UK Resurrects Data Protection Reforms, EU Court Rules on GDPR in Civil Cases

Last year, the UK government introduced a legislative proposal to change the UK privacy/data protection regime (which essentially consists of UK GDPR, e-privacy rules and the Data Protection Act 2018). Parliamentary work on this draft legislation was then put on hold and the UK government has now reintroduced the draft legislation, with changes. 

The UK government says the bill is “common-sense-led UK version of the EU’s GDPR [which] will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.” 

Purported benefits of the bill would include:

• Creating clear, business-friendly framework, reducing paperwork organizations must provide to demonstrate compliance and enabling businesses to continue cross-border transfer mechanisms if they’re already compliant
• Maintaining data adequacy with the EU and establishing wider international confidence in the UK’s data protection standards
• Increasing public and business confidence in AI technologies by clarifying situations in which decision-making safeguards apply

Much of the bill overall seems to be about seeking to make clarifications. While certain clarifications may be welcome (given the difficulties in interpreting some aspects of the existing data protection regime) whether the final legislation will deliver on making claimed substantive changes, such as getting rid of so-called data protection representatives, rather than consisting in the end of a major tweaking exercise will have to be seen.

Whatever the final outcome, international organizations that have devoted much work, time and resources trying to ensure compliance with both the existing UK GDPR and EU GDPR may find that there is more work for them to do on the UK side of things.

EU GDPR case

A few days before the revised data protection bill was introduced in the UK’s House of Commons, the EU’s Court of Justice handed down a long-awaited judgment in a case relating to application of the EU’s GDPR in the civil court system. The case has some important principles for anyone involved in producing documents to a court which include personal data.

In simple terms, the case was a construction dispute. A contractor, Norra Stockholm Bygg, sued for the work done on a building project. The customer, Per Nycander, argued that the contractor’s staff had not worked the hours claimed on the project. It asked the Swedish court for an order that a third party processor, Entral, who managed timekeeping for the contractor provide the records either unredacted or with the personal identity number redacted.

Norra Stockholm Bygg argued that the records — including employees’ names, identity numbers and clock-in and clock-out times — were mainly collected for tax auditing purposes, and so it refused to provide the records, saying that the interests of its employees outweighed the interest of allowing access to the records for their possible evidential value in the dispute.

The court hearing the case ordered Entral to produce the records unredacted, and that decision was appealed right up to the Swedish Supreme Court, which determined that there was an important matter of EU law to consider and so it referred this aspect of the case to the ECJ for a ruling. Since the case was felt to be of special importance, the ECJ also heard observations from lawyers representing the European Commission, Sweden, the Czech Republic and Poland. 

Ultimately, the ECJ decided that an individual’s data protection rights must be taken into account when courts consider requesting documents for disclosure in civil cases. The Swedish court will now take the ECJ’s judgment into account when ruling on the case.

In assessing whether documents containing personal data are ordered for disclosure, courts must balance the interests of individuals with the circumstances and type of the case in question and with the data protection law principles of proportionality and data minimization that are set out in GDPR Article 5.

Courts have previously been sanctioned under GDPR for their breaches — for example, in January 2023 the Polish DPA fined the Szczecin District Court for its failure to meet its obligations as a data controller.  The prospect of courts being sanctioned may well be a concern to some courts and judges, especially those in the U.S., where some courts have not shown too much concern about the GDPR implications for the parties. Having the court possibly be subject to sanction in the EU may give greater cause for concern.

Is pseudonymisation difficult? Yes, the process of pseudonymisation is often difficult to achieve in practice. It is important to note that pseudonymization will not take it outside the protection of GDPR, but it may provide some protection to the individuals involved. Pseudonymisation may include redacting the employee’s names although in practice more steps will usually need to be taken to reduce the chances of an employee being identified — for example, if there was only one employee working on site on a particular day even redacting their name will still make them identifiable.

More litigation could be in the offing related to this matter. Data protection litigation is already on the rise in Europe, and now that the ECJ has re-established the need for a balancing test, we may see more individuals taking action saying that their rights have not been properly considered. We may also see individuals seeking to block data being transferred to a third party on the basis that the proper balancing test has not been conducted.

This information was first published (UK bill, EU GDPR) at Cordery and is republished here.