Austria: Abuse of data protection rights

Background

The tasks performed by the data protection supervisory authorities are provided to data subjects free of charge (Article 57(3) GDPR). Pursuant to Article 57(4) GDPR, in exceptional cases, such as manifestly unfounded or excessive requests, a reasonable fee may be charged, or the authority may refuse to handle the data subject's complaint (hereafter "data protection complaint"). After the Austrian Data Protection Authority ("DSB") refused to handle a data protection complaint, the Austrian Supreme Administrative Court ("VwGH") requested a preliminary ruling from the CJEU on three questions concerning Article 57(4) GDPR.

In its judgment of 9 January 2025, C-416/23, Österreichische Datenschutzbehörde (Demandes excessives), the CJEU stated, among other things, that a supervisory authority may refuse to handle a data protection complaint under Article 57(4) GDPR if, taking into account all the relevant circumstances of the individual case, it can establish and demonstrate the existence of an abusive intention (CJEU 9 January 2025, C-416/23, para. 50). On that basis, the VwGH set aside six decisions of the Austrian Federal Administrative Court ("BVwG") because the latter had "failed to recognise" that it was necessary to investigate and determine the motive – and therefore any possible abusive intention – of the respective complainants. Thus, the corresponding factual findings were missing. The legal view of the VwGH can be summed up best through the judgment in the lead case that gave rise to the preliminary ruling request (VwGH 29 January 2025, Ra 2023/04/0002) and the judgment in VwGH 29 January 2025, Ra 2022/04/0049.

The judgments

The VwGH clarified that an abusive intention within the meaning of Article 57(4) GDPR does not require malicious intent in a vexatious sense. Based on this consideration, the VwGH defined at least eight cases or groups of cases in which an abusive intention, in the sense of an excessive exercise of the right to lodge a data protection complaint, can be presumed. An abusive intention is indicated – or can be assumed – if:

• data protection complaints are lodged without this being objectively necessary to protect the rights to which the complainant is entitled under the GDPR;
• the decisive reasons for the complainant's filing of numerous data protection complaints do not stem from the pursuit of their rights under the GDPR, and the complainant would not have filed such a high number of complaints without extraneous motives;
• the complainant's aim is to impair the proper functioning of the authority by flooding it with requests;
• the complainant files numerous access requests with controllers to which they have no connection, and there are no indications that those controllers process the complainant's personal data;
• the complainant triggers the processing of their personal data by a controller solely to assert their GDPR rights, such as the right of access, and a relationship between the complainant and the controller exists only for that reason;
• the complainant lodges complaints to achieve a purpose not protected by data protection law (e.g. publicity, hostility, sensationalism);
• the complainant must be aware that their legal position is incorrect, such as when they have already unsuccessfully filed the same or similar complaints;
• the complainant uses the authority's resources even though the data protection complaint obviously pursues objectives other than the enforcement of data protection law.

Moreover, in its decision Ra 2022/04/0049, the VwGH defines an additional (ninth) group of cases in which an abusive intention can be assumed in the sense of a manifestly unfounded data protection complaint. According to that decision, a data protection complaint is manifestly unfounded if it has no prospect of success based on its content, even without extensive examination (VwGH 29 January 2025, Ra 2022/04/0049 para. 25). The BVwG adds a tenth group of cases according to which the data protection complaint may also be regarded as abusive if its handling would lead to an unreasonable additional burden for the authority (BVwG 11 March 2025, W137 2305838-1, p. 18).

Interpretation and potential impact

The VwGH's reasoning concerns abusive data protection complaints to the DSB under Article 57(4) GDPR. However, the wording of Article 12(5) GDPR, which allows controllers to refuse to handle manifestly unfounded or excessive requests submitted by data subjects, substantially corresponds to the wording of Article 57(4) GDPR. Therefore, the group of cases established by the VwGH and BVwG can be applied mutatis mutandis to the handling of abusive data subject requests by controllers. Controllers should in any event be able to raise the objection of an abusive intention if a person (i) submits numerous data subject requests for extraneous motives that have nothing to do with the pursuit of GDPR rights, (ii) aims to flood the controller with requests, (iii) only triggers the processing of their personal data by the controller to subsequently exercise their data subject rights, (iv) submits data subject requests solely to achieve an aim not protected by data protection law (e.g. publicity, hostility, sensationalism), and (v) uses the controller's resources even though it is already apparent from the request that it pursues objectives other than the enforcement of data protection law. Likewise, it is abusive if data subject requests merely serve the purpose of forcing an unreasonable additional burden on the controller, thereby inflicting damage on it (BVwG 11 March 2025, W137 2305838-1, p. 11).

Pursuant to the CJEU's case law, a purpose unrelated to data protection does not inherently prevent the exercise of the right of access (CJEU 26 October 2023, C-307/22, FT para. 52; 27 May 2024, C-312/23, Addiko Bank para. 52). In this regard, however, the CJEU refers to requests for the disclosure of personal data (e.g. medical records in C-307/22, FT, or banking information in C-312/23, Addiko Bank). The purpose unrelated to data protection in those cases merely stems from the fact that the request for access is not intended to verify the lawfulness of the processing. The VwGH, on the other hand, interprets extraneous motives ("sachfremde Gründe") to mean that the data subject's intention is not to exercise their rights to protect their personal data, but to achieve other goals, such as publicity, hostility or sensationalism. Consequently, the groups of cases outlined by the VwGH regarding abusive intention within the meaning of Article 57(4) GDPR – and their application to Article 12(5) GDPR – are consistent with the CJEU's case law.

Among the extraneous motives expressly cited by the VwGH are publicity, hostility and sensationalism. However, it also appears as an extraneous motive if the complainant wishes, in principle, to act against the processing of personal data by a specific controller, a certain sector or a widespread practice. In such cases, the objective being pursued likewise is not to exercise data subject rights. Instead, general aims are pursued, such as strengthening data protection. The understanding of general aims as extraneous motives is supported by the VwGH's view that triggering a data processing operation merely so that the data subject can subsequently exercise their data subject rights and file a data protection complaint amounts to an abusive intention. Along similar lines, the General Court of the European Union ("EGC") has argued that "an applicant is not justified in behaving in such a way as to trigger a certain outcome (namely the transfer of his personal data to a third country), only subsequently to claim compensation for damage allegedly caused by that outcome, which was in fact directly caused by his conduct" (EGC 8 January 2025, T-354/22, Bindl/Commission para. 162).

The practice to visit websites or to give consent to the processing of cookies merely to complain afterwards about infringements of data protection rights and issue warnings to website operators does not aim at protecting one's own personal data. Those data would be best protected simply by not visiting the website or not giving consent. The data processing is triggered solely so that a violation of data protection rights can later be asserted. Thus, in the light of the VwGH's case law, this warning practice appears to be an abuse of rights. Accordingly, if a website is only accessed or consent is only given to subsequently request compensation for non-material "damage", such a request should be qualified as an abuse of data protection rights. The CJEU will have the final word by answering the preliminary ruling request in the case C-526/24, Brillen Rottler.

author: Janos Böszörmenyi