CJEU - C-416/23 Österreichische Datenschutzbehörde
CJEU - C‑416/23 Österreichische Datenschutzbehörde | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 52(4) GDPR, Article 57(1)(e) GDPR, Article 57(3) GDPR, Article 57(4) GDPR, Article 77(1) GDPR |
Decided: | 09.01.2025 |
Parties: | Datenschutzbehörde |
Case Number/Name: | C‑416/23 Österreichische Datenschutzbehörde |
European Case Law Identifier: | ECLI:EU:C:2025:3 |
Reference from: | VwGH (Austria) Ra 2023/04/0002 |
Language: | 24 EU Languages |
Original Source: | AG Opinion Judgement |
Initial Contributor: | fb |
The CJEU held that a DPA cannot refuse to act on a complaint by characterising it as "excessive" under Article 57(4) GDPR simply because the data subject has filed several complaints with the same DPA.
English Summary
Facts
On 17 February 2020, the data subject lodged a complaint with the Austrian DPA. He complained that the controller had not responded within one month to his access request under Article 15 GDPR.
On 22 April 2020, the DPA made the decision to refuse to act on this complaint, arguing that it was “excessive” under Article 57(4) GDPR. The DPA observed in particular that, over a period of about 20 months, the data subject had sent it 77 complaints arguing that various controllers failed to respond within one month to his requests for access or erasure. Also, the DPA highlighted the fact that the data subject regularly contacted the DPA by telephone in order to report additional facts and to make additional requests.
The data subject brought an action before the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). On 22 December 2022, the BVwG upheld the data subject’s action. It held that, for requests to be “excessive” under Article 57(4) GDPR, it is not enough that they were made repeatedly and frequently; they must also have been manifestly vexatious or abusive.
The DPA appealed this judgement before the Supreme Administrative Court (Verwaltungsgerichtshof – VwGH). This court decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling:
- Must the concept of “requests” in Article 57(4) GDPR be interpreted as meaning that it also covers “complaints” under Article 77(1) GDPR?
- Must Article 57(4) GDPR be interpreted as meaning that, for requests to be “excessive”, it is sufficient that a data subject has merely addressed a certain number of requests to a DPA within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?
- Must Article 57(4) GDPR be interpreted as meaning that, in the case of a “manifestly unfounded” or “excessive” request, the DPA is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the DPA take into account? In particular, is the DPA obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests only in the event that charging a fee to prevent such requests is futile?
Advocate General Opinion
On 5 September 2024, AG De La Tour issued his opinion.
First question
As for the first question, the AG proposed that the Court answer that the concept of "request" under Article 57(4) GDPR covers "complaints" referred to in Article 57(1)(f) and 77(1) GDPR.
First, the AG points out that Article 57(3) GDPR lays down the principle that the performance of the tasks of each DPA shall be free of charge for the data subject. By saying that when requests are manifestly unfounded or excessive, the DPA may charge a reasonable fee, Article 57(4) GDPR creates an exception to the free-of-charge principle.
On this point, the AG noted that this principle applies also to the handling of complaints, which is a core task of a DPA. Therefore, adopting the opposite interpretation of Article 57(4) GDPR would deprive it of a large part of its useful effect.
Thirdly, the AG highlights that the wording “manifestly unfounded” used by Article 57(4) GDPR seems to refer more appropriately to complaints than to other types of requests, such as the ones provided for by Article 57(1)(e) GDPR.
Fourthly, the AG shared the referring court’s view that this interpretation could, at first sight, appear to conflict with the fact that DPAs must handle complaints with all due diligence (see C-26/22 and C-64/22, SCHUFA Holding (Discharge from remaining debts), para. 56 and C-362/14, Schrems, para. 63), since the complaints procedure is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects (see C-26/22 and C-64/22, SCHUFA Holding (Discharge from remaining debts), para. 58).
However, according to the AG, this interpretation could contribute to ensuring a high level of protection of personal data. Indeed, necessarily having to examine complaints which are manifestly unfounded or excessive might take up the resources available to the authority and have negative effects on the time taken to handle requests submitted at the same time by other data subjects.
In other words, an interpretation excluding complaints from the scope of that provision could undermine the proper functioning of the DPAs and, as a result, the objective of ensuring a high level of protection for the rights of data subjects under the GDPR.
Second question
As for the second question, the AG opined that the fact that a data subject has addressed a certain number of requests to a DPA is not sufficient to characterise a complaint as "excessive" under Article 57(4) GDPR, if no abusive intention is demonstrated by the DPA.
First, the AG noted that the wording of Article 57(4) GDPR, by using “in particular”, indicates that repetitive requests are only one example of excessive requests.
Secondly, the AG drew a parallel between Articles 15 and 77 GDPR. He noted that the CJEU had stressed the importance of the right of access, which allows data subjects to assess the lawfulness of the processing (see C-579/21, Pankki S, para. 59), and had stated the principle that the first copy of the data should be free of charge (C-307/22, FT (Copies of medical records), para. 50).
Moreover, when a controller does not comply with Article 15 GDPR in combination with Article 12(3) GDPR, the data subject must be able to lodge a complaint with the DPA, so that the latter can order the controller, in accordance with Article 58(2)(c) GDPR, to comply with the data subject’s requests.
The AG was of the opinion that this principle applies also when a data subject has made access requests to several controllers: deciding otherwise, by setting a threshold beyond which a DPA could characterise such complaints as ‘excessive’, solely by reason of their number, would undermine the rights guaranteed by the GDPR.
Furthermore, the AG pointed out that Article 12(5) GDPR contains a provision which is analogous to the one in Article 57(4) GDPR. The former allows the controller to charge a reasonable fee or to refuse to act on the request. In C-307/22, FT (Copies of medical records), the CJEU ruled that those reasons relate to instances of abuses of rights (see para. 31).
The AG proposed to give the two provisions the same interpretation, since they have the same rationale (i.e. avoiding a situation in which the burden imposed on the controller or the DPA is disproportionate and liable to interfere with their proper functioning).
The AG further noted that this provision must be strictly interpreted and limited to what is strictly necessary to avoid interfering with the proper functioning of the DPAs. In particular, the AG believed that simply alleging that a data subject filed more complaints than usual and that this could increase the workload of the DPA is not enough, since Article 52(4) GDPR obliges Member States to ensure that the DPA has sufficient resources.
Third question
The AG proposed to answer that a DPA can choose between the two alternatives, without one having priority over the other.
First, the AG noted that, since the legislator used the word “or”, it is not possible to infer an order of priority as between those options.
However, this does not mean that the DPA can choose on a discretionary basis and without giving reasons. On the contrary, given the importance of the right to lodge complaints in relation to the objective of ensuring a high level of protection of personal data, the DPA should choose the most appropriate and proportionate alternative and give reasons for its choice.
Finally, the AG noted that the principle of proportionality might suggest that the charging of a fee is preferable, since it can have a dissuasive effect without totally impairing the data subject’s right under Article 77 GDPR.
Holding
Regarding the first question
First, the court held that the wording of the provisions concerning ‘complaints’ permits the inference that complaints lodged under Article 77(1) GDPR fall within the concept of ‘requests’ within the meaning of Article 57(4) GDPR.
Second, the court found that the context of Article 57 GDPR corroborates this broad understanding as Article 57(4) GDPR establishes an exception to the ‘free-of-charge’ principle laid down in Article 57(3) GDPR, which must be interpreted restrictively. Additionally, Article 57(3) GDPR applies to all tasks of DPAs including the essential task of the handling of complaints; therefore Article 57(4) GDPR should also apply to complaints. Otherwise, Article 57(4) GDPR would be largely deprived of its effectiveness which would run counter to the effective protection of the rights guaranteed by that regulation.
Third, the court argues that the contextual interpretation is consistent with the objectives of the GDPR. As indicated by the goals of the GDPR as a whole in Recitals 10 and 11, Article 57(2) and (3) GDPR are intended to facilitate enforcement of the rights derived from the GDPR. The court held that the provision offers DPAs the possibility of better management of those complaints in order to ensure a high level of protection of personal data.
Consequently, Article 57(4) GDPR must be interpreted as meaning that the concept of a ‘request’ contained in that provision covers the complaints referred to in Article 57(4) GDPR and Article 77(1) GDPR.
Regarding the second question
As the concept of ‘excessive requests’ is not defined in the GDPR, the court first referred to the usual meaning of 'excessive' in everyday language as something which exceeds the ordinary or reasonable amount or which exceeds the desirable or permissible amount. However, a literal interpretation of that provision does not make it possible to determine whether a repetitive nature and, consequently, the number of applications lodged alone is sufficient to justify such a classification. Accordingly, the court examined the scope of that provision in the light of its context and the objectives.
The court held that the setting of an absolute numerical threshold, above which complaints could automatically be classified as excessive, could undermine the rights guaranteed by Article 12 GDPR and Article 15 GDPR. Additionally, as Article 57(4) GDPR is an exception to the principle in Article 57(3) GDPR, according to which the DPAs perform their tasks free of charge, exceptional circumstances are required for its invocation. Furthermore, the court agrees with the AG that complaints aid the DPAs’ awareness of GDPR infringements and therefore contribute to safeguarding the rights of data subjects.
Therefore, the court held, Article 57(4) GDPR must be interpreted as meaning that requests cannot be classified as ‘excessive’ solely on account of their number during a specific period, since the exercise of the option provided for in that provision is subject to the DPA demonstrating the existence of an abusive intention on the part of the person who submitted those requests. A finding of such an abusive intention may be made, where the particular circumstances of the case show that the number of complaints is intended to interfere with the proper functioning of the DPA by abusively taking up its resources or where complaints are objectively not necessary to protect a data subject’s rights under the GDPR.
The court additionally stated that a DPA cannot base its refusal to act on a complaint on the fact that a person lodging significantly more complaints than the average occupies the resources of the DPA to the detriment of other complainants. This is because, according to Article 52(4) GDPR, Member States must provide the DPAs with the appropriate resources (and if necessary increase them) to process all complaints submitted.
Regarding the third question
The court argues, first, that the wording of Article 57(4) GDPR supports the interpretation that the DPA, once it has established that the requests submitted to it are excessive, is free to choose one or the other of those options, i.e. to charge a reasonable fee or to refuse to act on the request. Secondly, as stated in Recital 59, ‘modalities should be provided for facilitating the exercise of the data subject’s rights’. Therefore, a choice in favour of one of the two options may be made if, in any event, the effective exercise of the right to lodge complaints is ensured. Thirdly, the court held that, to ensure the GDPR’s objectives, the DPA is required to impartially and fairly assess whether a request is manifestly unfounded or excessive, and to ensure that its choice is appropriate, necessary and proportionate.
Consequently, Article 57(4) GDPR must, according to the court, be interpreted as meaning that, when faced with excessive requests, a DPA may choose, by reasoned decision, between charging a reasonable fee based on administrative costs and refusing to act on those requests, taking account of all the relevant circumstances and satisfying itself that the chosen option is appropriate, necessary and proportionate.