Privacy & Information Security Law Blog

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case Österreichische Datenschutzbehörde (C‑416/23). In this case, the CJEU was asked to determine when a request to a supervisory authority could be considered as excessive, in particular because of its repetitive character, allowing the supervisory authority to reject the request or charge a fee to process it.

Background

The case arose from the refusal by the Austrian Data Protection Authority (“DSB”) to act on an individual’s complaint due to its excessive nature. The DSB’s refusal was based on the fact that the concerned individual had sent 77 similar complaints to the DSB directed against different controllers within a period of approximately 20 months. The individual contested the DSB’s decision and the matter was eventually brought before the Austrian Supreme Administrative Court. The Court requested the following clarifications from the CJEU:

• Whether the exception allowing supervisory authorities to charge a reasonable fee based on administrative costs or to refuse to act on a request based on its excessive or unfounded nature also applies to complaints?
• Whether for a request to be “excessive”, it is sufficient that a data subject has merely addressed a certain number of requests to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests concern different controllers, or if an abusive intention on the part of the data subject is required in addition to the frequent repetition of requests?
• Whether in case of “manifestly unfounded” or “excessive” requests, the supervisory authority is free to choose between charging a reasonable fee based or refuse to process the request?

The CJEU’s Decision

In its decision, the CJEU started by clarifying that the term “request” should be considered as including complaints lodged with supervisory authorities and, hence, should be subject to Article 57(4) of the GDPR.

With respect to the excessive nature of complaints, the CJEU took the view that setting an absolute numerical threshold, above which complaints are automatically classified as excessive, is not acceptable. According to the CJEU, this approach could undermine rights granted to individuals under the GDPR. Instead, the supervisory authority is required to establish that the concerned individual has an abusive intention. A large number of complaints made by the same individual may be an indication of an excessive request, provided that those complaints are not objectively justified by considerations relating to the protection of the data subject’s rights under the GDPR.

When faced with an excessive request, the CJEU considers that the supervisory authority may take a reasoned decision to charge a reasonable fee based on administrative costs or refuse to act on those requests, taking into account all relevant circumstances and satisfying itself that the chosen option is appropriate, necessary and proportionate. According to the CJEU, the supervisory authority may consider initially opting to charge a reasonable fee to bring an end to the abusive practice, as this option has lesser adverse effects on the GDPR rights of the individual. However, the supervisory authority is not required to always apply this measure first.

Read the CJEU’s decision.