As the year draws to a close, reform of the data subject access request (DSAR) regime in the EU and the UK may turn out to be a welcome gift for organisations grappling with complex access requests. Regulators in both jurisdictions are signalling a more flexible, pragmatic approach to compliance, recognising that DSARs have often been exploited for tactical or disruptive ends.
EU Digital Omnibus Proposal
In the EU, the Digital Omnibus Proposal (Omnibus) — a package of GDPR amendments designed to simplify and streamline compliance — reflects a deliberate policy shift. The Omnibus acknowledges that, while DSARs remain a cornerstone of data subject rights, in practice they have increasingly been used as tactical tools in litigation and employment disputes, rather than for genuine transparency. The package therefore seeks to ease procedural burdens in situations where DSARs are used for disruptive, strategic, or otherwise improper purposes.
The Omnibus clarifies that organisations can refuse DSARs that amount to an “abuse of rights” under the GDPR or, in other words, requests that go beyond a genuine attempt to understand how personal data is being used. In particular, controllers may challenge requests that are manifestly unfounded, excessive, or repetitive, such as those that are strategically timed to disrupt business operations.
However, as with many regulatory “gifts”, the wrapping is attractive, but the instructions are unclear. Familiar concepts such as “manifestly unfounded” and “excessive” remain highly fact-specific and open to interpretation. Regulators have historically set a high bar for refusing to comply with a DSAR and, consistent with current rules, the controller will continue to bear the burden of demonstrating that a request is manifestly unfounded or excessive.
UK Data (Use and Access) Act 2025
Across the Channel, the UK’s Data (Use and Access) Act 2025 (DUAA) takes a similar, if slightly bolder, approach. Effective from 19 June 2025, the Act clarifies that, under Article 15 of the UK GDPR, controllers need only conduct a reasonable and proportionate search for personal data. This provision applies retroactively from 1 January 2024.
The DUAA also allows controllers to ask data subjects to clarify their identity and to specify or narrow the request to the personal data they wish to access. In addition, the Act introduces a “stop-the-clock” mechanism, allowing controllers to pause DSAR timelines while awaiting clarification or additional details from the requester. These reforms reduce the pressure to rush through complex DSARs with broad or unclear scope, allowing controllers to manage requests more deliberately and with greater confidence.
Yet, as with the EU framework, the UK reforms do not provide a settled definition of terms such as “reasonable” and “proportionate”, which remain elastic and fact-specific, limiting the practical impact of the DUAA’s simplifications.
Case law
The UK’s more flexible statutory framework sits uneasily alongside recent case law, notably the 2025 Mike Ashley decision. This judgment reaffirmed a data-subject-friendly approach to DSAR compliance, emphasising thoroughness, transparency and the centrality of access rights. While the facts of the case were specific, the reasoning sent a clear message: proportionality must not become a convenient excuse for superficial searches or selective disclosure. Importantly, however, this case was decided before the DUAA came into effect.
Taken together, the Omnibus, the DUAA and the Mike Ashley decision paint a picture of regimes in transition. While policymakers are increasingly aware of the need to balance individual rights with organisational capacity, they have stopped short of delivering the one thing many organisations would most like to find under the tree: a settled, universally accepted definition of what constitutes reasonableness in the context of a DSAR.
Looking Forward
Against this backdrop, organisations should keep a close eye on the outcome of the ongoing Gregg Wallace v BBC litigation. This case may offer important insight into how lenient the courts are willing to be.
Gregg Wallace, a British television presenter, is suing the BBC for “distress and harassment” following an alleged failure to disclose his personal data in response to a DSAR. Even after designating the request as complex, the BBC took more than seven months to respond — around four months beyond the long-stop date. While such a delay is unlikely to sit comfortably with the courts, the 21-year scope of the request may test the limits of tolerance and flexibility. The outcome could therefore prove critical in determining whether recent legislative easing translates into meaningful practical breathing room.
Practical takeaways for organisations
- Use “stop-the-clock” proactively but transparently
Where clarification or identity verification is required, engage early and document the rationale for pausing the deadline.
- Embed proportionality into DSAR workflows
Define and record what a “reasonable and proportionate” search looks like for different systems and categories of data, rather than defaulting to blanket searches.
- Treat refusal and limitation decisions as high-risk
While we await further guidance from the courts and regulators, decisions to refuse DSARs should be carefully considered and evidenced, even under the Omnibus and UK reforms.