Reconsideration or entrapment? Possible abuse of withdrawal rights under CRD, CJEU C-564/24

Over the past few days, one case has kept coming up in professional conversations which we have not covered so far - namely, Eisenberger Gerüstbau v JK (C-564/24), decided on 5 March, a new case concerning possible abuse of withdrawal rights. 

Facts and questions

In the case at hand, JK, the customer, had concluded a contract with Eisenberger Gerüstbau, a provider of scaffolding for building projects, to support the renovation/expansion works to be undertaken at a building owned by the consumer herself, for private purposes. The contract had been concluded with the assistance of an architect, who had drafted it as instructed by the consumer. The trader had signed the contract without making any changes. Signatures had been finalised in December 2020.

The scaffolding had been subsequently installed and held in place over a period of almost 12 months, during which the consumer had regularly paid a number of bills by the trader. In December 2021, when all the works for which the scaffolding had been indispensable had been concluded, the consumer indicated her wish to withdraw from the contract and demanded that all the money she had paid – close to 100 000 euros – be returned to her. The ground for her claim was that the trader had not informed her of her rights to withdraw from the contract, which would then be automatically extended from 14 days to 12 months and 14 days. The trader rejected the request and sued the consumer for the unpaid parts of the bill; the consumer counter-sued. 

 

The questions before the CJEU concerned two different aspects on which the referring court doubted on the way in which EU consumer law may apply to the case: first (questions1-3), whether the contract at hand (and modifications thereto) should be considered a distance contract for the purposes of article 2(7), Consumer Rights Directive, a necessary precondition for the application of the right to withdraw. Second (question 4), in case the contract had to be considered a distance contract under the relevant rules, whether in the case at hand the trader could legitimately claim that the consumer had exercised their right of withdrawal in a way that is contrary to good faith. 

 

The second issue was particularly laden (see para 37) as a result of a previous CJEU decision which had given pause to many practitioners, namely C-97/22. In that case, the court had upheld the right to withdrawal (and restitution of any expenses) for a consumer who had exercised their right after the contract had been fully performed. Could a different conclusion be reached in this case?

 

Reasoning and answers

As concerns the first question, the Court considered the three main elements that constitute the definition of “distance contract” under article 2(7) CRD, namely:” “any contract concluded between the trader and the consumer under an organised distance sales or service-provision scheme without the simultaneous physical presence of the trader and the consumer, with the exclusive use of one or more means of distance communication up to and including the time at which the contract is concluded”. One of these aspects – the exclusive use of distance means of communication - seemed to be uncontroversial. Two, however, deserved closer scrutiny. First: was the customer acting as a consumer? The referring court seems to consider that if the consumer uses the services of a professional intermediary, they may not necessarily be considered a consumer in the relationship to third party providers hired through such intermediaries. The Court’s answer to this is relatively succinct, in so far as it concludes, relying on the AG’s opinion, that “a consumer was assisted by a trader, in the present case an architect, in the context of the negotiation and conclusion of a contract between that consumer and another trader, is not such as to call into question the weaker position […] of that consumer vis-à-vis that other trader, even though the trader who assisted that consumer took the initiative to establish the contact between that consumer and the other trader and influenced the content of that contract”. This may be a dubious reasoning as no effort is made to show why the use of a professional intermediary should not affect the presumption that a consumer “must be deemed to be less informed, economically weaker and legally less experienced” [para 44] than their counterparty. 

 

Perhaps unexpectedly, the CJEU has more doubts as to whether the contract in question should be considered as concluded “under an organised distance sales or service-provision scheme”. From the description of the negotiation, it is clear that the contract was concluded exclusively by means of distance communication, but not that the trader themselves had set out any “organised” scheme for such distance negotiations. In that sense, the CJEU concluded that it is up to the national court to decide whether the contract was a distance contract under article 2(7) of the CRD. 

 

The answers to the previous questions made it still meaningful to answer the question concerning whether the consumer could be considered to be exercising their right of withdrawal against good faith. In this sense, the Court reaches to its own case-law on the notion of “abuse of right”, which is known to be very demanding and as such helps the CJEU distinguish this case from the one decided in C-97/22. The Court first observes that it has in the past held that “the application of eU legislation cannot be extended to cover transactions carried out for the purpose of fraudulently oer wrongfully obtaining advantages provided for by EU law”. This is the case when it can be shown that first, “despite formal observance of the conditions laid out by the EU rules, the purpose of those rules has not been achieved”, and, additionally, “a subjective element consisting in the intention to obtain an advantage from those rules by artificially creating the conditions laid down” for obtaining that advantage. The Court refers here to its own Grand Chamber judgment of 21 December 2023, BMW Bank and Others (C-38/21, C-47/21 and C-232/21, paragraph 285), which concerned potentially abusive exercise of the “eternal” right of withdrawal in consumer credit agreements. 

 

The threshold imposed by these requirements is, in essence, high enough that it could overcome not only the general demands of a high level of consumer protection but also the punitive elements inherent in the specific rules at hand, which extend the right of withdrawal by 12 months when consumers have not been informed of this specific right. 

 

In this sense, the Court reasons, it is not enough to observe that a consumer has exercised their right of withdrawal towards the end of the extended withdrawal period. However, additional facts specific to this case may be relevant; in particular, the referring court may consider the fact that the contract was “concluded on the basis of a draft prepared under the sole responsibility of the consumer by an agent of her choice, in accordance with the information given by the latter as regards the precise services expected from the trader, which that trader then signed without making any amendments”[para 78]. This could suggest that the objective element of the abuse test – formal observance of the rules undermining the objective of those same rules – may be met. 

 

The circumstances of the case, the CJEU concludes, may further suggest that the subjective element of the test has also been met – the timing of the invocation of the RoW, right between the conclusion of the necessary parts of the work and the expiry of the 12-month window to exercise her right of withdrawal constituting a potentially relevant factor.

 

Some preliminary thoughts

The second question/answer discussed above is the main reason why the judgment has drawn some attention within legal circles. While similar implications could be drawn from the 2023 car lease cases, those cases were so steeped in a specific discussion and litigation saga that it was not immediately clear how broadly the CJEU may be willing to generalise the applicability of the abuse doctrine in consumer law. This case, of course, doesn’t answer this question either, being ultimately still about withdrawal rights. It does, however, help us make some tentative distinctions. First, abuse of withdrawal rights is more than the somewhat disproportionate exercise of said rights. It requires an ex ante dimension of creating a situation which gives rise to potential legal consequences, and at least explicit awareness of this dimension. This means, second, that the “windfall” a consumer enjoys when profiting from a trader’s mistake is not equivalent to abuse. This makes sense, in particular, in light of the Court’s consistent position that such consequences are both meant to provide consumers effective remedies and sanction the traders for non-compliance, thereby incentivising compliance. 

 

The previous question may get less attention, but I do want to reflect on two aspects that I find notable: first, I mentioned above that the reasoning with which the Court denies that the presence of an intermediary may mean the customer may not quality  as consumer under (in particular) the CRD does not sound particularly convincing. If we go with the Court’s own recalling that consumers must be assumed to be weaker in terms of knowledge, financial means and and legal savvy, it seems that – contrary to what the Court claims – the presence of a professional intermediary would by definition intervene to mitigate some of these asymmetries. An intermediary will likely be hired precisely to provide additional knowledge and (contract-specific) legal experience, and their involvement may even mean that the consumer has sufficient investment in the contract that they may be financially almost comparable to an entrepreneur. At the same time, while the reasoning may be weak (pun not too intended), it seems wise of the Court not to open up to broader questions about when the presence of an intermediary may matter to someone’s consumer capacity. This seems like a question that, if at all, should be properly addressed by legislatively set exceptions. The case-by-case appreciation of the role of the intermediary finds a more limited, and hence arguable more appropriate, role in the assessment of the potential abuse. Second, I find it interesting that the Court proposes a rather strict interpretation of the “organised scheme” element in the definition of a distance contract, suggesting that situations in which the trader does not systematically work online/through means of distance communication may not be automatically drawn under the application of the more demanding CRD requirements for distance contract by the mere conclusion of the contract by means of distance communication. 

C-526/24 Brillen Rottler: when does exercising your GDPR rights become abusive?

Have you ever tried to find out who is processing your data and exercised your right under Article 15 GDPR? It is a useful transparency tool for data subjects – who are in many circumstances consumers as well, for instance when subscribing to an online newsletter or creating an account with an e-commerce platform. Based on this right, you can obtain from a data controller (often a company in a B2C relationship) confirmation of whether your personal data are being processed, and if so – for whatpurposes, which categories of data, who has received access to them, etc. You can also request a copy of your data.

Some individuals, however, exercise this right not to verify the lawfulness of data processing, but to “provoke” a situation in which a refusal – or any procedural shortcoming – will trigger a compensation claim under Article 82 GDPR. This is precisely what the case C-526/24 Brillen Rottler GmbH & Co. KG v TC is about.

The facts are relatively simple: an individual subscribed to the newsletter of Brillen Rottler, a family-run optician company based in Arnsberg, Germany, by voluntarily entering his personal data on the company's website. Thirteen days later, he submitted a request for access to his personal data under Article 15 GDPR (paras. 12–14). Brillen Rottler refused to comply, arguing that the request was abusive, because press reports, blog posts and lawyers' newsletters showed that the individual systematically subscribed to newsletters from various companies, then submitted access requests and subsequently filed claims for compensation (para. 15). The data subject denied any abusive intent and claimed compensation of at least EUR 1,000 for non-material damage resulting from the refusal itself (para. 16).

Designed by Freepik

The Local Court of Arnsberg, before which the dispute was brought, referred several questions to the Court of Justice for a preliminary ruling (para. 20). In essence, it asked: first, can a first access request already be considered "excessive" within the meaning of Article 12(5) GDPR, and if so, under what conditions? Second, does the right to compensation under Article 82 GDPR extend to damage caused not by unlawful processing of data, but by a wrongful refusal to act on an access request? And third, can the causal link required under Article 82 be broken by the data subject's own conduct?

What did the CoJ find?

On the "excessive" first request (questions: 1-3, 7)

The Court confirmed that even a first access request – not just a series of repeated ones – may, in certain circumstances be regarded as "excessive" within the meaning of Article 12(5) GDPR, and thus refused. However, it stressed that this exception must be interpreted strictly. The concept of "excessive requests" is inherently exceptional, and there must be strict criteria for characterising a first request as such. Crucially, the burden of proving that excessiveness lies explicitly with the controller (para. 35). It is not enough to point to a pattern of behaviour visible in public sources – for instance, that the individual has submitted similar requests and claims to multiple controllers. Such information may be taken into account, but only if it is supported by other relevant material (para. 43). What is required is a combination of two elements: objective circumstances showing that "despite formal observance of the conditions laid down by the EU rules, the purpose of those rules has not been achieved"; and a subjective element "consisting in the intention of the data subject to obtain an advantage from the EU rules by artificially creating the conditions laid down for obtaining it" (para. 36).

In practical terms, the controller must demonstrate unequivocally that the access request was not made to become aware of, or verify the lawfulness of, the data processing, but solely to create a ground for compensation (para. 41). In making that assessment, the court should look at all circumstances of the case: did the data subject provide their data voluntarily and without any obligation? What was the purpose of doing so? How much time elapsed between the data submission and the access request? And how did the data subject behave throughout (para. 42)? 

On the scope of compensation under Article 82 GDPR (questions 5-6)

The second issue concerned a broader question: does Article 82(1) GDPR – which grants compensation for "damage resulting from an infringement" of the GDPR – cover situations where the damage stems not from the processing of personal data as such, but from a controller's wrongful refusal to respond to an access request?

The Court answered in the affirmative. It reasoned that many of the rights enshrined in Chapter III of the GDPR – including the right of access, rectification, erasure, restriction, and portability – by their very nature produce infringements through refusals to act, rather than through any particular act of processing (para. 51). If compensation under Article 82 were limited exclusively to damage caused by unlawful processing, the rights of data subjects laid down in Chapter III would be significantly weakened and the effectiveness of the provision undermined (para. 53). In other words, the Court opted for a broad interpretation of Article 82(1), consistent with its literal wording, which covers damage resulting from any "infringement of this Regulation" not merely from unlawful data processing as such.

On causation – and the data subject's own conduct (question 8)

The third and most practically significant finding concerns the causal link. Even where a GDPR infringement is established and damage is claimed, compensation is only available if the data subject demonstrates actual harm and a causal link between that harm and the infringement. That link is a condicio sine qua non of any claim under Article 82(1) (para. 66).

Critically, the Court held that the causal link may be broken by the data subject's own conduct – provided that conduct proves to be the determining cause of the damage (para. 65). Where a person has voluntarily provided their data to a controller with the specific aim of artificially creating the conditions for a compensation claim, the resulting loss of control over data or uncertainty as to their processing cannot be attributed to the controller. The data subject cannot then claim compensation for harm that was, in substance, the result of their own deliberate decision (para. 66).

Final remarks

The Brillen Rottler case is not a revolution. The Court builds on what it has already established in Österreichische Datenschutzbehörde (C-416/23), FT (C-307/22), and Österreichische Post (C-300/21), but takes it one step further. What is new is the clarity – a first access request can be abusive, the causal link in compensation claims can be broken by the data subject's own conduct, and Article 82(1) GDPR covers more than just unlawful processing. The CoJ tries to be fair to both sides – the data subjects and data controllers. 

It also comes at an interesting moment. In November 2025, the Commission published the Digital Omnibus proposal (COM(2025) 837 final), which among other things touches on the GDPR's right of access. Recital 35 of that proposal states that "the right of access, which is from the outset favourable to data subjects, should not be abused in the sense that the data subjects abuse them for purposes other than the protection of their data", and gives as an example a situation where "the data subject intends to cause the controller to refuse an access request, in order to subsequently demand the payment of compensation, potentially under the threat of bringing a claim for damages". The reformulated Article 14(5) of the GDPR (see Art. 4(4) of the proposal) would allow controllers to refuse requests that are "manifestly unfounded or excessive, in particular because of their repetitive character" - while keeping the burden of proof on the controller. The Court's reasoning and the Commission's proposal clearly point in the same direction. Whether the final legislation will look anything like the current draft is, of course, another question.

Commission opens official DSA investigation into SHEIN

 While the announced Digital Fairness Act proposal remains so far at the announcement stage, the last few months have brought to light the DSA's potential - if yet to be tested - to contribute to consumer protection beyond content moderation practices. In this sense, it particularly interesting that this month the European Commission has announced an official investigation into Shein's practices concerning several potential violations, namely:

- potential failure to limit the sale of illegal products, "including content which could constitute child sexual abuse material, such as child-like sex dolls";

- potential failure to monitor systemic risks linked to addictive design "including giving consumers points or rewards for engagement", and adequacy measures that Shein has in place in order to mitigate negative effects on "users' wellbeing and consumer protection"; and 

- potential failure to achieve sufficient transparency of the recommender systems in the platform. 

The press release does not provide a detailed legal basis for the specific elements, so we did this for you. 

First, illegal content. Under the DSA, platforms do not have to actively monitor for the presence of illegal content (article 6), but they have have several obligations that are triggered once a notice is filed (article 16 para 4,5,6), and they are assumed to be legally aware of the illegal content once a valid notice has been filed (art 16 para 3). The commission has previously asked Shein to provide information about how they manage their notice & action systems to counter illegal content and the investigation is meant to obtain further insight. 

"rewards for engagement" from couponfollow.com

Second, as concerns the systemic risks, the Commission's framing seems to leverage the understanding of "risk" (assessment, art 34 and mitigation, art 35) referred to in recitals 81 and 83, namely that of addictive features of a platform's design or exploitation of weaknesses, in particular when it comes to children. The gamification mechanisms mentioned in the investigation announcement may structurally encourage consumers to over-spend or just spend more time in the app that normal usage would require. 

Finally, the Commission wants to know more about how Shein informs consumers about the criteria according to which product presentation is organised and selection is ranked. According to art 27 DSA, this information can be provided in the platforms T&Cs *but* "when several options are available" users must be given the a directly and easily accessible option to choose among these alternatives. The Commission here also indicates that users should be provided with *at least one easily accessible option that is not based on profiling* for each recommender system. This requirement does not follow directly from the DSA but seems in line with the requirements for consent under the GDPR (as it seems unlikely that a webshop would be able to rely on a different legal basis for the profiling). 

We do not know how long this investigation will take - the press release makes it clear that the Commission doesn't want to commit to a specific timeline. Of course, the outcome in this file may have broader implications for DSA enforcement and consumer protection, so we will be following (and sharing) any developments with great interest!

Dutch court upholds Fortnite fine for UCPD violations

 While the "Digital Fairness Act" may or may not become a thing in the near future, it is interesting to see how regulators have started to perhaps gain more confidence in the enforcement of existing rules in the digital context. A most recent example comes from a Dutch decision published today in Epic Game's case against the Dutch Authority for Consumer and Market's decision to fine the Fortnite producer for a number of prohibited practices embedded in the game. 

According to the ACM, Epic Games exposed children to advertisements which directly exhorted them to buy a product (a banned practice under the UCPD's annex) and put them under pressure to decide about a complex and unclear offer within a short time (para 1 decision).

Epic Games had earlier accepted parts of the ACM's decision, in so far as it concerned timers in the Item Shop that created the false impression that an item or offer may soon run out or disappear. They challenged, however, 1) the existence of exhortation to purchase directed at children, as well as 2) the ACM's claim that the game's Item Shop was designed in such a way to create artificial scarcity, putting players under pressure to decide within a short period of time whether to buy certain items. 

As to the first point, this hinged on the interpretation of the text in the annex. From the judgment it appears that Epic Games wanted the District Court to decide on the ACM's assumption that "children" in the UCPD's annex covers all minors, which was challenged on the basis that it failed to differentiate between young children and older teenagers. The court considers that this distinction may matter for the amount of the fine but not for the question of whether the finding of an infringement was justified and hence declines to examine the issue in detail since Epic Games has not challenged the entity of the fine. Even without a detailed examination, this element in the decision may in fact embolden authorities, which have found it tricky to claim that practices constituted direct exhortation to buy directed at children whenever a product was not exclusively marketed to very small children. There was otherwise relatively little in the decision that tried to suggest that the practices at stake (see picture, from decision) did not constitute direct exhortation to purchase.

As to the second point, the ACM (see decision para 17 and sub-paras) was relying not on a direct prohibition but on a savvy reading of the general prohibition of unfair practices which go against "professional diligence" and distort the average consumer's decision making (art 5 UCPD). In this respect, the Court says, the ACM has understood professional diligence through "the principles and international rules on ethical design such as transparency and the avoidance of damaging or misleading design". The ACM also claims that professional diligence requires abstaining from exploiting behavioural pitfalls of consumers through so-called "dark patterns".  In particular, lack of transparency about the offer was due to a mix of several elements:  items potentially disappearing from the item shop, lack of information about the items' significance within the game and their rarity (which all connected to their price), all combined with time pressure (because the Item Shop content was refreshed every 24 hours), made it difficult for consumers/children to decide without excessive pressure. The Court has accepted the ACM's analysis and characterisation of the practice, rejecting Epic Games' contention that the analysis relied on the wrong test. 

A final challenge concerned the burden of proof: did the ACM need to prove that the concerned practices had actually influenced the behaviour of children as a result of the factors that its analysis identified? The Court finds that no proof has to be provided of actual influence: it is sufficient that the analysis makes it sufficiently plausible (aannemelijk) that these effects would occur. Among other things, the court points to ACM relies on research reporting that 37% of the kids playing the concerned version of the game (namely, Battle Royale) do make in-game purchases and that significant numbers of children who make in-game purchases regret their choices afterwards (see decision para 21.1). 

The confirmed fine amounts to 1.1 million euros. It is clear from the points raised in the case that Epic Games was here seeking to establish a principled precedent against the ACM's interpretation of the UCPD and their recent steps in digital enforcement. This may suggest that the decision will be appealed - which we should know within a few weeks. Interesting case in any event!