In March 2023, the CJEU issued an important ruling on the application of the GDPR to civil litigation (Norra Stockholm Bygg, C‑268/21). In summary:
These issues relate to a payment dispute between construction company Norra Stockholm Bygg AB (“Fastec”) and its customer Per Nycander AB (“Nycander”). Nycander asked the court to order Fastec to produce its staff register, which Fastec is obliged to maintain under Swedish law for tax purposes.
The case ended up before the Swedish Supreme Court, with Fastec arguing that Nycander’s request should be rejected because such a disclosure would breach the GDPR: the requested data was collected for another purpose, i.e., for tax purposes, and not to serve as evidence in a legal dispute.
The Swedish Supreme Court submitted the following questions to the CJEU:
The CJEU decided that any processing of personal data, including processing carried out by public authorities such as courts, must be based on a legal ground under Article 6 GDPR.
Interestingly, the CJEU did not examine Article 6(1)(c) GDPR (legal obligations) as a potential legal basis in this context, but only Article 6(1)(e) GDPR (public interest) in combination with Article 6(3). Article 6(3) GDPR indeed provides that EU Member States may adopt more specific provisions regarding personal data processing activities in the public interest, provided that such more specific law meets an objective of public interest and is proportionate to the public interest pursued.
The CJEU also decided that disclosure of the documents was a further processing for the purposes of Article 6(4) GDPR. However, that further processing will be permitted where the processing is based on national law and constitutes a necessary and proportionate measure in a democratic society to safeguard one of the objectives referred to in Article 23(1) of the GDPR. That includes the “protection of judicial independence and judicial proceedings” and the “enforcement of civil law claims”.
This means that national courts must ascertain whether the relevant national provisions related to the production of documents containing personal data in civil court proceedings meet one or more objectives referred to in Article 23(1) of the GDPR and are necessary and proportionate to those objectives.
Here, the CJEU concluded that the Swedish Code of Judicial Procedure satisfies these requirements.
The CJEU’s approach to the second question is based on the following reasoning:
As a consequence, national courts ordering the production of documents containing personal data must determine whether the production is adequate and cannot be achieved by less intrusive means.
This decision of the CJEU is likely to be significant. Any civil court considering ordering the production of documents must consider the effect of GDPR, i.e., do the documents contain personal data, and – if so – is the disclosure compliant with the GDPR? Given personal data is broadly defined to include any information relating to an identified or identifiable natural person, this issue is likely to arise frequently.
The party seeking a disclosure order must therefore argue that national procedural law permits disclosure, that the disclosure of personal data to the court and the opposing party is adequate, and that its purpose cannot be achieved by less intrusive means.
The party opposing the order may well argue that these conditions are not fulfilled and that the request for the production of documents should therefore be totally or partially dismissed.
Resolving this tension may, in some cases, require additional data protection measures such as redacting personal data, restricting access, or committing not to use the produced data for purposes other than as evidence in the case at hand and/or to delete the data afterwards.
The CJEU suggests the use of witness evidence as a less intrusive means of proof than the production of documents containing personal data. The regimes of witness hearings vary between EU Member States. In jurisdictions where these hearings are not common in private law matters, written statements could potentially turn out to be another convenient substitute for the production of documents.
The CJEU’s decision post-dates Brexit so is not binding in the UK. While some of the CJEU’s decisions can still be persuasive in the UK, it is not clear this particular decision will have much impact on current practice.
The English Courts have already considered the effect of privacy and data protection laws on civil disclosure on a number of occasions, most recently in Anthony Dixon v North Bristol NHS Trust [2022] EWHC 3127.
That case related to a report on a doctor who was alleged to have improperly carried out mesh surgery. A number of patients brought claims in respect of that surgery and the NHS Trust wanted to disclose a copy of the report as part of voluntary pre-action disclosure and to comply with its statutory duty of candour. The court dismissed the doctor’s objection to the disclosure of the report as:
While there are likely to be cases in which particularly private information should not be disclosed or should be subject to additional protection (see, for example, Webster v Ridgeway School [2009] EWHC 1140), these are likely to be the exception rather than the rule. In Dixon, the Court concluded “data protection legislation must be read purposively not mechanically. It does not give a data subject a 'veto' on what data can be disclosed”.