Transparency and data protection in the CJEU case law: towards an increased protection of individual rights?

The aim of this research is to address the recent interpretation of the Court of Justice of the European Union (CJEU) in data protection cases. It especially focuses on data access requests from data subjects, and the associated transparency requirements. We found that the Court seems to adopt a protective approach of individual’s privacy rights, imposing a higher burden on data controllers, the entities processing individual’s personal data.

In order to address these findings, we will successively discuss (1) what a data subject right entails, (2) how recipients need to be understood under the GDPR, and (3) the framework of the transparency concept, taking into account the data protection context and the definition of Birkinshaw in administrative law. The new case law trends will then be developed, by (4) highlighting how the Court of Luxembourg extended the transparency principle in the RW v. Österreichische Post AG case, together with the two main limits linked with data access rights requests, namely the “impossibility” criterion and the “unfounded or excessive” character of a request. Finally, (5) the three criteria set by the Charter of Fundamental Rights regarding the limitation of rights will be shortly developed, with a specific attention drawn on the proportionality analysis.

The conclusion will reflect on the three main elements pointed out by Misfud Bonnici regarding the functions of the right to data protection, (i) individual autonomy, (ii) trust, (iii) participation of the citizen in society, and examine how increased transparency might impact these.