Privacy Daily is a service of Warren Communications News.
DPA Inactivity Widespread?

EU High Court: Privacy Watchdogs Can't Limit Number of Valid GDPR Complaints

Data protection authorities (DPAs) may not limit the number of complaints a person files during a certain period under the EU General Data Protection Regulation (GDPR) unless they find that person is abusing the process, the European Court of Justice held Thursday (Case C-416/23). DPAs seeking to rid themselves of complaints is an EU-wide issue, though this case arose in Austria, said Austrian privacy campaigner Max Schrems.

The case centered on a complaint lodged with the Austrian Data Protection Authority (DSB) in February 2020 by a man, identified as FR, who claimed that a company failed to respond to his request for access to his personal data within a month, the court wrote. The DSB refused to act on the complaint because it said FR had sent 77 similar complaints against different data controllers within around 20 months and had also contacted the DSB by phone with additional requests.

FR challenged that decision before the Federal Administrative Court, Austria, which upheld his complaint and tossed out the DSB's action. It held that the term "excessive" under the GDPR meant not only requests that had been made repeatedly and frequently, but also those that were vexatious or abusive. It also noted that the reasons the DSB gave for refusing to act on FR's complaints didn't indicate any abusive conduct on his part.

The administrative court also said a DPA faced with excessive requests may not choose between the GDPR's two options -- either charging a reasonable fee or refusing to act on the requests -- without justifying its decision, which the DSB had not done.

The DSB appealed to the Austrian Supreme Administrative Court, which referred the case to the ECJ for interpretation under the GDPR. The ECJ ruled that under the regulation, requests can't be classified as excessive simply because of the number filed within a certain period. Moreover, it said, when faced with excessive complaints, a DPA may choose between charging a reasonable fee based on administrative costs or refusing to act on the request, as long as it's satisfied that the chosen option is appropriate, necessary and proportionate.

The DSB arbitrarily set the number of complaints data subjects could file to two per month, Schrems posted. But "you always have fundamental rights -- not just twice a month."

The problem concerns DPAs across Europe, Schrems said. In 2022 (the most recent EU-wide numbers), "European DPAs had a combined ... 140,106 proceedings -- but only issued 1,819 fines against companies." That means in just 1.3% of cases there was a serious consequence, he added. "This clearly shows that there is an EU-wide problem with DPA inactivity and authorities dragging out proceedings."