Taking the temperature of data protection and disclosure
The approach taken by the US Bankruptcy Court in Re Celsius Network LLC to data protection directly contrasts with that taken by Advocate General Ćapeta of the CJEU in Norra Stockholm Bygg AB v Per Nycander AB. In that case, AG Ćapeta opined that EU national courts ordering disclosure in civil proceedings which would involve the processing of personal data are data controllers of that personal data. As such, before making a disclosure order, national courts must conduct a proportionality analysis in accordance with the GDPR that takes into account the interests of data subjects.
What approach would the English courts take in each instance? And could the decisions impact the EU’s assessments of whether the US and the UK provide adequate levels of protection for personal data?
On 7 October 2022, President Biden issued an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (the Order).
In 2020 the Court of Justice of the European Union (the CJEU) ruled that transferring personal data from the EU to the US under the previous “EU-US Privacy Shield” adequacy decision would not comply with the General Data Protection Regulation (the GDPR). The aim of the Order is to implement a new “Trans-Atlantic Data Privacy Framework” to address the concerns that gave rise to that ruling.
The UK welcomed the release of the Order, and also announced its own “Comprehensive Dialogue on Technology and Data” with the US to address similar adequacy concerns.
The current lack of adequacy decisions by the EU and the UK has meant that companies looking to transfer data to the US have to do so via other means (such as by using Standard Contractual Clauses) to ensure adequate protection of personal data in accordance with the GDPR and UK GDPR.
The hope is that the Order will lay the groundwork for new adequacy decisions for transfers to the US which can withstand legal challenge. Common adequacy decisions by the EU and the UK in respect of the US should also help smooth the way for continued mutual adequacy decisions between the UK and the EU, despite proposed changes to the UK data protection regime.
In a Fact Sheet accompanying the Order, the White House said that the new Framework “underscores our shared commitment to privacy [and] data protection” and “reflects the strength of the enduring EU-US relationship based on our shared values”. A joint US and UK press release shared a similar message: “trust in the use of data fuels our respective economies, societies, shared values, and in realizing a more peaceful and prosperous future”.
However, two recent court opinions in the EU and US cast doubt on how far those “shared values” between the EU and US really extend when it comes to data protection considerations in the context of disclosure during civil litigation. The directly contrasting approaches taken in each case – and the way in which the English courts might approach similar matters – could impact future adequacy decisions by the EU.
On 28 September 2022, the US Bankruptcy Court for the Southern District of New York issued an opinion in Re Celsius Network LLC et al. The court refused a request from crypto-lending platform Celsius to redact all personally identifiable data from a public list of “creditors” it was required to file with the court in the course of its Chapter 11 bankruptcy proceedings.
The list of “creditors” was in fact a list of Celsius’s customers, for reasons related to the nature of Celsius’s business model and how it classified its users. The court’s refusal to approve the requested redactions therefore resulted in the names of approximately 500,000 customer accounts, together with their transaction details for April to June 2022, being publicly disclosed.
Celsius had asked the court to, among other things, redact the names, home addresses, telephone numbers and email addresses of any citizens of the UK or the EEA on the list, on the grounds that disclosing that information risked violating the UK GDPR and the GDPR. Celsius argued that the rights and freedoms of its customers overrode any legitimate interest in making the personal data publicly available.
Following objections raised by the Office of the US Trustee, the court ruled that only home addresses, telephone numbers and email addresses should be redacted; names and transaction details should remain unredacted. The court decided that Celsius had “failed to show that public disclosure of UK or EU citizens personal data in violation of the UK GDPR or EU GDPR would constitute an unlawful injury to those individuals” and that it was not convinced, beyond mere speculation, that disclosure of customer names alongside their transaction details “presents an imminent risk of harm”.
The judgment has been widely condemned by the crypto community because the unredacted names can be matched with the dates and amounts of transactions recorded on public blockchains. Because the payment amounts in the filing are often unique, the file does more than link identifiable individuals to Celsius transactions: it allows those individuals to be identified on-chain and their funds traced across blockchains. That represents a heightened risk of scams or even physical threats to the named individuals, albeit the US court was not convinced that such threats were reasonably likely.
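To make the re-identification risk concrete, the following is an added illustration that is not part of the original article and does not use any real Celsius data: all names, amounts, dates and transaction identifiers are constructed. It joins a small "published creditor list" to a small "public ledger" on exact amount within a date window, reports which rows match exactly one transfer, and then re-runs the join with amounts coarsened to two decimal places to show how publishing less precise figures would have reduced the number of uniquely linkable customers. The function and field names are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample of a public creditor list. Names, dates and amounts are
# invented for this illustration; none of it is taken from the Celsius filing.
FILING = [
    {"name": "Customer A", "date": date(2022, 5, 3), "amount": Decimal("0.73412")},
    {"name": "Customer B", "date": date(2022, 5, 3), "amount": Decimal("1.00000")},
    {"name": "Customer C", "date": date(2022, 6, 17), "amount": Decimal("2.48159")},
]

# Constructed stand-in for public on-chain transfers (txid, date, amount, address).
LEDGER = [
    {"txid": "tx-001", "date": date(2022, 5, 3), "amount": Decimal("0.73412"), "to": "addr-9f1"},
    {"txid": "tx-002", "date": date(2022, 5, 3), "amount": Decimal("1.00000"), "to": "addr-2ab"},
    {"txid": "tx-003", "date": date(2022, 5, 4), "amount": Decimal("1.00000"), "to": "addr-77c"},
    {"txid": "tx-004", "date": date(2022, 6, 17), "amount": Decimal("2.48159"), "to": "addr-e40"},
    {"txid": "tx-005", "date": date(2022, 5, 3), "amount": Decimal("0.73001"), "to": "addr-c3d"},
]


def _key(amount, precision):
    """Amount as it would appear if published exactly (precision=None) or
    coarsened to a fixed number of decimals (precision="0.01", for example)."""
    return amount if precision is None else amount.quantize(Decimal(precision))


def link_by_amount(filing, ledger, window_days=1, precision=None):
    """Join filing rows to ledger transfers on (possibly coarsened) amount,
    keeping only transfers dated within `window_days` of the filing row.
    Returns {name: sorted list of matching txids}."""
    by_amount = defaultdict(list)
    for tx in ledger:
        by_amount[_key(tx["amount"], precision)].append(tx)
    links = {}
    for row in filing:
        candidates = by_amount.get(_key(row["amount"], precision), [])
        links[row["name"]] = sorted(
            tx["txid"] for tx in candidates
            if abs((tx["date"] - row["date"]).days) <= window_days
        )
    return links


def uniquely_linked(filing, ledger, window_days=1, precision=None):
    """Names whose published amount matches exactly one ledger transfer: these
    are the rows an observer can tie to a specific on-chain address."""
    links = link_by_amount(filing, ledger, window_days, precision)
    return {name for name, txids in links.items() if len(txids) == 1}


if __name__ == "__main__":
    # With exact amounts, A and C are uniquely identified; B's round-number
    # payment is ambiguous. Coarsening to two decimals leaves only C unique.
    print("exact amounts:", sorted(uniquely_linked(FILING, LEDGER)))
    print("2dp amounts:  ", sorted(uniquely_linked(FILING, LEDGER, precision="0.01")))
```

On real data the join would also use timestamps, known exchange hot-wallet addresses and clustering heuristics, but the mechanism is the same: the more precise and unusual the published figure, the fewer candidate transfers it matches and the more reliably a name can be tied to an address.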
A week or so later, AG Ćapeta issued her advisory opinion to the CJEU in Norra Stockholm Bygg AB v Per Nycander AB.
The dispute concerns the price due for the construction of an office building. Nycander challenged Norra’s payment request on the grounds that Norra spent less time on the project than it was claiming payment for. To prove its case, Nycander requested disclosure of a staff register maintained by a third party, Entral, on Norra’s behalf for tax purposes. Norra asked the Högsta domstolen (the Swedish Supreme Court) to reject Nycander’s request, or to at least order that only an anonymised version of the register be disclosed, on the grounds that disclosing the full register would breach the GDPR because the data was not collected for the purposes of the litigation.
The Högsta domstolen asked the CJEU for guidance as to whether and, if so, how the GDPR applies to courts weighing up making disclosure orders in civil proceedings.
Although AG Ćapeta’s opinion is non-binding and the CJEU may decide not to follow it in its final decision, it contains two key conclusions.
- When determining whether to issue disclosure orders in civil proceedings which would involve the processing of personal data, EU national courts are subject to both their own national civil procedural rules and the GDPR in parallel.
That means national courts must “respect the rules of the GDPR when deciding on the disclosure of documentary evidence in an individual case”.
- In ordering the disclosure of personal data in civil proceedings other than for the purposes it was collected, the national court becomes an entity determining the purposes and means of processing, and therefore is a data controller under the GDPR in respect of that data.
As such, EU national courts must, before making any disclosure order, “undertake a proportionality analysis that takes into account the interests of data subjects whose personal data are to be processed”.
The proportionality analysis must consider whether the relevant data is: (i) adequate (i.e. it shows what the parties say it will show), (ii) relevant (i.e. it has the probative value it is alleged to have in the case), and (iii) necessary for its intended purpose (i.e. the relevant information cannot be obtained from elsewhere, or in a different format).
Although the US courts are, of course, not bound by the GDPR and both the facts and law applied in each case are different, the two opinions show contrasting approaches to data protection considerations during disclosure in civil proceedings.
Most fundamentally, the starting point of the court in each case was completely different.
AG Ćapeta’s view was that, whenever a court is considering ordering disclosure which contains personal data, its starting point should be that the relevant data subjects have not consented to the use of their personal data in the litigation and therefore interference with their rights must be justified in detail and by reference to both the specific facts and arguments in each case. In other words, the greater the extent of interference with the right to data protection, the more important the public interest objective pursued must be in order to justify a departure from the default starting position that disclosure of such personal data is an interference with the data subject’s rights.
The US Bankruptcy Court took the opposite approach: its starting point was the public interest in the openness of court proceedings and the presumption of open access to court records. Departure from that starting point needs to be justified pursuant to statute and based on evidence (not mere speculation) of an imminent risk of specified harm (interference with a right to protection of personal data alone seemingly not being sufficient). Despite the fact that, because of Celsius’s business model, complying with the normal creditor disclosure rules would make a vast store of customer personal data publicly available, the court did not consider the interests of the individual data subjects sufficient to order that all personal data be redacted.
What approach would the English courts take in each instance?
It is difficult to see an English court ordering the public disclosure of such an extensive set of personal data as Celsius were, in effect, ordered to disclose.
In an insolvency-specific context, English administrators and liquidators are required to file a statement of affairs with Companies House which should include the names, addresses and outstanding balances of a company’s creditors. The statement of affairs is generally made available to the public on the Companies House website.
However, individuals who are creditors by virtue of being employees or consumers who have pre-paid for goods or services must be identified only on a separate list which is not filed with Companies House. In addition, an administrator or liquidator may apply to court for an order redacting details from a statement of affairs. Redactions can be made if the material is otherwise likely to prejudice the insolvency process (which a mass data privacy claim arguably could) or might reasonably be expected to lead to violence against any person (which in the Celsius case seems a reasonable expectation, despite the US court’s findings).
In a more general civil litigation context, disclosing a document containing personal data to the opposing party when compelled to do so by a court’s disclosure order: (a) does not mean that document will necessarily become public (disclosed documents do not usually have to be publicly filed) and (b) will not breach the UK GDPR, which has exemptions for disclosure ordered by a court or necessary for the purposes of, or in connection with, legal proceedings.
If a disclosing party is nonetheless concerned about disclosing personal data to an opponent during English litigation, the Civil Procedure Rules can help in two ways. First, personal data can be redacted from disclosed documents provided it is: (i) irrelevant to any issue in the proceedings and confidential, or (ii) privileged. Second, the court has the power to make orders restricting the recipients and use of disclosed documents where justified in the circumstances.
As for the approach taken in Norra Stockholm, an English court is likely to have some difficulty with the concept that it “becomes the data controller” of any personal data in documents disclosed pursuant to its disclosure orders (whether in relation to the parties to the litigation or, as in Norra Stockholm, a third party).
The consequences of that would go beyond the need to conduct a proportionality analysis at the time of making an order for disclosure. It would mean, for example, that the court as a data controller could be the target of a subject access request in respect of the underlying data in documents disclosed pursuant to its order (thereby circumventing the existing court rules on access to documents). The existing provisions in the UK GDPR, namely that data subject access rights cannot be exercised in relation to data processed by a court, arguably would not solve this issue because the disclosed documents would have been processed by the parties giving the disclosure and not by the court.
There also appears to be a slight gap in the logic in AG Ćapeta’s opinion, in that she does not explain precisely why she considers the court to meet the definition of a data controller in these circumstances. When considering whether to make a disclosure order, the court is not necessarily “determining the purpose and means” of the processing of personal data (these being the central activities that determine who is the data controller). Instead, it is arguably simply acting as the arbiter of a dispute concerning what disclosure is necessary. The court does not exercise actual control over the personal data being processed, or how the processing is done – it simply decides what disclosure is required in the context of each particular case.
Further, when making a disclosure order in English litigation, the court most likely will not have seen any of the personal data the relevant disclosure might contain, or even know what documents and what personal data exist. Indeed, the court may never see that personal data if it is not ultimately included in a trial bundle or otherwise put before the court.
Standing back, if one were to apply AG Ćapeta’s logic more broadly, the Swedish tax authorities who required the staff register to be collected for tax purposes in the first place would also theoretically be data controllers, despite not exercising any control over the data (unless and until provided to them). Again, that analysis could have unintended and wider consequences for any set of personal data processed by an entity pursuant to, or for reasons related to, a statutory obligation.
The broader question the two cases raise is whether they will impact the EU’s adequacy assessments of the US and the UK.
In relation to the US, the difference in approach calls into question the extent to which the EU might genuinely consider the US to provide an equivalent level of protection for personal data (under the Order or otherwise) – in circumstances where a US court has readily dismissed what appear, from a European perspective at least, to be substantive concerns about the impact of disclosure on data subjects. It is not currently clear, for example, what recourse and means of redress EU citizens on Celsius’s list might have if they consider the GDPR has been breached. As a matter of principle, it is difficult to see an EU national court reaching the same decision if it were faced with similar facts.
In relation to the UK, as explained above, it seems unlikely the English courts would agree with AG Ćapeta’s reasoning. If that is right, but the CJEU does agree that national courts are data controllers of data disclosed pursuant to their orders, that would mean there is a significant difference in opinion between the EU and the UK as to the meaning of the term “data controller”. At present, the GDPR and UK GDPR represent very similar regimes in both principle and practice. The common concept of a data controller is, however, fundamental to that similarity. If there is a serious divergence of opinion as to what that means, that could have wide-reaching implications which may impact the EU’s assessment of whether the UK regime (whatever form that ultimately takes) really is equivalent.