Discovery through the backdoor? – ECJ on GDPR data subject access request for purposes not related to data protection

On 26 October 2023, the European Court of Justice (ECJ) rendered an important decision (C-307/22 - FT Copies du dossier médical) on the right of access to information under Article 15 of the General Data Protection Regulation (GDPR). The main issue that the ECJ had to rule on was whether a copy of personal data may also be requested for legitimate purposes not related to data protection. This is particularly important in practice, as the data subject access request (DSAR) is often used to obtain evidence for non-data-protection-related disputes.

Background

In a dispute before the national courts in Germany, a patient had requested a copy of his medical records from his dentist in order to take legal action against him for possible incorrect treatment. Since the decision depended on an interpretation of the applicable national legislation in the light of the GDPR, on 10 May 2022 the German Federal Court of Justice (Bundesgerichtshof, BGH) has essentially referred the following questions to the ECJ:

1. Is a controller obliged to provide a data subject with a copy of his or her personal data even if the data subject’s request for access to information is based on legitimate purposes not related to data protection?
2. Is a controller obliged to provide such a copy free of charge even if a national law prior to the GDPR provides otherwise?
3. What is the scope of the right of access to a copy of information when it relates to medical records in a doctor-patient relationship?

First question: The ECJ’s often overlooked limited scope for judgement.

As regards the first question, the ECJ confirmed that, in so far as the data subject's request for access does not constitute an abuse of rights under Article 12(5) GDPR, it cannot be rejected on the ground that the data subject is pursuing purposes not related to data protection. According to Recital 63, purposes related to data protection are those which enable the data subject “to be aware of, and verify, the lawfulness of the processing” – no more, no less.

To begin with, and this is often overlooked in the discussion of the ruling, it is important to note that the scope of the ECJ’s review was very limited, as the BGH had already found that the specific purpose of the data subject’s request – namely to trigger the dentist’s liability – was not abusive. Therefore, the ECJ could not decide whether the request was abusive and whether it could be refused on that very reason. This is why the judgement does not say that information must be given for all purposes even if they are not related to data protection. Quite the opposite: if the purpose is already abusive in itself, the request for information can still be refused in accordance with Article 12 (5) GDPR.

Given that in the present case there appears to have been no record of the medical treatment other than that in the controller's medical records, it is questionable whether this decision can be applied to other claims for damages where there is other information available.

Furthermore, the ECJ pointed out that neither the wording of Article 12(5) GDPR nor that of Article 15(1) and (3) GDPR provides that data subjects must give reasons to justify their requests. However, this does not mean that data controllers must reject every request without comment or question. It follows from Recital 63 that in cases “where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates”. Thus, in such cases, the correct wording of the request for specification is important. It should also be noted that in cases where the data subject nevertheless provides reasons for his or her request, the controller may use this justification to decline the data subject’s request.

Second question: The controller must provide a first copy free of charge, but further copies may be charged for.

On the second question, the ECJ stated that under Article 23 (1) (i) GDPR, the rights of data subjects can generally be restricted by national legislation adopted before the GDPR entered into force. In this case, Section 630g of the German Civil Code (BGB) was at issue. It provides that a patient may, under certain circumstances, request a copy of his or her medical records, however, he or she has to reimburse the costs for such copy.

The ECJ has now decided that the controller is obliged to provide a “first copy” of the personal data free of charge, i.e. the data subject does not have to reimburse the costs. For any further copies, or in cases where the data subject should already have a copy of their information (e.g. application forms), this remains open.

Third question: Clarification of when a “copy” includes extracts of documents.

In answering the third question, the ECJ substantiates the statements of a previous judgement of 4 May 2023 (ECJ C-487/21 - Österreichische Datenschutzbehörde and CRIF). In this case, the ECJ ruled that the term “copy” in terms of Article 15 (3) GDPR must be understood as providing the data subject with a “faithful and intelligible reproduction” of his or her personal data. However, this does not necessarily have to be a copy of an entire document. Only if such a copy is necessary to ensure the data are intelligible or essential to enable the data subject to exercise his rights effectively, this “entails the right to obtain copies of extracts from documents or even entire documents”.

The ECJ has now clarified that in the context of a doctor-patient relationship, this can include a patient’s medical records. According to the Court, the sensitivity of the data must be taken into account, which is not necessarily the case for other categories of data. In addition, a summary or selection of data may not be sufficient if this “could create the risk of some relevant data being omitted or incorrectly reproduced”: However, if done correctly, this risk may not always be present.

That said, Article 15 (3) GDPR generally does not provide the basis for a claim for copies of extracts from documents or even entire documents – this only is the case under special circumstances where a copy is necessary to ensure the data are intelligible or essential to enable the data subject to understand the personal data contained in the documents.

Practical implications of the decision: It remains to be seen

Recently, there has been an increase of cases in which data subjects seek to obtain copies of personal data under Article 15 GDPR to prepare further claims which are not related to a data privacy. However, German courts have tended to reject such claims (see, for example, Higher Regional Court of Nuremberg, decision of 14 March 2022, case number 8 U 2907/21).

Although the ECJ ruling discussed above appears to be in favour of the data subjects, its applicability to other cases is doubtful. In particular, the question of when a data subject’s request is abusive has not been answered, as the scope of the ECJ was limited by the BGH.

Contrary to what many assumed in the immediate aftermath of the ruling, it is not always necessary to provide information if the request is based on grounds not related to data protection. For insurers, where there is a risk of fraud, it is important to assess each request on a case-by-case basis, as abusive requests may jeopardise ongoing audits. In the absence of definitive guidance from the ECJ, the rejection of access requests will remain to be discussed in the future.