A recent judgment of the Court of Justice of the European Union (CJEU) (Case C-416/23 Österreichische Datenschutzbehörde v FR) sheds light on the threshold for requests submitted to a data protection supervisory authority to be considered manifestly excessive, in a ruling that will also be of interest to controllers considering the extent of their obligations in the context of data subject right requests.

Background

In April 2020, the Austrian supervisory authority (the DSB) refused to act on a complaint from a data subject (FR) on the basis that it was excessive in nature. FR had made 77 similar complaints regarding different controllers to the DSB within a period of 20 months and had regularly contacted the DSB by phone to make additional requests.

Under Article 57(1)(e) GDPR, supervisory authorities are obliged to provide information to data subjects, at their request, in relation to their rights under the GDPR.  Article 57(1)(f) requires supervisory authorities to handle complaints lodged with it. Article 57(4) GDPR provides an exemption, stating that where “requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs or refuse to act on the request”.

The matter ultimately reached Austria’s Supreme Administrative Court, which referred several questions to the CJEU.  The European Court of Justice (ECJ) held that the concept of a “request” under Article 57(4) GDPR also covered complaints submitted by data subjects, before considering the application of the “manifestly excessive” exemption.

Key findings by the ECJ

• The setting of a numerical threshold, above which complaints could automatically be classified as excessive, could undermine the rights guaranteed by the GDPR.
  
• To rely on Article 57(4) GDPR, the supervisory authority concerned must establish, having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of the person in question, as the number of complaints made by that person is, in itself, insufficient. A finding of an abusive intention may be made if a person has lodged complaints in circumstances where it was not objectively necessary to do so in order to protect his or her rights under the GDPR.
  
• Taking the number of complaints into account in isolation could lead to an arbitrary infringement of the rights that the person derives from the GDPR. As such a finding of the existence of excessive requests, within the meaning of Article 57(4), must demonstrate an abusive intention on the part of the person who lodges such complaints.
  
• A supervisory authority receiving a large number of complaints must demonstrate, on the basis of the particular circumstances of each case, that the number of requests is not explained by the data subject wishing to obtain protection of his or her rights under the GDPR, but in terms of some other purpose, unconnected with the protection of those rights.
  
• The ECJ did recognise that a large number of complaints made by a person may be an indication of excessive requests where it appears that those complaints are not objectively justified by considerations relating to the protection of the data subject’s rights under the GDPR.
  
• The ECJ concluded: “Article 57(4) of the GDPR must be interpreted as meaning that requests cannot be classified as ‘excessive’, within the meaning of that provision, solely on account of their number during a specific period, since the exercise of the option provided for in that provision is subject to the supervisory authority’s demonstrating the existence of an abusive intention on the part of the person who submitted those requests”.

Wider implications for controllers

While the judgment relates to the refusal of a data subject’s request by a supervisory authority on the basis of it being “manifestly excessive” under Article 57(4) GDPR, the wording of the Article 57(4) exemption is similar to that of Article 12(5) GDPR, which permits controllers to refuse certain requests from data subjects that are “manifestly excessive or unfounded”.

In light of this, the judgment will also be of interest to controllers considering the extent of their obligations in the context of data subject rights requests (in particular access requests under Article 15 GDPR) in cases where they have received a high volume and / or frequency of similar requests from the same data subject. While, arguably, different considerations apply to the refusal of a data subject’s request by a supervisory authority – as opposed to a controller – on the basis that it is manifestly excessive, controllers would be wise to take stock of the ECJ’s comments in the present case when considering whether to rely on the “manifestly excessive” exemption.

The authors would like to thank Emily Birchall for her contribution to this briefing.