But while judges are exempt in their judging role from GDPR requirements, there would have to be a ‘judge data controller’ responsible for material within the judicial system, as well as a process within the judiciary for defining materials that are subject to, or exempt from, the regulation.
“We have to accept that the genie is out of the bottle. We aren’t going back to an age when there aren’t vast amounts of information out there, electronically stored,” Frank Clarke declared at the ‘Litigation in the data age’ seminar at Blackhall Place on 25 January.
The Chief Justice added that, while data and IT might assist in conducting litigation, they might also cause difficulties. He pointed out that putting a dysfunctional system online would not make it good, referring to the vast amounts of paper currently produced for many court hearings.
Courts are the repository for a great deal of personal data, and the risks of holding data online will become more acute in a court context. Courts may have to become more creative in their data requests, since there will be pressure on foot of the GDPR to limit the scope of discovery orders to what is absolutely necessary, he said.
'Extremely' personal data
The nature of litigation is that a lot of the information filed in our courts is personal data – sometimes extremely personal data – extending to third parties, he said.
“There have been a number of decisions in the High Court over the last six or seven years, where the court has declined or postponed discovery orders because compliance would require revealing private information, not just of the party … but frequently about third parties.
“Up to now, it has always been regarded as a legal fact that a court order requiring compliance with a disclosure obligation absolves you from any other adverse consequences.”
Privacy versus disclosure
The Chief Justice continued: “Maybe the corollary of that is that courts need to become more careful to ensure that they only require disclosure of documentation … that is necessary and that greater use be made of redaction. Courts are going to have to become more creative about the way in which they craft disclosure obligations,” so that confidential information that is not essential to the court process remains private.
On the question of privacy versus disclosure, Clarke said that a corporation amenable to US law might well be obliged to makes disclosures that were in breach of data protection legislation in Europe.
He flagged the fact that a lot of data lives in corporations that are registered in Ireland; therefore, this country could become a particular battleground for these issues. An Irish court could have little choice but to enforce European legislation.
He noted that, in the US, there were companies that provided ‘big data’ predictors for the outcome of court cases. “The best of these systems are … better than skilled lawyers!” he said, adding that the sheer volume of US cases meant that algorithms could give reasonably good predictions.
Disproportionate
Solicitor Ann Henry pointed out that, in Ireland, we have a disproportionate number of global tech companies that are of systemic importance in the area of data.
This, combined with the fact that, in 2019, Ireland will become the only English-speaking common law jurisdiction in Europe, means that there is a renewed interest in how we undertake litigation here.
Senior counsel Cian Ferriter pointed out that while, legally, the protection of data is a fundamental right, not every breach of data is a fundamental breach. This will become a theme in the practical roll-out over the next five to ten years of the various protections provided for in the GDPR, he suggested, particularly in terms of damages. Tensions would flow from vindicating the privacy right, while also striking an appropriate balance in the protection of competing interests, he said. Ultimately, he believed that common sense would prevail. If breaches were technical or minor, no damages should ensue. Under GDPR, penalties for breaches could run to up to 4% of global turnover.
Damages
“Interesting questions will arise in this jurisdiction, particularly if it is the sole remaining common law jurisdiction [in the EU], where we socially, culturally and legally, have quite a different approach to giving people damages for a breach of their rights than, perhaps, obtains in certain civil law jurisdictions.”
He gave the example of a fictional data breach of a supermarket loyalty scheme, which could give rise to a snowball of claims that could result in an alarming level of damages to the business were each claimant able to show that they had suffered non-material damage, and was therefore entitled, as a matter of law, to compensation.
He questioned whether Ireland ran the risk of potential ‘deharmonisation’ with other EU member states if we became an outlier in giving more generous damages compared with our EU counterparts.