ECJ Ruling Censures Austrian Data Protection Authority: Excessive Complaints or Structural Problem?
A ruling by the European Court of Justice (ECJ) caused quite a stir: The Austrian Data Protection Authority (DSB) was reprimanded by the ECJ because it had rejected the processing of complaints as “excessive” due to their sheer number. The Court clarified that such a limitation of complaints is inadmissible as long as no abusive intention on the part of the complainant can be proven.
Since the General Data Protection Regulation (GDPR) came into force in 2018, the legal framework for the protection of personal data in Europe has changed fundamentally. The GDPR guarantees EU citizens extensive rights over their data and obliges companies to comply with these rights. The national data protection authorities play a central role here: they are responsible for handling complaints from data subjects and sanctioning violations.
In Austria, the implementation of these regulations has encountered difficulties from the outset. Despite an increasing number of complaints and proceedings, the DSB has only managed to hold companies accountable in a few cases to date. According to the data protection NGO noyb (“None of Your Business”), which was founded by Max Schrems, the vast majority of proceedings either end without consequences or are discontinued after lengthy delays. According to official DSB reports, only 55 fines were imposed out of a total of 4,030 proceedings in 2023 - a rate of just 1.36 percent.
The case before the ECJ: complaints as a burden?
The starting point of the current ruling was the case of a citizen who had submitted 77 complaints to the DSB in just under two years. After the second complaint per month, the authority refused to process any further requests, citing the “excessive nature” of the requests. The person concerned appealed against this decision and the case was finally referred to the ECJ.
In its ruling, the Court clearly stated that the number of complaints submitted alone is not a legitimate reason for refusal. Although the GDPR provides that requests can be rejected if they are manifestly unfounded or abusive, such an intention to abuse must be proven. The mere volume of complaints is not sufficient for this.
Max Schrems and the criticism of the DPA
Max Schrems, one of Europe's most prominent data protectionists and founder of noyb, was delighted with the ECJ's ruling and spoke of a “slap in the face” for the DSB. In a press release, he accused the authority of having used various “tricks” for years to avoid proceedings against companies. “If the DSB consistently punished violations, there would be fewer complaints. Instead, the authority is turning the law on its head by trying to get rid of complaints instead of dealing with them”, says Schrems.
The comparison with other areas is particularly explosive: According to noyb, up to 7,000 fines were imposed every month in Vienna alone in 2023 for incorrectly parked e-scooters. This compares to the 55 data protection fines issued by the DSB for the entire year. “The average parking offender in Austria has more to fear than corporations that misuse millions of personal data,” Schrems sharply criticized.
Structural problems and EU-wide dimension
The ECJ's ruling highlights structural deficits in the work of the DSB, which is clearly not sufficiently equipped to carry out its tasks efficiently. Although the authority's staff has increased from 43 to 60 employees in recent years, many observers consider this to be insufficient in view of the large number of procedures and the increasing importance of data protection.
Schrems also points out the financial potential that lies in the consistent enforcement of the GDPR. For example, a single fine against a large tech company such as Google could amount to billions and thus generate considerable revenue for the state. “A GDPR fine against Google would be worth more than Austria's share of the Brenner Base Tunnel,” explained Schrems. At the same time, however, he emphasized that it should not only be about higher penalties but also about more efficient processing of the proceedings.
The European context: a problem for many member states
However, the problem of the lack of enforcement of the GDPR is not limited to Austria. According to noyb, 140,106 proceedings were initiated across the EU in 2022, but only 1.3% of these cases ended with a fine. The EU Commission and the European Data Protection Board see a need for action and could exert more pressure on national data protection authorities in the future.
The ECJ's ruling is therefore seen as pointing the way forward: It makes it clear that data protection authorities must take their tasks seriously and not dismiss complaints for purely organizational reasons. Rather, the Member States must ensure that the authorities are adequately staffed and funded so that they can fulfill their obligations.
A wake-up call for data protection authorities
The ECJ ruling represents an important step for the protection of fundamental rights in Europe. It emphasizes that compliance with the GDPR must not only exist on paper but must be actively enforced. For DSBs, this means rethinking their practices and taking more consistent action against infringements in the future. At the same time, it remains to be seen whether the legislator in Austria is prepared to provide the necessary resources to better equip the authority.
Max Schrems and noyb can chalk up the ruling as a success, but the road to effective enforcement of the GDPR throughout Europe remains long. The case impressively shows how wide the gap is between the legal requirements and actual implementation - and that strong impetus is needed to overcome this.