The recent case of Norra Stockholm Bygg represents another important data protection decision from the ECJ. The decision addresses the application of the General Data Protection Regulation (‘GDPR’) to Member State courts when they are handling personal data, and therefore has important practical significance for civil procedure in all Member States. Domestic courts are now required to have regard to the data protection interests of data subjects when making civil orders which may involve the disclosure of personal data. Moreover, the ECJ’s approach to the legality of such processing offers the first judicial interpretation of Article 6(4) of the GDPR, the potential for lawful ‘incompatible further processing’.
Background and preliminary ruling request
This referral comes from the Supreme Court of Sweden, in the context of a civil dispute between Norra Stockholm Bygg AB (‘Fastec’) and Per Nycander AB (‘Nycander’) over payments for the construction of an office building. The amount owed was in dispute, in particular the number of hours worked. Nycander wanted access to an electronic staff register which recorded the presence of Fastec’s workers on the construction site. The register was compiled to comply with Swedish tax law, and was held by a third party (Entral AB) on behalf of Fastec. When Nycander sought access to the register by way of court order, Fastec opposed this disclosure on the grounds that the register was personal data and disclosure was contrary to the GDPR. Initially the disclosure order was granted, but a number of appeals ensued until it reached the Supreme Court.
In Sweden, documentary evidence is governed by Chapter 38 of the rättegångsbalken (the Swedish Code of Judicial Procedure) (para. 9). The referring court explained that in determining whether evidence should be produced, a weighing process is conducted between the relevance of the evidence and the opponent’s interest in not releasing that information (para. 22). No account is taken of any privacy interest in the contents of the document, or other persons’ interest in access to the document’s content (para. 23). This engaged questions of the applicability of the GDPR, and the questions were framed in terms of Article 6 of the GDPR.
The referring court thus asked two questions of the ECJ, as follows:
- Does Article 6(3) and (4) of the GDPR also impose a requirement on national procedural legislation relating to [the obligation to produce documents]?
- If Question 1 is answered in the affirmative, does the GDPR mean that regard must also be had to the interests of the data subjects when a decision on [production] must be made which involves the processing of personal data? In such circumstances, does EU law establish any requirements concerning how, in detail, that decision should be made?
Thus, this case primarily concerns Article 6 of the GDPR. As an introduction, Article 6 requires all processing activities by a regulated entity (a ‘data controller’) to satisfy at least one of a set number of legal bases in order for their processing to be lawful. Thus, broadly, processing is said to be lawful if the controller can demonstrate one of the following: consent, contractual necessity, compliance with a legal obligation, vital interests, public interest or exercise of official authority, or legitimate interests (Article 6(1), GDPR). Article 6(3), GDPR prescribes that processing on the basis of legal obligation or public interest or official authority must be founded on EU or Member State law, and sets out requirements about the nature of such laws. Article 6(4) is a novel addition to the GDPR, not found in the previous Data Protection Directive. Article 6(4) concerns further processing of personal data for a new purpose, and offers a test of compatibility for when processing is regarded as compatible with the purpose for which the data were initially collected. As we shall see, the ECJ approaches Article 6(4) as effectively creating an additional means of lawfully processing beyond those in Article 6(1), in narrow cases based on consent or EU or Member State law.
Question 1: The application of the GDPR to civil court proceedings
First, the ECJ confirmed that the GDPR applies to the processing of personal data in civil court proceedings, following its ruling in Autoriteit Persoonsgegevens. The ECJ held that the production of the register as evidence ordered by a court in judicial proceedings fell within the material scope of the GDPR (para. 28). Accordingly, any processing of personal data, ‘including processing carried out by public authorities such as courts’ must satisfy the requirements of Article 6 (para. 29).
Initially, the ECJ looks to the ground of public interest or official authority. This allows the processing where it is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (Article 6(1)(e), GDPR). Such processing in the public interest or based on official authority must be laid down by EU or Member State law, per Article 6(3), GDPR, and the law in question must ‘meet an objective of public interest and be proportionate to the legitimate aim pursued.’ Thus, the ECJ finds that Chapter 38 of the Swedish Code of Judicial Procedure which ‘lay[s] down the obligation to produce a document as evidence and provide for the possibility for national courts to order the production of that document,’ provides the legal basis for processing (para. 34).
Moreover, because the data was not originally collected for the purpose of judicial proceedings, but for tax compliance, the ECJ also looks to Article 6(4), GDPR. Article 6(4) of the GDPR provides a set of compatibility conditions that the data controller must take into account when processing for new purposes, but it does not apply where processing is justified on consent or an EU or Member State law ‘which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1).’ The ECJ interprets this first clause of Article 6(4) which provides for the scope of its application as creating a rule. The ECJ finds that ‘it follows from Article 6(4) of the GDPR, read in the light of recital 50 thereof, that such processing is allowed provided it is based, inter alia, on Member State law and that it constitutes a necessary and proportionate measure in a democratic society to safeguard one of the objectives referred to in Article 23(1) of the GDPR’ (para. 33).
Therefore, in order to engage in further processing of the data (seemingly both the ordering and complying with a civil order) the ECJ finds the appropriate legal basis under the Swedish Code of Judicial Procedure, but only if that Code is pursuing an objective recognised under Article 23(1) and is necessary and proportionate to those objectives. The relevant objectives in this instance are named as ‘the protection of judicial independence and judicial proceedings’ and ‘the enforcement of civil law claims’ (Article 23(1)(f) and 23(1)(j), GDPR). The ECJ confirms that this objective of protecting judicial independence and judicial proceedings also includes ‘the proper administration of justice’, and that ‘[i]t cannot be ruled out that the processing of personal data of third parties in civil court proceedings may be based on such objectives’ (para. 38).
The proportionality analysis is then referred back to the Swedish court. The ECJ confirms that the GDPR applies to the production of evidence of the staff register, but it is for the Swedish court to determine if the Swedish Code of Judicial Procedure satisfies one of the Article 23(1) objectives, and is proportionate to those objectives, such that it can render the processing lawful under Article 6, GDPR.
Question 2: The obligation to consider data subjects when making civil production orders
Having determined the GDPR applied to the making of an evidence production order, the ECJ then had to address the nature of the obligation of the national court to consider the affected data subjects. First, the ECJ points to the general requirements to satisfy the data protection principles, data subject rights and to have a legal basis for processing under Article 6 (paras. 43-44).
Importantly, the ECJ characterises the legal basis as falling under Articles 6(3) and 6(4), finding that the rules of the Swedish Code of Judicial Procedure: ‘are capable of falling within the scope of cases of personal data processing regarded as lawful under the provisions of Article 6(3) and (4) of the GDPR, read in combination with Article 23(1)(f) and (j) thereof’ (para. 45). This reading of Article 6 has important consequences, as I will discuss further below: it indicates an additional means of lawfully processing data beyond initial purposes, and also a narrow understanding of the legal basis available to the national court.
The obligations of the national court are then framed in a novel manner, as a balancing test is created in which the court must weigh the data protection interests of any affected data subjects when making an evidence disclosure order. Because the lawful basis is characterised as grounded in ‘a necessary and proportionate measure in a democratic society and safeguards the objectives referred to in Article 23 of the GDPR which it pursues,’ the ECJ suggests the national court is to engage in a balancing test. The national court is required to consider opposing interests in assessing whether to produce a document containing personal data of third parties, which should be weighed on a case-by-case basis (paras. 46-47). The ECJ acknowledges the competing interest of the parties in a right to effective judicial protection, and that ‘the parties to civil court proceedings must be in a position to access the evidence necessary to establish to the requisite standard the merits of their complaints, which may possibly include personal data of the parties or of third parties’ (para. 53). In order to accommodate a proportionality-based assessment, the ECJ finds that national courts should have regard to the principle of data minimisation, which the ECJ says ‘gives expression to the principle of proportionality’ (para. 54). The national court should consider whether ‘less intrusive means’ of disclosure are possible, such as by pseudonymising the data, ‘limiting public access to the file’, or an order to the parties not to use the data for other purposes (paras. 55-56). The national court may require that the personal data be provided to the court, so that it might conduct the proportionality test itself in full knowledge of the facts in question (para. 58).
There is much to discuss in a judgment like Norra Stockholm AG, but I will focus on two elements. First, this judgment has important consequences for the interpretation of Article 6, GDPR. Second, the application of EU data protection law to the actions of the national judiciary in this manner may have very far-reaching consequences, but there are significant gaps in the judgment.
First, this judgment is the first interpretation of Article 6(4), GDPR. Some important consequences flow from the Court’s decision, but it is unfortunate that there are places where the reasoning is questionable.
Significantly, the ECJ seems to confirm the position that Article 6(4) of the GDPR creates an additional means to legitimate processing for purposes which are regarded as incompatible with the original purpose of collection, grounded in a Member State or EU law or consent. This had been previously suggested by Kotschy as taking the form of a justifiable limitation of the purpose limitation principle (The EU General Data Protection Regulation: A Commentary, p. 343), though in this case the ECJ seems to use it as a broader stamp of general legality. It states ‘[i]t follows from Article 6(4) of the GDPR that such processing of personal data is lawful provided that it constitutes a necessary and proportionate measure in a democratic society and safeguards the objectives referred to in Article 23 of the GDPR which it pursues’ (para. 46).
Unfortunately, the identity of the relevant data controller (the national court or Fastec, the party required to disclose the data) is continually conflated in the judgment, which causes some difficulties in discerning the respective obligations. Nevertheless, the ECJ seems to suggest that the legality of the processing by both parties is grounded in Article 6(4) (paras. 41, 45). This contrasts with the Advocate General’s Opinion. The Advocate General pointed to Article 6(4) legitimating the ‘further’ processing by Fastec for a new purpose, but separately pointed to Article 6(1)(e), or the official authority of the national court, as justifying its processing of the data in making the disclosure order (paras. 35-42). Alas, this clarity is not to be found in the ECJ judgment. Rather, the logical implication of the ECJ’s reliance on Article 6(4) for both Fastec and the national court is that the ECJ regards both parties to be engaged in ‘incompatible’ further processing of personal data. This has significant consequences, as it represents a very strict understanding of compatible processing, and suggests that ‘collection’ of data occurs only once and is not relative to the controller in question. In other words, when the national court makes its order regarding the data, it is not ‘collecting’ the data afresh for a purpose to be grounded in Article 6(1), but rather the compatibility of the court’s use must be judged by reference to the original collection by Fastec for tax purposes.
Second, this case suggests that the data protection interests must now be weighed in the exercise of judicial authority in civil litigation.
The applicability of the GDPR to judicial authorities is not a grand surprise. This is suggested in the language of the GDPR (Recital 20, Article 55(3)) and had already been confirmed in Autoriteit Persoonsgegevens. However, Autoriteit Persoonsgegevens concerned a much narrower case—that of the judiciary releasing data to journalists for publication. Norra Stockholm AG, on the other hand, confirms that the GDPR extends to all personal data processed in the course of civil litigation. In framing the judiciary’s obligations in a novel manner, the case suggests that the judiciary must consider the interests of any data subjects whose data might be relevant to that dispute. This case suggests that civil procedure rules themselves may need to be reinterpreted or even changed to accommodate the right to data protection.
Given the far-reaching consequences, other silences by the ECJ are troubling. There is no clarity on the status of the national court as a controller, but it is implicit in the reasoning. By contrast, the Advocate General explicitly found that the national court ‘becomes the data controller’ (para. 22). Nevertheless, the requirement to satisfy Article 6 is a responsibility which attaches to a data controller, thus the judgment implies that the ECJ considers the national court to be a data controller. If this is the case, then what about the other obligations of a controller? Is the national court bound to notify the affected data subjects who are the subject of a disclosure in civil proceedings? If they are not party to the proceedings this may be practically very onerous. The principle of data minimisation is mentioned, but what about the other principles? We are left without answers.
This judgment represents an important first illustration of the operation of Article 6(4) of the GDPR, and when processing is to be regarded as ‘incompatible’ with the purposes for which the data were originally collected. Yet the Article 6 analysis is far from entirely clear, and the uncertainties which it creates seem bound to lead to future referrals to the ECJ for clarification.
Moreover, this is a case of significant practical importance, as it represents a clash between civil procedure rules and data protection. In any dispute regarding an exchange of evidence, litigators are now armed with a new tool to resist disclosure – interference with the rights of data subjects mentioned in any documentation. Given the acknowledged important rights and interests at play—the right to a fair trial, the administration of justice, and the right to protection of personal data—the piecemeal understanding of the data protection obligations of the judiciary is unfortunate.