Earthquake or tumbleweed? Implications of the CJEU's Brillen Rottler decision for DSARs

Is the CJEU's recent Brillen Rottler decision, on the abusiveness of data subject access requests, a seminal moment? Or just confirmation of what has been possible under the EU GDPR all along?

Contributors:
Victoria Hordern
AIGP, CIPP/E, CIPT
Partner
Digiphile
In 2023, German-based family-run optician Brillen Rottler claimed it was unknowingly targeted by an individual who "systematically and abusively" made requests for access to his personal data "for the sole purpose of obtaining compensation by alleging infringement of the EU General Data Protection Regulation."
The optician said the individual, who is referred to as TC and appeared to have had no other connection with the company, sent a data subject access request within one month of registering for Brillen Rottler's newsletter through its website.
However, rather than comply with the DSAR, Brillen Rottler refused and declared the DSAR manifestly unfounded or excessive, relying on Article 12(5) of the GDPR. In support of its view, Brillen Rottler pointed to publicly available reports, blogs and lawyers' newsletters highlighting TC's apparent modus operandi, which showed he had no genuine purpose in exercising his rights.
TC disputed this and requested compensation of 1,000 euros.
Brillen Rottler submitted a claim to a German court seeking a declaration that TC's compensation claim was invalid. TC maintained his right to access under Article 15 of the GDPR was legitimate and continued to seek compensation. The local court referred several questions to the Court of Justice of the European Union.
What was the CJEU's view?
The CJEU published its decision on 19 March. The core issues for the court's consideration were: whether a single DSAR could be characterized as excessive, and therefore an abuse of rights; whether, in coming to that view, a controller could rely on publicly available information about the requester; and what the rules are around eligibility for compensation.
The court reasoned that data protection is not an absolute right and the wording in Article 12(5) permitting a controller to refuse a DSAR where it is manifestly unfounded or excessive recognizes that a DSAR is not an absolute right that takes precedence over all circumstances. There are situations where the behavior of the requester justifies a controller in denying their DSAR.
As most privacy practitioners know, however, relying on Article 12(5) is no easy matter as regulators emphasize the high bar required. For instance, Ireland's Data Protection Commission states Article 12(5) is "a high threshold to meet," adding, "There should be very few cases where a controller can justify a refusal of a request on this basis."
In considering whether a one-off DSAR could be deemed excessive, the CJEU was persuaded by the opinion of the Advocate General that Article 12(5) refers to repeated requests only as an example of a type of excessive request. Therefore, there was nothing on the face of it that meant an initial DSAR could not be regarded as "excessive."
Significantly, the CJEU also considered the interpretation of "excessive requests" made to data protection authorities. Here, the court held that the identical wording in Article 57(4) of the GDPR underlined the "general principle of EU law to the effect that EU law cannot be relied on for abusive or fraudulent ends." In effect, since DPAs can refuse requests due to an "abusive intention," so can controllers.
The court continued that the finding of abusive conduct should be assessed qualitatively and is not dependent solely on the number of DSARs made by an individual. It noted, however, that such a finding should be made "only exceptionally," and there must be strict criteria for defining a first request as excessive.
What DSARs are excessive?
In order to characterize a DSAR as excessive, the court indicated that proof of an abusive practice — to be proven by the controller — requires both objective circumstances and a subjective element where the data subject's intent is "to obtain an advantage from EU rules by artificially creating the conditions laid down for obtaining it." Significantly, that "requires account to be taken of all the facts and circumstances of the case." In other words, looking behind the mere DSAR being made to understand its context.
Historically many practitioners have treated DSARs as "motive blind." So, a controller does not speculate or take into account what it knows of the data subject's intentions. In reality, however, this approach is usually a bit of a fiction. Most companies will be aware of the context if a DSAR is made by an unhappy employee or an angry customer and will take that into account as part of their response.
The CJEU stated that a controller can find an abusive intention "where the data subject has made that request for a purpose other than that of being aware of the processing of those data and verifying the lawfulness of that processing." The controller must demonstrate "unequivocally" that the individual made the DSAR for the purpose of artificially creating the conditions laid down for obtaining compensation from the controller. It can take into account all the circumstances, such as whether the individual voluntarily provided their data, the aim of providing the data, the time that elapsed between providing the data and making the DSAR, and their conduct.
Interestingly, the court was more hesitant about admitting public information about the requester into the mix, but allowed that this could be considered relevant provided it was supported by other material.
The CJEU's findings echo the proposal concerning abusive DSARs put forward by the European Commission in the draft Digital Omnibus Regulation. Recital 35 explicitly states that "an abuse of the right of access would arise where the data subject intends to cause the controller to refuse an access request, in order to subsequently demand the payment of compensation." Significantly, the recital goes on to state that "controllers should bear a lower burden of proof regarding the excessive character of a request" so that the controller is only required to prove abuse to a reasonable level — which moves away from the "high threshold" mentioned above.
On the questions around claiming compensation, the CJEU confirmed that compensation can be sought even if there is no data processing. The court confirmed that "the causal link between the alleged infringement and the alleged damage may be broken by the conduct of the data subject, provided that the conduct proves to be the determining cause of the damage." What undermined TC's compensation claim was his own conduct.
So what?
The decision could well encourage controllers to be more bullish in relying on the manifestly excessive ground to refuse DSARs. However, not all requesters will behave like TC, and this decision does not give carte blanche for controllers to refuse DSARs when the requester is difficult to deal with.
What this decision affirms is that, just like other EU rights, GDPR rights cannot be abused. In that sense, there is nothing new.
However, the decision does strengthen the hands of controllers in refusing DSARs where they can point to evidence that the scenario has been artificially created by the requester. And, for some controllers dealing with some DSARs, that is a knock-out blow.




