Disproportionate Effort in European and U.S. Privacy Law

By Sheng Gao, LL.B., and Megan Lombardi, J.D.

Disclaimer

The views expressed herein are those of the authors and do not reflect any policy or position of their employer(s).

In May 2022, the California Privacy Protection Agency (CPPA) released its first draft of the California Privacy Rights Act (CPRA) Regulations. Among other clarifications and definitions, the draft provided a new definition of the term “disproportionate effort” that has attracted considerable attention in the privacy community.

In the field of data privacy, disproportionate effort serves as an exemption for companies who would otherwise be required to comply with unduly burdensome data subject access requests (DSARs).1 This exemption seeks to strike a balance between efficient use of company resources and fulfillment of consumer needs. It is focused on protecting consumer interests, as the threshold for claiming disproportionate effort is dependent on benefits to consumers rather than to businesses. As the CPPA stated in its Initial Statement of Reasons, providing a clear definition for this principle would not only “clarif[y] when a business, service provider, or contractor can use this exception, [but also] prevent[] them from abusing this exception by claiming that everything requires ‘disproportionate effort’ on their part.”

From a public interest standpoint, clear definitions and guidance are required so that this principle can adequately serve consumers. However, courts in the United States and Europe differ significantly in their interpretations of the principle. This article will examine the tension between the existing interpretations of the term “disproportionate effort,” as well as explore potential remedies for the uncertainty surrounding this principle in both European and American privacy law.

Disproportionate Effort in U.S. Privacy Law

The disproportionate effort exemption was initially introduced by the California Consumer Privacy Act (CCPA) in 2018. However, the California legislature provided only limited guidance on when this exemption was applicable. The CPRA draft regulations applied the disproportionate effort doctrine to situations where “the time and/or resources expended by the business to respond to the individualized request significantly outweighs the benefit provided to the consumer by responding to the request.”2 To this end, businesses must demonstrate that “the time and/or resources needed to correct the information would be significantly higher than that material impact on the consumer.”3

In simpler terms, the draft regulations imposed the burden of proof for claiming disproportionate effort on businesses rather than consumers. Further, the threshold for businesses to make such a claim appears to be high, which is consistent with the California Privacy Protection Agency’s (CPPA) Statement of Reasons. However, while these draft regulations provide a more detailed definition of the disproportionate effort principle, its practical scope will remain uncertain until enough case law and judicial interpretations start to emerge.

Disproportionate Effort in European Privacy Law

Although the disproportionate effort principle is a relatively new feature of U.S. privacy law, it is no stranger to privacy professionals in Europe. For instance, section 8(2)(a) of the U.K. Data Protection Act of 1998 included such an exemption for the obligation to supply the data subject with a copy of the information in response to a DSAR. In Dawson-Damer v. Taylor Wessing LLP (2017), the England and Wales Court of Appeal clarified the approach to assessing disproportionate effort. The Court stated that the correct approach is “to examine what steps a data controller has taken, and then to ask if it would be disproportionate to require further steps to be taken to comply with the individual’s right of access.”4 The disproportionate effort principle can also be found in the Data Protection Law (Jersey) 2018 and the EU’s General Data Protection Regulation.5

Depending on courts’ interpretations and different countries’ Data Protection Agencies (DPAs), the practical scope of disproportionate effort varies. Some courts or DPAs tend to apply fairly broad interpretations, while others are inclined to interpret the doctrine more narrowly. Thus, the current issue that privacy professionals are facing is not a lack of definition, but a threshold issue. As precedent in this area continues to develop, the manner in which courts choose to interpret disproportionate effort moving forward could have serious implications for consumers worldwide.

Broad versus Narrow Interpretation

The implications of disproportionate effort depend on whether it is interpreted broadly or narrowly. In the context of the DSAR obligation, a broad interpretation of the disproportionate effort exemption is defined as “an exemption which releases [data] controllers from having to search for data which they could show was difficult to find or was trivial is of far greater value.”6 In contrast, a narrow interpretation would confine the scope of the exemption only to “the supply of a copy of information in permanent form.”7

Under section 8 of the 2008 UK Data Protection Act, the disproportionate effort exemption is applicable when “supplying the data subject with a copy of the information in permanent form is not possible or would involve disproportionate effort.” Similarly, under paragraph 12 (6)(a) of the Data Privacy Law (Jersey) 2018, the exemption is applicable in a variety of situations, including when “providing the specified information is impossible” or “involv[ing] a disproportionate effort on the part of the [data] controller.” 

A plain statutory interpretation would suggest a relatively narrow scope in which the exemption is only applicable to supplying or providing the information. The Guidance Note published by the Jersey Office of the Information Commissioner (JOIC) appears to support this interpretation of the exemption, indicating that its scope is limited to “‘supplying’ a copy of the relevant information in permanent form.” This narrow interpretation carries “limited significance given that producing a copy of information is the last stage in the process.”

However, not all DPAs or court interpretations follow this narrow approach. For instance, in a Belgian DPA’s decision (DOS-2018-06125), in relation to a former employee's right to access under Article 15 GDPR, the Belgian DPA upheld the notion that granting access to relevant IT logs would impose a disproportionate burden on the data controller. In Ittihadieh v. 5-11 Cheyne Gardens RTM Company Ltd and Others (2017), the Court of Appeal noted that the obligation to search applies only to circumstances where the search in question is “reasonable and proportionate.” Despite concerns that a broad interpretation might “favour data controllers whose data processing operations and systems are poorly organized,”8 this approach could still be limited to circumstances where the search of data involves excessive burdens and unreasonable search.

From the standpoints of consumer protection and business operations, both interpretations have benefits and drawbacks. On one hand, solely applying a narrow interpretation could significantly undermine the benefits of the disproportionate effort exemption for businesses. On the other hand, although a broad interpretation of disproportionate effort relieves excessive burdens on businesses where a search would be unreasonable and disproportionate, this course of action could potentially disincentivize businesses from keeping their systems well-organized.

Potential Solutions and the Future of Disproportionate Effort

Although the United States data privacy landscape continues to progress rapidly, courts have not reached a consensus on the correct interpretation of the term “disproportionate effort.” One way to address this issue is to apply a totality of circumstances approach. This approach would allow courts to focus on all the facts of a given case and apply a combination of the existing approaches applied by European courts and DPAs, as well as consider other factors, such as the data subject’s motive for the request.9

For clarity and fair application, California should amend the CCPA and CPRA to include a totality of circumstances approach for disproportionate effort cases. There is minimal jurisprudence to date on the CCPA, thereby creating a murky environment full of unknowns and ambiguity. Further clarification could provide businesses more guidance for reference when there are truly valid justifications for claiming disproportionate effort. More importantly, it could set a clear standard which could effectively prevent potential abuse of the disproportionate effort exemption and more adequately protect consumer interests.

Sheng Gao, LL.B., is a privacy compliance professional with experience in retail, insurance, and financial services industries. Sheng received his law degree from Queen's University Belfast. He received his BA in Economics from The George Washington University.

Megan Lombardi, J.D., is a seasoned privacy professional with years of experience in different privacy compliance fields. Megan received her Juris Doctorate from University of Arkansas School of Law. She received her Bachelor's degree in Business Administration and Management from Oklahoma State University.

1 § 1798.130(a)(2)(B).

2 CPRA Draft Regulations § 7001(h).

3 Id.

4 Taylor Wessing at 73.

5 Data Protection Law (Jersey) 2018 §§ 12(6)(a), 20(7)(c), 27(8); General Data Protection Regulation, Prefatory Language, Art. 14.5b, Art. 9, Art. 34.3(c).

6 Kate Brimsted, Subject Access Requests: Keeping a Sense of Proportion (Mar. 1, 2004).

7 Id.

8 Id.

9 While courts in Europe have declined to consider motive, it can be an important factor to consider when examining whether the disproportionate effort exemption applies. In Dublin Bus v. Data Protection Commissioner [2012] IEHC 339, for example, the High Court in Ireland held that “the existence of proceedings between a data requester and the data controller does not preclude that data requester making an access request under the act nor justifies the data controller in refusing the request.” Further, the court in Ittihadieh “did not accept that motive was irrelevant” and noted that “it would be odd that [motive] could not be taken into account when deciding costs questions.”