Transparency is important in data protection because it allows individuals to understand how their personal data is being collected, used, and shared, and to make informed decisions about whether to provide that data. Additionally, transparency can help organizations identify and address potential data protection risks, as well as demonstrate compliance with data protection regulations. Thus, the European Court of Justice (ECJ) decided that companies are obliged, at the data subject’s request, to disclose with whom exactly they shared personal data.
What happened?
The Austrian postal service maintained a huge database about the inhabitants of Austria. It shared the information with third parties. However, when data subjects requested information about such third-party data recipients, the Austrian postal service refused to disclose it. Instead, it responded to the data subjects’ right-of-access requests by merely listing “categories of recipients”, like “advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties.” The Supreme Court of Austria was not convinced that this practice fulfilled the requirements of Article 15 GDPR.
What was the court's decision?
According to the ECJ, Article 15 GDPR gives expression to the right of every individual to access data concerning him or her, enshrined in Article 8(2) of the Charter of Fundamental Rights of the European Union. The data subjects need to know the recipients by name to exercise this right. How else, the court asks, should they control the data processing, for example by
- checking whether the data was processed in a lawful manner,
- investigating whether data has been disclosed to authorised recipients,
- exercising the rights to rectification, erasure, or restriction of processing?
All the rights listed above would be ineffective without knowledge of the recipients. So, in conclusion, data subjects have the right to receive a detailed list of any third party that received their personal information.
Is the right to know the data recipients unlimited?
The right to receive detailed information about data recipients does have limits, the court ruled. These apply if:
- It is impossible to identify the recipients.
- The controller demonstrates that the data subject’s requests for access are manifestly unfounded.
- The controller demonstrates that the data subject’s requests for access are excessive.
The court did not elaborate on these limits. However, the burden of proof with respect to those limitations will lie with the data controller, and the limitations will likely apply in rare cases only:
1. Is “impossibility” reserved for material impossibility?
“Impossibility” will be an argument to reject the provision of detailed information on data recipients where the recipient is indeed not (yet) known, e.g. if data might only be transferred in future, for instance to pursue claims. But can the controller also claim that identifying the recipient involves a disproportionate effort and is, thus, also impossible? The Advocate General to the ECJ suggested this in his opinion. However, the ECJ does not mention this aspect. So the court may have rejected disproportionate effort as an argument.
2. When are requests manifestly unfounded?
“Manifestly” means that something is obvious to any reasonable person. So, requests can only be considered unfounded when the “unfoundedness” is indeed obvious, e.g. if the request was made by an unauthorised third person.
3. When are requests excessive?
Requests may be excessive if they are made very often, that is, more often than actually needed to obtain the required information. Furthermore, requests made for reasons not actually related to the GDPR rights, like supporting civil litigation, may be considered excessive.
What are the practical consequences?
Companies need to be fully transparent about how they process personal data. If they are able to establish (even with some effort) which set of data was received by which recipient, such information will need to be provided to the data subjects.
Whether the transparency requirements for access requests under Article 15 GDPR also apply to the transparency obligations under Article 13 GDPR remains to be seen. According to the reasoning of the ECJ, how companies fulfil their duties under Article 13 GDPR is their call. Also, the information under Article 13 GDPR is directed towards a broader set of people and necessarily has to be more abstract. However, certain data flows may be the same for all data subjects involved, and thus the discretion to withhold such information in general privacy notices may be limited.
Main Takeaways
- Data subjects have the right to detailed information about any recipient receiving their personal data.
- This right has limits, but only under exceptional circumstances.
- More than ever, organizations should consider tracking data flows.