Legal Watch

Access to personal data: recognition of abuse of rights?

Legal Watch No. 93 – March 2026. 


A recent decision by the Court of Justice of the European Union (CJEU) clarifies the conditions of the right of access for individuals to their personal data, and in particular the circumstances in which a request for access may be considered abusive by a data controller.

While Article 12 of the GDPR links the abusive nature of requests to their repetitive aspect, the CJEU clarified on March 19 in Case C-526/24 – Brillen Rottler that this criterion of repetition is illustrative: the number of requests is not decisive, and an initial access request can be considered abusive if the data subject uses this right to gain an advantage, for example, if they seek to artificially create a right to compensation against a data controller. In such a case, this constitutes an abuse of rights.

Refusing to respond to an access request must, however, remain exceptional under the GDPR, and the data controller must be able to prove the abusive intent of the requester.

In this particular case, the data controller had to establish, on the basis of concrete evidence, that the request was not intended to verify the processing of the data but to artificially create the conditions for a claim for damages.

The applicant was indeed known to have made multiple requests to numerous data controllers, after providing them with his data, in order to obtain redress.

The Court reiterates that three conditions must be met for compensation to be granted:

  • a violation of the GDPR,
  • damage,
  • and a causal link between the two.

Intangible damage may result from a loss of control or uncertainty regarding data processing, but the damage must be proven by the claimant, and it cannot have been caused by the claimant's conduct.

In this particular case, the causal link was broken due to the behavior of the person concerned, acting with the aim of artificially creating the conditions for the damage.

When the three above conditions are met, an infringement of the right of access may therefore give rise to a right to redress, even if this infringement does not result directly from data processing in the strict sense.

Refusing to respond to an access request may expose the data controller to a claim for redress from a bona fide requester.

The data controller who suspects an abusive request must therefore exercise extra caution and retain evidence of this abusive nature before refusing access. 

The clarifications provided by the CJEU are consistent with the guidelines on the right of access published by the European Data Protection Board (EDPB) in 2022, which provide additional guidance.

Thus, the excessive nature of the requests may depend on the specific characteristics of the sector in which the data controller operates.

"The more frequent the changes made to the data controller's database, the more likely the data subject is to be allowed to request access to their data without it being considered excessive."

In the event of repeated requests, the data controller may, instead of refusing access, decide to charge the person concerned a fee corresponding to the cost of the administrative procedures caused by the requests.

Finally, it should be noted that the European Commission also intends, in its proposal for a digital Omnibus, to provide more legal certainty to data controllers when they are faced with abuses of rights by the data subjects.

While the EDPB and the EDPS (European Data Protection Supervisor) support this desire for clarification in their opinion of February 10, they believe that the exercise of the right of access for purposes other than the protection of personal data should not be a defining element of what constitutes an abuse… as long as the good faith of the applicant is not in question.

News in France

An implementing decree for the SREN law, published on March 24, introduces additional requirements for hosting health data (HDS) exclusively within EU or EEA territory. The CNIL welcomed these requirements, since they aim to increase transparency towards data subjects and to strengthen the control that the parties to the hosting contract have over health data with regard to the risk of extra-European access.

More generally, the entire state IT system intends to migrate towards sovereign solutions.

Thus, one week after the announcement of the deployment of the LaSuite collaborative platform to the 80,000 agents of the Health Insurance, the interministerial digital directorate (DINUM) officially announced on April 9 its intention to leave Windows for Linux and to switch to a sovereign solution before the end of the year.

These objectives have become more concrete since the seminar of April 8 which brought together for the first time ministries, public operators and private actors with the aim of identifying which foreign software and services the State depends on today in order to do without them tomorrow.

"Starting this fall, each ministry (and the public bodies that depend on it) will have to submit its own roadmap for reducing its foreign digital dependencies."

The state's digital security roadmap for 2026-2027 was published in early April.

It is part of the effort to bring state administrations into compliance with the NIS2 directive and engages them in their transition to post-quantum cryptography. 

"In a context of high threat and a deteriorating geopolitical situation, it sets out the priority efforts that ministries must make in the area of digital security: consolidating governance, strengthening access management, controlling the information systems environment, etc."

The CNIL published its priority control themes for 2026 on April 3. It will focus on:

  • recruitment,
  • the single electoral register,
  • sports federations.

Further cybersecurity-related announcements will be made when its annual report is published in May.

It also published its work program for supporting professionals, which will emphasize:

  • the use of AI,
  • health data,
  • the conditions of the right of access,
  • cybersecurity.

Its website also features a new guide regarding the retention periods for HR data. Finally, in a publication dated March 20, the CNIL reiterates the very restrictive conditions for recording sound by video surveillance cameras.

While the hacking of the Regional Health Agencies (ARS) was officially confirmed in September 2025, the situation is now taking a more alarming turn, as the hacker group DumpSec claims responsibility for the attack and is now selling a massive database from the French healthcare system.

More than 35 million patients are reportedly affected, and the data reportedly includes sensitive information relating to care pathways.

The data breach stems from the theft of practitioner credentials on the GRADeS (regional e-health support group) servers.

The CJEU issued a ruling on March 19 affecting the conditions for the collection of biometric data by the French police.

In Case C-371/24 – Comdribus, it held that national legislation is incompatible with the European "Police-Justice" directive when it authorises a law enforcement service to systematically process the biometric data of suspects without requiring the competent authority to justify the absolute necessity and proportionality of this processing.

A person who refuses the collection of their biometric data can only be sanctioned if the planned collection meets these conditions, assessed in light of the circumstances at the time when this collection is decided by the competent authorities.

The reasons for the collection must be stated so that the person concerned can exercise their right to an effective legal remedy.

In this particular case, during an action carried out in Paris in May 2020 by climate activists, several participants, including the complainant, were arrested by law enforcement for organizing an undeclared demonstration.

Placed in police custody, the complainant refused to submit to fingerprinting and photography.

The Minister of the Interior stated on April 3 in the Senate, during a question period with the government, that the use of facial recognition software by law enforcement on their Neo identity control devices was not legal, except within the framework of an investigation under the direction of a judge.

The minister indicated that the CNIL was currently looking into this issue.

The head of a cybersecurity company that won the French Tech 2030 program was arrested at the end of March as part of a large-scale European crackdown on a child pornography platform.

The engineer, who heads a start-up specializing in anticipating cyber threats – whose clients include the FBI and the European Commission – is suspected of having purchased child pornography images and videos via a Darknet child pornography platform.

More than 200 arrests have been made by law enforcement across Europe in the context of a coordinated operation, thanks to cryptocurrency payments traced and de-anonymized by investigators.


European institutions and bodies

On March 11, the European Parliament agreed to extend the (exceptional) rules allowing the control of electronic communications ("Chat control"), while limiting their scope.

Rather than granting blanket authorization for scanning technologies, Parliament requested that these tools be used only against known suspects and solely to detect known child pornography.

In the meantime, Google, Meta, Microsoft and Snap (Snapchat) nevertheless reaffirmed in a joint press release "that they will continue to take voluntary actions regarding their affected interpersonal communication services".

Interinstitutional negotiations are still ongoing: the Cypriot Presidency of the Council aims to finalize the project by July 2026, and the issue is currently being negotiated within the framework of the trilogue between Parliament, the Council and the Commission.

On March 26, Members of the European Parliament took a position in plenary session on the AI component of the Digital Omnibus package.

They voted to postpone the entry into force of several provisions of the AI regulation.

AI systems involving biometrics and those used in critical infrastructure, education, employment, essential services, law enforcement, justice and border management would thus be postponed from August 2026 to December 2, 2027.

Parliamentarians propose to postpone the compliance of other systems subject to sectoral regulation (security and market surveillance) until August 2, 2028.

The trilogues between the European Commission, Parliament and the Council aim for a provisional agreement on the text by April 28.

It is worth recalling that the essential principles of the regulation have already entered into force and are subject to controls by the CNIL (French Data Protection Authority).

On March 24, the European Commission detected a cyberattack that affected the cloud infrastructure hosting its website on the Europa.eu platform, which turned out to be more serious than initially indicated in its press release.

The breach affects 71 customers of the Europa hosting service. CERT-EU, the cybersecurity service of the EU institutions, confirms the presence of names, usernames, email addresses, and email content in the leak.

340 GB of data and nearly 52,000 email files were published on the dark web.

Two important CJEU rulings dated March 19, Brillen Rottler and Comdribus, have been discussed above in the editorial and news in France.

The European Digital Infrastructure Consortium “Digital Commons” (EDIC) takes shape with the accession of new countries and the launch of its first projects, including a pilot project for a European sovereign technology fund.

The consortium's objective is to help European Union member states develop open digital infrastructures and strengthen Europe's digital sovereignty.


News from the member countries of the European Union

A German court has ruled that Meta unlawfully processed the personal data of unregistered individuals through its "Find Friends" feature on Facebook.

Furthermore, the court held that the company had no legal basis to process users' personal data from its own platform for advertising purposes.

In a recent case, an Austrian court held that the data protection authority was correct in refusing to process a complaint under Article 57(4) of the GDPR, after an individual had attempted to abuse the complaints mechanism to delay the recovery of a debt.

The Belgian Data Protection Authority (APD) considered that an employer had sufficiently satisfied an employee's request for access by providing the employee with their data through a reproduction rather than by fully extracting the emails in question.

In Finland, the DPA issued a warning to a credit rating agency for improperly handling data access requests.

The data controller referred the data subjects to its data access portal without following up, and indicated that a fee would be charged for any request made more than once during a twelve-month period.

The Spanish Data Protection Agency (APD) has fined a digital identification and age verification service provider (YOTI) €950,000 for collecting biometric data without valid consent (lack of sufficient granularity and safeguards regarding data relating to minors) and for not limiting the data retention period.

The Belgian Data Protection Authority (APD) also fined Hyundai €2,000,000 after a cyberattack exposed the data of more than one million people, including their names, contact details, and vehicle identification numbers. It determined that the data controller had failed to ensure an adequate level of security, particularly because the data in question was not encrypted.

Finally, the Belgian Data Protection Authority (APD) imposed a particularly heavy fine (€10 million) on airport operator Aena for the way it implemented its facial recognition boarding system. The system allows passengers to board simply by looking at a camera. The authority found that this biometric system was implemented without a prior data protection impact assessment.

The Italian Data Protection Authority (APD) has fined a bank €31,800,000 for failing to implement sufficient security measures to prevent an employee from accessing the financial data of more than 3,500 people for purposes unrelated to their duties.

The data controller also failed to inform the APD and the data subjects in a timely manner of this data breach.

Another bank was fined €17,628,000 for transferring the accounts of 275,000 customers to its subsidiary without their consent. The bank had used profiling to select individuals considered to be "primarily digital" customers.

In Luxembourg, the Supreme Administrative Court overturned a €746 million fine imposed on Amazon. The decision does not call into question the unlawful processing of personal data for targeted advertising purposes, but requires the Data Protection Authority (APD) to reassess the offense and proportionality before imposing any new sanctions.

In summary proceedings, a court in the Netherlands prohibited the social media platform X from producing and distributing, via Grok, non-consensual intimate content and child pornography. The court also prohibited X from offering Grok's functionalities as long as these violations persist.

The Romanian Data Protection Authority (APD) has fined Renault Romania 637,262.50 RON (€125,000) for failing to implement appropriate security measures following a data breach related to an application managed by a subcontractor, which resulted in the publication of personal data disclosed on an online platform.


Brazil's law on the protection of minors online has officially come into effect, and with it, a decree from the Minister of Justice that directly targets the design choices used by tech giants to capture the attention of young people.

The regulation shifts children's online safety from reactive content moderation to ex ante regulation of platform architecture, including restrictions on infinite scrolling, autoplay, manipulative notifications, targeted advertising by profiling aimed at minors, and stricter age verification requirements.

In early April, the Chinese Ministry of Industry and Information Technology, along with eight other ministries, published "Experimental Measures Relating to the Ethical Evaluation and Provisioning of Artificial Intelligence Technologies."

The document provides an overview of what China means by "ethical AI governance" and the types of policies and technical measures it deems necessary to combat the trivialization of ethics through marketing strategies that promise respectful services but in reality do not comply with AI regulations.

On April 24, Meta was ordered to pay $375 million in civil fines by a jury in the U.S. state of New Mexico, which found that the company had failed to adequately protect children on its platforms. This fine stemmed from violations of an unfair business practices law.

On April 8, a federal appeals court in Washington, DC, refused to block the inclusion of the AI company Anthropic on the Pentagon's national security blacklist, a victory for the Trump administration.

However, another appeals court issued a contrary decision in a separate legal proceeding brought by Anthropic.

The company, developer of the AI assistant Claude, claims that the Secretary of Defense overstepped his authority by designating the company as a national security supply chain risk.

Anthropic had refused to remove certain restrictions on the use of its products in light of their use by the US defense.
