The Bottom Line
- Regulators Have Discretion: Data Protection Authorities (DPAs) are not legally required to fully investigate every GDPR complaint they receive, especially if a complaint is broad or lacks specific evidence of a violation.
- Burden of Proof is on the Complainant: An individual or entity filing a complaint must provide plausible evidence of an actual GDPR breach. Merely pointing to a potential issue, like a neighbor’s security camera, is not enough to compel a DPA to launch a full-scale investigation.
- Prioritization is Lawful: DPAs can legally prioritize their limited resources for systemic risks and high-impact cases. This means individual or low-impact disputes may be deferred, leaving the parties to pursue other legal avenues like civil litigation.
The Details
In a case with significant implications for corporate compliance and regulatory engagement, the District Court of Noord-Holland ruled that the Dutch Data Protection Authority (the “AP”) was justified in refusing to investigate a citizen’s complaint about the widespread use of security and doorbell cameras in his neighborhood. The complainant had requested enforcement action against 17 specific addresses, arguing that the cameras, many of which filmed public spaces, constituted a structural violation of his and his family’s privacy rights under the GDPR.
The AP declined to launch a full investigation following a preliminary “desk assessment.” The regulator’s position was that the complaint was too general and lacked specific evidence that each individual camera was operating unlawfully. Determining a violation would require a resource-intensive, case-by-case analysis of each camera’s settings, purpose, and the specific data being processed. The AP argued that under the GDPR, it has the discretion to investigate complaints “to the extent appropriate” and must prioritize its resources. Individual camera disputes, it contended, are not an efficient use of its enforcement capacity and fall outside its strategic focus areas.
The Court sided entirely with the Data Protection Authority. The ruling affirms that DPAs possess significant discretion in managing their caseload. The Court found the AP’s approach—requiring a complainant to make a violation plausible before committing to an in-depth investigation—to be reasonable. The mere existence of a data processing activity, such as a security camera, is not in itself proof of a GDPR violation. This judgment reinforces that a DPA’s role is not to resolve every individual grievance but to use its powerful enforcement tools strategically to address the most significant risks to data privacy.
Source
Rechtbank Noord-Holland
