|
Does GDPR pertain to pub buzz?, AG Bobek asks. |
Earlier this month, Czech judge and legal scholar
Michal Bobek rounded out a six-year term as an Advocate General (AG) of the European Court of Justice with a mind-bending
meditation on the ultimate futility of enforcing data protection law as written and a confirmation of the essentiality of transparency in the courts.
The case on which Bobek opined hardly required a deep dive. He said so: "This case is like an onion," he wrote. "I believe that it would be possible, and in the context of the present case entirely justified, to remain at that outer layer. No peeling of onions unless expressly asked for."
But the case provided Bobek an optimal diving board, and, on the penultimate day of his term as AG, he plunged and peeled.
Complainants in the case were litigants before the Dutch Council of State (Raad van State). They asserted that disclosure to a journalist of summary case information, from which they could be identified and details of their personal lives worked out, violated their right of privacy under the General Data Protection Regulation (GDPR) of the European Union, as transposed into Dutch law.
The disclosures are permissible under a GDPR exemption for judicial activities, Bobek concluded. But en route to that conclusion, he further opined that the potentially unbridled scope of the GDPR must be tamed to accord with social norms and democratic imperatives.
With remarkably plain reasoning, he framed the problem in a comfortable venue:
If I go to a pub one evening, and I share with four of my friends around the table in a public place (thus unlikely to satisfy the private or household activity exception of ... the GDPR) a rather unflattering remark about my neighbour that contains his personal data, which I just received by email (thus by automated means and/or is part of my filing system), do I become the controller of those data, and do all the (rather heavy) obligations of the GDPR suddenly become applicable to me? Since my neighbour never provided consent to that processing (disclosure by transmission), and since gossip is unlikely ever to feature amongst the legitimate grounds listed in ... the GDPR, I am bound to breach a number of provisions of the GDPR by that disclosure, including most rights of the data subject contained in Chapter III.
The pub might not be the only place where the GDPR runs up against a rule of reason. Consider the more nuanced problem of footballers considering a challenge against the processing of their performance stats. Goodness; the pub convo will turn inevitably to football.
Let's step back for a second and take stock of the GDPR from the perspective of the American street.
Americans don't get many wins anymore. We just retreated from a chaotic Afghanistan, despite our fabulously expensive military. We resist socialized healthcare, but we make cancer patients finance their treatments on Go Fund Me. We force families into lifelong debt to pay for education, undermining the social mobility it's supposed to provide. We afford workers zero vacation days and look the other way from the exploitation of gig labor. Our men's soccer team failed to qualify for the last World Cup and Olympics, while we're not sure why our women are rock stars; it can't be because we pay them fairly. When it comes to personal privacy, we tend to want it, but our elected representatives seem eager to cede it to our corporate overlords.
Truth be confessed, then, Americans are willing to engage in a smidge of schadenfreude when Europeans—with their peace, their healthcare, their cheap college, their Ryanair Mediterranean vacations, their world-class football, and their g—d— G—D—P—R—get themselves tied up in regulatory knots over something like the sufficient size of a banana. Ha. Ha.
Therein lies the appeal, to me, of Judge Bobek's train of thought. He finds inevitable the conclusion that posting case information is data processing within the purview of the GDPR. The parties did not even dispute that. For today, Bobek found an out through the GDPR exemption for the business of the courts in their "judicial capacity."
The out required a stretch to accommodate posting information for journalists, which is not, most strictly speaking, a judicial capacity. Bobek reasoned by syllogism: For the courts to do what they do, to act in the judicial capacity, they require judicial independence. Judicial independence is maintained by ensuring public confidence in the judiciary. Public confidence in the judiciary is bolstered by transparency in the courts. Transparency in the courts is facilitated by the provision of case information to journalists. Therefore, the judicial capacity requires publication of case information to journalists.
The problem, tomorrow, is that there is no answer in the case of pub gossip. Bobek meditated on the human condition: "Humans are social creatures. Most of our interactions involve the sharing of some sort of information, often at times with other humans. Should any and virtually every exchange of such information be subject to the GDPR?"
Can't be, he concluded.
[I]n my view, I suspect that either the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day. The current approach is gradually transforming the GDPR into one of the most de facto disregarded legislative frameworks under EU law. That state of affairs is not necessarily intentional. It is rather the natural by-product of the GDPR's application overreach, which in turn leads to a number of individuals being simply in blissful ignorance of the fact that their activities are also subject to the GDPR. While it might certainly be possible that such protection of personal data is still able to "serve mankind," I am quite confident that being ignored as a result of being unreasonable does not in fact serve well or even contribute to the authority or legitimacy of any law, including the GDPR.
While we await reassessment of the bounds of data privacy law in modern society, Bobek opined more and mightily on the importance of judicial transparency as a countervailing norm. He opened the opinion with philosopher-jurist Jeremy Bentham:
"Publicity is the very soul of justice. It is the keenest spur to exertion, and the surest of all guards against impropriety.… It is through publicity alone that justice becomes the mother of security. By publicity, the temple of justice is converted into a school of the first order, where the most important branches of morality are enforced...."
Bobek later picked up the theme:
Judging means individualised detail brought to the public forum....
On the one hand, the basis for judicial legitimacy in an individual case are its facts and details. The judge settles an individual case. His or her job is not to draft abstract, general, and anonymous rules detached from individual facts and situations. That is the job of a legislature. The more a judicial decision departs from or hides the factual background to a public court case, or if it is later reported with significant limitations, the more often it becomes incomprehensible, and the less legitimate it becomes as a judicial decision.
On the other hand, ever since the Roman age, but presumably already earlier, if a claimant asked for the help of the community or later the State to have his claim upheld and enforced by the State, he was obliged to step into the public forum and let his case be heard there. In classical Roman times, the applicant was even entitled to use violence against the respondent who refused to appear in the public (the North Eastern part of the Roman Forum called comitium), before the magistrate (seated on a rolling chair on a tribune higher than the general public—hence indeed tribunal), when called before a court (in ius vocatione).
It is true that, later on, there were other visions of the proper administration of justice and its publicity. They are perhaps best captured by a quote from a judge in the Parlement de Paris writing in 1336 instructions to his junior colleagues, and explaining why they should never disclose either the facts found or the grounds for their decision: "For it is not good that anyone be able to judge concerning the contents of a decree or say 'it is similar or not'; but garrulous strangers should be left in the dark and their mouths closed, so that prejudice should not be caused to others.... For no one should know the secrets of the highest court, which has no superior except God...."
In the modern age, returning to the opening quote of Jeremy Bentham, it is again believed that even garrulous strangers should be allowed to see and understand justice. Certainly, with the arrival of modern technologies, a number of issues must continuously be re-evaluated so that garrulous strangers cannot cause prejudice to others....
Naturally, the publicity of justice is not absolute. There are well-grounded and necessary exceptions. The simple point to keep in mind here is: what is the rule and what is the exception. Publicity and openness must remain the rule, to which naturally exceptions are possible and sometimes necessary. However, unless the GDPR were to be understood as imposing a revival of the best practices of the Parlement de Paris of the 14th century, or other elements of the Ancien Régime or the Star Chamber(s) for that matter, it is rather difficult to explain why, in the name of the protection of personal data, that relationship must now be reversed: secrecy and anonymity were to become the rule, to which openness could perhaps occasionally become the welcome exception.
Bobek seems content with judicial exceptionalism in the GDPR framework. I'm not so sure. I rather think the problem of the courts points to the broader problem of GDPR scope. Will there ultimately be a pub exception, too? Stubborn American insistence on framing data protection as business regulation, as in California data protection law, suddenly exhibits some appeal.
The case is X v. Autoriteit Persoonsgegevens, No. C-245/20, Opinion of Advocate General Bobek (Oct. 6, 2021). HT @ Edward Machin, writing in London for Ropes & Gray.
This is not Bobek's first high-profile opinion on the GDPR—even this year. Read in Fortune about his January opinion in a Facebook case.