Image: Data protection stock photo/Shutterstock.com

One click, a newsletter, then an immediate request for information—and finally, collecting money. What seemed like a clever plan to some is now facing a major setback. The European Court of Justice (ECJ) has ruled that anyone who deliberately abuses data protection rights in order to later claim damages may end up with nothing.

When Data Privacy Becomes a Source of Revenue

The right of access under the GDPR is a powerful tool. Anyone can ask companies to disclose what personal data they have stored. It is, in essence, a safeguard for citizens.

Yet in some cases, this very right has been exploited strategically. The tactic: voluntarily provide data, then request information shortly thereafter—and file a lawsuit immediately at the slightest error or delay.

As reported by the Heise portal, a case exactly like this has now gone to court.

The specific case: Newsletters and swift legal action

A person signed up for an optician’s newsletter and entered their information themselves. Less than two weeks later, a request arrived: a full disclosure under the GDPR.

The company responded skeptically and refused to answer, citing the risk of potential misuse. The individual then filed a lawsuit, seeking at least 1,000 euros in damages.

Shocking: This apparently wasn't the first time the plaintiff had done this. Evidence suggested that he had used this tactic on multiple occasions.

ECJ Draws a Clear Line

The case eventually ended up before the European Court of Justice. The key question: Can a claim for information be made even if the sole purpose is to recover money later?

The answer is clear. The judges make it clear: The right to access information has a clear purpose—namely, to ensure transparency regarding one’s own data. If it is used solely to artificially fabricate claims, this can be considered an abuse.

This makes it clear for the first time: Even formally correct requests can be inadmissible if the intent behind them is not right.

It's no longer so easy to get compensation

Another point in the ruling is particularly important: A violation of the GDPR does not automatically result in a fine.

Anyone seeking compensation must provide specific evidence that they have actually suffered a loss. A mere “feeling” or a deliberately provoked conflict is not sufficient.

This means that anyone who deliberately provokes a situation cannot later claim to have been harmed.

What this means for businesses

For companies, the ruling is a significant relief. In the future, they will be better able to defend themselves against suspicious or mass inquiries.

However, there is one catch: the abuse must be proven. And that is often anything but easy. Evidence of a systematic pattern is required—such as previous cases or a recognizable pattern.

A landmark ruling

This case shows how quickly well-intentioned rules can be exploited. The GDPR was intended to empower consumers—not to create new business models.

The European Court of Justice is now drawing a line that goes beyond this specific case. Rights remain important, but they have their limits.

And that is precisely where the issue lies: anyone who uses data protection as a tool to exert targeted pressure is no longer acting in accordance with the spirit of the law. This may now be clearer from a legal standpoint—but it raises the question of how many such cases have gone undetected so far.

Source: heise.de