LUP Student Papers

Compliance Risks for EU Controllers - The DPF Disproportionate Burden-Expense Exception and its Effects on EU Controllers’ Duty to Provide a Copy of Personal Data via U.S. Processors

• Mark

Abstract

The Disproportionate Burden-Expense Exception within the EU-U.S. Data Privacy Framework is allowing certified organisations to refuse access requests based on organisational cost or burden. The thesis is examining how this exception affects the ability of EU controllers to fulfil their obligation under Article 15(3) GDPR, when employing a U.S. processor. To answer this question, the thesis is examining how the right to obtain a copy of personal data is phrased and protected in the GDPR, and whether there is any corresponding right for data subjects within the EU-U.S. Data Privacy Framework. The thesis is also examining the exception and comparing it to GDPR’s exceptions to the right to obtain a copy of personal data.

The hypothesis is... (More)

The Disproportionate Burden-Expense Exception within the EU-U.S. Data Privacy Framework is allowing certified organisations to refuse access requests based on organisational cost or burden. The thesis is examining how this exception affects the ability of EU controllers to fulfil their obligation under Article 15(3) GDPR, when employing a U.S. processor. To answer this question, the thesis is examining how the right to obtain a copy of personal data is phrased and protected in the GDPR, and whether there is any corresponding right for data subjects within the EU-U.S. Data Privacy Framework. The thesis is also examining the exception and comparing it to GDPR’s exceptions to the right to obtain a copy of personal data.

The hypothesis is that this exception introduces both legal and practical compliance risks for EU controllers relying on U.S. processors. The thesis tests this hypothesis by analysing the relationship between the GDPR’s controller obligation and the EU-U.S. Data Privacy Framework’s exception, and by assessing whether this divergence undermines the standard of essential equivalence required for transfers from the EU to the U.S.

Using a legal dogmatic and EU interpretive methodology, the thesis conducts an analysis of the GDPR and EU-U.S. Data Privacy Framework provisions including relevant case law and soft law. It also incorporates a comparative approach to assess the material differences between the two frameworks.

The discussion reveals that while the GDPR entitles data subjects to a nearly unqualified right to obtain a copy of their personal data, the EU-U.S. Data Privacy Framework permits certified U.S. processors to deny access if the cost or effort is disproportionate only in exceptional circumstances. Even if cost or effort it takes to provide access should not justify restricting access routinely, the exception introduces a structural difference from the GDPR. Although EU controllers remain fully responsible for fulfilling access requests under the GDPR, they may be practically unable to comply if their processor invokes the exception.

The discussion is therefore partly confirming the hypothesis. Legal responsibility does not shift, but practical compliance risks arise. U.S. processors might in practice interpret the exception in a way that is overriding their commitment in their Data Processing Agreement, where they are bound to always support the controller with access requests except when they do not have access to the data at all. The thesis therefore recommends that EU controllers adopt contractual clauses that explicitly override the exception, clarifying that the use of the exception cannot be regarded as an impossibility to support the controller with access requests under Article 28(3)(e). (Less)