Motive Not a Consideration
On 26 October 2023, the Court of Justice of the European Union (CJEU) delivered a preliminary ruling in FT v DW (Case C307-22) (the Decision) deciding that, amongst other things, an individual is not required to inform a controller about the reasons for making a data subject access request (DSAR) under Article 15 of the General Data Protection Regulation (GDPR).
The CJEU has, in effect, confirmed a long-standing position: there are no special conditions for individuals to make DSARs. This remains the case irrespective of whether an individual has an ulterior motive in making a DSAR (e.g. to substantiate a potential claim against a controller by collating information), rather than to (genuinely) understand or verify the processing of their personal data.
The Decision further indicates that a high bar is set for controllers to refuse to respond to DSARs in circumstances which are (actually or potentially) contentious with individuals (e.g. related to litigation). In this regard, the Decision sheds light on the meaning of “manifestly unfounded” under Article 12(5) GDPR, such that “motive” alone will not fit this criterion for refusing to respond to a DSAR.
Background to the Decision
The Decision concerned a dentist (FT) who refused to provide a patient (DW) with a first copy of his medical records free of charge and requested payment for the associated costs. DW suspected that errors had been made in his dental care and requested a copy of his medical records from FT. Under German national legislation, a person providing treatment is required to keep medical records in paper form or electronic form and provide patients with access to such records upon request. However, the relevant German legislation provides that the patient must reimburse the person providing the treatment for the costs incurred.
No statement of reasons is required to make a DSAR
Recital 63 of the GDPR provides for the right of a data subject to access their personal data in order to be aware of, and verify, the lawfulness of the processing of their personal data. The CJEU was asked to consider whether a controller is obliged to provide a data subject with a copy of their personal data in circumstances where the data subject does not request their personal data to pursue the purposes referred to in Recital 63 but rather for an alternative reason, such as to substantiate a claim against the controller by obtaining information or documents concerning them (or their claim).
DW’s motive in exercising his right of access under the GDPR was to access his medical records to determine whether he had a legitimate claim against FT under German medical liability law. The CJEU considered that there is no requirement under Articles 12(5), 15(1) nor 15(3) of the GDPR for a data subject to put forward reasons to obtain a copy of their personal data free of charge. On this basis, the CJEU determined that DW was not required to state the reasons for making his DSAR.
The Decision contrasts with the UK position in Lees v Lloyds Bank Plc  EWHC 2249 (Ch). This case established that, in circumstances where a court considers that there is a “collateral purpose” behind a DSAR (e.g. an individual’s motive is not to obtain copies of their personal data but rather to obtain access to documents to assist their position in bringing proceedings against a controller), it may exercise its discretion to decline an order of compliance with a DSAR.
To date, there has been no such precedent set by the Irish or other EU courts. It was expected to be considered earlier this year when a case on this issue was referred to the CJEU (BZ v DKV Deutsche Krankenversicherung, Case C-672/22). However, this case was subsequently withdrawn from the CJEU list, indicating that it settled out of court.
2024 Coordinated Action: DSAR Compliance a Regulatory Priority
Since the GDPR came into effect in May 2018, DSARs have played a complex and prominent role in data protection authority (DPA) decisions and guidelines. It is a similar situation for businesses in terms of disciplinary actions, potential or actual litigation, costs, resources and data protection compliance frameworks. In Ireland, the Data Protection Commission’s Annual Report concludes year-on-year that DSARs are the most complained about data subject right on which it must adjudicate.
On 17 October 2023, the European Data Protection Board (EDPB) announced that the topic selected for its third Coordinated Action in 2024 will concern the implementation of the right of access by controllers, stating that, “[F]urther work will now be carried out to specify the details in the upcoming months and the action itself will be launched in 2024“.
National DPAs, including the Data Protection Commission, will be involved in this Coordinated Action next year. While the full details and scope of the Coordinated Action have yet to be announced by the EDPB, it is likely to involve engagement between the DPAs and organisations at national level, similar to the last coordinated action of the EDPB (announced in March 2023) which focused on data protection officers. As such, organisations may be selected at random based on the scope of the coordinated action. For example, the EDPB may look to focus on specific sectors.
Practical Take Aways
Given the increased regulatory focus and resources being dedicated by DPAs regarding DSARs, it is recommended that all organisations re-assess their existing DSAR procedures and policies to benchmark compliance in light of the 2024 Coordinated Action to ensure they are operating in line with current case law, DPA guidance and decisions on DSARs.
Organisations should continue to respond to DSARs in accordance with the GDPR (and national legislation), even where it seems that an individual has (or may have) an ulterior motive for making such a request.