Turner v Bayer Australia Ltd (No 6) [2023] VSC 244 (10 May 2023): consideration by Victorian Court of GDPR obligations on a party whose discovery may contain personal information collected in the EU.

May 22, 2023 |

Justice Keogh in Turner v Bayer Australia Ltd (No 6) [2023] VSC 244 considered the application of the Victorian law and the European Privacy law, the General Data Protection Regulation (GDPR). The issue was whether releasing and reporting on personal information of individuals in documents generated in the EU attract protections that the Court should consider in the context of media reporting of a Victorian proceeding.

FACTS

The  proceeding is a product liability action concerning implanted permanent contraceptive medical devices identified collectively as the Essure device [1].

The trial commenced on 11 April 2023 and is estimated to run for 12 weeks [2].

Media organisations sought access to transcript and some of the documents relied on by the parties at trial.

The second defendant, Bayer Aktiengesellschaft,  is a corporation registered in Germany [4].

Some of the defendant’s discovery was of documents that originated from Germany (‘EU documents’), which some of which contained  personal data of natural persons residing in the European Union (‘EU’), including:

  • names,
  • job titles,
  • signatures,
  • business email addresses,
  • street addresses and phone numbers, and
  • personal email addresses,
  • street addresses and phone numbers (‘EU data’) [4].

The defendants opposed the media having general access to transcript and EU documents used at trial because, they argue, the release of EU data would be a breach of the GDPR [4].

The defendants sought orders requiring that media apply to the Court for release of transcript and any EU documents tendered at trial and give details of the context and purpose underpinning their request when applying for access, provide the parties with time to object to media access, and provide the parties further time  to redact personal information from documents to be released [5].

The defendants relied on a report of Professor Dr Gregor Thüsing, a jurist and professor at the University of Bonn in Germany who has has expertise in the European law of data protection and data security [12].

The court summarised his opinion as:

  • data protection law enjoys a high status in European and German law. Since 2018 the conditions for the processing of personal data of natural persons residing in the EU have been contained in the GDPR, which is Regulation (EU) 2016/679 of the European Parliament [13].
  • personal data means any information relating to an identified or identifiable natural person, and includes the name, identification number, location data, online identifier and identifying characteristics of that person [14].
  • the GDPR prohibits unnecessary processing of personal data [15].
  • ‘Processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use or disclosure [15].
  • Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data [16].
  • the right to protection of personal data is not absolute, and must be balanced against other fundamental rights in accordance with the principle of proportionality [17].
  • the purpose of the GDPR is not to block discovery in court proceedings [18].
  • application of the GDPR depends on the location of the document controller. Outside the EU the GDPR applies under narrow conditions only, and does not bind the Supreme Court of Victoria [19].
  • a goal of the GDPR is that the protection offered in respect of personal data travels with the data. One way of achieving this is that data exporters from the EU enter into contracts that bind data importers located in countries outside the EU that have Standard Contractual Clauses (‘SCCs’) making those data importers subject to the provisions of the GDPR [20].
  • in this case the EU data was exported by the second defendant to other defendants located in the United States of America (‘USA’) and Australia, and to the defendants’ lawyers. The SCCs allowed the EU data to be processed by the recipients if ‘necessary for the establishment, exercise or defence of legal claims’ [20].
  • because the Supreme Court of Victoria is not bound by the GDPR or the SCCs, it may therefore process the personal data in a way that would certainly not be permitted by the defendants [21].
  • in this case, to the extent it is governed by the GDPR data may only be processed when it is necessary for the establishment, exercise or defence of a legal claim [22].
  • the ‘necessity test’ requires a close and substantial connection between processing the data in question and the purpose for which it is processed [22].
  • the GDPR emphasises the need for personal data to be adequate, relevant and limited to what is necessary for that purpose. This requires careful assessment of whether anonymised or pseudonymised data would be sufficient [22].
  • Article 49(1)(e) of the GDPR states:

As to the interests, rights and freedoms of the data subject which need to be taken into consideration, the possible negative effects, i.e. the risks of the data transfer on any type of (legitimate) interest of the data subject have to be carefully forecasted and assessed, by taking into consideration their likelihood and severity. In this regard, in particular any possible damage (physical and material, but also non-material as e.g. relating to a loss of reputation) needs to be taken into consideration. When assessing these risks and what could under the given circumstances possibly be considered as “suitable safeguards” for the rights and freedoms of the data subject, the data exporter needs to particularly take into account the nature of the data, the purpose and duration of the processing as well as the situation in the country of origin, the third country and, if any, the country of final destination of the transfer.

  • what is deemed appropriate for the establishment, exercise or defence of legal claims is to be determined by weighing the interests of the parties to the proceedings and the data subjects only.
  • the tension between the purpose limitation and the necessity principle has not been discussed in case law and literature in the EU, since European courts are bound by the GDPR [23]
  • the likelihood of the data transfer for the purposes of providing it to the media (or any third parties) constituting a breach of the SCCs (on the basis that it is not in line with the rules of the GDPR) increases:

(a) as the relevance of the personal data to the defence of the claim decreases;
(b) as the personal data becomes more ‘intimate’ or ‘sensitive’ (for example, personal addresses would be more ‘intimate’ than business addresses);
(c) as more people are provided with the data; and
(d) as more data and more data subjects are involved.

 

DECISION

The Court stated that:

  • the EU data is largely if not entirely contained in records of the second defendant relevant to the conduct of its business in Germany [25].
  • the EU documents were provided by the second defendant directly to the defendants’ lawyers in Australia, or indirectly by first being transferred by the second defendant to other Bayer entities in the USA before re-transfer to Australia [25].
  • the transfer of the EU documents to Australia, and the resulting processing of the EU data was necessary for the establishment, exercise or defence of legal claims in this proceeding, and therefore occurred in accordance with the SCCs [26].
  •  data processing by discovery was not a breach by the defendants or their lawyers of the GDPR or the SCCs because:
    • .the purpose of the GDPR is not to prevent or restrict proper discovery of documents in court proceedings.
    • discovery of the EU documents, and the processing of the EU data, was consistent with the purpose for which the documents were transferred to Australia [27].
    • the processing of the EU data that resulted from discovery as necessary. Questions of foreseeability, knowledge and constructive knowledge are at issue in this proceeding. It is evident from the document tender process that the names, occupations and employment positions of individuals may be relevant to a consideration of those issues [28].
    • discovery of the EU documents by the defendants and the resulting processing of the EU data was governed by the laws of this jurisdiction and made pursuant to orders of this Court [29].
    • it doubted that processing of the EU data was subject to the GDPR [29].
  • the application is made on the basis of two considerations:
    • allowing media access to the personal data of European citizens is inconsistent with the protections provided by the GDPR that applied to the EU documents in the EU. Those protections should not be lost simply because the documents were transferred to Australia for the purposes of the proceeding.
  • release of the EU data to media exposes some of the defendants and their lawyers to the risk of penalties and damages for breach of the GDPR and/or the SCCs [30].

The Court rejected the defendants’ application stating:

  • the orders sought by the defendants would provide, at best, only a very limited degree of protection of the EU data because:
    • the trial of the proceeding is being live streamed [31] and many of the documents that are tendered are publicly displayed in the court room and during the live stream process.  Media are free to report any EU data communicated in this way. There is no  justification for restricting access to transcript and tendered documents on the court file after the information they contain has been openly displayed or discussed during the trial [31].
    • the risk of harm to EU citizens from communication of personal data resulting from media access to documents on the court file in this proceeding is low [32]. Personal data is likely to be peripheral to or remote from the issues that will be the focus of media reporting [32].
    • there is no evidence  of any significant reporting of this proceeding in the EU and any reporting occurs in the EU is unlikely that to include communication of sensitive EU personal data [32].
    • it did not accept that the material discloses any real risk of the defendants or their lawyers being prosecuted or subject to claims for damages if third parties are given access to documents on the court file that contain EU personal data [33]. There is no suggestion that by making discovery of the EU documents the defendants or their lawyers have breached the GDPR or the SCCs. Once the documents are used in the proceeding the Court is the controller of the documents, and is the body processing the documents by allowing third parties access to the court file [33].
    • Thüsing’s opinion about the risk of prosecution and damages claims proceeds on the false assumption that it is the defendants or their lawyers who would be communicating the EU data to media [33]
    • important principles of open justice should not be ignored. There is no justification for  orders which would delay media access to documents and restrict media access to some information [34].
  • as an exception the court accepted  the defendants’ submissions that personal contact information of EU residents and more sensitive data such as information relating to health should not be released [35].

ISSUE

The decision is not particularly surprising.  The operation of civil procedure in Victoria is not subject to the GDPR.  The defendant’s application always faced difficulties in convincing a court to  limit the media reporting of open court proceedings.

It is an interesting decision as the first reported decision where the court has considered the obligations of an entity which created documents in the EU and are the subject to the provision of the GDPR. It is not surprising that the court would proceed on the basis that discoverable documents produced and referred to in court, probably being tendered, may be reported upon by the media unless one of the exceptions, in Australian law, apply.  The court was sceptical of the concerns raised about the risk of publication into the EU of personal information of EU citizens.  That is not unexpected given there was little evidence of the risk produced. 

 

Leave a Reply





Verified by MonsterInsights