The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data.
Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation of an individual’s right of access to their data under Article 15 GDPR (often known as a data subject access request, or DSAR/SAR). Specifically, the Opinion addresses an individual’s right to access information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed […]”, pursuant to Article 15(1)(c) GDPR. The AG delivered the Opinion in the context of Case C-154/21 (the Case), which is currently pending before the CJEU.
In the Case, an individual based in Vienna submitted an access request with the Austrian Post (Österreichische Post AG) pursuant to Article 15 GDPR. Pursuant to the request, the data subject asked the Austrian Post to provide a list of all recipients to whom their personal data had been disclosed. In response, the Austrian Post provided an overview of the relevant categories of recipients. The data subject challenged the Austrian Post’s response in the Austrian courts, claiming that they should have been provided with a list of the specific recipients of their personal data. In the first instance, the Austrian courts considered the Austrian Post’s approach to be lawful from a GDPR perspective, but the appellant court referred a question of interpretation to the CJEU.
In essence, the question referred to the CJEU seeks to determine whether a data subject’s right of access necessarily implies they should receive information regarding the specific recipients to whom their personal data has already been disclosed and, therefore, whether the option in Article 15(1)(c) for organisations to provide information on the categories of recipients (as opposed to specific recipients) is only available in the case of planned future disclosures (i.e., where the specific recipients are not yet known).
In the Opinion, the AG firstly sets out that, due to its formulation, Article 15(1)(c) GDPR is not by itself sufficient to provide a definitive answer on the referred question, noting that: (i) the terms “recipients” and “categories of recipient” are used in Article 15(1)(c) in succession, in a neutral way, without any order of priority, and that (ii) Article 15(1)(c) does not expressly specify whether a choice may be made between “recipients” or “categories of recipient” or who (i.e., the data subject or the data controller) might be entitled to make such determination. That said, the AG considers that the structure of Article 15 suggests that a data subject may choose between the two types of information; the AG reasons that Recital 63 GDPR, which does not allow controllers to restrict the right only to categories of recipients, provides support for that interpretation.
Further, the AG emphasises that the main purpose of the right of access is to enable data subjects to be aware of the processing activities involving their personal data and to verify the lawfulness of such processing, including that personal data has only been disclosed to authorised recipients. The AG finds that restricting the information to categories of recipients would not allow data subjects to achieve that purpose. Moreover, information provided pursuant to a right of access request is also relevant for the exercise of other data subject rights — for example, the right to object to processing activities (per Article 21 GDPR) – that would not be possible or would involve disproportionate effort if the data subject lacked specific information regarding the recipients of their data.
The AG ultimately concludes that the GDPR requires controllers, in response to a data subject access request, to identify the specific recipients of the data subject’s personal data. However, the AG also provides for at least two circumstances in which controllers may respond with information limited to categories of recipients, namely: (i) if it is materially impossible to provide details of specific recipients (arguably this could apply if the recipients have not been identified by the controller), or (ii) if the request is manifestly unfounded or excessive (the burden of proving this lays with the controller).
Impact of the AG Opinion
In most cases, the CJEU follows the opinion of the Advocate General. As set out above, in this case the AG appears to favour a broad and data subject-friendly interpretation of Article 15(1)(c) GDPR, albeit with certain limitations. This approach is in line with other recent data subject-friendly rulings issued by the CJEU, and also the recent guidelines from the European Data Protection Board (EDPB) on the right of access. Usually, the CJEU renders its final judgment a few months after having received an opinion, but a decision could be published sooner.
If the CJEU follows the AG’s Opinion, organisations could be expected to identify specific recipients of personal data as a matter of course when responding to data subject access requests (e.g., from their individual customers/clients/end users and from their employees). For many organisations, effectively identifying and mapping specific recipients of personal data disclosures — per data subject or group of data subjects sharing the same recipient list — would likely require significant additional resources in terms of staffing, time, and finance. For this reason, organisations will look to the CJEU’s ruling for greater clarity on its expectations of compliant responses to data subject access requests.
Organisations that do not meet the standards outlined in the Opinion with respect to Article 15(1)(c) GDPR could face administrative procedures by regulators as well as complaints and civil claims from individuals. Typically, civil claims are triggered by specialised data protection or consumer organisations, and we may see an influx of such claims if the CJEU follows the Opinion.