EU Court rules GDPR complaints can’t be rejected based on frequency
The Court of Justice of the European Union (CJEU) recently ruled that the frequency of complaints submitted to data protection authorities under the General Data Protection Regulation (GDPR) does not affect the validity of the complaints. This decision is significant for advocates of privacy rights, as it ensures that frequent complaints cannot be dismissed simply due to their number, bolstering efforts for stricter GDPR enforcement.
The case arose when the Austrian Data Protection Authority (ADPA) rejected a complaint from an individual who had filed 77 complaints between 2018 and 2020. The ADPA argued that the frequency of these complaints, along with regular phone inquiries, justified their dismissal. They proposed a limit of two complaints per data subject per month. However, an Austrian court annulled this rejection in December 2022, stating that frequency alone is insufficient to deem a complaint “excessive.”
The CJEU upheld this decision, emphasizing that complaints must be “manifestly vexatious or abusive” to be considered excessive. The ruling further clarified that authorities must demonstrate an abusive intent on the part of the complainant to refuse action. This judgment is seen as a victory for privacy activists, reinforcing the right to address any GDPR violations.
The ADPA acknowledged the ruling’s implications, recognizing the need to prove abusive intent when dismissing complaints. They also noted that while they can refuse to act on manifestly unfounded or excessive complaints, they are generally free to act at their discretion. The impact of this ruling extends beyond Austria, affecting data protection practices across the entire European Union.
Source: EU Court rules GDPR complaints can’t be rejected based on frequency
