CJEU Issues Landmark Ruling on GDPR Right of Access and Causality Brake

Published: April 15, 2026

On March 20, 2026, the Court of Justice of the European Union (CJEU) delivered a highly anticipated and structurally transformative judgment in Case C-526/24, establishing critical new judicial boundaries regarding civil litigation under the General Data Protection Regulation (GDPR). The comprehensive ruling directly addresses the rising phenomenon of strategic, profit-driven data protection litigation across Europe, placing significant, test-based limits on the Right of Access (Article 15) while simultaneously refining the parameters of strict liability and compensation calculation under Article 82.

The most profound doctrinal innovation in the judgment is the formal judicial introduction and standardization of the "plea of abuse of rights" under Article 12(5) of the GDPR. The CJEU ruled that data controllers possess the legal authority to reject even an initial request for data access as "excessive" if it is demonstrably driven by abusive intent, shifting the focus away from merely relying on the volume or repetition of requests. To standardize this across member states, the Court established a strict two-stage legal test for determining abuse:

Simultaneously, the CJEU expanded the scope of corporate liability by clarifying a major dogmatic debate regarding Article 82(1). The Court ruled that claims for damages do not strictly require a direct, unlawful data processing event (such as a data breach or unauthorized transfer). An unlawful, administrative refusal to provide access, which violates the fundamental rights outlined in Chapter III of the GDPR, is legally sufficient to trigger a tort claim. Furthermore, the Court confirmed that a mere "loss of control" over personal data can legally constitute compensable non-pecuniary damage without needing to cross an arbitrary de minimis threshold.

However, to counterbalance this expanded liability matrix, the CJEU introduced the highly consequential "Causality Brake." This legal mechanism serves as a potent defense for data controllers facing manufactured litigation. The Court ruled that if a data subject deliberately induces a data processing event with the specific, predetermined intent of provoking a GDPR procedural violation and subsequent litigation, the subject's own conduct legally becomes the "decisive cause" of the damage. This formal interruption of causality can result in the complete and total exclusion of the controller's liability. This ruling fundamentally forces corporate legal departments and Data Protection Officers (DPOs) to meticulously document the context and timing of data requests, shifting the EU privacy landscape from a strictly compliance-based model to one that aggressively scrutinizes the strategic motives of the claimant.

Source: TaylorWessing

Lawzana Editorial Team

Last updated: April 15, 2026