Agefi Luxembourg - avril 2026

AGEFI Luxembourg 44 Avril 2026 IA & Tech ParPierrePINCEMAILLE,Secrétairegénéraldela Gestion, DNCA Investments L es craintes d'obsolescence liées à l'IAet le lancement d'une opéra- tionmilitaire auMoyen-Orient sont deux séquences qui ontmis les nerfs des investisseurs à rude épreuve. Face à ces pé- rils, la saisonde résultats tri- mestriels semble plus que jamais indispensable. Au regard de la corrélation his- toriquedelacroissancedesbéné- fices avec les indicateurs avancés d'activité, la saison s'est donc avé- rée de bonne facture aux États-Unis : la croissance des bénéfices par action au quatrième trimestre s'élève à 14% sur une année. Dans le détail, environ 75%des sociétés ont publié au-dessus des attentes (en ligne avec l'historique). A nouveau, ce sont les secteurs de la technologie (+31 %) et les financières (+17 %) qui sont les plus gros contributeurs à la croissance de la cote améri- caine, alors que la santé ferme la marche avec des bénéfices stables sur la période. L'absence d'équivalent desMag7 enEurope rend la copie plus terne de ce côté de l’Atlantique : la crois- sance des BPA est de 4 %, tirée par les finan- cières (+19 %) et les utilities (+25 %). À l'inverse la consommation discrétionnaire et l'énergie sont en retrait significatif (respectivement -27 % et -24%), mais la dynamique bénéficiaire des majors pétrolières a vocation à s'inver- ser drastiquement avec l’envolée des prix du pétrole et du gaz. Enfin, l’analyse des performances médianes, plutôt que moyennes, donneune imageplus équilibrée de la situation : selon cette méthode, l'écart de croissance des BPA n'est « que » de 400bp entre les deux zones (+9%vs. +5%). Au-delà des résultats, les dépenses d'investissement sont l’autre indicateur que les analystes scrutent avec attention. Ceux-ci ont relevé leurs objectifs agrégés d'investissements pour l’année de 24 % par rapport au trimestreprécédent à670milliardsdedollars, soit une hausse de 62%par rapport à 2025 ! En aval de ce phénomène d’envolée des CapEx, le nombre de sociétés mentionnant le thème de l'IA est en hausse sur le trimestre : 70 %des sociétés du S&P 500 ont abordé le sujet lors de la présentation des résultats par les directions. 54 %d'entre elles la mentionnent dans un contexte de gain de produc- tivité, mais les chiffres chutent drastiquement quand il s'agit de présenter des cas d'usage quanti- fiés (10 %) ou l'impact sur les bénéfices (1 %). Preuve que nous sommes encore aux prémices du phénomène chez les corporates. L'IAfait aussi l'objet de commentaires dans le cadre des intentions d'embauche. Une part encore modeste des sociétés la mentionne comme raison de licenciement ou de gel des embauches au T4 (moins de 5 %). Goldman Sachs a calculé que les sociétés ayant abordé le sujet ont réduit leurs pers- pectives d'embauche de 12 % en 2025 contre 8 % pour l’ensemble des entreprises. Avec comme toile de fond l’IA et ses conséquences, la réactiondes titres le jour de lapublicationde leurs résultats s’est écartée du comportement classique : en moyenne, les sociétés européennes ayant publié au-dessusdes attentesduconsensus ont euuneper- formance en ligne avec l’indice le jour de l'annonce. Inversement toute déception a été sanctionnée par les investisseurs dans des proportions bien supé- rieures à la moyenne historique. Et on constate depuis le début de l'année une absence inédite de corrélation entre performances boursières et ajus- tements du consensus des bénéfices des deux côtés de l'Atlantique. Cette rupture est probablement le reflet des interrogations des investisseurs quant à la valeur terminale de certains modèles d'affaires susceptibles d'être affectés par la révolution tech- nologique en cours. À la veille du conflit armé auMoyen-Orient, les sur- prises positives tant en Europe qu’aux États-Unis ont permis auconsensusde revoir à lahausse les attentes decroissancedesbénéficesannuels,àrespectivement +13%et +16%.Mais cet évènement géopolitique, qui se traduit par une hausse significative des prix du pétrole et du gaz ainsi que des taux de fret, pourrait mettre un coup d'arrêt à cette tendance. Ce scénario dépendra de l'intensité et surtout de la durée de ce conflit, deux paramètres difficiles à évaluer au moment de la rédactionde ces lignes. Plus généralement, le niveau actuel d'incertitude devrait inciter une nouvelle fois les investisseurs à diversifieraumaximumleursportefeuillespouropti- miser le couple risque / rentabilité. Dans ce cadre, le segment « qualité/croissance » de la cote (comme les laboratoires pharmaceutiques) devrait faire l'objet d'un réexamenpar les investisseurs, après l’avoirmis de côté depuis fin 2021 Saison de résultats : la guerre des mondes (réel et virtuel) I n an era of increasingly capableAI agents detectingGDPRnon-compliance and cookie consent violations inorder to demand compensation, andof data subject access rights (“DSAR”) beingweaponised as tactical instruments in employment disputes, financial disagreements or rent reductionproceedings, a rulinghandeddownon 19 March 2026 by theCourt of Jus- tice of the EuropeanUnion (“CJEU”) is both timely andwel- come (CaseC-526/24, BrillenRot- tlerGmbH&Co. KGvTC). The CJEU clarified that EU law cannot be invoked for abusive or fraudulent pur- poses and, in particular, that even a first DSAR can be rejected as abusive where the controller demon- strates that the requester acted with the intention of artificially creating the conditions required to obtain compensation. The threshold is, however, high, and the burdenof proof restswith the controller. In March 2023, an Austrian individual signed up to receive promotional emails from Brillen Rottler, a smallfamily-runopticianbasedinGermany,entering his personal details on the company’s website and consenting to the processing of those data. Art. 15 of Regulation (EU) 2016/679 (the “GDPR”) grants data subjects the right to access their personal data and to verify the lawfulness of its processing. Thirteen days after signing up, the individual sent Brillen Rottler a formal DSAR. The optician refusedwithin the statu- tory one-month period, considering the request abu- sive under Art. 12(5) GDPR, pointing to publicly available reports suggesting the individual followed thispatternsystematicallyacrossmultiplecontrollers. When he maintained his request and added a dam- ages claimof EUR 1.000 underArt. 82GDPR, Brillen Rottler brought proceedings before a German court of first instance, which referred eight questions to the CJEU for a preliminary ruling. Can a controller refuse a first DSAR? The most striking aspect of the ruling concerns the CJEU’s treatment of a first-ever request. The CJEU held that “the relevant criterion for a finding of abu- sive conduct is the excessive character of the request foraccess,whichistobeassessedqualitatively”(§34), and that “the adjective ‘excessive’ denotes something which exceeds the ordinary or reasonable amount.” “Themere use of that adjective, which relates to both qualitative and quantitative characteristics, does not thereforeruleoutthepossibilitythatafirstrequestfor access may be excessive” (§25). Although the GDPR cites repetitive requests as an illustration of excessive behaviour, this does not confine the concept to situa- tions involving multiple requests (§26). A first and only request may therefore in principle be regarded as “excessive” (§35). The lawdoes not protect against abuse simply by counting requests. Howcan a controller prove that aDSAR is excessive? Whilst refusal is theoretically available from the very first request, the CJEU set the threshold extremely high.Theconceptofexcessiverequestsmustbeinter- preted restrictively (§35), assessedby taking into ac- count all relevant facts and circumstances of each individual case (§31, §36), and may be relied upon only exceptionally (§35). The CJEU established a two-part test: - The first limb requires “a combination of objective circumstancesinwhich,despiteformalobservanceof theconditionslaiddownbytheEUrules,thepurpose of those rules has not been achieved” (§36): the con- trollermustdemonstratethatenablingthedatasubject to verify the lawfulness of the processingwas not the genuine objective of the request. -Thesecondlimbrequires“asubjectiveelementcon- sisting in the intentionof thedata subject toobtainan advantage from the EU rules by artificially creating the conditions laid down for obtaining it” (§36): the controller must establish deliberate abusive intent. Relevant circumstances include whether the data subjectprovidedtheirdatawithoutanyobligationto doso,thepurposeofthatprovision,thetimeelapsed between data submission and the DSAR, and the overall conduct of the data subject (§42). Publicly available evidence of a systematic pattern may be taken into account, provided it is corroborated by other concrete and specific elements (§43). A con- troller cannot simply locate an online article charac- terising someone as a serial claimant and treat that alone as grounds for refusal. The burden of demon- stratingexcessivecharacterrestsexplicitlyandexclu- sivelywith the controller. Does a violation of the right of access give rise to compensation? Art. 82(1) GDPR provides that any person suffering “materialornon-materialdamageasaresultofanin- fringementofthisRegulation”hastherighttoreceive compensation. The CJEU confirmed that this article contains no reference to “processing”, so the right to compensationisnotlimitedtodamageresultingfrom processingactivities(§48).Anunjustifiedrefusaltoact on aDSAR is itself an infringement capable of giving rise todamages claim.Acontroller cannot refusea le- gitimate access request and then argue that no data wasmishandled in the course of processing. Thatsaid,Art.82doesnotprovideforautomaticcom- pensation(§59).Threecumulativeconditionsmustbe satisfied:aninfringementoftheGDPR,actualdamage suffered, and a causal link between the two (§60). Damage cannot be presumed from the infringement alone, and the claimant must demonstrate actual harm, however minimal (§62). Where compensation is sought on the basis of a fear of future mis- use, the national courtmust verify that such fear is well founded in the specific circum- stances (§63). Critically, a data subject can- notreceivecompensationwheretheirown conductwas thedeterminingcauseof the damage, includingwhere the lossof con- trolarosefromtheirdeliberatedecision to submit data to a controller for the purpose of manufacturing a claim (§65,§66).Non-materialdamageen- compasses loss of control over per- sonal data or uncertainty as to its processing, provided the data subject actuallysufferedsuchdamageandtheir own conduct was not the determining causeofit(§67).Aproceduralfailuretore- spondtoaDSARcarriesdirectcivilliability, andtheabsenceofanysubstantiveprocess- ing irregularityprovides nodefence. Operational recommendations for controllers This ruling carries several concrete implications for controllers,thatwouldbewelladvisedtoupdatetheir DSAR response workflows to incorporate an early- stageabuse-of-rightsassessment.Uponreceiptofany access request, relevant redflags shouldbe identified and documented immediately, including the timing between data submission and the access request, whether the datawas provided voluntarily, and any contextual indicators bearing on the data subject’s overallconduct.Internalescalationandapprovalpro- cessesforsuspectedabuseshouldbeformalised,with clearcriteriaforflaggingpotentiallyabusiverequests, reliable sources identified to support the assessment, and every stepdocumented in an auditablemanner. Equally important is what this judgment does not authorise. It must not be read as a general licence to refuse access requests. The default position remains full compliance withArt. 15 GDPR, and any limita- tion on a data subject’s right of access must remain exceptional and heavily dependent on the specific facts. Evenwhere a refusal is justified, the controller must still communicate its decision without undue delay andwithin onemonth of receipt. A controller that refuses a legitimate access request, even ingood faithbutwithoutsufficientevidentialfoundation,re- mains exposed to liability under Art. 82 and to reg- ulatory sanctions. Sector-specific implications The financial sector is affected by this ruling, and ar- guably more so given the volume and sensitivity of the personal data it processes on a daily basis. These institutionsareamongthemostfrequentrecipientsof DSARs, as clients, both retail and professional, regu- larly wish to understand what information is being usedtoinformdecisionsabouttheircreditworthiness, their risk classification, their investment suitability or their insurance terms. In the employment sector, DSARs have become a primary instrument for em- ployees and former employees to gather evidence ahead of wrongful dismissal claims, discrimination proceedings orwhistleblowingdisputes, particularly in jurisdictions where labour tribunals offer limited pre-trial discovery. The two-part test established by theCJEUmay,inprinciple,applywhereanemployer can demonstrate on clear and concrete evidence that aDSARwas submitted to harvest documentary evi- dence for unrelated litigation. The threshold remains high, the burden rests with the employer, and legal adviceshouldbeobtainedbeforeinvokingtheabuse- of-rights exception in any employment context. The legislative backdrop: TheDigital Omnibus Proposal Therulingarrivesataparticularlytimelymoment,fol- lowingtheEuropeanCommission’sDigitalOmnibus proposal of 19 November 2025, which proposes to amendArt. 12(5) GDPR to allowcontrollers to refuse aDSARwherethedatasubject“abusestherightscon- ferred by this Regulation for purposes other than the protection of their data”, and to lower the burden of proof regarding the excessive character of a request (Recital35andArt.3(4)oftheProposal).Theproposed text would add that “overly broad and undifferenti- ated requests should also be regarded as excessive.” Thisproposalmust beassessedwithcare.Manydata protectionorganisations, national dataprotectionau- thorities, and legal scholars have expressed concerns abouttheproposedamendmentanditslinkwithArt. 8oftheCharterofFundamentalRightsthatenshrines therightofaccessasafundamentalright.Therecould beariskofweakeningarightthathasservedasanac- countability mechanism, as illustrated by the Uber drivers who collectively relied on DSARs before the AmsterdamCourtofAppeal(04/04/2023,200.295.747/ 01)toexposeandchallengeunlawfullabourpractices. WhetherthefinalOmnibustextretainstheEuropean Commission’s broader formulation or is narrowed to require demonstrated abusive intention, as the CJEU has required, remains to be seen but on the basis of the latest unofficial versions that are circu- lating, the requirement of “ purposes other than the pro- tection of their data ” in order to prove an abusive request, seems to be removed. In which event, em- ployees, for example, could continue to request ac- cesstotheirpersonaldatainthecontextofalitigation with their employer, as also recently confirmed by the Belgian data protection authority too. Conclusion Taken together, the ruling provides controllers with greater clarity on the lawful options available when facedwithplainlyabusive access requests. TheCJEU hassetoutaworkable,ifdemanding,legalframework foridentifyingandrefusingsuchrequests,whilstreaf- firming the fundamental nature of the right of access and the serious consequences of unjustified refusals. Therulingresolvestheprinciplewhilstleavingitsap- plication highly fact-sensitive and dependent on na- tional courts. Itwill fall to the local Court ofArnsberg to resolve the underlying dispute, and how courts across the EUwill apply the established threshold in practice remains tobe seen.What is certain is that the relationship between DSAR and the boundaries of good faithhas entereda newphase. Controllerswho investinrobustDSARprocesses,carefuldocumenta- tion and proportionate decision-making will be best placed tonavigate it. The ruling is equallya reminder to data subjects that rights exercised in bad faith are rights that the lawwill not protect. Vincent WELLENS Partner NautaDutilh Avocats Luxembourg Aline BLEICHER Associate NautaDutilh Avocats Luxembourg GDPR access rights under scrutiny: The boundaries of lawful refusal and the limits of compensation