We first reported on this case on 3 March 2023 and have updated this note as more information has come to light.
On 02 March 2023, the EU Court of Justice (ECJ) handed down judgment in a much awaited case – Norra Stockholm Bygg AB – looking at the conflicts between eDiscovery (also called disclosure) and GDPR. The case has some important principles for anyone involved in producing documents to a court which include personal data.
There are some GDPR specific terms in this note which are explained at www.bit.ly/gdprwords.
What was the underlying dispute about?
In simple terms, the case was a construction dispute. A contractor, Norra Stockholm Bygg, sued for the work done on a building project. The customer, Per Nycander, argued that the contractor’s staff had not worked the hours claimed on the project. It asked the Swedish court for an order that a third party processor, Entral, who managed timekeeping for the contractor provide the records either unredacted or with the personal identity number redacted.
The contractor argued that the records — including employees’ names, identity numbers and clock-in and clock-out times — were mainly collected for tax auditing purposes, and so it refused to provide the records, saying that the interests of its employees outweighed the interest of allowing access to the records for their possible evidential value in the dispute.
The court hearing the case ordered Entral to produce the records unredacted and that decision was appealed right up to the Swedish Supreme Court.
The Swedish Supreme Court felt that there was an important matter of EU law to consider and so it referred this aspect of the case to the ECJ for a ruling. Since the case was felt to be of special importance, the ECJ also heard observations from lawyers representing the European Commission, Sweden, the Czech Republic and Poland.
What did the ECJ decide?
The ECJ decided that an individual’s data protection rights must be taken into account when courts consider requesting documents for disclosure in civil cases.
In assessing whether documents containing personal data are ordered for disclosure courts must balance the interests of individuals with the circumstances and type of the case in question and with the data protection law principles of proportionality and data minimization which are set out in GDPR Art. 5.
The ECJ also looked at the need for there to be a lawful basis for any data processing under GDPR Art. 6. The court said:
“Any processing of personal data, including processing carried out by public authorities such as courts, must satisfy the conditions of lawfulness set by Article 6 of the GDPR.”
The ECJ said a court must assess whether the enforcement of a civil law claim justifies the processing of personal data “for a purpose other than that for which they have been collected. In this assessment, it must consider whether the processing is “necessary and proportionate” and whether an individual’s right to effective judicial protection is respected.
The ECJ said that a national court must consider the GDPR requirement for data minimisation and whether “additional data protection measures, such as the pseudonymization” of personal information, could be applied. Even if the court does order personal data to be produced, it should also give consideration as to how that is used – for example by ordering that public access to the data is limited or ordering receiving parties only to use the data for the purposes of evidence in the case at issue.
The ECJ effectively said that any assessment by the court will be fact specific:
“That assessment may, depending on the case, lead it to authorize the full or partial disclosure to the opposing party of the personal data thus communicated to it, if it finds that such disclosure does not go beyond what is necessary [to guarantee the fundamental right to effective judicial protection]”.
What about the court’s position when making an order?
When the ECJ looks at cases like this the court’s judgment is preceded by an opinion of one of the court’s Advocate-Generals who looks at the legal issues involved. In this case the opinion of A-G Ćapeta was delivered on 6 October 2022. Part of the A-G’s opinion concentrated on this aspect and how the court could itself become a data controller by directing that personal data be disclosed.
As a data controller the court would have to ensure its own compliance with GDPR. The ECJ confirmed that the production of personal data following a court order also counts as processing under GDPR:
“It follows that a processing operation which falls within the material scope of the GDPR includes not only the creation and maintenance of the electronic staff register but also the production as evidence of a document whether digital or physical, containing personal data, ordered by a court in the context of judicial proceedings … it must be pointed out that any processing of personal data, including processing carried out by public authorities such as courts, must satisfy the conditions of lawfulness set by Art. 6 of GDPR.”
The court must also ensure that it has a lawful basis for processing the data. The processing of that personal data must also be necessary and proportionate. We have had cases on necessity before and that is likely to be a high bar. It is a higher test than convenience. The court will also need to balance the rights of individuals including their GDPR rights and the right to respect for an individual’s private life. So a court will also have to make sure it has conducted the necessity and proportionality tests before making an order which includes the production of personal data.
Courts have previously been sanctioned under GDPR for their breaches – for example in January 2023 the Polish DPA fined the Szczecin District Court for its failure to meet its obligations as a data controller. The prospect of courts being sanctioned may well be a concern to some courts and judges, especially those in the US where some courts have not shown too much concern about the GDPR implications for the parties. Having the court possibly be subject to sanction in the EU may give greater cause for concern.
Is pseudonymisation difficult?
Yes, the process of pseudonymisation is often difficult to achieve in practice. It is important to note that pseudonymising the data will not take it outside the protection of GDPR but it may provide some protection to the individuals involved. Pseudonymisation may include redacting the employee’s names although in practice more steps will usually need to be taken to reduce the chances of an employee being identified – for example if there was only one employee working on site on a particular day even redacting their name will still make them identifiable.
The ECJ also recognised the difficulties:
“In that regard it should be noted that … pseudonymised personal data which could be attributed to a natural person with the use of additional information should be considered to be information on an identifiable natural person, to which the principles of data protection apply.”
It is also worth remembering that once data has been pseudonymised attempting to re-identify an individual from that data could be a criminal offence in the UK under s.172 of the Data Protection Act 2018 (see our note on that here https://www.corderycompliance.com/client-alert-data-protection-act-2018/).
Will this lead to more litigation?
Possibly. Data protection litigation is on the rise in Europe. Now that the ECJ has re-established the need for a balancing test we may see more individuals taking action saying that their rights have not been properly considered. We may also see individuals seeking to block data being transferred to a third party on the basis that the proper balancing test has not been conducted.
What happens next?
The Swedish court will now take the ECJ’s judgment into account when ruling on the case.
The case reinforces the need for parties to litigation (or requests to produce documents to government agencies or third parties in investigations or arbitrations) to fully consider the GDPR implications of their actions. In particular they may want to:
- Review the six principles relating to the processing of personal data in GDPR Art. 5. They will want to make sure that data is being processed fairly and lawfully and that they are being transparent with data subjects. They will also want to make sure that the data being processed is minimised. In practical terms, this may mean taking more care and attention over the nature of the evidence sought – what is the minimum amount of data a party needs to prove its case? Any fishing expedition which includes personal data is likely to be knocked back.
- Consider having independent counsel look at the nature of the request and the GDPR issues involved.
- Consider preparing a Data Protection Impact Assessment (DPIA) to look at the expected data processing, the risks of that processing and the steps that can be taken to mitigation that risk.
- Remind recipients of data that they have obligations too. This might include reminding a court that they could become a data controller under GDPR even if the court is based outside the EU/UK.
- Looking at their transparency obligations up front. This may involve changing employment contracts or notices to explain to employees that their data may need to be shared in court proceedings.
Cordery provides advice on a wide range of data protection mattes including issues relating to eDiscovery to a wide range of clients including other law firms. You can find out more about some of our recent data protection work here https://www.corderycompliance.com/data-protection-privacy/.
You can read the judgment here https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0268.
s.171 Data Protection Act 2018 is here http://bit.ly/3ZVM64y.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|Office: +44 (0)207 075 1784
|Office: +44 (0)207 075 1785