In March 2023, the CJEU issued an important ruling on the application of the GDPR to civil litigation (Norra Stockholm Bygg, C‑268/21). In summary:

• The GDPR applies to civil proceedings before national courts, including court orders to produce documents containing personal data as evidence.
• Where documents to be produced as evidence were initially created for other purposes, their processing in the context of judicial proceedings constitutes a further processing for a purpose different from the initial purpose. That further processing is likely to constitute a necessary and proportionate measure to protect judicial proceedings or enforcement of civil claims (Article 23(1) GDPR). However, this is for the national courts to determine.
• When considering whether to order the production of documents containing personal data, national courts must also take data subjects’ interests into account by balancing them according to the circumstances of the case, the type of proceeding, and the principles of proportionality and data minimisation, e.g., by considering alternatives such as hearings with selected witnesses or modalities such as pseudonymisation, limiting public access and orders not to use data for other purposes (Articles 5 & 6 GDPR).

Background

These issues relate to a payment dispute between construction company Norra Stockholm Bygg AB (“Fastec”) and its customer Per Nycander AB (“Nycander”). Nycander asked the court to order Fastec to produce its staff register, which Fastec is obliged to maintain under Swedish law for tax purposes.

The case ended up before the Swedish Supreme Court, Fastec arguing that Nycander’s request should be rejected as such a disclosure would breach the GDPR as the requested data was collected for another purpose - i.e., for tax purposes, and not to serve as evidence in a legal dispute.

The Swedish Supreme Court submitted the following questions to the CJEU:

• Does Article 6(4) GDPR impose a requirement on national procedural legislation relating to the obligation to produce documents in court?
• If so, does the GDPR require the court to take into account the interests of the data subjects when deciding on the production of documents which involves the processing of personal data and, in such circumstances, what are the applicable EU law requirements?

Does the GDPR apply to civil disclosure?

The CJEU decided that any processing of personal data, including processing carried out by public authorities such as courts, must be based on a legal ground under Article 6 GDPR.

Interestingly, the CJEU did not examine Article 6(1)(c) GDPR (legal obligations) as a potential legal basis in this context, but only Article 6(1)(e) GDPR (public interest) in combination with Article 6(3). Article 6(3) GDPR indeed provides that EU Member States may adopt more specific provisions regarding personal data processing activities in the public interest, provided that such more specific law meets an objective of public interest and is proportionate to the public interest pursued.

The CJEU also decided that disclosure of the documents was a further processing for the purposes of Article 6(4) GDPR. However, that further processing will be permitted where the processing is based on national law and constitutes a necessary and proportionate measure in a democratic society to safeguard one of the objectives referred to in Article 23(1) of the GDPR. That includes the “protection of judicial independence and judicial proceedings” and the “enforcement of civil law claims”.

This means that national courts must ascertain whether the relevant national provisions related to the production of documents containing personal data in civil court proceedings meet one or more objectives referred to in Article 23(1) of the GDPR and are necessary and proportionate to those objectives.

Here, the CJEU concluded that the Swedish Code of Judicial Procedure satisfies these requirements.

Must civil disclosure consider the interests of data subjects?

The CJEU’s approach to the second question is based on the following reasoning:

• National courts must guarantee the protection of personal data, which is a fundamental right (Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union) and respect for private life (Article 7 of the Charter). However, the right to data protection is not absolute. It must be balanced with other fundamental rights, such as the right to effective judicial protection (Article 47 of the Charter), to which the production of a document containing the personal data of third parties in civil court proceedings contributes.
• According to the principle of “data minimisation” set out in Article 5(1)(c) of the GDPR, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Having regard to the interests involved is part of the examination of the necessity and proportionality of the measure, which are provided for in Articles 6(3) and (4) GDPR.

As a consequence, national courts ordering the production of documents containing personal data must determine whether the production is adequate and cannot be achieved by less intrusive means.

Implications for civil litigation

This decision of the CJEU is likely to be significant. Any civil court considering ordering the production of documents must consider the effect of GDPR, i.e., do the documents contain personal data, and – if so – is the disclosure compliant with the GDPR? Given personal data is broadly defined to include any information relating to an identified or identifiable natural person, this issue is likely to arise frequently.

The party seeking a disclosure order must therefore argue that national procedural law permits disclosure and the disclosure of personal data to the court and the opposing party is adequate, and its purpose cannot be achieved by less intrusive means.

The party opposing the order may well argue that these conditions are not fulfilled and that the request for the production of documents should therefore be totally or partially dismissed.

Resolving this tension may, in some cases, require additional data protection measures such as redacting personal data, restricting the access, or committing to not use the produced data for purposes other than the use of evidence in the case at hand and/or to delete the data afterwards.

The CJEU suggests the use of witness evidence as a less intrusive means of proof than the production of documents containing personal data. The regimes of witness hearings vary between EU Member States. In jurisdictions where these hearings are not common in private law matters, written statements could potentially turn out to be another convenient surrogate to the production of documents.

The position in the UK

The CJEU’s decision post-dates Brexit so is not binding in the UK. While some of the CJEU’s decisions can still be persuasive in the UK, it is not clear this particular decision will have much impact on current practice.

The English Courts have already considered the effect of privacy and data protection laws on civil disclosure on a number of occasions, most recently in Anthony Dixon v North Bristol NHS Trust [2022] EWHC 3127.

That case related to a report on a doctor who was alleged to have improperly carried out mesh surgery. A number of patients brought claims in respect of that surgery and the NHS Trust wanted to disclose a copy of the report as part of voluntary pre-action disclosure and to comply with its statutory duty of candour. The court dismissed the doctor’s object to the disclosure of the report as:

• The NHS Trust had a legal basis for the disclosure either under Article 6(1)(c) UK GDPR (i.e., the legal obligation arising out of the “duty of candour” or the pre-action protocol) or Article 6(1)(e) UK GDPR (particularly given section 8, Data Protection Act 2018 expands the concept of public functions to include the “administration of justice”). The disclosure also fell within the specific exemption for disclosure in legal proceedings in Schedule 2, Paragraph 5(3) of the Data Protection Act 2018.
• On the facts, the use of the report in civil litigation was not incompatible further processing. The report was always potentially going to be used in civil litigation.
• The information in the report should not be withheld on the basis it was inaccurate (Article 5(1)(d) UK GDPR). The report represents the findings of the relevant investigation – the fact the doctor disagreed with those findings did not make them inaccurate.
• The separate claims that disclosure was a breach of confidence and misuse of private information were also dismissed, principally because disclosure for the purposes of litigation is justified (Tournier v National Provincial and Union Bank [1924] 1 KB 461).

While there are likely to be cases in which particularly private information should not be disclosed or should be subject to additional protection (see, for example, in Webster v Ridgeway School [2009] EWHC 1140) these are likely to be the exception rather than the rule. In Dixon, the Court concluded “data protection legislation must be read purposively not mechanically. It does not give a data subject a 'veto' on what data can be disclosed”.