.

Furthermore, the AG pointed out that Article 12(5) GDPR contains a provision which is analogous to the one in Article 57(4) GDPR. The former allows the controller to charge a reasonable fee or to refuse to act on the request. In C-307/22, FT (Copies of medical records), the CJEU ruled that those reasons relate to instances of abuses of rights (see para. 31).

The AG proposed to give the two provisions the same interpretation, since they have the same rationale (i.e. avoiding a situation in which the burden imposed on the controller or the supervisory authority is disproportionate and liable to interfere with their proper functioning).

The AG further noted that this provision must be strictly interpreted and limited to what is strictly necessary to avoid interfering with the proper functioning of the supervisory authorities. In particular, the AG believed that simply alleging that a data subject filed more complaints than usual and that this could increase the workload of the DPA is not enough, since Article 52(4) GDPR obliges Member States to ensure that the DPA has sufficient resources.

Third question

The AG proposed to answer that a DPA can choose between the two alternatives without one having the priority on the other.

First, the AG noted that, since the legislator used the word “or”, it is not possible to infer an order of priority as between those options.

However, this does not mean that the DPA can choose on a discretionary basis and without giving reasons. On the contrary, given the importance of the right to lodge complaints in relation to the objective of ensuring a high level of protection of personal data, the DPA should choose the most appropriate and proportionate alternative and motivate its choice.

Finally, the AG noted that the principle of proportionality might suggest that the charging of a fee is preferable, since it can have a dissuasive effect without totally impairing the data subject’s right under Article 77 GDPR.

Holding

The judgement has not been issued yet.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!