Court of Justice to clarify the concept of excessive requests for the purposes of Article 57(4) of the GDPR

Today, official publication has been made of a request for a preliminary ruling from the Verwaltungsgerichtshof (Austria) lodged on 6 July 2023 concerning  the interpretation of the concept of excessive requests for the purposes of Article 57(4) of the GDPR: Österreichische Datenschutzbehörde (C-416/23).

In the case at hand, the interested party filed a data protection complaint with the Data Protection Authority under Article 77(1) of the General Data Protection Regulation (GDPR). The complaint was related to a breach of the right of access as outlined in Article 15 of the GDPR.

The interested party claimed that they had sent a request for information, as per Article 15 of the GDPR, to B O BV, a limited liability company in the Netherlands, on January 7, 2020. This request was delivered on January 13, 2020, but the party complained against failed to respond within the required one-month timeframe.

However, the Data Protection Authority declined to address the data protection complaint on April 22, 2020, citing Article 57(4) of the GDPR. The authority’s rationale was based on the fact that the interested party had submitted a total of 77 data protection complaints between August 28, 2018, and April 7, 2020. These complaints included requests for erasure and the right of access. The complaints often followed a pattern where the interested party initially sent requests to various data controllers, then lodged a complaint with the Data Protection Authority after the one-month response period had expired. Additionally, the interested party frequently contacted the Data Protection Authority by phone.

The interested party challenged the Data Protection Authority’s decision in court, specifically before the Bundesverwaltungsgericht (Federal Administrative Court). On December 22, 2022, the administrative court upheld the complaint and annulled the Data Protection Authority’s decision, primarily because it found that Article 57(4) of the GDPR did not clearly define when a request should be considered “excessive.” According to the court, an excessive request must not only involve frequent repetitions but also be “manifestly vexatious or abusive.” The Data Protection Authority had not demonstrated this in the case at hand.

Subsequently, the Data Protection Authority appealed this judgment before the Verwaltungsgerichtshof (Supreme Administrative Court), which is in this context, submitted the following questions to the Court of Justice:

1.Must the concept of ‘requests’ or ‘request’ in Article 57(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation — GDPR) (1) be interpreted as meaning that it also covers ‘complaints’ under Article 77(1) of the GDPR?

2.If Question 1 is answered in the affirmative:

Must Article 57(4) of the GDPR be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely addressed a certain number of requests (complaints under Article 77(1) of the GDPR) to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?

3. Must Article 57(4) of the GDPR be interpreted as meaning that, in the case of a ‘manifestly unfounded’ or ‘excessive’ request (complaint), the supervisory authority is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the supervisory authority take into account? In particular, is the supervisory authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests (complaints) only in the event that charging a fee to prevent such requests is futile?

Read the official publication here.