Somewhere Between a Summary and a Data Dump – CJEU Finds Controllers Must Provide Data Subjects a “Faithful And Intelligible” Copy of Their Personal Data

Alert
|
4 min read

The Court of Justice of the EU (CJEU)1 has held that the General Data Protection Regulation (GDPR) requires controllers to provide data subjects a "faithful reproduction" of their personal data, which takes into account the rights of others and includes any additional information that is "essential" to enable the data subject to exercise their data protection rights. This means that a raw data dump is unlikely to be compliant in many cases. Ultimately, it is a fact-intensive inquiry whether any disclosure of personal data is compliant, and the CJEU has provided fairly limited guidance for companies, courts, and regulators in its latest decision.

Background

Article 15(3) GDPR requires controllers to provide data subjects with "a copy of the[ir] personal data" upon request. FF, an individual, submitted a request to an Austrian credit rating agency for access to his personal data that the company was processing, including a copy of documents (namely emails and "database extracts") "in a standard technical format." The agency responded with a list of his personal data in an aggregated form; no documents were produced. FF lodged a complaint with the Austrian Data Protection Authority ("DSB") claiming that the response was incomplete under Article 15(3) GDPR. The DSB rejected the complaint, finding that the agency had not infringed FF's right of access. FF appealed against the DSB's decision to the Austrian courts.

Seeking to clarify the scope of Article 15(3) GDPR, the Austrian Federal Administrative Court referred several questions to the CJEU. In summary:

  1. What does a "copy [of the personal data]" actually mean?
  2. Do data subjects have a right only to "an exact reproduction of the personal data," or do they also have a right to receive entire documents or copies of database extracts, containing their personal data?
  3. If data subjects have a right only to an "exact reproduction of the personal data," will certain circumstances mandate providing "text passages or entire documents?"
  4. Should the term "information"2 in the third sentence of Article 15(3) GDPR be interpreted as referring (a) solely to "personal data undergoing processing," or (b) also information pursuant to Articles 15(1) GDPR, and (c) "associated metadata?"

Overview of CJEU Ruling

The CJEU dealt with questions 1-3 together. It held that Article 15(3) GDPR does not set out a separate right from that provided in Article 15(1) GDPR; Article 15(3) GDPR merely sets out "the practical arrangements for fulfillment of the controller's obligation" specified in Article 15(1) GDPR.3 Thus, the CJEU clarified that Article 15(1) GDPR establishes a data subject's access rights, and Article 15(3) GDPR is intended to give effect to those rights.

The CJEU also noted at the outset that the GDPR does not define "copy," as that term is used in Article 15(3) GDPR, but concluded – based on a contextual reading – that it means "a faithful and intelligible reproduction of all the data."4 The CJEU found that controllers must not only include all of the data subject's personal data undergoing processing, but they must also consider whether it is "essential" to include extracts or full documents in order to contextualize the personal data and render it intelligible such that the data subject can then exercise their data protection rights. Whether the information ultimately provided is in fact faithful or intelligible is ultimately a fact-specific inquiry. Practically speaking, however, providing a "purely general description of the data" or "a reference to categories of personal data" is not going to be insufficient.5

All of the foregoing is subject to the principle that the data subject's right to access under Article 15 GDPR is not absolute. The CJEU confirmed that controllers must also consider the rights and freedoms of others under Article 15(4) GDPR.6 This, read in conjunction with the CJEU's clarification that Article 15(3) GDPR is not a separate right from Article 15(1) GDPR, suggests the CJEU's belief that Article 15(4) GDPR applies to Article 15(1) GDPR.7

On question 4, the CJEU again employed a contextual reading of Article 15(3) GDPR. It found that the term "information" in the third sentence of Article 15(3) GDPR relates only to the "copy of the personal data undergoing processing" (and not to information associated with/surrounding that data, i.e., metadata).8 That is, a controller is not obliged to disclose any information that is: (i) not the personal data of the data subject who is making the request; or (ii) beyond the scope of the request made by that data subject.9

Impact

Data subjects are likely to invoke the CJEU's CRIF decision to support the broadest interpretation of what data controllers must provide them, while also complaining (depending on the facts) that some 'data dumps' are unintelligible and therefore noncompliant. Controllers can cite CRIF to limit the scope of plaintiffs' Article 15(3) GDPR requests by invoking Article 15(4) GDPR exemptions (the rights and freedoms of others), excluding metadata from the disclosure, and arguing that specific circumstances are not "essential" to require disclosure of copies of documents and extracts from databases. Additionally, CRIF may serve as a basis to disagree with the European Data Protection Board's recent position that Article 15(4) GDPR exemptions do not extend to Article 15(1) GDPR.10

Ultimately, however, CRIF only reaffirms that access questions are inherently fact-specific. As such, we expect to see widely divergent decisions on whether a copy of data is "faithful and intelligible" and what additional information is "essential" as EU courts and regulators tackle interpreting these terms on a case-by-case basis.

1 FF v. CRIF GmbH (C-487/21) ("CRIF") (4 May 2023).
2 For reference, Article 15(3) GDPR provides: "The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form." (emphasis added).
3 Paras. 31-32 (emphasis added).
4 Para. 54(1).
5 Para. 21.
6 Paras. 43, 54(1).
7 European Data Protection Board's Guidelines 01/2022 on data subject rights - Right of access, adopted on 28 March 2023, at 5 (stating that Article 15(4) "is not, however, applicable to the additional information on the processing as stated in Art. 15(1) lit. a.-h.").
8 Paras. 46, 54(1).
9 Paras. 31-32.
10 See fn. 7 supra.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2023 White & Case LLP

Top