Clifford Chance

Talking Tech

Who do you share my data with? AG Pitruzzella weighs in on the debate

Data Privacy Big Data Consumer 7 September 2022

The EU General Data Protection Regulation (GDPR) grants individual data subjects rights and imposes obligations on data controllers and processors. One of the data rights granted is the right of access. Article 15 of the GDPR provides that data subjects have the right to access personal data that a controller has about them and to obtain information about the processing of that personal data. This right includes a right to be informed of the "recipients or categories of recipients to whom their personal data have been or will be disclosed" (Article 15(1)(c)). Recital 63 of the GDPR clarifies that data subjects should have the right of access to their personal data and receive information about its processing, including recipients of the personal data, easily and at reasonable intervals. So, a data subject has a right to obtain information from the data controller about those who receive their personal data.

But does the right of access extend to information about specific recipients or categories of recipients? Does a controller have the right to decide whether it provides information to a data subject about specific recipients or categories of recipients?

This question was referred to the European Court of Justice (ECJ) in RW v Österreichische Post AG (C-154/21). While the decision remains pending, the opinion of Advocate General Pitruzzella has been published. In his opinion, he argued that Article 15 obliges a data controller to inform a data subject of the specific recipients of their personal data. As such, a data controller may only inform data subjects of the categories of recipients of their personal data if it is impossible to identify specific recipients, such as where they are not yet known, or if the data controller is able to demonstrate that the data subject’s request is manifestly unfounded or excessive.

The issue: how much detail does a data controller need to provide?

The GDPR grants data subjects a right to be informed of the "recipients or categories of recipients" to whom their personal data has been or will be disclosed.

This language is also found in Articles 13 and 14 of the GDPR, which provide for the information that a controller must include in its privacy notice. Like Article 15(1)(c), Articles 13(1)(e) and 14(1)(e) provide that the data controller must inform the data subject of the "recipients or categories of recipients" when it collects personal data either directly from the data subject or indirectly from another source.

This language leaves an apparent choice to be made as to the kind of information that a data controller provides in multiple circumstances, such as in its privacy notice or in response to a request from a data subject: must the data controller provide information as to the specific recipients or would information as to categories of recipients be sufficient? The GDPR does not specify whether that choice is to be made by the data subject, as might be the case of a request made pursuant to Article 15, or by the controller, such as when a privacy notice is published.

In the EDPB's "Guidelines 01/2022 on data subject rights – right of access", the EDPB notes that, for Articles 13 and 14, the principles of transparency and fairness apply, such that information on the recipients or categories of recipients should be "as concrete as possible" (paragraph 115 of the Guidelines). It also notes that "sometimes [this] is not yet possible at the time…but only in a later stage, for example when an access request is made". The EDPB also notes that, referring to the principle and guidelines on transparency, "where a controller only provides the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients".

The Guidelines refer to the choice available in Article 15(1)(c), which bears the same language, in an example set out at paragraph 115. In this example, information on categories of recipients is provided by way of a privacy notice (pursuant to Articles 13(1)(e) and 14(1)(e)). An access request is then made (pursuant to Article 15(1)(c)). The EDPB notes that the data controller "should provide information as to the specific recipients when [responding to] an access request" as this is "in line with the principles of transparency and fairness".

The Austrian Post case

I. The initial access request and claim

In RW v Österreichische Post AG, the appellant, RW, made an access request to the Austrian Post and asked to be provided information on the recipients of his personal data. The Austrian Post replied that it shared personal data with its customers, and referred RW to its website privacy notices, which provided general information on the categories of recipients it shared data with. The Austrian Post did not provide a specific list of data recipients at any point.

RW initiated legal action, arguing that the broad information provided online was insufficient to comply with the GDPR, and sought an order compelling the Austrian Post to specify: (1) potential transfers of his personal data to third parties and, (2) for any actual or anticipated transfers, the specific recipients of the disclosed data. The first instance court found in favour of the Austrian Post, ruling that the language of the GDPR allowed an organisation to provide the categories of recipient without disclosing specific recipients.

II. The appeal and reference

RW appealed. However, the appeal court agreed with the first instance decision and dismissed his application. RW then appealed to the Supreme Court of Austria, which in turn referred the following question to the European Court of Justice:

When an individual whose personal data are processed seeks to obtain from the data controller information regarding the third parties to whom the data are disclosed, does that person’s right of access necessarily imply that he or she should receive information regarding the specific recipients to whom his or her personal data are disclosed, or may the data controller confine itself to providing information solely regarding the categories of recipients of such disclosures?

Advocate General Pitruzzella's opinion

In his opinion, Advocate General Pitruzzella argued that a data subject must be given information as to specific recipients, unless disclosing this information is materially impossible or the request is manifestly unfounded or excessive.

There were two main bases for his opinion.

I. Substantive basis: Article 15 provides for a fundamental right of the data subject

First, he noted that the GDPR is a piece of human rights legislation, and that the Article 15 right of the data subject to obtain access to personal data held about them is a "specific expression" of the fundamental data right enshrined in the Charter of Fundamental Rights of the European Union (the "Charter"). Therefore, he reasoned that Article 15 should be read in a way that favours the broadest rights for the data subject.

AG Pitruzzella also argued that the very structure of Article 15 implied that the data subject, as the holder of the right to request information, should be able to choose between the two alternatives. The data controller, in other words, did not have such a choice. AG Pitruzzella additionally relied on Recital 63 of the GDPR, which provides that a data subject should "have the right to know and obtain communication with regard to the recipients of the personal data". In the absence of the choice for "specific or categories of recipient", he argued that Article 15 must be interpreted as allowing the data subject to request the specific recipients.

Further, AG Pitruzzella noted the principle of transparency (in Article 5(1)(a) and Recital 39). He argued that the transparency principle meant that the data subject must be able to request information as to the specific recipients of their personal data in order to be able to verify the lawfulness of the processing and ensure that their personal data is not disclosed to unauthorised recipients.

II. Functional basis: Article 15 permitting an exercise of other rights

AG Pitruzzella's second argument tied in with his argument on the transparency principle. He argued that the disclosure of specific recipients is necessary for a data subject to exercise other rights: the right to rectification (Article 16), the right to erasure (or the right to be forgotten) (Article 17), and the restriction of processing (Article 18). He noted that Article 19 requires a data controller to communicate rectification, erasure or restriction requests "to each recipient of personal data, unless this proves impossible or would involve disproportionate effort". The data controller is also required to inform a data subject "about those recipients if the data subject requests it".

Therefore, AG Pitruzzella argued that Article 19 confirms that "the data subject must in principle have the right to be informed of the identities of specific recipients, where his or her personal data have already been disclosed", since "only in this way can the data subject assert his or her rights against [those recipients]".

The exceptions

AG Pitruzzella did recognise two exceptions to the right of a data subject to receive information on specific recipients.

First, a data controller does not need to provide information on specific recipients where it is materially impossible to do so. For example, the recipients may not have been identified. In such cases, AG Pitruzzella conceded that the data controller can only provide the information that actually exists.

Second, AG Pitruzzella noted that data subject rights must be interpreted in light of the broad principles of fairness and proportionality. Therefore, if the data controller can demonstrate that the data subject's request is manifestly unfounded or excessive, the specific recipients need not be provided, or indeed the data controller need not respond to the request. This was a necessary concession in light of the language of Article 12(5) providing for such requests.

Clarification for Article 15, helpful for Articles 13 and 14

AG Pitruzzella's opinion is in line with substantial European jurisprudence that is friendly to data subjects. It is also broadly in line with the EDPB Guidelines, which were published only earlier this year.

The opinion is interesting, however, for its interpretation of the language of Article 15, which may impact the interpretation of the same language in Articles 13 and 14, notably whether privacy notices need to disclose specific recipients or categories of recipients.

The AG's substantive argument is that the choice should belong to the data subject, as the holder of the right, since Article 15 is, in his words, an "expression" of the Charter. The right of a data subject to obtain information is made clear in the first line of Article 15(1): "the data subject shall have the right to obtain from the controller…the following information". However, we note that Articles 13 and 14 are drafted as obligations laid upon data controllers. Indeed, the language of those Articles provides that "the controller shall…provide the data subject with the following information".

The AG's functional argument is that Article 15 allows for the functioning of other rights, such as those enshrined in Articles 16, 17, and 18. Therefore, Article 15 must be interpreted to provide a data subject enough information to exercise those other rights. In the context of Articles 13 and 14, however, they provide for the function of Article 15. In other words, Articles 13 and 14 oblige a data controller to provide sufficient information so that a data subject can exercise their right under Article 15 (which in turn allows for the exercise of other rights). Read together with the EDPB Guidelines, this must mean that one of the functions of Articles 13 and 14 includes providing sufficient ("concrete") information to a data subject to exercise their Article 15 right.

Following AG Pitruzzella's substantive and functional reasoning, therefore, Articles 13 and 14 should be read to provide for a choice for a data controller. In the AG's view, should a data subject then submit a request under Article 15, specific information can be provided at that time.

What does this mean for your organization? 

Opinions from the Advocate General are not binding on the ECJ, which usually publishes its decision several months later. However, AG opinions are highly influential. A 2016 study showed that if the AG proposed the annulment of an act, the ECJ was 67% more likely to annul the act wholly or partly than if the AG had not proposed it.[1] AG Pitruzzella's opinions have been followed in the past, including in a significant case in 2021, where in a landmark ruling the ECJ agreed with his view that a subsidiary could be liable for damages for the behaviour of its parent company.[2]

A decision by the ECJ in favour of RW would shore up the guidance on the interpretation of Article 15. However, its effect on other parts of the GDPR with identical language remains to be seen, notably, on the level of granularity of a privacy notice as to the recipients and onward transfers of personal data, under Articles 13 and 14. Some organisations' privacy notices specify the recipients of personal data, but many others simply enumerate categories of recipients. Practically, it can be challenging to list all recipients of personal data and a requirement to update privacy notices frequently to keep up with such changes could be particularly onerous. Whether this must be weighed against another fundamental Charter right (such as the freedom to conduct a business) may well become relevant. Whether and how the ECJ will decide in RW v Österreichische Post AG will be crucial.

References

[1] Arrebola, C., Mauricio, A. J., & Portilla, H. J. (2016). An econometric analysis of the influence of the Advocate General on the Court of Justice of the European Union. Cambridge International Law Journal, 5(1), 82-112.

[2] Judgment of 6 October 2021, Sumal, C-882/19. Although the ECJ adopted different reasoning, the outcome was the same.