As individuals, we support the data subject-centric judicial push, but what outcomes can we realistically expect when businesses, especially SMEs, would yet again have to overstretch their limited resources?
Facts:
- On January 12, 2023, the European Court of Justice (ECJ) issued a new judgement in Case C-154/21 Österreichische Post concerning information regarding the recipients of personal data. A citizen asked Österreichische Post, the principal operator of postal and logistical services in Austria, to disclose to him the identity of the recipients to whom it had disclosed his personal data. He relied on the EU General Data Protection Regulation (GDPR). The GDPR provides that the data subject has the right to obtain from the controller information about the recipients or categories of recipient to whom his or her personal data have been or will be disclosed.
- In response to the citizen’s request, Österreichische Post merely stated that it uses personal data and that it offers those personal data to trading partners for marketing purposes.
- However, the question emerged whether the GDPR leaves the data controller the choice to disclose either the specific identity of the recipients or only the categories of recipients, or whether it gives the data subject the right to know the specific identity of the data recipients.
What has the European Court of Justice (ECJ) decided and why?
The ECJ ruled that the data subject’s right of access to the personal data concerning him or her entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients.
The ECJ advanced several arguments, inter alia: the GDPR states that the data subject is to have the right to know and obtain communication in particular with regard to the recipients of the personal data, and does not state that this right may be restricted solely to categories of recipient; the processing of personal data must be done in accordance with the principle of transparency; and the right of access is necessary to enable the data subject to exercise his or her other rights granted by the GDPR (including the right to be forgotten or the right to restriction of processing).
Are there any limitations to this right?
The right to the protection of personal data is not an absolute right. A fair balance must be struck between the right of access and other rights, in accordance with the principle of proportionality. In some cases, it may be impossible to disclose the identity of specific recipients (e.g. when the recipients have not yet been identified by the controller). The ECJ highlights that the controller may refuse to act on requests for access to the personal data where those requests are manifestly unfounded or excessive, in which cases the controller may indicate to the data subject only the categories of recipient in question. However, controllers must be very cautious if they refuse to provide the specific identity of the data recipients on those grounds, as the burden of proof lies with them.
What effect could this decision have in practice?
For many companies, effectively identifying and mapping specific recipients of personal data, especially in the online environment for tracking and advertising purposes, as well as providing such information to end users/customers in a timely manner would likely require significant additional resources in terms of personnel, time, and finance.
Furthermore, some businesses may have to take steps to address potential confidentiality issues arising from contracts with third parties.
Whether businesses would be willing to make these additional efforts would most probably be driven by the enforcement impetus of the local DPA, rather than by their own aspiration towards compliance or by a wave of data subjects’ requests. Thus, not surprisingly, the ECJ decision is not likely to have any immediate tangible positive impact on data subject empowerment. However, in the mid-term, that decision could lead to substantial change in how businesses select and contract with their counterparties, such as vendors or partners, especially in the online environment, and in how they manage data subjects’ requests for access.