Provisional text
OPINION OF ADVOCATE GENERAL
RICHARD DE LA TOUR
delivered on 5 September 2024 (1)
Case C‑416/23
Österreichische Datenschutzbehörde
other parties:
FR,
Bundesministerin für Justiz
(Request for a preliminary ruling from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria))
( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 57(4) – Tasks of the supervisory authority – Request – Meaning – Excessive requests – Meaning – Article 77(1) – Right to lodge a complaint – Payment of a reasonable fee based on the administrative costs or refusal by the supervisory authority to act on the request – Criteria which may guide the supervisory in making its choice )
I. Introduction
1. Article 57(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2) (‘the GDPR’) offers the supervisory authorities, when confronted with requests which are manifestly unfounded or excessive, in particular because of their repetitive character, the possibility of charging a reasonable fee based on the administrative costs or of refusing to act on those requests.
2. The logic underlying this procedural mechanism is based on the idea that, while data subjects must of course be able to claim from the supervisory authorities, without difficulty, compliance with their rights under the GDPR, those authorities must, for their part, be able to treat excessive requests in a particular way, in order to ensure their proper functioning and protect their ability to carry out their tasks in full.
3. It remains necessary, however, to define the term ‘excessive’ in this context. That is the main issue raised by the present request for a preliminary ruling.
4. The request has been made in proceedings between Österreichische Datenschutzbehörde (Data Protection Authority, Austria) (‘the DSB’) and FR, concerning the refusal of that authority, based on Article 57(4) of the GDPR, to act on a complaint lodged by FR pursuant to Article 77(1) of that regulation.
II. The facts of the dispute in the main proceedings and the questions referred for a preliminary ruling
5. On 17 February 2020, FR lodged a complaint with the DSB, pursuant to Article 77(1) of the GDPR, for infringement of his right of access under Article 15 of that regulation, on the ground that the controller had not responded to his request for access within one month.
6. On the basis of Article 57(4) of that regulation, the DSB refused, by decision of 22 April 2020, to act on that complaint, characterising it as ‘excessive’. In that regard, it observed in particular that, over a period of about 20 months, FR had sent it 77 complaints challenging the failure, on the part of various controllers, to respond within one month to his requests for access or erasure. (3) Furthermore, FR had regularly contacted that authority by telephone in order to report additional facts and consult it with a view to potentially lodging further complaints.
7. FR brought an action against that decision before the Bundesverwaltungsgericht (Federal Administrative Court, Austria). By judgment of 22 December 2022, that court upheld the action and annulled the decision of the DSB. It held, in essence, that the term ‘excessive’, within the meaning of Article 57(4) of the GDPR, entailed not only that requests had been made repeatedly and frequently, but also that they had been manifestly vexatious or abusive. According to that court, the reasons given by the DSB for refusing to act on FR’s complaint did not indicate that there had been any abusive conduct on his part. Furthermore, that authority could not choose based on its own convenience between charging a reasonable fee for an ‘excessive’ request and refusing to act on such a request. The DSB was required to justify that choice, which it had not done in the present case.
8. The Verwaltungsgerichtshof (Supreme Administrative Court, Austria), which has before it an appeal on a point of law, brought by the DSB against that judgment, and which is the referring court in the present case, seeks to ascertain, first, whether the concept of a ‘complaint’ as referred to in Article 77(1) of the GDPR can be equated with that of a ‘request’ within the meaning of Article 57(4) of that regulation.
9. In that regard, the Verwaltungsgerichtshof (Supreme Administrative Court) observes that a negative answer to that question would mean that a supervisory authority was unable to refuse, on the basis of that provision, to act on complaints or charge a reasonable fee for handling them, even if they were unfounded or excessive. However, in the view of that court, the strongest arguments militated in favour of including the complaints referred to in Article 77(1) of the GDPR within the scope of Article 57(4) of that regulation.
10. Secondly, the referring court is in doubt as to the meaning to be given to the concept of ‘excessive requests’, for the purposes of the latter provision. In particular, that court states that, while requests of a repetitive character are given as an example of excessive requests, account must be taken of the fact that, if a supervisory authority is able to refuse to act on a complaint, this will significantly undermine the protection that data subjects are entitled to claim under the GDPR. That would be contrary to the regulation’s objective of ensuring a high level of protection of personal data. As an exception to the obligation of supervisory authorities to process complaints submitted to them, the possibility of refusing to act on a complaint must be interpreted narrowly.
11. Thus, the Verwaltungsgerichtshof (Supreme Administrative Court) doubts that the simple fact that a data subject has made use of the possibilities offered by the GDPR by making a very high number of complaints, compared to other persons, particularly where those complaints relate to different controllers, can be a sufficient basis for characterising those requests as ‘excessive’, in the absence of other circumstances demonstrating the existence of an abusive intention.
12. Similarly, according to the referring court, the simple fact that the processing of certain complaints constitutes, for the supervisory authority, an above-average burden in terms of work and time, cannot justify charging a fee or refusing to act on the complaint pursuant to Article 57(4) of the GDPR.
13. Thirdly, that court seeks to ascertain whether a supervisory authority has a free choice, in the case of manifestly unfounded or excessive requests, between charging a reasonable fee based on the administrative costs and refusing to act on those requests.
14. In those circumstances the Verwaltungsgerichtshof (Supreme Administrative Court) decided to stay the proceedings and refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must the concept of “requests” or “request” in Article 57(4) of [the GDPR] be interpreted as meaning that it also covers “complaints” under Article 77(1) of the GDPR?
(2) If Question 1 is answered in the affirmative, must Article 57(4) of the GDPR be interpreted as meaning that, for requests to be “excessive”, it is sufficient that a data subject has merely addressed a certain number of requests (complaints under Article 77(1) of the GDPR) to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?
(3) Must Article 57(4) of the GDPR be interpreted as meaning that, in the case of a “manifestly unfounded” or “excessive” request (complaint), the supervisory authority is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the supervisory authority take into account? In particular, is the supervisory authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests (complaints) only in the event that charging a fee to prevent such requests is futile?’
15. Written observations were submitted by FR, the DSB, the Bundesministerin für Justiz (Federal Minister for Justice, Austria), the Austrian and Czech Governments and the European Commission.
III. Analysis
A. The first question referred
16. By its first question, the referring court asks the Court, in essence, whether the concept of ‘requests’ or ‘request’ which appears in Article 57(4) of the GDPR covers ‘complaints’ referred to in Article 57(1)(f) and Article 77(1) of that regulation. (4)
17. In refusing, pursuant to Article 57(4) of the GDPR, to act on the complaint lodged by FR in relation to the alleged infringement of his right of access under Article 15 of that regulation, the DSB adopted a decision which rests on the proposition that complaints made by data subjects pursuant to Article 77(1) of that regulation are to be regarded as ‘requests’ within the meaning of Article 57(4) thereof.
18. The referring court considers that it is necessary to verify that proposition with the Court given that, if it is false, a supervisory authority is unable to refuse to act on complaints or to charge a reasonable fee for handling them pursuant to Article 57(4) of the GDPR.
19. As a preliminary remark, I would observe that, according to settled case-law of the Court, the terms of a provision of EU law which makes no express reference to the law of the Member States for the purpose of determining its meaning and scope must normally be given an autonomous and uniform interpretation throughout the European Union. (5) Furthermore, in interpreting a provision of EU law, it is necessary to consider not only its wording, by reference to its usual meaning in everyday language, but also the context in which it occurs and the objectives pursued by the rules of which it is part. (6)
20. A literal, contextual and purposive interpretation of Article 57(4) of the GDPR leads me to the conclusion that the concept of ‘request(s)’ which appears in that provision covers the ‘complaints’ referred to in Article 57(1)(f) and Article 77(1) of that regulation.
21. With regard, first, to the wording of Article 57(4) of the GDPR, that provision states that ‘where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request’.
22. As for Article 77(1) of the GDPR, it provides that ‘without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation’.
23. No provision of the GDPR defines the concept of ‘request(s)’ for the purposes of Article 57(4) of that regulation. If I turn to consider its usual meaning in everyday language, this is particularly broad. It potentially covers any act by which a person or entity asks for something. The Larousse dictionary defines the equivalent French term as ‘the act of making known that one wishes to obtain something; the act of asking [for something]; a document which does so’, giving the term equivalent to ‘complaint’ as one of its synonyms. Complaints made pursuant to Article 77(1) of the GDPR are therefore, in my view, a category of ‘request(s)’ within the meaning of Article 57(4) of that regulation.
24. That textual analysis is corroborated, secondly, by the context of the provision. In that regard, I note that Article 57 of the GDPR describes the functions of the supervisory authorities and the conditions under which they are to be exercised. Among those functions:
– Article 57(1)(a) of the GDPR provides that each of those authorities is to ‘monitor and enforce the application of [that] Regulation’;
– Article 57(1)(e) of the GDPR provides that each of those authorities is to, ‘upon request’, ‘provide information to any data subject concerning the exercise of their rights under [that] Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end’; (7)
– Article 57(1)(f) of the GDPR provides that each supervisory authority is to ‘handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary’. (8)
25. Under Article 57(2) of the GDPR, ‘each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication’. (9)
26. Furthermore, Article 57(3) of the GDPR lays down the principle that ‘the performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer’.
27. In providing that the supervisory authorities may, when confronted with requests which are manifestly unfounded or excessive, charge a reasonable fee based on the administrative costs, or refuse to act on a request, Article 57(4) of the GDPR creates an exception to the free-of-charge principle laid down by Article 57(3) of that regulation and to the obligation incumbent on those authorities to act on requests submitted to them.
28. Contrary to FR’s submissions, it cannot be concluded, in my view, from the fact that these provisions appear next to one another, that Article 57(4) of the GDPR, in so far as it employs the concept of ‘request(s)’, applies only to the requests referred to in Article 57(1)(e) of that regulation. In other words, I do not think that it follows from the fact that the concept of ‘request(s)’ is employed in that provision that the scope of Article 57(4) of the regulation is limited to the task of supervisory authorities for which it provides. Moreover, the fact that Article 57(2) of the regulation concerns ‘complaints’ does not mean that it is the only provision intended to govern the conditions under which complaints are lodged with the supervisory authorities.
29. I note that Article 57(3) of the GDPR, which lays down the principle that the supervisory authorities perform their tasks free of charge, applies to all their tasks, including the handling of complaints as provided for by Article 57(1)(f) of the GDPR. Logically and by parallel reasoning, Article 57(4) of the GDPR, in so far as it creates an exception to the free-of-charge principle, without restricting it to certain specific functions of the supervisory authorities, should also apply to such handling of complaints.
30. That is all the more so for the fact that the handling of complaints, provided for in Article 57(1)(f) of the GDPR, is a core task of the supervisory authorities. (10) The free-of-charge principle and the obligation to facilitate the submission of complaints, provided for by Article 57(2) and (3) of that regulation, are, moreover, intended to enable any data subject to claim from a supervisory authority compliance with his or her rights under the GDPR.
31. Accordingly, the interpretation on which the concept of ‘request(s)’ referred to in Article 57(4) of the GDPR only covers requests under Article 57(1)(e) of that regulation, and not complaints as referred to in Article 57(1)(f) and Article 77(1) of that regulation, would deprive the first of those provisions of a large part of its useful effect.
32. Furthermore, it appears to me that complaints as referred to in Article 57(1)(f) and Article 77(1) of the GDPR are more readily described, where appropriate, as ‘manifestly unfounded’ than requests made pursuant to Article 57(1)(e) of that regulation, by which data subjects seek to obtain information from the supervisory authorities concerning the exercise of their rights under the GDPR.
33. I would add that the interpretation on which Article 57(4) of the GDPR also covers the handling of complaints lodged under Article 77(1) of that regulation is shared by the European Data Protection Board (EDPB), which considers the admissibility of complaints by reference to the first of those provisions. (11)
34. Consequently, while it is true that, in so far as it creates an exception to the free-of-charge principle and the obligation of supervisory authorities to act on requests submitted to them, Article 57(4) of the GDPR must be interpreted strictly, (12) this does not mean, in my view, that it cannot be applied to complaints made under that regulation.
35. Thirdly, in my view the interpretation that I propose to the Court enables the objectives pursued by the GDPR to be attained. In that regard, I would note that the purpose of that regulation, as indicated by recitals 10 and 11 thereof, is to ensure a consistent and high level of protection of natural persons within the Union, as well as to strengthen and set out in detail the rights of data subjects. (13)
36. It is undoubtedly true that, as the referring court observes, the interpretation on which complaints are included in the scope of Article 57(4) of the GDPR could, at first sight, appear to conflict with those objectives and with the obligations which are incumbent on the supervisory authorities.
37. As I have stated above, under Article 57(1)(f) of the GDPR, each supervisory authority is required, on its territory, to handle the complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and to investigate the subject matter of such complaints to the extent appropriate. The supervisory authority must deal with such complaints with all due diligence. (14)
38. Thus, the complaints procedure is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects. (15)
39. Hence, the inclusion of complaints within the scope of Article 57(4) of the GDPR means that the supervisory authorities can limit their obligation to handle such complaints and to apply the free-of-charge principle to their handling of them.
40. However, where a supervisory authority is confronted with requests which are manifestly unfounded or excessive, the ability to charge a reasonable fee or to refuse to act on the request is, in my view, such as to ensure a high level of protection of personal data.
41. The pursuit of that objective requires that the proper functioning of the supervisory authorities be guaranteed by ensuring that it is not hindered by the lodging of complaints which are manifestly unfounded or excessive, within the meaning of Article 57(4) GDPR. That provision thus offers supervisory authorities the possibility of handling such complaints in a specific way, thus reducing the workload they impose on them. Supervisory authorities may, accordingly, decide not to handle complaints which are manifestly unfounded or excessive in the normal way – which, by taking up the resources available to the authority for no legitimate reason, could have negative effects on the time taken to handle requests submitted at the same time by other data subjects, and on how well such requests are handled, and thus on the level of protection which is required to be guaranteed.
42. Thus, taking account of the importance of the right to lodge complaints with regard to the objective of ensuring a high level of protection of personal data, and of the fact that handling such complaints is one of the core tasks assigned to the supervisory authorities, it is important to avoid manifestly unfounded or excessive use of that right, which might result, if it were not possible to use the procedural mechanisms provided for in Article 57(4) of the GDPR, in the supervisory authorities being prevented from properly carrying out their tasks. It follows that an interpretation excluding complaints from the scope of that provision could undermine the proper functioning of the supervisory authorities and, as a result, the objective of ensuring a high level of protection for the rights of data subjects under the GDPR.
43. Furthermore, I note that there are procedural safeguards attached to the application of that provision which strictly regulate its use by the supervisory authorities. Thus, the burden of demonstrating the manifestly unfounded or excessive character of requests lies on the supervisory authority. Also, an effective judicial remedy is available, under Article 78(1) of the GDPR, in respect of a decision by the supervisory authority to charge a reasonable fee or to refuse to act on a request. Similarly, where a supervisory authority does not handle a complaint, without taking any decision in that respect, the data subject has the right to an effective legal remedy, in accordance with Article 78(2) of that regulation.
44. In addition, under Article 79(1) of the GDPR, each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under that regulation have been infringed as a result of the processing of his or her personal data in non-compliance with that regulation.
45. As the Court held in its judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, (16) Article 77(1), Article 78(1) and Article 79(1) of the GDPR, read in the light of Article 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as permitting the remedies provided for in Article 77(1) and Article 78(1) of that regulation, on the one hand, and Article 79(1) thereof, on the other, to be exercised concurrently with and independently of each other. (17)
46. In the light of those considerations, I propose that the Court’s answer to the first question referred should be that the concept of ‘requests’ or ‘request’ which appears in Article 57(4) of the GDPR covers ‘complaints’ referred to in Article 57(1)(f) and Article 77(1) of that regulation.
B. The second question referred
47. By its second question, the referring court asks the Court, in essence, whether requests can be characterised as ‘excessive’, within the meaning of Article 57(4) of the GDPR, solely on the basis of the number submitted within a given period, or whether it is also necessary for an abusive intention to be demonstrated on the part of the person submitting such requests to a supervisory authority.
48. In order to answer that question, I will first examine the wording of that provision, on the basis of which I make the following observations.
49. First, as ‘excessive requests’ is not defined in the GDPR, it is necessary to consider its usual meaning in everyday language. The French equivalent of ‘excessive’ denotes something which exceeds the ordinary or reasonable amount (Larousse dictionary) or which exceeds the desirable or permissible amount (Le Robert dictionary). To do something to excess means to do it without moderation.
50. Secondly, it should be pointed out that the wording of Article 57(4) of the GDPR does provide some indication in that, in referring to ‘requests [which] are manifestly unfounded or excessive, in particular because of their repetitive character’, that provision signals that requests can properly be regarded as excessive on the basis that they are repetitive in character.
51. Thirdly, and in the same vein, in so far as the phrase ‘in particular’ indicates that requests which are repetitive in character are only one example of excessive requests, this means that there can be other examples, unrelated to the number of requests.
52. That having been said, I do not think it is necessary to give an exhaustive list, in this Opinion, of all the situations in which requests could be characterised as ‘excessive’. Rather, I will focus my analysis on the specific question that the referring court has submitted to the Court, which seeks to clarify what is to be gleaned from the fact that requests which are repetitive in character are given as an example of excessive requests. Thus, it must be determined whether a high number of complaints is sufficient, in itself, for requests to be characterised as ‘excessive’ on the basis of their repetitive character.
53. It is apparent from the material available to the Court that it was indeed on the basis of the number of complaints lodged by FR over a given period that the DSB, considering that number to be too high, refused to act on a complaint, characterising it as ‘excessive’. Essentially, that authority considered that an acceptable quantitative threshold of complaints had been reached, such that it was appropriate to cease acting on complaints submitted to it by FR. The authority also sought to justify its decision on the basis of a fear that FR would continue to lodge significant numbers of complaints in future. However, it did not raise any issue as to the well-foundedness of the complaints which FR had submitted to it up to then.
54. Like FR, the Federal Minister for Justice, the Austrian Government and the Commission, I consider that the number of requests made by a data subject to a supervisory authority, however high it may be, cannot suffice, in itself and contrary to what might be inferred, at first glance, from the wording of Article 57(4) of the GDPR, as a basis for a finding of ‘excessive requests’ within the meaning of that provision. I base that view on an examination of the context of that provision and on the objectives pursued by the GDPR.
55. As regards the context of Article 57(4) of the GDPR, I note that Article 12 of that regulation imposes general obligations on controllers as regards transparent information and communication, as well as modalities for the exercise of the rights of the data subject.
56. Article 15 of the GDPR, which forms part of Section 2 of Chapter III thereof, concerning information and access to personal data, complements the framework of transparency of that regulation by granting the data subject a right of access to his or her personal data and a right to information regarding the processing of those data.
57. In particular, Article 15(1) of that regulation provides that the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information about the purposes of the processing and the recipients or categories of recipient to whom the personal data have been or will be disclosed.
58. That right of access must enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner. (18)
59. As the Court has stated, the right of access provided for by Article 15 of the GDPR is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16 to 18 of the GDPR, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, and right of action where he or she suffers damage, laid down in Articles 79 and 82 of the GDPR. (19)
60. Accordingly, Article 15(1) of the GDPR is one of the provisions intended to ensure transparency vis-à-vis the data subject of the manner in which personal data are processed, without which that data subject would not be in a position to assess the lawfulness of the processing of his or her data or to exercise the rights provided for, inter alia, in Articles 16 to 18, 21, 79 and 82 of that regulation. (20)
61. It is with that in mind that Court has stated that the principle that the first copy of the data should be free of charge and the lack of a need to rely on a specific reason to justify the request for access necessarily contribute to facilitating the exercise, by the data subject, of the rights conferred on him or her by the GDPR. (21)
62. Given the importance attached by the GDPR to the right of access to personal data undergoing processing, as guaranteed by Article 15(1) of that regulation, in order to attain the objectives pursued by the regulation, the exercise of that right must not be made subject to conditions which are overly strict.
63. In my view, the same must apply to the right of data subjects to lodge complaints under Article 77(1) of the GDPR.
64. Under Article 12(3) of that regulation, the controller must provide information on action taken on a request under Articles 15 to 22 of that regulation to the data subject without undue delay and in any event within one month of receipt of the request. If the controller does not comply with that obligation, the person who has submitted the request to the controller must be able to lodge a complaint with a supervisory authority, so that that authority can, where appropriate, order the controller, in accordance with Article 58(2)(c) of the GDPR, to comply with the data subject’s requests to exercise his or her rights pursuant to that regulation.
65. Where a person has made a request for access or erasure to several controllers, as appears to be the case here, it must be possible for the number of complaints submitted to a supervisory authority to equal the number of refusals received by that person from those controllers. To decide otherwise, by setting a threshold beyond which a supervisory authority could characterise such complaints, solely by reason of their number, as ‘excessive’, would undermine the rights guaranteed by the GDPR and referred to above.
66. I would also point out that, as stated in recital 63 of the GDPR, that regulation expressly grants data subjects the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals. That means, in my view, that data subjects may exercise that right several times in respect of the same controller, without the fact that the data subject has made repeated requests being characterisable, in itself, as ‘excessive’. In a situation where that right has not been complied with by the controller or controllers to whom multiple requests have been submitted, data subjects must, in my view, be able to submit several complaints to a supervisory authority in relation to that controller or those controllers, pursuant to Article 77(1) of the GDPR.
67. Furthermore, I note that a provision analogous to Article 57(4) of that regulation is contained in Article 12(5) thereof, which, in a similar way, grants the possibility – in this case to a controller confronted with requests which are manifestly unfounded or excessive – either to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or to refuse to act on the request. (22)
68. In its judgment of 26 October 2023, FT (Copies of medical records), (23) the Court stated that Article 12(5) of GDPR establishes the principle that the exercise of the data subject’s right of access to his or her data undergoing processing and to the information relating thereto is not to entail any cost for the data subject. Furthermore, that provision envisages two reasons why a controller may either charge a reasonable fee taking into account administrative costs or refuse to act on a request. The Court stated that those reasons relate to instances of abuses of rights. (24) Having made that observation, the Court noted that, according to the referring court, the data subject’s request was not abusive. (25)
69. In so far as Article 12(5) and Article 57(4) of the GDPR are analogous in their drafting and have the same rationale, which is to avoid a situation in which the burden imposed on the controller or the supervisory authority, as the case may be, is disproportionate and liable to interfere with their proper functioning, I consider that those two provisions must be given the same interpretation.
70. It follows in my view that, in order to make use of the possibility offered by Article 57(4) of that regulation, the supervisory authority must establish, having regard to all the relevant circumstances of the individual case, that there has been abusive conduct on the part of the data subject, (26) the number of complaints made by that data subject being, in itself, insufficient.
71. From that point of view, both Article 12(5) of the GDPR and Article 57(4) of that regulation reflect the settled case-law of the Court in accordance with which there is, in EU law, a general legal principle that EU law cannot be relied on for abusive or fraudulent ends. (27) In the context of the latter provision, a finding of abusive conduct may be made if a person has lodged complaints in circumstances where it was not objectively necessary to do so in order to protect his or her rights under the regulation.
72. Article 57(4) of the GDPR is thus an expression of the principle of proportionality: while the supervisory authorities are, in principle, required to examine every complaint with all due diligence, the burden imposed on them in that respect cannot go beyond what is necessary to protect the rights of data subjects under the regulation. That provision thus enables supervisory authorities to reconcile the interests of the data subject making the request with the interest served by good administration.
73. I would add that, as I have stated above, Article 57(4) of the GDPR must be strictly interpreted, which means that its operation must be limited to what is strictly necessary to avoid interfering with the proper functioning of the supervisory authorities, that being the objective pursued by that provision. It seems to me that a strict interpretation dictates that consideration of the number of complaints, however high it may be, cannot provide a sufficient justification for a supervisory authority to invoke that provision.
74. In accordance with Article 8(3) of the Charter of Fundamental Rights, compliance with the rules on the protection of personal data is subject to control by an independent authority. In that context, the Member States are obliged, under Article 52(4) of the GDPR, to ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers. It follows that those resources must be adapted to the use that data subjects make of their right to make complaints to the supervisory authorities. It would be paradoxical if the EU legislature, despite wishing, as can be seen from Article 57(2) of the GDPR, to facilitate the submission of complaints, which amounts to encouraging them, had, at the same time, permitted the supervisory authorities to refuse to act on such complaints where it considers them to be too high in number.
75. Thus, in order to establish that requests are excessive because of their repetitive character, it is not sufficient for a supervisory authority to receive, from a data subject, a number of complaints which is appreciably above the average number of complaints made by each data subject, thus imposing a heavier-than-average processing workload on that authority. It is incumbent on the Member States to provide the supervisory authorities with the appropriate resources to process all complaints submitted to them, if necessary by increasing those resources in the light of the use made by data subjects of their right to lodge complaints under Article 77(1) of the GDPR. Thus, a supervisory authority cannot argue, in support of its refusal to act on a complaint under Article 57(4) of that regulation, that a data subject who lodges a large number of complaints takes up a significant share of its resources, to the detriment of the handling of other complaints submitted by other data subjects.
76. In addition, complaints under Article 77(1) of the GDPR play an important role in terms of the supervisory authorities’ awareness of infringements of the rights protected by that regulation. (28) They are therefore essential to the proper performance of their task of ensuring the correct application of the regulation. Such complaints thus make a significant contribution to ensuring a consistent and high level of protection of data subjects within the European Union and to strengthening and setting out in detail the rights of data subjects.
77. Accordingly, allowing the supervisory authorities to make a finding of excessive requests on the sole basis that a large number of complaints have been made would, in my view, be liable to undermine the attainment of that objective. As I have stated above, a large number of complaints may be a direct consequence of a large number of failures, on the part of one or more controllers, to respond to requests for access made by data subjects with a view to protecting their rights, or refusals by such controllers to act on such requests. In addition, it is difficult to lay down a quantitative threshold beyond which complaints could be characterised, on the basis of their number, as ‘excessive’. In that regard, to proceed on the sole basis of the number of complaints could lead to an arbitrary weakening of the legal protection to which data subjects are entitled under the GDPR. That is why a finding of excessive requests must, in my view, be conditional on an abusive intention being demonstrated on the part of the data subject lodging such complaints.
78. It follows from the above considerations that, in so far as the general rule is that supervisory authorities must process complaints submitted to them with all due diligence, those authorities can, in my view, be authorised to invoke Article 57(4) of the GDPR only in exceptional cases, particularly in view of the fact that it is not, in principle, appropriate that account should be taken of the amount of work entailed by the exercise of the applicant’s right to lodge complaints under Article 77(1) of that regulation and of the interest of the data subject in order to vary the scope of that right. (29) The exceptions to the supervisory authorities’ obligation to handle complaints should, consequently, be interpreted restrictively, in such a way that the public interest served by the handling of complaints is weighed against the interest served by the refusal to handle them. (30)
79. It is thus incumbent on a supervisory authority receiving a large number of complaints to demonstrate, on the basis of the particular circumstances of each case, that that number is not to be explained in terms of the data subject wishing to obtain protection of his or her rights under the GDPR, but in terms of some other purpose, unconnected with the protection of those rights. That is so, in particular, where the particular circumstances of the case show that the large number of complaints is intended to interfere with the proper functioning of the supervisory authority by taking up its resources for no legitimate reason.
80. In that regard, a large number of complaints may be an indication of excessive requests on the part of a data subject where it appears that those complaints are not objectively justified by considerations relating to the protection of the data subject’s rights under the GDPR. That may be the case, for example, if the complaints relate to the same controller, are all the same in content, relate to the same obligations under the GDPR and are lodged at exaggeratedly short intervals which are not justified by a change in the factual circumstances, thus demonstrating that the intention of the data subject is to impede the proper functioning of the supervisory authority, and not to seek the protection of his or her rights under the GDPR. Another case of requests being excessive because of their repetitive character might concern the situation in which a data subject lodges such a large number of complaints with a supervisory authority, relating to a multitude of controllers with which the data subject does not necessarily have any connection, that this inordinate use of the right to submit complaints demonstrates, taken together with other factors such as the content of the complaints, an intention on the part of the data subject to paralyse the functioning of the supervisory authority by flooding it with requests.
81. It will be for the referring court, on the basis of those indications, to establish whether the DSB was entitled to make a finding of ‘excessive requests’ within the meaning of Article 57(4) of the GDPR.
82. I would repeat, in that regard, that the complaints lodged by FR, of which there are 77, follow requests for access or erasure which were made by that person to various controllers and to which, in most cases, there was no response within one month. To add to that, FR regularly telephoned the DSB to establish whether certain factual circumstances provided a basis for a complaint.
83. According to the DSB, by constantly lodging new complaints, the total number of which it regards as considerable, FR appropriated its limited human resources to his own advantage, over a period of about a year and a half, to an extent that was disproportionate in comparison with data subjects submitting fewer complaints. In addition, the growing number of complaints and the telephone conversations between FR and the DSB suggested that FR was likely to make very extensive use of its services in the future. The 77 complaints lodged must therefore be characterised as ‘excessive requests’ within the meaning of Article 57(4) of the GDPR.
84. I doubt that that reasoning is sufficient to justify such a characterisation, given that it does not disclose any abusive conduct on the part of FR, which is to say conduct not seeking to obtain protection of FR’s rights under the GDPR, but pursuing another goal, that of interfering with the proper functioning of the supervisory authority. Similarly, the supervisory authority’s predictions as to the significant number of complaints that FR might lodge in the future and the observation that its human resources are limited do not appear to me to be relevant.
85. It follows from the foregoing that Article 57(4) of the GDPR must, in my view, be interpreted as meaning that requests cannot be characterised as being ‘excessive’, within the meaning of that provision, solely by reason of their number within a given period, in so far as it is also incumbent on the supervisory authority to demonstrate an abusive intention on the part of the person making those requests.
C. The third question referred
86. By its third question, the referring court asks, in essence, whether Article 57(4) of the GDPR is to be interpreted as meaning that, where excessive requests are submitted to a supervisory authority, that authority has a free choice between charging a reasonable fee based on the administrative costs and refusing to act on the request. If not, the referring court seeks to ascertain which criteria must be taken into account by the supervisory authority and, in particular, whether that authority must seek to charge a reasonable fee as its primary response, before refusing to act on such a request.
87. An examination of the wording of that provision leads me to observe that the options of, first, payment of a reasonable fee based on the administrative costs and, secondly, refusal to act on excessive requests, are set out in succession and separated by the coordinating conjunction ‘or’, and that it is not possible to infer, from the chosen wording, an order of priority as between those options. (31)
88. Thus, the wording of the provision, by putting the two options available to the supervisory authority on an equal footing, seems to plead in favour of the interpretation that, once it has established that the requests before it are excessive, the supervisory authority is free to choose between charging a reasonable fee and refusing to act on those requests.
89. However, having regard to the context of Article 57(4) of the GDPR and the objectives pursued by that regulation, a supervisory authority cannot make that choice on a discretionary basis and without giving reasons. Taking account of the importance of the right to lodge complaints in relation to the objective of ensuring a high level of protection of personal data, of the essential place occupied by the handling of such complaints among the tasks assigned to supervisory authorities and of the obligation of those authorities to handle such complaints with all due diligence, it is incumbent on supervisory authorities to have regard to all the relevant circumstances and to satisfy themselves that the chosen option is appropriate and proportionate. Those aspects of the assessment must be set out in the statement of reasons for the decision of the supervisory authority to which the complaint has been submitted.
90. In that regard, a supervisory authority may consider it appropriate, in the light of the relevant circumstances and with a view to halting an abusive practice which is liable to hamper its proper functioning, to charge a reasonable fee based on the administrative costs of the additional workload created by excessive complaints. The dissuasive effect of that option may lead the authority to prefer it over an immediate refusal to act on such complaints.
91. I would add that the principle of proportionality and the objective of ensuring a high level of protection of personal data should also predispose supervisory authorities to charge a reasonable fee based on the administrative costs before refusing to act on such complaints, given that the former measure is less harmful to the rights of data subjects under the GDPR.
92. However, it does not seem to me that Article 57(4) of the GDPR can be interpreted as going so far as to oblige a supervisory authority, in every case, to give priority to the option of charging a reasonable fee.
93. Accordingly, I consider that Article 57(4) of the GDPR must be interpreted as meaning that, when confronted with excessive requests, a supervisory authority may choose, by reasoned decision, between charging a reasonable fee based on the administrative costs and refusing to act on such requests, taking account of all the relevant circumstances and satisfying itself that the chosen option is appropriate and proportionate, without either of those options having priority.
IV. Conclusion
94. In the light of all the foregoing considerations, I propose that the Court should answer the questions referred for a preliminary ruling by the Verwaltungsgerichtshof (Supreme Administrative Court, Austria) as follows:
Article 57(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that:
– the concept of ‘requests’ or ‘request’ which appears Article 57(4) of the GDPR covers ‘complaints’ referred to in Article 57(1)(f) and Article 77(1) of that regulation;
– requests cannot be characterised as being ‘excessive’, within the meaning of Article 57(4) of that regulation, solely by reason of their number within a given period, in so far as it is also incumbent on the supervisory authority to demonstrate an abusive intention on the part of the person making those requests;
– when confronted with excessive requests, a supervisory authority may choose, by reasoned decision, between charging a reasonable fee based on the administrative costs and refusing to act on such requests, taking account of all the relevant circumstances and satisfying itself that the chosen option is appropriate and proportionate, without either of those options having priority.