EU court sketches limits on data privacy access requests

(CN) — Asking a company what data it has on you can now come with a warning label: If you’re trying to game the system, the request might backfire. The EU’s top court said Thursday even an initial request can be refused if it crosses the line into abuse.

The clash between a German optician and its customer landed at the Court of Justice of the European Union after a German court asked whether Brillen Rottler could refuse a data request that appeared tied to a compensation claim.

TC, the customer at the center of the dispute, signed up to Brillen Rottler’s newsletter in March 2023, voluntarily entering his personal data through the company’s website. Less than two weeks later, he asked the company to disclose what personal data it held about him.

The request was made under the EU’s sweeping 2018 privacy law, the General Data Protection Regulation, which gives people the right to access and control their data. When the company refused, he maintained the request and added a 1,000-euro ($1,150) claim for nonmaterial damages.

Brillen Rottler said that sequence was deliberate, pointing to publicly available material suggesting TC had followed the same pattern with other companies: Sign up, trigger data processing, file an access request, then pursue compensation. In its view, the request was not about transparency but about setting up a claim.

TC disputed that, insisting he was simply exercising his rights and that the refusal itself caused harm.

At issue was whether such a request could cross the line and be considered “excessive.”

The judges said yes, but only in tightly defined situations.

Even a first request is not exempt; it may be treated as excessive when it is not genuinely aimed at understanding or checking how personal data is processed but instead used to create grounds for a claim or gain an advantage. Here, excess is not about volume, but misuse.

Companies, however, face a high bar. To refuse a request, the court noted, “the controller must establish, having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of the data subject.”

That is a high hurdle. Suspicion alone will not do. Businesses must point to concrete evidence the request is being used to gain an advantage, not to check how personal data is handled.

The court also drew a clear line on damages. The prospect of a compensation claim does not by itself make a request abusive, and individuals may still seek damages for a breach of access rights without pointing to separate unlawful processing, as long as they can show real harm.

The judges focused on how the request fits into the broader sequence of conduct. Factors such as voluntarily providing data, the short gap before the request and a pattern of similar claims may, taken together, point to abuse. None is decisive on its own.

Even then, the threshold remains high: Companies must show both that the rules are being undermined and that the individual intended to exploit them, based on concrete, case-specific evidence. At the same time, refusing access can itself trigger liability, though compensation requires proof of actual harm and a causal link.

For Jörn Tröber, representing the optical retailer, the decision was “a success for all honest businesses,” saying the court has drawn a line where requests are used purely to generate profit at the expense of companies handling personal data. Paul Rottler, the company’s managing director, added that while customer data “deserves a particularly high level of protection,” businesses also need clear rules to spot abusive requests without undermining legitimate rights.

On the other side, Philipp Brandt, who represented the customer, stressed how narrow that line is. He said the court requires “unambiguous” proof that abuse was the sole aim, a threshold that will be difficult to meet in practice, especially given strict procedural deadlines that are often missed. He also noted that even simple uncertainty about how personal data is handled can qualify as damage, making such claims easier to bring.

Legal scholars, meanwhile, see the decision as a careful calibration rather than a shift.

Sophie Stalla-Bourdillon, co-director of the Brussels Privacy Hub, described it as a tightly balanced ruling that keeps the access right intact while carving out only a limited exception. She stressed that refusals remain exceptional, with a high bar that applies even to a first request, and that companies cannot rely on patterns or publicly available information alone to prove abuse.

In her view, the court draws a clear line between genuine efforts to understand data processing and cases where access is used to “artificially” create grounds for compensation, cautioning against stretching that category too far.

Gianclaudio Malgieri, a professor at Leiden University, likewise said the ruling does not turn access into a privilege and does not make ordinary requests inherently suspicious, instead keeping a strict test that requires concrete evidence of abuse.

He warned, however, that the commission’s proposed reforms, part of a draft 2025 “Digital Omnibus” package, could lower that bar by allowing refusals based on “reasonable grounds” and treating compensation-driven requests as excessive, potentially expanding a narrow anti-abuse exception into a broader climate of suspicion around a charter-based right. “Bad cases should not make bad law,” he said.

The case now goes back to the German court to apply the ruling to the facts. The court’s interpretation of EU law is final and cannot be appealed, but the national court will now decide the outcome, including whether the request was abusive and whether any damages are owed.

Courthouse News reporter Eunseo Hong is based in the Netherlands.