
When Will a Request be Considered Excessive Under the GDPR?

On 9 January 2025, the Court of Justice of the European Union (“CJEU”) delivered its decision in Österreichische Datenschutzbehörde (Case C-416/23) providing guidance on when requests / complaints submitted to data protection supervisory authorities (“DSAs”) may be considered to be manifestly excessive. In summary, the CJEU held that requests / complaints submitted to DSAs will not be considered manifestly excessive based simply on their volume, and that DSAs cannot refuse to act on a complaint by characterising it as “excessive” under Article 57(4) GDPR simply because the requestor has filed several complaints with the same DSA. Instead, the CJEU determined that whether requests are excessive will be determined by reference to the requestor’s intent.

Facts

In 2020, the data subject lodged a complaint with the Austrian data protection authority (the “DSB”) under Article 77(1) GDPR. He complained that the controller had not responded to his access requests within the one-month statutory timeframe.

The DSB refused to act on this complaint on the basis that it was “excessive” under Article 57(4) GDPR. That provision states that: “Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.” The DSB submitted that over a period of 20 months, the data subject had filed 77 complaints with the DSB, claiming that controllers had failed to respond within one month to his requests for access or erasure under the GDPR. Further, it was observed that the data subject regularly contacted the DSB by telephone in order to make additional requests.

The data subject challenged the DSB’s decision to decline to address his complaint before the Bundesverwaltungsgericht (the Federal Administrative Court of Austria (“FAC”)). The FAC found for the data subject and annulled the DSB’s decision, finding that in order for requests to be considered “excessive” under Article 57(4) GDPR, they must not only be made repeatedly and frequently, but must also be manifestly vexatious or abusive. In the present case, the reasons given by the DSB for refusing the data subject’s request did not indicate that there had been any abusive conduct on his part.

Following an appeal by the DSB to the Austrian Supreme Administrative Court, the following questions were referred to the CJEU for a preliminary ruling:

(i) Must the concept of “requests” or “request” in Article 57(4) GDPR be interpreted as meaning that it also covers “complaints” under Article 77(1) GDPR?

(ii) If the answer to (i) is yes, then must Article 57(4) GDPR be interpreted as meaning that, for requests to be “excessive”, it is sufficient that a data subject has merely addressed a certain number of requests to a data protection authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?

(iii) Must Article 57(4) GDPR be interpreted as meaning that, in the case of a “manifestly unfounded” or “excessive” request, the data protection authority is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the data protection authority take into account? In particular, is the data protection authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests only in the event that charging a fee to prevent such requests is futile?

Excessive Requests

The CJEU made the following findings in respect of these questions:

  • Article 57(4) GDPR must be interpreted as meaning that the concept of “request” covers complaints referred to in Article 57(1)(f) and Article 77(1) GDPR.
  • The concept of “excessive requests” is not defined in the GDPR. As such, the court referred to the meaning of “excessive” in everyday language as something which “exceeds the ordinary or reasonable amount or which exceeds the desirable or permissible amount.”
  • Setting a numerical threshold above which complaints could automatically be classified as excessive could undermine the rights guaranteed by Article 12 GDPR and Article 15 GDPR.
  • Article 57(4) GDPR must be interpreted as meaning that requests cannot be classified as “excessive” based solely on their number during a specific period. The DSA must establish, having regard to all the circumstances, that there is an abusive intention on the part of the requestor. A finding of such an abusive intention may be made where the particular circumstances of the case show that the number of complaints is intended to interfere with the proper functioning of the DSA by abusively taking up its resources or where complaints are objectively not necessary to protect a data subject’s rights under the GDPR.
  • A large number of complaints made by one person may be an indication of excessive requests where it appears that those complaints are not objectively justified by considerations relating to the protection of data subjects’ rights.
  • The wording of Article 57(4) GDPR supports the interpretation that the data protection authority, once it has established that the requests submitted to it are excessive, has the freedom to choose one or the other of those options (i.e. to charge a reasonable fee or to refuse to act on the request). Therefore, a choice in favour of one of the two options may be made if, in any event, the effective exercise of the right to lodge complaints is ensured.

Comment

In short, it will not be possible for data protection authorities to refuse to deal with requests / complaints from data subjects under Article 57(4) GDPR simply on the basis that the data subject has submitted a high number of them in a specified period of time. Instead, data protection authorities will need to establish an abusive intention on the part of the requestor, which may be difficult in many instances.

Whilst the decision relates to data protection authorities, it is arguably of broader relevance also to controllers who receive large volumes of, or repeated, requests from data subjects, in circumstances where Article 12(5) GDPR contains a similar provision to Article 57(4), enabling controllers to refuse certain requests from data subjects (including access requests (Article 15) and erasure requests (Article 17)).

Contact Us

For more information, please contact Davinia Brennan, Connor Cassidy or any member of our Technology and Innovation Group or Commercial Litigation Group or your usual Matheson contact.