GDPR: ECJ curbs systematic abuse of information requests

The right to access one's own personal data is one of the strongest weapons of the General Data Protection Regulation (GDPR). However, those who misuse this instrument to make a business model out of it are now encountering legal limits. In a landmark ruling on Thursday, the European Court of Justice (ECJ) clarified that information requests can clearly be classified as an abuse of rights. The prerequisite is that they are made solely intending to provoke subsequent claims for damages.

With the decision in case C-526/24, the highest European court strengthens companies' defense options against so-called data protection trolls. The case originated in the Arnsberg Local Court. A kind of case study on a modern legal gray area developed there.

A person residing in Austria had signed up for the newsletter of the optician company Brillen Rottler, voluntarily entering their data into the form. Just 13 days later, they requested the company to provide comprehensive information about the processed data, citing Article 15 GDPR. When the company rejected the request, citing suspected abuse, the person sued for compensation of at least 1000 euros for alleged non-material damage.

Plaintiff was no stranger

The optician company was able to point out in court that the applicant was not unknown. Media reports and information from lawyers suggested that the person systematically subscribed to newsletters, immediately requested information, and initiated waves of lawsuits for data protection violations at the slightest delay or rejection. The Arnsberg Local Court then referred the case to the ECJ. It wanted to clarify whether an initial information request could already be considered “excessive” within the meaning of the GDPR and under what conditions a claim for damages exists in such constellations.

The judges in Luxembourg have now found that the relevant protection of the GDPR does not apply without restriction. While the right to information serves to make citizens aware of data processing and to check its legality. The aim is, if necessary, to exercise rights to rectification or erasure. However, if it can be proven that a request was made, despite formal correctness, solely to artificially create the conditions for a lawsuit for damages, it constitutes an abuse of rights.

According to the ECJ, such proof can be provided, for example, by the person's previous conduct and publicly available information about similar claims against other companies.

When is compensation due?

The ECJ's clarification regarding the conditions for damages is relevant for practical application. According to the ruling, a mere violation of the GDPR is not automatically sufficient for monetary compensation. Instead, the plaintiff must prove that they have actually suffered concrete material or non-material damage.

While non-material damage generally includes the loss of control over one's own data, the ECJ is now setting a crucial hurdle: Anyone who has caused the decisive cause of the damage through their own conduct – for example, by provoking data processing only to later “sue” it – cannot claim compensation.

This ruling promises relief for companies. In cases of excessive requests, they can refuse the information or demand an appropriate fee for the administrative effort, citing Article 12(5) GDPR. Nevertheless, the burden of proof remains with the controller.

The Arnsberg Local Court must now examine in the specific individual case whether the plaintiff's conduct has crossed the threshold of abuse. Factors such as the short period between registration and request, as well as the voluntary disclosure of data, play a central role.

()