Mass data subject access requests (“DSARs”) for information under Article 15 of the GDPR have increasingly become a significant challenge for many website and platform operators. These requests are not only straining resources but have also emerged as a business model for certain law firms and claimants, making it nearly impossible to respond to all inquiries within the prescribed one-month timeframe. However, according to Article 12 (5) b) GDPR, a controller may refuse to act on a request if it is deemed "manifestly unfounded or excessive." Yet, the interpretation of when a DSAR can be considered "excessive" under Article 12 (5) GDPR remains unclear.
In a pivotal court order, the Local Court of Arnsberg (file number: 42 C 434/23) has referred several questions to the European Court of Justice (“CJEU”), seeking clarification on the interpretation of Art. 15 GDPR, in particular on when a DSAR may be considered excessive under Article 12 (5) GDPR. The questions focus on the conditions under which a request for information can be deemed excessive and whether a refusal to provide information can be justified if the request is intended to provoke a claim for damages.
One of the key questions referred is:
“Is the second sentence of Article 12 (5) GDPR to be interpreted as meaning that the controller may refuse a request for information from the data subject if the data subject intends to use the request for information to provoke claims for damages against the controller?”
The case under review is particularly noteworthy because the lawsuit was initiated by the alleged controller, not the data subject. The facts are as follows: The data subject had registered on a website using his personal data to receive a newsletter. Later, he submitted a DSAR under Article 15 of the GDPR, requesting information about what personal data was being processed about him. The website operator refused to comply, citing an abuse of rights. Subsequently, the operator filed a negative declaratory judgment action, arguing that the data subject had developed a business model aimed at provoking GDPR violations through such requests to claim damages. The website operator claimed to have evidence supporting this assertion, including blog posts and reports from lawyers documenting similar actions in various cases.
The CJEU is now tasked with deciding on this matter, which could become a landmark decision in defining the limits of data subjects’ right to access under the GDPR. This ruling will be a crucial milestone in determining where the right to access information ends and where potential abuses of that right begin.
We will keep you informed on this case.
*********
The following questions have been referred to the Court of Justice of the European Union for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (TFEU):
1. Is the second sentence of Article 12 (5) GDPR to be interpreted as meaning that an excessive request for information by the data subject cannot be made at the time of the first request to the controller?
2. Is the second sentence of Article 12 (5) GDPR to be interpreted as meaning that the controller may refuse a request for information from the data subject if the data subject intends to use the request for information to provoke claims for damages against the controller?
3. Is the second sentence of Article 12 (5) GDPR to be interpreted as meaning that publicly available information about the data subject that allows the conclusion that the data subject will assert claims for damages against the controller in a large number of cases of data protection violations can justify a refusal to provide information?
4. Is Article 4 (2) GDPR to be interpreted as meaning that a data subject's request for information from the controller pursuant to Article 15 (1) GDPR and/or a response to that request constitutes processing within the meaning of Article 4 (2) GDPR?
5. Is Art. 82 para. 1 GDPR in view of recital 146 p. 1 GDPR to be interpreted as meaning that only those damages are eligible for compensation which the data subject suffers or has suffered as a result of processing? Does this mean that for a claim for damages under Art. 82 para. 1 GDPR - assuming the existence of causal damage to the data subject - the processing of the data subject's personal data must have taken place?
6. If question 5 is answered in the affirmative: Does this mean that the data subject - assuming the existence of causal damage - is not entitled to a claim for damages under Art. 82 (1) GDPR solely on the basis of the breach of his right of access under Art. 15 (1) GDPR?
7. Is Article 82 (1) GDPR to be interpreted as meaning that the controller's objection of abuse of rights in relation to a request for information by the data subject cannot, with regard to EU law, consist in the fact that the data subject has brought about the processing of his personal data solely or inter alia in order to assert claims for damages?
8. If questions 5 and 6 are answered in the negative: Does the mere loss of control and/or uncertainty about the processing of the data subject's personal data associated with a breach of Art. 15 (1) GDPR constitute non-material damage to the data subject within the meaning of Art. 82 (1) GDPR or does it also require a further (objective or subjective) restriction and/or (tangible) impairment of the data subject?