The right of access is a cornerstone of data protection.
Without this right, individuals would be unable to effectively assert their claims in matters of data protection. In fact, only those who are aware of the data being processed about them can, if necessary, assert their rights[1].
However, this right is not without limits. A recent ruling by the Court of Justice of the Canton of Geneva highlights the subtleties and potential abuses of the right of access[2].
Case overview
A Geneva-based family office was responsible for providing various services for the daughter of a wealthy businessman. The family office handled the daughter's daily requests and payments within the budget limits set by her father. The expenses were paid from the father's personal funds, debited from one of his bank accounts.
Frustrated by his daughter's extravagant spending and her initiation of legal proceedings against her two sisters in the United States, the father instructed the family office to cease all payments on behalf of his daughter.
Invoking her right of access under the Federal Act on Data Protection (“FADP”), the daughter demanded that the family office grant her full access to her file. The family office complied by providing an initial set of documents, followed by more than 6,000 emails.
Deeming that the disclosed data was incomplete, the daughter filed a request for access with the Court of First Instance of the Canton of Geneva. However, the Court of First Instance found the request to be abusive. The daughter was seeking financial information related to her father and sister, with whom she was in litigation, including details about a trust she was no longer a beneficiary of, and bank accounts she did not hold.
Following the reasoning of the Court of First Instance, the Court of Justice noted the abusive nature (according to Art. 2 para. 2 of the Swiss Civil Code (“CC”)), of a right of access request whose sole and real purpose was to gather evidence for litigation. Consequently, the Court rejected the daughter's appeal and upheld the initial judgment.
Right of access according to Art. 25 FADP
The right of access is now enshrined in Art. 25 FADP (formerly Art. 8 FADP[3]).
According to Art. 25 para. 1 FADP, any person may request information from the controller on whether personal data relating to them is being processed. The data subject shall receive the information required to be able to exercise their right sunder this Act and to guarantee transparent data processing (Art. 25 para. 2FADP).
The right of access primarily serves to protect personality rights. It allows the data subject to verify the data being processed in a third party’s file, thus ensuring that the principles of data protection law are upheld in practice. These principles include the collection of data by lawful and fair means, the accuracy of the data, and processing in accordance with the principle of proportionality[4].
This right does not apply to all personal data, but only to data that still exists and is contained in a file, as well as to available information on the origin of the data[5].
The condition of personal data implies that the debtor of the right of access must transmit all personal data, meaning all information relating to an identified or identifiable person. This excludes data concerning third parties. In this context, it is up to the debtor of the right of access to organize and take the necessary security measures (sorting data, redacting names or other data) to prevent the applicant from accessing third-party data, failing which they risk infringing on third-party privacy rights[6].
Limits to the right of access according to Art. 26 FADP
According to Art. 26 para. 1 FADP (formerly Art. 9 FADP), the controller may refuse to provide information, or restrict or delay the provision of information if a formal law so provides, particularly to preserve professional secrecy (lit. a),if it is required to safeguard overriding third-party interests (lit. b), or if the request for access is obviously unjustified, particularly if it does not serve the purpose of data protection or is clearly frivolous (lit. c).
It is the principle contained in Art. 26 para. 1 lit. c FADP that was applied by the Court in the aforementioned case. Indeed, the exercise of the right of access can be limited by the prohibition of abuse of rights (Art. 2 para. 2 CC),particularly when the right of access is used for a purpose unrelated to data protection[7].
The existence of an abuse of rights must be recognized when the exercise of the right by the holder does not correspond to any protected interest, is purely vexatious, or when, under the circumstances, the right is used to serve interests that do not align with those the rule is meant to protect, such as when the right of access is used solely to harm the debtor of this right[8].
The use of the right of access with the sole purpose of spying on an (upcoming)opposing party and obtaining normally inaccessible evidence should also be considered contrary to its purpose and thus abusive. This right is not intended to facilitate the obtaining of evidence or to interfere with civil procedural law. This would be the case of a request that is merely a pretext for an indefinite search for evidence ("fishing expedition")[9].
In any event, the circumstances of each individual case must be evaluated to determine if an abuse of rights is present[10].
Insights
This case highlights the necessity of finding a delicate balance between the right of access under the Federal Act on Data Protection and the prevention of its abuse. While this right is essential for ensuring self-determination in matters of personal information, it must not be used for purposes unrelated to data protection.
A meticulous examination of right of access requests is crucial to ensure they serve their primary objective: upholding the protection of personality by allowing the individual whose data is being processed to verify if the processing complies with applicable legal principles.
At this regard, it is necessary to consider the legitimate interest of the right holder when assessing potential abuse.
This approach helps maintain the role of the right of access in data protection without being exploited for purposes unrelated to its intent.
[1] Message from theFederal Council on the Federal Act on Data Protection (FADP) dated March 23,1998, FF 1988 II 421, 460.
[2] Judgment of the Courtof Justice of the Canton of Geneva dated December 5, 2023, ACJP/1610/2023.
[3] The new Federal Act onData Protection came into force on September 1, 2023.
[4] ATF 138 III 425,consid. 5.3, in SJ 2013 I, p. 81.
[5] ATF 147 III 139, consid. 3.1 and3.2.
[6] BENHAMOU Yaniv, Mise en oeuvre judiciaire du droit d'accès LPD: aspectsprocéduraux choisis, in METILLE Sylvain (éd.), Le droit d’accès, 2021, p. 81ss.
[7] ATF 138 III 425 consid.5.2, in SJ 2013 I, p. 81 and the references cited.
[8] ATF 141 III 119,consid. 7.1, in SJ 2015 I 353.
[9] Idem.
[10] ATF 138 III 425 consid. 4.3.
.webp)
