On 20 April 2023, the Advocate General (“AG”), Nicholas Emiliou, published his Opinion in the case of FT v DW, (C-307/22). In particular, the AG took the view that Art. 12(5) and Art. 15(3) GDPR must be interpreted as requiring a data controller to provide the data subject with a copy of his or her personal data, even where the data subject requests the copy for purposes unrelated to data protection. This Opinion, if confirmed by the European Court of Justice (“CJEU”), aligns with an increasing tendency, by both data protection supervisory authorities and courts, towards a broad interpretation of the right of access. The case could have far-reaching consequences for the assertion of claims, such as claims for damages, against companies in civil proceedings.
Course of proceedings and questions referred by the German Federal Supreme Court
The case was referred to the CJEU for a preliminary ruling by the German Federal Court of Justice.
In the case, a patient of a dental practice, who suspected a treatment error, requested that the dental practice provide him, free of charge, with a copy of all medical records concerning him that were in the possession of the dental practice. The patient requested the medical information in preparation for a medical malpractice action for damages before a civil court. The dental practice took the view that the medical records should only be provided to the patient if the patient reimbursed the costs.
The Local Court granted the patient’s claim in its judgement of 30 March 2020. On appeal by the dentist, the Regional Court confirmed the decision, by way of a judgement of 15 December 2020. In its reasoning, the Court stated that the right of access under Article 15(3) of the GDPR was not excluded by the fact that the patient requested the information in order to examine medical liability claims.
The dentist lodged an appeal before the German Federal Court of Justice. The German Federal Court of Justice, in its decision of 29 March 2022 (Case No. VI ZR 1352/20), decided to stay the proceedings and refer the questions to the CJEU for a preliminary ruling. In particular, the German Federal Court of Justice referred the question as to whether Art. 12(5) and Art. 15(3) GDPR are to be interpreted as meaning that the controller is not obliged to provide the data subject with a first copy of his or her personal data free of charge, if the data subject requests the copy for purposes unrelated to data protection.
Further questions referred concerned the admissibility of an obligation to bear the costs for the information for the person concerned under national law as well as the question of whether the person concerned must be provided with a complete copy of the patient file.
Opinion of the Advocate General
In its Opinion, the AG proposed that the CJEU answer the first question referred as follows:
Articles 12(5) and 15(3) of the GDPR must be interpreted as requiring a data controller to provide the data subject with a copy of his or her personal data, even where the data subject does not request the copy for the purposes referred to in recital 63 of the GDPR, but for a different purpose, unrelated to data protection.
The AG justifies this Opinion on the basis of the broad wording of Art. 12(5) and Art. 15(3) GDPR. The systematics of the GDPR would also speak for a broad interpretation, since other provisions of the GDPR, e.g., Article 17(3) GDPR, provide for explicit exceptions of data subjects’ rights, but Article 12(5) and Article 15(3) of the GDPR do not. Although the AG concedes that the wording of recital 63 to Art. 15 GDPR is not entirely clear, he takes the view that it cannot be deduced from the recital that the right of access should be guaranteed exclusively for the purposes mentioned there (“in order to be aware of, and verify, the lawfulness of the processing“).
In contrast, according to the AG, national legislation that provides for a cost reimbursement obligation for patients may be permissible under certain circumstances based on Art. 23(1) GDPR; in particular, if the costs to be reimbursed are strictly limited to the actual costs incurred in this regard. Also, the AG states that in the context of a doctor-patient relationship, Article 15(3) GDPR cannot be interpreted as conferring on the data subject a general right to obtain a full copy of the documents included in his or her medical file. However, the controller is to provide the data subject with a partial or full copy of the documents, when that is necessary to ensure that the data provided is intelligible, and that the data subject is able to verify that the data provided is complete and accurate.
The AG’s position is not surprising. In the request for a preliminary ruling, the German Federal Court of Justice had already made it relatively clear that, in its view, the assertion of the right of access was not dependent on the pursuit of the purposes mentioned in recital 63 of the GDPR. The European Data Protection Board (EDPB) had also formulated the view in the “Guidelines 01/2022 on data subject rights – Right of access” – to which the AG Opinion also refers – that the ‘controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting … and whether they hold personal data relating to that individual “. It can be assumed that the judgement of the CJEU will adopt the same approach, as the Court largely follows the Opinions of the Attorney General.
This would follow a growing trend of case law that assumes a broad interpretation of the right of access – in favour of data subjects and to the detriment of controllers. For example, the CJEU recently ruled in the case of RW v Österreichische Post AG, that when exercising their right of access under the GDPR, data subjects must be provided with the individual data recipients of their personal data (CJEU, judgment of 12 January 2023 – C-154/21 – RW v Österreichische Post AG) (see our blog post ). The German Federal Court of Justice also interpreted the scope of the right of access broadly in its judgment of 15 June 2021, when it ruled that, among other things, internal notes and internal communications about the data subject are not categorically excluded from the scope of the right of access pursuant to Art. 15(1) GDPR (German Federal Court of Justice, judgment of 15.6.2021 – VI ZR 576/19, para. 24 et seq.).
This broad interpretation of the right of access is increasingly subject to criticism – while it is easy for data subjects to exercise their right of access, it often requires considerable effort and resources on the part of controllers to comply. Data subjects are therefore able to exert considerable pressure on companies by exercising their right of access.
If, as in the given case, the right of access is used to obtain evidence, this is likely to undermine central principles of German civil procedure. German civil procedure does not have any pre-trial discovery comparable to US civil procedure, which makes it possible to investigate the opponent, e.g., by inspecting business documents. Rather, to ensure equality of forces, the principle of production of evidence (‘Beibringungsgrundsatz’) applies, according to which each party is obliged to present facts relevant to the decision. Also, the basic rule of the distribution of the burden of presentation and proof is that each party must present the facts that are favourable to him or her and prove them in the event of a dispute. It is also recognized that it is not permissible to investigate an opponent without permission. This balance is obviously disturbed by a broad interpretation of the right to information under data protection law.
Nevertheless, controllers are not completely unprotected in the face of access requests.
Pursuant to Art. 12 (5) sentence 2 lit. b) GDPR, the controller may refuse to act on the request where requests from data subjects are “manifestly unfounded or excessive”. The general objection of abuse of rights is also applicable, e.g., if the data subject pursues objectives disapproved of by the legal system with his or her request, or acts fraudulently or vexatiously, which the German Federal Court of Justice also points out in its request for a preliminary ruling.
As a last bulwark against requests aiming at pre-trial discovery, national regulations based on Article 23 (1) (i) of the GDPR are likely to become particularly important. In Germany, for example, the Federal Data Protection Act (Bundesdatenschutzgesetz – ‘BDSG’) allows to refuse access if the data controller would otherwise disclose information that by its nature must be kept secret, in particular because of the overriding legitimate interests of a third party (Section 29 (1) sentence 2 BDSG). It is to be hoped that courts will recognise that based on this norm, data controllers may also refuse to disclose information that could otherwise be used as evidence against them in civil proceedings. If there are no corresponding national regulations, controllers will have to refer directly to Article 15 (4) of the GDPR.
In this context, it is encouraging that the Advocate General recognizes the possible restrictions of the right of access by “the rights and freedoms of others” in Art. 15(4), Art. 23(1)(i) and the Recital 63 of the GDPR and apparently interprets them relatively broadly. For instance, he expressly states that these also include restrictions that serve to protect some fundamental economic rights of individuals, including those of controllers.
For further information or if you have any questions, please contact your usual DLA Piper contact.