EU Proposes Significant DSAR Reliefs for Companies

The EU wishes to make tweaks to the subject access right which is one of the oldest pillars of European data protection law. Laura Linkomies reports on stakeholder reactions.

The EU Digital Omnibus 2025, a proposal currently being negotiated by the EU institutions, makes a bold proposal regarding the GDPR’s Data Subject Access Request (DSAR). Data controllers would be allowed to refuse a DSAR if the request is an “abuse of the rights conferred” by the GDPR. In practice, this would mean modifying GDPR Article 15 so that organisations could refuse a DSAR if the request is used for purposes that are not related to data protection, such as litigation "fishing expeditions". Alternatively, they could charge a ‘reasonable’ fee.

As the access right dates back all the way to the world’s first data protection laws of the 1970s, we are talking about a substantial change. Would it benefit organisations and regulators, or seriously threaten individual rights?

In search of some answers, CPDP (“Computers, Privacy and Data Protection”), a multidisciplinary conference, debated this topic in Brussels on 22 May. Dr. René Mahieu, Assistant Professor of data protection and privacy law at Open University Netherlands, first discussed the role and purpose of the DSAR, which is not only a GDPR right but is also guaranteed by the European Charter of Fundamental Rights. He reminded us that DSARs are not only about getting hold of our personal data or having incorrect details rectified. There is also a much broader aim relating to informational power: DSARs can empower individuals to verify the lawfulness of an organisation's processing, and the broader aims behind that processing.

Moderated by Julien Rossi, Associate Professor at the University of Paris 8, the panel discussed the EU proposals, practical problems in fulfilling DSARs and improvements that could be made. 

Dr. Jessica Pidoux, Director of PersonalData.IO, a Swiss NGO which supports individuals in accessing their data and, where necessary, builds collective actions, spoke about working directly with data subjects. She has first-hand experience of how DSARs can help individuals to understand what is happening in today’s society, through organisations having to explain the purposes for which they use personal data.

“Our physical lives and digital lives are interconnected. Right of access helps to understand what is happening in digital society, and to start contesting the relationships of power between platforms, companies and individuals. It allows us to gain an insight into the company.”

Her organisation helps individuals to identify who they need to write to and, on receipt of the data, analyses it for them. She said this is often a task that individuals could not manage on their own when data is provided in many different formats, such as PDFs or Excel files, and is not presented in an easy-to-understand manner.

Coping with DSARs 

Florence Gaullier, Partner at Vercken & Gaullier and member of CEDPO, the Confederation of European Data Protection Organisations, said that, as a data controller, her organisation has experienced some pressure from DSARs. The numbers received vary greatly depending on the size of the organisation and the sector, but even just ten requests per day can be very time-consuming; it is all about the quality of the request.

DSARs can have a preventative impact in an organisation – for example they can be used as an argument to implement other fundamental rights such as data minimisation, transparency or data retention. It is easier to explain to teams that they should not collect and retain all available personal data if they know this causes a problem when responding to DSARs, she said.

However, there is clearly some misuse of DSARs as well, and this must be addressed. The Commission’s proposal addresses situations such as when a former employee asks for copies of all emails and all messages relating to them, when in reality even we know that they do not wish to access such a quantity, she said. “The access right can also leverage other rights and serve labour rights. They can get access to data that labour law would not provide. These are typical cases for us.”

She said that some DPOs now receive 20,000 requests in a week as people use AI tools to submit requests. This is a situation organisations cannot cope with.

Jacob Gursky, Privacy Company, the Netherlands, spoke about practical issues with DSARs. 

Gursky is a Technical Advisor with a background in privacy engineering. At Privacy Company, he works on large-scale Data Protection Impact Assessments (DPIAs) that use data subject access rights to identify risks and mitigation measures. The work entails filing DSARs as part of a DPIA exercise for large companies, and helping clients to respond to DSARs.

They have seen many vexatious requests, but is there such a thing as a vexatious response, he asked. “It's possible that both parties are doing something wrong. For example, we often receive pushback from companies that refuse to release all data – sometimes it is just a very large request from one person, but this can be seen as vexatious because of the work involved.”

Pidoux said that there is a mixed response from companies depending on their size. Large corporations are putting in more effort in preparing their responses. But her organisation still often receives incomplete data.

“When we deal with one company often, we start to understand how they work and we can then contest that. There may even be problems with identifying the DPO or the entity to which the DSAR should be addressed. Sometimes there is much back and forth. Companies can wrongly say that everything is in the privacy policy. Sometimes they offer to delete the individual’s account and after that do not offer any response. Sometimes we receive data that does not have unit labels, e.g. miles and km, or is delivered in the wrong language. We therefore need legal expertise and technical expertise to work on these problems.”

She said that progress is being made; for example, Uber drivers that they have represented now receive a lot of data, which has changed over time. One response can encourage others in a similar position to make a request, and sometimes they pool applicants together.

Omnibus proposals

Rossi explained that the access right is used more and more, and reminded the panel that DSARs do not need to include any explanation of motive. Having to give a reason in future would be problematic.

Gaullier said that statistics gathered by CEDPO reveal that among its members (privacy professionals, data protection officers, compliance experts, and legal practitioners) the large majority support the Commission’s proposal on combating abuses. In a recent survey, nearly 700 respondents said that the EU proposal corrects a prejudice against the data controller and that the issue of scope appears to have been resolved: requests for all emails or collaborative tools are unmanageable for companies, as they are unable to restrict the scope of searches. However, some said that harmonised guidance from the European Data Protection Board would be a better solution than modifying the GDPR. Clear examples of abuse, criteria for calculating the reasonable fee, and standards of justification are essential.

The French association for DPOs has found that 76% of DSAR responses are now delivered in time, as opposed to only 46% in 2022. The quality of responses is also better. However, sometimes companies, especially SMEs, do not recognise DSARs.

“I am not personally sure if the Omnibus is delivering the tools for DPOs to charge fees for certain misuse of rights. We still do not know what is an excessive request,” Gaullier said. 

Mahieu reported on some recent EU cases on DSARs which take an expansive view of what data has to be provided, but in real terms they just confirm what the law says. His view was that it was clear from early on that DSARs can be used for other purposes. What is now needed is clarification of ‘disproportionate effort’, as this is still an open question to some degree.

“GDPR Articles 12 and 15 should not be changed at all. The courts are there to clarify the meaning of the GDPR. We are just getting to the point where these interpretations are clear whereas the Omnibus proposals are not.”

Conclusion

The EU’s staff working document that accompanied the Digital Omnibus proposal says that “The proposed amendment would provide legal clarity to controllers on lawful options to handle situations where access requests are clearly abusive. This would allow controllers to allocate their resources more effectively and focus in a timely manner on genuine access requests and other requests contributing to the exercise of data subjects’ rights.” 

It is clear that the regime can be onerous especially for SMEs. Can we make DSARs simpler both for data subjects and data controllers? 

Data controllers need to invest in usable data access mechanisms. For example, automated data discovery tools that use AI and data mapping can scan across multiple disparate systems. Equally, machine learning algorithms can automatically detect and redact third-party personal data when preparing a DSAR response.

Negotiations on the Digital Omnibus are currently underway at the European Parliament and Council, but it is not likely to be adopted until 2027. A further factor is criticism from the EU data protection regulators of the plans to modify the DSAR rules, a view which may be echoed by the Parliament.

We’ll be following this topic closely. In the meantime, check out progress in this free legislative tracker or on LexisNexis.
