Introduction
Earlier this year a Scottish court looked at the potential conflicts between litigation and GDPR. The case concerns an Employment Tribunal case where a manager was alleged to have called an employee a “f****** retard.” The manager effectively said that GDPR entitled him to take part in the proceedings. As a result, the court had to look at the conflicts between GDPR and litigation.
There are some GDPR specific terms in this note which are explained at www.bit.ly/gdprwords
Conflicts between GDPR and litigation
This isn’t the first case looking at the conflicts between GDPR and litigation. For example the ECJ recently looked at the conflicts between GDPR obligations and eDiscovery in the Norra Stockholm Bygg case. We wrote about that case here https://www.corderycompliance.com/ec-gdpr-0323-1/.
In addition the Irish DPA, the Data Protection Commission, has warned of the dangers of mixing up the right of data access under GDPR and the discovery process in litigation. You can read the DPC’s blog here https://twitter.com/dpcireland/status/1655901176422883328?s=12
What was the case about?
The case, Courtney Timoney Riley vs. The Student Housing Company (Ops) Ltd [2023] SC DNF 7, concerned Employment Tribunal (ET) proceedings which were reported in The Scottish Sun in March 2022. You can read the original article here https://bit.ly/3o6Ndkj. Riley had worked for The Student Housing Company until 31 December 2019 when his employment had been terminated.
Riley had been the line manager of Conor Adamson and Adamson made a number of complaints against Riley and other members of staff. Adamson said that Riley had used derogatory language which referred to his disability. Adamson’s tribunal claim was successful and he was awarded £9,500. In the written decision of the ET Riley was referred to on 162 occasions.
The Sun covered the tribunal case under the heading “VILE JIBE: Disabled Scots janitor wins £10k in compensation after colleague called him a f****** retard.” Riley was mentioned six times in The Sun’s article.
What was the GDPR claim about?
In simple terms, Riley claimed that his former employer should have told him about the ET proceedings, provided him with copies of the tribunal bundles, asked him to comment on the allegations that had been made against him and invited him to provide a witness statement to be put to the ET. The judge summarised his main claim as follows:
“The pursuer’s position is that the defender’s failure to take these steps constituted a breach of its duty to process his personal data fairly and transparently, in terms of [GDPR] Article 5(1)(a). It also amounted to a breach of the requirement not to process data in a way that is incompatible with the purpose for which it was collected, in terms of [GDPR] Article 5(1)(b).”
What did Riley want?
Riley sued for £75,000. He brought a claim for distress and anxiety. He also said that his employment prospects had been impacted.
What was the principal issue at stake?
The principal issue was whether the former employer was exempted from its duty to comply with the two provisions on which the Riley’s claim was based, GDPR Article 5(1)(a) and GDPR Article 5(1)(b). Paragraph 5(3) of Schedule 2 of the Data Protection Act 2018 says that in some circumstances relating to legal proceedings data controllers are exempted from complying with a number of data protection principles, known as “the listed GDPR provisions.”
Paragraph 5(3) says this in the following terms:
“The listed GDPR provisions do not apply to personal data where disclosure of the data—
- is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
- is necessary for the purpose of obtaining legal advice, or
- is otherwise necessary for the purposes of establishing, exercising or defending legal rights, to the extent that the application of those provisions would prevent the controller from making the disclosure.”
The debate centred on the closing words of Paragraph 5(3) of Schedule 2, which say that the listed GDPR provisions do not apply:
“to the extent that the application of those provisions would prevent the controller from making the disclosure.”
What did the Judge decide?
On the fairness point, the judge said:
“I express no opinion on what the defender should in fact have done in order to comply with the principle of fairness and transparency, as this is not the issue before me.”
The judge said that using the first principle (in GDPR Art. 5(1)(a)) to give anyone mentioned in proceedings an unfettered right to insist on the right to appear in those proceedings would conflict with the right of litigants to decide how to conduct their case. He said:
“In an adversarial system each party enjoys the right to choose whom to call as witnesses; and may decide not to cite a potential witness if, for example, there is a concern that the witness might be found not to be credible or reliable. This is as true of a case involving vicarious liability for the alleged actions of a non-party as of any other case: the defender is under no obligation to call the alleged wrongdoer as a witness.”
He said that it would not be consistent with the right to a free trial to make a litigant “look in two directions” essentially at the running of their case and subjecting their case to harm to appease GDPR rights. He said that the purpose of the exemption in GDPR was to ensure that a litigant’s duties as a data controller do not impinge on its right to a fair trial.
What can courts do?
The Sheriff said that in some respects courts could help parties by anonymising judgments. He looked at a number of recent Scottish cases where this had been done. He said:
“As a matter of practice, therefore, the power of the court (or tribunal) to anonymise a judgment appears to be the procedural means by which the right of a data subject to privacy and confidentiality may be afforded appropriate protection.”
We’d mention in passing that in our experience anonymity in cases like this is not as easy to achieve as it might appear. In our experience pseudonymising a data subject’s data might be more achievable. Even so the risks of a publication like The Sun reversing that pseudonymisation should be taken into account. But just because anonymisation and pseudonymisation are difficult that doesn’t mean you shouldn’t try. A recent English case – Ali v Chief Constable of Bedfordshire seems to confirm that too. In that case a police force was ordered to pay damages after it failed to consider the need to anonymise data even though some people may have been able to guess who the anonymised individual was. In addition, reversing anonymised or pseudonymised data can be a criminal offence under s.171 Data Protection Act 2018 (see https://www.corderycompliance.com/client-alert-data-protection-act-2018/) although regrettably some newspapers are prepared to commit criminal acts for a story.
What about damages?
The judge was also sceptical about the £75,000 claim. He said:
“No breakdown of this figure is given. Counsel submitted that the pursuer seeks compensation for distress and anxiety but does not explain how this was caused or how it is to be valued … The figure of £75,000 hangs in a vacuum, unsupported by explanatory averments or calculations under either of the heads of claim…For the reasons given above, I conclude that: (i) the defender was exempted from having to comply with Article 5(1)(a) and Article 5(1)(b) by virtue of Paragraph 5(3) of Schedule 2; (ii) the pursuer’s averments regarding the data involved are so lacking in specification as to be irrelevant; and (iii) the pursuer’s averments are insufficient to enable him to prove that any material or non-material damage that he suffered was caused by the defender’s alleged infringement, for the purposes of Article 82(1) and Article 82(2). Accordingly, the pursuer’s case is irrelevant.”
Practical Tips
This case doesn’t mean that employers have a free-for-all with employees or former employees when defending ET proceedings. Like the Norra Stockholm Bygg case it stresses that there will need to be a balancing act. ‘Necessity’ is often a high bar and so employers (and other litigants) will have to think carefully when balancing the conduct of the litigation with the GDPR rights of those motioned in the case.
Litigants might want to consider:
- Reviewing the six principles relating to the processing of personal data in GDPR Art. 5. They will want to make sure that data is being processed fairly and lawfully and that they are being transparent with data subjects. They will also want to make sure that the data being processed is minimised. In practical terms, this may mean taking more care and attention over the nature of the evidence sought – what is the minimum amount of data a party needs to prove its case?
- Consider having independent counsel look at the rights of people mentioned in the case (such as former employees) and the GDPR issues involved.
- Consider preparing a Data Protection Impact Assessment (DPIA) to look at the expected data processing, the risks of that processing and the steps that can be taken to mitigate that risk (such as pseudonymising details for any judgment handed down).
- Remind recipients of data that they have obligations too. This might include reminding a court, tribunal or the other side in litigation that they could become a data controller under GDPR.
- Looking at their transparency obligations up front. This may involve changing employment contracts or notices to explain to employees that their data may need to be shared in court or tribunal proceedings.
More Information
The judgment is here https://www.bailii.org/scot/cases/ScotSC/2023/2023_SC_DNF_7.html.
The judgment in Ali v Chief Constable of Bedfordshire [2023] EWHC 938 (KB) is here https://www.bailii.org/ew/cases/EWHC/KB/2023/938.html.
We are grateful to Stuart Duffy for bringing the case to our attention.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
Office: +44 (0)207 075 1784 | Office: +44 (0)207 347 2365 | |
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
![]() |
![]() |