The GDPR allows individuals to inquire about the “recipients or categories of recipients” to whom their personal data has been disclosed. On 12 January 2023, the European Court of Justice (ECJ) published its judgment in Case C-154/21,[1] which addressed the obligations of a data controller under this clause.
In Case C-154/21 (RW v Osterreichische Post AG), the ECJ clarified the right of access to personal data and information about the processing of such data under Article 15(1) of the GDPR. Although Article 15(1)(c) states that data subjects have the right to obtain from a data controller information about “the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations” (emphasis added), the ECJ ruled that this provision does not allow data controllers to choose between identifying specific recipients or categories of recipients. Rather, when responding to requests from data subjects, data controllers established in the EU must disclose the true identity of the recipients unless it is impossible to do so or they can demonstrate that the request is manifestly unjustified or disproportionate.
Background
A customer of Österreichische Post AG requested information about the processing of his personal data, including the names of any recipients. Österreichische Post AG explained that it uses personal data in the course of its activities as a publisher of telephone directories and makes this data available to business partners for marketing purposes. The consumer was informed that this use was acceptable under the law. Austrian Post did not disclose the names of these business partners in its response.
During the course of the legal proceedings, Austrian Post provided new information on the categories of recipients. For example, Osterreichische Post AG classified the recipients as stationery shops, IT companies and mailing list providers, but did not identify each individual recipient. In both the trial and the original appeal, the Austrian courts sided with Osterreichische Post AG, arguing that the GDPR gives data controllers the option of disclosing “recipients or categories of recipients” without having to identify the exact recipients to whom personal data is transferred.
On appeal to the Austrian Supreme Court, the Supreme Court found that the wording of the GDPR was ambiguous as to whether data subjects had a right to access specific information about recipients or whether data controllers had discretion as to how to respond to requests for access to information about recipients. In response to a data subject’s request for access, the Supreme Court stayed proceedings and asked the CJEU to rule that the GDPR requires data controllers to disclose the identity of recipients to data subjects.
The Court’s decision
The ECJ held that the correct interpretation of Article 15(1)(c) requires data controllers to provide the data subject with the actual identity of the recipients, unless it is impossible to identify them or the data controller can demonstrate that a request for access is manifestly unfounded or excessive (as under Article 12(5)(b) of the GDPR):
- Although it is not possible to deduce from the wording of Article 15(1)(c) an order of precedence between the terms “recipients” and “categories of recipients”, the Court found that the corresponding recital (recital 63) does not allow the right of access to be limited to categories of recipients only.
- All processing of personal data must comply with the standards set out in Article 5 of the General Data Protection Regulation. The third principle, transparency, provides that data subjects must be provided with information on how their personal data are processed and that this information must be easily accessible and easily understandable.
- Article 15 gives data subjects a legitimate right of access. When exercising this right, a data subject must have the choice of requesting either information about the individual recipients to whom the data have been or will be disclosed, or information about the categories of recipients. It is the data subject, not the controller, who can choose between the two options in the provision.
- The right of access must enable a data subject to confirm that his or her data are accurate and are or have been processed lawfully. This allows a data subject to exercise their right to rectification, erasure or restriction of processing under Articles 16, 17 and 18 of the GDPR, as well as their right to object to processing under Article 21, and their right to sue for damages under Articles 79 and 82. In order to fully exercise these rights, a data subject must have the right to be informed of the precise recipients to whom his or her personal data have been disclosed. Furthermore, the Court concluded that this is compatible with Article 19 of the GDPR, which imposes a notification obligation on data controllers.
Case comment
However, the right of access is not an unlimited right. It has to be balanced against other legally protected considerations, and these concerns may limit it. The ECJ sets out exceptions where it is impossible to comply with a request for access, or where the request is manifestly unjustified or disproportionate.
The Court’s interpretation of Article 15(1)(c) GDPR is consistent with a number of data protection rules and concepts, including the principle of transparency, as well as the GDPR’s main objective of ensuring a high level of protection. However, the question that remains is whether this ruling will actually make it easier for individuals to identify the recipients of their personal data. In this respect, two considerations could be examined.
First, as explained by the Court, under Articles 13 and 14 of the GDPR, data subjects have the right to be informed about data processing, including the categories of recipients. To obtain the most detailed information about the processing, including the recipients, data subjects must go beyond reading the information provided by controllers and exercise their right of access under Article 15 of the GDPR. In addition to the exceptions specifically listed by the CJEU, additional rights may limit the right of access. Depending on the specific circumstances, the confidentiality interests of companies and third parties may impose such limitations (cf. Article 15(4) of the GDPR). Freedom of access may also be regulated by EU or national law (in Germany, Sections 27(2), 28(2), 29(1) and 34(1) of the Bundesdatenschutzgesetz (“BDSG”)), for example to protect whistleblowers.
At this stage, it is clear that the ruling is an improvement for data subjects. There is now a clear obligation for data controllers to provide information on the identity of recipients, where previously they were not required to do so, and research[2] has shown that they often fail to do so. This way of providing information, as noted above, appears to leave data subjects in a better position than before the judgment, as they are better able to assess the lawfulness of the processing, exercise other rights or seek redress with knowledge of the identity of the recipients.
However, this may not be the case, as Article 15 GDPR actually requires the data subject to make an attempt to submit a request for access to a data controller, wait for its response, and process the information if it is received. Understandably, few data subjects have the motivation or the means to submit access requests. Even when they do, some research[3] shows that controllers may be slow to respond or may not respond at all, and when they do, the information provided is too general or otherwise deficient. Unless practical hurdles are removed, we run the risk of strengthening paper safeguards while neglecting how practicality may undermine the core right to data protection.
Second, the ruling loses some of its force when data processing techniques are considered in the digital context. It is already common knowledge that online platforms and websites process huge amounts of personal data from internet users. Online websites and platforms can collect personal data not only from users but also from non-users by placing cookies on other websites. They also receive personal information from third parties and share it with third parties. Finally, they may aggregate data from all of these sources for a variety of purposes, including targeted advertising. As a result, today’s online environment is highly interconnected: websites/platforms are constantly sharing personal data with each other in a complex web of data flows that can be extremely difficult for data subjects to unravel, despite the transparency requirements set out in Articles 13 and 14 of the GDPR. This is because under Article 13, controllers are only required to provide information on the categories of recipients, and under Article 14, few, if any, controllers tell data subjects when the data was received from third parties.
Whether or not a particular controller can rely on one of the two exceptions will determine the extent to which the decision brings data subjects closer to being able to identify the recipients of their personal data in an online environment. If they are able to do so, data subjects are back to square one, armed only with knowledge of the categories of recipients. Given the imbalance of power between controllers and data subjects in the online environment, more may be needed to ensure that Article 15 helps to tip the balance in favour of the data subject.
Are there any consequences for organisations?
Effectively identifying and mapping specific recipients of personal data, particularly in the online environment for tracking and advertising purposes, and providing such information to end users/customers in a timely manner may require significant additional resources in terms of personnel, time and money for many companies. In addition, some companies may need to address potential confidentiality concerns arising from arrangements with other parties.
The willingness of companies to undertake these additional efforts would likely be determined by the enforcement vigour of the local data protection authority, rather than by their own desire to comply or a flood of requests from data subjects. The ECJ ruling is unlikely to have an immediate positive impact on data subject empowerment. However, in the medium term, it may lead to significant changes in the way organisations select and negotiate with business partners, such as suppliers and partners, and in the way they handle data subject access requests.
Oorganisations should nevertheless ensure that their data maps are up to date and adequately represent the path of personal data collected. Another safeguard is to review Records of Processing Operations (RoPAs) to ensure that they continue to represent processing activities. Where significant changes have been made to data maps or processes, the RoPA should be updated to reflect these changes. In addition, it should ensure that it has completed vendor due diligence on any new suppliers, as this will establish its accountability for the sharing and processing of personal data.
