譯者 | 黃元亨 北京大學法律碩士
一審 | 鄧雅元 復旦大學法學院 本科
二審 | 胡惟禕 康奈爾大學 LL.M.
編輯 | 蘇 桐 華中科技大學 本科
lzzy 美國西北大學 LL.M.
責編 | 馬語謙 武漢理工大學 本科
Riley v. The Student Housing Co (Ops) Ltd
法庭中的個人資料保護:以Riley v. The Student Housing Co (Ops) Ltd為例
目錄
一、案情簡介
二、爭議焦點和法庭判決
三、所涉法律
四、爭議與分析
(一)法律訴訟豁免
(二)關於所涉及的個人資料的陳述
(三)因果關係
五、簡要評述
在英國的訴訟程式中,披露含有個人資料的檔案時不僅要確保披露法院規則下所有相關的材料,還需要遵守英國的資料保護法。根據相關法律,對於必須作為法律程式(或預期法律程式)一部分披露的資料,英國《2018年資料保護法》規定有特定的豁免條款。在Riley v. The Student Housing Co (Ops) Ltd [2023]中,英國法院首次審查了該豁免條款的適用問題,強調了在英國《通用資料保護條例》(“《英國GDPR》”)下資料主體的隱私權與資料控制者的公平審判權之間的平衡。
一
案情簡介
The pursuer’s contract of employment with the defender was terminated on 31 December 2019. Following this, the defender used his personal data while defending itself in employment tribunal proceedings which were raised against it by Mr Adamson, based on breaches of Sections 15 and 26 of the Equality Act 2010. The pursuer had been Mr Adamson’s line manager.
原告(Courtney Timoney Riley)與被告(The Student Housing Company (Ops) Limited)之間的僱傭合同已於2019年12月31日正式終止。此後,在處理Adamson先生依據《2010年平等法》第15條及第26條向就業法庭提起的訴訟時,被告利用原告的個人資料作為抗辯依據。原告曾是Adamson先生的直屬上級。
Prior to the end of the pursuer’s employment Mr Adamson had made a number of complaints about the pursuer, including an allegation that he had been subject to a number of jokes by one of the pursuer’s friends, who was visiting him at the defender’s premises. In the employment tribunal proceedings Mr Adamson made allegations about the behaviour of the pursuer and other members of staff. He claimed that the pursuer had used derogatory language which referred to his disability.
在原告離職前,Adamson先生曾對原告提出多項投訴,其中一項指控涉及原告的一位來訪朋友在被告公司場所內多次對Adamson先生進行戲謔。在就業法庭的訴訟過程中,Adamson先生對原告及其他員工的行為提出了多項指控,他聲稱原告曾使用侮辱性語言提及他的殘疾問題。
On 22 March 2022 the decision was reported in an Article on The Sun’s website, entitled “VILE JIBE: Disabled Scots janitor wins £10k in compensation after colleague called him a f****** retard.” The pursuer is named in the Article on six occasions. In particular, the Article notes that “Connor started working nightshifts as a facilities assistant in March 2019 but suffered at the hands of ex general manager Courtney Riley and his friends.” The Article remains available to be read online.
2022年3月22日,《太陽報》網站發表了一篇題為《惡毒嘲諷:蘇格蘭殘疾清潔工遭同事辱罵為“**的弱智”,獲賠1萬英鎊》的文章。文章中六次提及原告的姓名。特別是,文章指出:“Connor於2019年3月開始承擔設施助理的夜班工作,但遭到前總經理Courtney Riley及其朋友們的虐待。”該文章至今仍可在網上查閱。
(圖片源自於網路)
The pursuer avers that the defender processed his personal data while defending the employment tribunal proceedings. He contends that the defender should have told him about the employment tribunal proceedings, provided him with copies of the tribunal bundles, asked him to comment on the allegations that had been made against him and invited him to provide a witness statement to be put to the employment tribunal. The pursuer’s position is that the defender’s failure to take these steps constituted a breach of its duty to process his personal data fairly and transparently, in terms of Article 5(1)(a). It also amounted to a breach of the requirement not to process data in a way that is incompatible with the purpose for which it was collected, in terms of Article 5(1)(b).
原告聲稱,被告在就業法庭的訴訟中擅自處理了其個人資料。原告認為,被告本應履行以下義務:告知他就業法庭訴訟的相關情況,向他提供訴訟檔案的副本,就針對他的指控徵詢他的意見,並邀請他提供證人陳述以提交給就業法庭。然而,原告指出,被告未能採取上述任何措施,這一行為不僅違反了英國GDPR第5(1)(a)條中關於公平、透明處理個人資料的義務,也違背了第5(1)(b)條關於不得將資料用於與收集目的不符的用途的規定。
The pursuer sues for £75,000. He advances a claim for distress and anxiety. He also avers that his employment prospects have been impacted.
原告索賠75,000英鎊。他提出因遭受痛苦和焦慮而要求賠償,並聲稱自己的就業前景已受到影響。
二
爭議焦點和法庭判決
The principal issue that was argued at debate was whether the defender was exempted from its duty to comply with the two provisions on which the pursuer’s claim is based, Article 5(1)(a) and Article 5(1)(b). Paragraph 5(3) of Schedule 2 of the 2018 Act provides that in certain circumstances relating to legal proceedings data controllers are exempted from complying with a number of data protection principles, known as “the listed GDPR provisions.
在法庭辯論中,雙方爭議焦點是,被告方是否能夠援引豁免條款,從而免於履行原告訴求所依據的英國GDPR第5(1)(a)條和第5(1)(b)條。根據《2018年資料保護法案》附錄2的第5(3)段規定,在某些與法律訴訟相關的特定情形下,資料控制者可以免於遵守一系列被稱為“列明的GDPR條款”的資料保護原則。
Conclusions:
(i) the defender was exempted from having to comply with Article 5(1)(a) and Article 5(1)(b) by virtue of Paragraph 5(3) of Schedule 2;
(ii) the pursuer’s averments regarding the data involved are so lacking in specification as to be irrelevant;
and (iii) the pursuer’s averments are insufficient to enable him to prove that any material or non-material damage that he suffered was caused by the defender’s alleged infringement, for the purposes of Article 82(1) and Article 82(2).
結論:
(一)根據《2018資料保護法》附錄2第5(3)段的規定,被告無需遵守英國GDPR第5(1)(a)條和第5(1)(b)條的規定;
(二)原告關於所涉及資料的陳述因缺乏具體性而無關緊要;
(三)根據第82(1)條和第82(2)條的目的,原告的陳述不足以證明其所遭受的任何物質損害或非物質損害是由被告所稱的侵權行為造成的。
Accordingly, the pursuer’s case is irrelevant. I shall therefore sustain the defender’s first and second pleas in law, repel the pursuer’s first and second pleas in law and dismiss the action.
因此,法官將支援被告的第一和第二項法律主張,駁回原告的第一和第二項法律主張,並駁回訴訟。
三
所涉法律
Article 5(1)(a) and Article 5(1)(b), UK-GDPR
“Article 5 Principles relating to processing of personal data
1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).”
《英國GDPR》第5(1)(a)條和第5(1)(b)條
“第5條 關於個人資料處理的原則
1. 個人資料應:(a)就資料主體而言,以合法、公平和透明的方式進行處理(“合法性、公平性和透明性”);
(b)為特定、明確和合法的目的而收集,且不得以與這些目的不相符的方式進行進一步處理;根據第89(1)條,為符合公共利益的存檔目的、科學或歷史研究目的或統計目的而進行的進一步處理,不應被視為與最初目的不相符(“目的限制”)。”
Paragraph 5(3) of Schedule 2, 2018 Data Protection Act
The listed GDPR provisions do not apply to personal data where disclosure of the data—
(a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending
legal rights, to the extent that the application of those provisions would prevent the controller from making the disclosure.
《2018資料保護法》附錄2第5(3)段
當披露資料符合以下情況時,列明的GDPR條款將不適用於個人資料:(a)為法律程式(包括預期的法律程式)之目的或與之相關而必需,(b)為獲取法律意見之目的而必需,或(c)為建立、行使或捍衛法律權利之目的而在其他方面必需,且前提是適用這些條款會妨礙控制者披露資料。
四
爭議與分析
(一)法律訴訟豁免
1. 豁免的法理依據
The rationale for the exemption contained in Paragraph 5(3) of Schedule 2 appears to be that a party’s duties as a data controller should not fetter its discretion to conduct litigation as it sees fit in pursuance of the vindication of its legal rights, or impinge on its right to a fair trial in terms of Article 6 of ECHR. It is because of the potential for tension to arise between these considerations that the exemption is necessary.
附錄2第5(3)段所載豁免條款的合理性似乎在於,資料控制者的職責不應限制其按照自身認為合適的方式開展訴訟以維護其合法權益的裁量權,也不應侵犯其根據《歐洲人權公約》第6條享有的公正審判權。正是鑑於這些考量之間可能產生的潛在衝突,豁免條款才顯得尤為必要。
This was made clear in the English case of Dunn v Durham County Council [2013] 1 WLR 2305, in which the Court of Appeal explored the purpose and ambit of the equivalent statutory exemption under the 1998 Act, together with the competing interests of litigants and those of non-parties whose personal data may be processed for the purposes of litigation. In Dunn a party sought to avoid having to comply with standard disclosure requirements under the CPR, on the basis that to do so would be to breach its duties under the 1998 Act. At paragraph 21 Kay LJ said:
英國“Dunn v Durham County Council [2013] 1 WLR 2305”一案明確說明了這一點。在該案中,上訴法院探討了《1998年資料保護法》同等法定豁免條款的目的和範圍,以及訴訟當事人與非訴訟當事人(其個人資料可能因訴訟而被處理)之間的利益衝突。在該案中,一方當事人試圖豁免遵守《民事訴訟規則》(CPR)下的標準披露要求,理由是這樣做將違反其在《1998年資料保護法》下的義務。在第21段中,Kay法官指出:
“In my judgment, it is misleading to refer to a duty to protect data as if it were a category of exemption from disclosure or inspection. The true position is that CPR31, read as a whole, enables and requires the court to excuse disclosure or inspection on public interest grounds. In a case such as the present one, it may be misleading to describe the issue as one of public interest immunity (a point to which I shall return). The requisite balancing exercise is between, on the one hand, a party's right to a fair trial at common law and pursuant to Article 6 of the European Convention on Human Rights and Fundamental Freedoms (ECHR) and, on the other hand, the rights of his opponent or a non-party to privacy or confidentiality which may most conveniently be protected through the lens of Article 8.
“在我看來,將資料保護義務單純地視為一種可以免除披露或檢查的豁免類別是頗具誤導性的。正確的理解應當是,整體解讀《民事訴訟規則》第31條,該條款賦予並要求法院基於公共利益考量,有權免除披露或檢查的要求。在諸如本案這類情形中,若將問題簡單歸結為公共利益豁免,可能會引發誤解(這一點我稍後會再作闡述)。真正的權衡在於,一方面需保障當事人依據普通法及《歐洲人權公約》第6條所享有的公正審判權,另一方面則需顧及對手方或非訴訟方透過《歐洲人權公約》第8條可獲得的隱私權保護。
It is a distraction to start with the DPA, as the Act itself acknowledges. Section 35 exempts a data controller from the non-disclosure provisions where disclosure is required in the context of litigation. In effect, it leaves it to the court to determine the issue by the application of the appropriate balancing exercise under the umbrella of the CPR, whereupon the court's decision impacts upon the operation of disclosure under the DPA.
從《資料保護法》(DPA)的角度切入容易讓人偏離主旨,因為該法本身亦對此有所認識。依據第35條,當訴訟程式需要披露相關資訊時,資料控制者可不受不披露條款的制約。實質上,這是將問題交由法院,在《民事訴訟規則》的框架下,透過恰當的權衡判斷來作出裁定,而法院的裁決結果將直接影響到《資料保護法》下披露義務的執行。”
While Kay LJ was concerned with the operation of the CPR, as counsel for the defender submitted, his observations are of broader application: he interprets the exemption for the purposes of litigation under the 1998 Act as being widely drawn and holds that the rights of a non-party fall to be protected via Article 8 of ECHR rather than with reference to the provisions of the 1998 Act.
雖然 Kay法官關注的是《民事訴訟規則》的實施情況,但如被告律師所述,他的觀點具有更廣泛的應用性:他對《1998年資料保護法》因訴訟目的而享有的豁免權進行了寬泛的解釋,並認為非訴訟方的權利應透過《歐洲人權公約》第8條來保護,而非參考《1998年資料保護法》的相關規定。
Is the scope of the exemption under the 2018 Act narrower than under the 1998 Act? The parties were divided on this point. Section 35 of the 1998 Act is in the following terms:
“35. — Disclosures required by law or made in connection with legal proceedings etc.
(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary—
(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or
(b) for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”
《2018年資料保護法》下的豁免範圍是否比《1998年資料保護法》下的豁免範圍更窄?雙方在這一問題上存在分歧。《1998年資料保護法》第35條內容如下:
“35.——法律要求披露或與法律訴訟等相關的披露
(1)若披露是根據任何成文法、法律規則或法院命令的要求進行的,則個人資料可免於不披露條款的約束。
(2)若披露對於以下情況是必要的——
(a)任何法律訴訟(包括預期的法律訴訟)的目的或與之相關,或
(b)為獲取法律諮詢,或為確立、行使或辯護法律權利而有必要,則個人資料可免於不披露條款的約束。”
(圖片源自於網路)
It is similarly worded to Paragraph 5(3) of Schedule 2 of the 2018 Act, but it does not include the qualification that a controller is exempted from complying with the listed GDPR provisions only to the extent that their application would prevent the disclosure from being made. However, Section 27(3) defines the term “the non-disclosure provisions” as meaning various specified provisions “to the extent to which they are inconsistent with the disclosure in question.” Counsel for the defender submitted that these words introduced an equivalent qualification to that contained within Paragraph 5(3) of Schedule 2. Conversely, counsel for the pursuer argued that the words “are inconsistent with” were not as strong as the words “would prevent.” He maintained that the exemption under the 2018 Act is qualified, whereas the previous exemption contained in the 1998 Act was not.
該條款與《2018年資料保護法》附表2第5(3)段的措辭相似,但並未包含“資料控制者僅在不披露將阻礙相關資訊披露的程度上,可免於遵守所列GDPR條款”的限定條件。然而,第27(3)條定義了“不披露條款”一詞,意指各種具體規定“在其與所述披露不一致的範圍內”。被告律師認為,這些措辭引入了與附表2第5(3)段所載內容相當的限定條件。相反,原告律師則認為,“與……不一致”(“are inconsistent with”)的措辭不如“將阻礙” (“would prevent”)強烈。他堅持認為,《2018年資料保護法》下的豁免是有限定的,而《1998年資料保護法》中先前的豁免則沒有這樣的限定。
In my opinion, the submissions of counsel for the defender are to be preferred. To ask if a disclosure is “inconsistent” with a provision is really to ask whether the application of that provision “would prevent” the disclosure from being made. In other words, the requirements placed on a controller by Sections 35 and 27(3) of the 1998 Act and Paragraph 5(3) of Schedule 2 of the 2018 Act are similar in substance. I will return to the wording of the legislation shortly, but at this stage I observe that as there is no material difference between the relevant provisions of the 1998 Act and its successor, the passage from Dunn regarding the wide scope of the exemption, to which I have referred above, is applicable to the 2018 Act.
在我看來,被告律師的立場更為可取。詢問一項披露是否與某項規定“不一致”,實際上是在詢問該規定的應用“是否會阻止”披露的進行。換言之,《1998年資料保護法》第35條和第27(3)條以及《2018年資料保護法》附表2第5(3)段對資料控制者提出的要求,在實質上具有相似性。我稍後會再回到立法措辭的問題上,但在此階段,我注意到《1998年資料保護法》及其後續法案的相關規定之間並無實質性差異,因此,我之前提到的Dunn案關於豁免範圍廣泛的論述,同樣適用於《2018年資料保護法》。
The potential identified in Dunn for a litigant’s duties as a data controller to encroach upon its right to a fair trial is apparent from the pursuer’s case in the present action. The pursuer avers that in fulfilment of the principle of fairness and transparency under Article 5(1)(a) of the 2018 Act the defender should have invited him to comment on the allegations that related to him and taken a witness statement from him to be lodged. The problem with requiring the defender to take these steps is that this would have undercut its discretion as a litigant to prepare and present its case as it deemed fit. The right of a party to a litigation to do so is a central tenet of an adversarial system, which in turn is a vital characteristic of a fair hearing: Avotins v Latvia [GC], no. 17502/07, (2017) 64 EHRR 2 119; Murdoch A Guide to Human Rights Law in Scotland para 5.106.
從本案原告的情況中,可以明顯看出Dunn案中所指出的資料控制者(即訴訟當事人)的職責可能侵犯其公正審判權的問題。原告聲稱,根據《英國GDPR》(原文為《2018年資料保護法》,應為筆誤)第5(1)(a)條所規定的公平與透明原則,被告本應邀請他就相關指控發表意見,並從他那裡獲取證詞存檔。然而,要求被告採取這些步驟的問題在於,這將削弱其作為訴訟當事人自行準備和提出案件的權利。訴訟當事人享有這樣的權利是對抗制訴訟程式的核心原則,而對抗制訴訟程式又是公正審理的重要特徵:參見Avotins v Latvia [GC], no. 17502/07, (2017) 64 EHRR 2 119;Murdoch所著《蘇格蘭人權法指南》(A Guide to Human Rights Law in Scotland)第5.106段。
In an adversarial system each party enjoys the right to choose whom to call as witnesses; and may decide not to cite a potential witness if, for example, there is a concern that the witness might be found not to be credible or reliable. This is as true of a case involving vicarious liability for the alleged actions of a non-party as of any other case: the defender is under no obligation to call the alleged wrongdoer as a witness. In some circumstances the court may draw an adverse inference from a defender’s failure to do so, depending on the context and particular circumstances: Oil States Industries (UK) Limited v “S” Limited and Others 2022 SLT 919 (paragraphs 79 – 81); Royal Mail Group Ltd v Efobi [2021] 1 WLR 3863 (paragraph 41). But this is a risk that the defender is entitled to take.
在對抗制訴訟程式中,每一方都有權選擇傳喚哪些證人作證;如果擔心證人可能不可信或不可靠,則可以決定不傳喚潛在的證人。這同樣適用於涉及非訴訟方被指控行為的替代責任案件:被告沒有義務傳喚被指控的過錯方作為證人。在某些情況下,法院可能會根據具體情境和特定情況,從被告未傳喚證人這一行為中作出不利推斷:參見Oil States Industries (UK) Limited v “S” Limited and Others,2022 SLT 919(第79-81段);Royal Mail Group Ltd v Efobi,[2021] 1 WLR 3863(第41段)。但這正是被告有權承擔的風險。
(圖片源自於網路)
To require a party take steps such as the lodging of a witness statement of a particular individual pursuant to its duties as a data controller would mark a significant departure from the adversarial process as it is generally understood to operate, with potentially far reaching consequences. For example, what if the witness statement turned out to be unsupportive of the party’s position? Presumably the party would be confronted with the unenviable choice of either lodging unhelpful evidence or breaching its duty under Article 5(1)(a).
要求一方當事人根據資料控制者的職責採取諸如提交特定個人證詞等步驟,將標誌著與人們通常理解的對抗制訴訟程式的重大偏離,並可能產生深遠的後果。例如,如果證詞最終不支援該方的立場怎麼辦?可以預想,該方面臨的將是一個令人尷尬的選擇:要麼提交無助於己方的證據,要麼違反第5(1)(a)條的規定。
Another scenario that counsel for the defender presented was that while a pursuer would be free to lead evidence of the conduct of an alleged wrongdoer, the defender might be constrained when responding, for fear of facing a potential claim under Article 5(1)(a). This contrasts with the normal position under which witnesses may speak freely in court, by virtue of the law of privilege. The result would be to place the defender at a disadvantage at proof, infringing the principle of equality of arms between parties.
被告律師還提到了另一種情況,那就是原告可以自由提供關於被指控過錯方行為的證據,但被告在回應時可能會受到更多限制,因為他們擔心會違反第5(1)(a)條的規定。這與正常情況不同,一般而言,證人可以依據特權法規則在法庭上暢所欲言。這樣一來,被告在舉證方面就會處於不利地位,違反了當事人之間的武器平等原則(equality of arms)。
This second scenario reveals a fundamental difficulty with attempting to apply Article 5(1)(a) in the context of litigation: irrespective of what particular steps might be identified as being necessary in the interests of fairness and transparency, the process of seeking to apply the principle is liable to fetter a party’s conduct of the litigation. Counsel for the pursuer submitted that when data is to be disclosed in the context of litigation the data controller must undertake a two-stage process, first assessing what the requirements of fairness and transparency demand in the circumstances and only seeking to rely on the exemption if those steps would prevent disclosure.
第二種情形揭示了在訴訟中運用第5(1)(a)條時面臨的一個根本性難題:無論為了公平和透明需採取哪些具體措施,這一原則的應用都可能限制當事人在訴訟中的行動自由。原告的律師指出,當訴訟過程中需要披露資料時,資料控制者應先進行兩步評估:首先明確在當前情境下公平和透明的具體標準,然後只有在這些標準可能阻礙資訊披露的情況下,才考慮援引豁免條款。
He described this as an inherently factsensitive exercise. But in practice requiring a party to go through an evaluative process of this kind (which might then be challenged by the data subject in a separate action, as in the present case), would have the potential to inhibit a party’s conduct of the litigation. It is not hard to imagine the looming spectre of a possible claim for a breach of Article 5(1)(a) interfering with the sort of tactical decisions that a litigant will usually take at the point of lodging productions and citing witnesses. It is not consistent with the right to a fair trial that a party should have to look in two directions in this way. In my opinion, it is precisely this tension between data protection requirements and the demands of litigation that the exemption is intended to address. It follows that the two-stage process that the pursuer proposes would defeat the purpose of the exemption.
他強調,這一過程本質上非常依賴具體的情境分析。然而,在實際操作中,要求當事人經歷這樣的評估流程(且這一流程可能會像本案一樣,在另一項訴訟中被資料主體質疑),可能會束縛當事人在訴訟中的行動。不難想象,潛在的違反第5(1)(a)條的指控就像一個揮之不去的陰影,干擾著訴訟當事人在提交證據和傳喚證人時做出的常規策略性決定。當事人不得不瞻前顧後,這與保障公正審判的權利是相悖的。在我看來,豁免條款正是為了解決資料保護要求與訴訟需求之間的這一衝突而設立的。因此,原告提出的兩步評估程式實際上會違背豁免條款的初衷。
2. 附錄2第5(3)段的解釋和適用
(1)解釋
In his submissions, counsel for the defender placed emphasis on the words “the
disclosure” at the end of the closing phrase. His point was that if the defender required to consider adding additional witness statements to the material to be produced, as the pursuer contends, “the disclosure” would have been prevented from being disclosed – at least in its original form – as an amended disclosure would have been substituted for it.
在被告律師的陳述中,他著重強調了結尾中的“披露”一詞。他的觀點是,如果要求被告像原告所主張的那樣,在待提交的材料中考慮增加額外的證人陳述,那麼“披露”將無法(至少以原始形式)進行——因為會有一份修改後的披露取而代之。
(圖片源自於網路)
It seems to me that this submission is well founded and that its logic is capable of being applied not just to the paragraph’s final line, but to its structure and language more generally. The main body of paragraph 5(3) provides that the listed GDPR provisions do not apply to personal data where the disclosure of the data “is necessary” for the purposes of litigation. This wording seems to contemplate a situation in which personal data has been identified to be disclosed and the disclosure of that specific data is necessary.
在我看來,這一論點很有說服力,其邏輯不僅適用於該段的結尾,也貫穿於其整體的結構和語言。第5(3)條的主體部分明確指出,當個人資料的“披露”對訴訟目的至關重要時,所列出的GDPR條款便不適用於這些個人資料。這一表述似乎是在描述一個已經確定要披露個人資料,且這種披露確屬必要的場景。
If one interprets the final line of the paragraph with this in mind, the words “the disclosure” take on the meaning that counsel for the defender suggested; and where the application of a listed GDPR provision would result in a change to the content of the disclosure it should not be applied. This is because otherwise the effect would be to prevent a necessary disclosure from being made in its intended form.
如果我們基於這樣的理解去解讀段落的結尾部分,“披露”一詞便如被告律師所建議的那樣,有了特定的含義:如果適用所列出的GDPR條款會導致披露內容發生改變,那麼就不應適用這些條款。否則,就會阻礙以預期形式進行必要的披露。
(2)第5(1)(a)條的適用
As I have explained above, as soon as a data controller is tasked with attempting to apply Article 5(1)(a) the potential arises for a disclosure that would otherwise have been deemed necessary for the purposes of the litigation to be prevented. The risk of facing a claim made by a data subject based on an alleged breach of Article 5(1)(a) is apt to influence the material that a data controller may be prepared to risk placing before the court in any litigation to which it is a party.
如前所述,一旦資料控制者嘗試運用第5(1)(a)條,原本因訴訟需求而必須進行的披露就可能受阻。資料主體若基於第5(1)(a)條被指違規,可能會提出索賠,這種風險往往會讓資料控制者在作為訴訟一方時,不太願意向法院提交相關材料。尤其在每個具體案件中,如何履行公平和透明的原則存在不確定性,這種風險就更為顯著。
This is particularly so given the uncertainty that would accompany having to work out what steps might have to be taken in fulfilment of the principle of fairness and transparency in the particular circumstances of each individual case. This is brought into sharp focus by the idea that a data controller might have to go as far as to take a witness statement from a data subject and lodge it. It was, of course, submitted on the pursuer’s behalf that his claim might ultimately succeed on the narrower basis that the defender ought to have informed him that his data was to be used. But the point is that requiring a litigant to undertake the process of identifying what action is necessary creates the mischief in itself, regardless of what steps are ultimately identified and how limited (or extensive) they might turn out to be.
特別是當資料控制者可能需要採取極端措施,比如從資料主體處獲取並提交證人證言時,這一點就更加明顯。當然,原告方認為,其主張最終可能僅在較小範圍內獲勝,即被告本應告知其資料將被使用。但關鍵問題在於,要求訴訟當事人確定必須採取哪些行動本身就會引發一系列問題,不論這些行動最終如何確定,以及它們的範圍可能有多小(或多廣)。
In my opinion, given this scope for the process of applying Article 5(1)(a) to restrict or prevent the content of disclosures, Paragraph 5(3) of Schedule 2 exempts a data controller from complying with it. This interpretation is consistent with the purpose of the exemption, which is to ensure that a litigant’s duties as a data controller do not impinge on its right to a fair trial.
我認為,由於應用第5(1)(a)條可能會限制或阻止披露的內容,因此附表2的第5(3)條為資料控制者提供了免除遵守該條規定的義務。這一解釋與豁免條款的目的相吻合,即確保作為資料控制者的訴訟當事人在履行職責時,不會侵犯其獲得公正審判的權利。
(3)第5(1)(b)條的適用
The operation of the exemption in relation to Article 5(1)(b) is more straightforward. Under the purpose limitation principle for which Article 5(1)(b) provides, data must not be processed in a manner that is incompatible with the purpose for which it was collected. As counsel for the defender submitted, either disclosing data in connection with a litigation is compatible with the purpose for which it was collected, in which case there is no breach of the duty, or it is incompatible, in which case the exemption applies. Neither of these scenarios leaves any room for a claim to be brought by a data subject under Article 5(1)(b) when his data is disclosed in connection with litigation.
與第5(1)(b)條相關的豁免條款運作起來更為直接明瞭。根據第5(1)(b)條所規定的目的限制原則,資料的處理方式必須與收集資料的目的保持一致,不得相違背。如被告方律師所述,要麼是與訴訟相關的資料披露與資料收集的目的相符,在這種情況下就不存在違反職責的情況,豁免條款也就無需適用;要麼是與訴訟相關的資料披露與資料收集的目的不符,在這種情況下豁免條款就應當適用。在這兩種情形下,當資料因與訴訟相關而被披露時,資料主體均無法再根據第5(1)(b)條提出索賠。
(圖片源自於網路)
Counsel for the pursuer submitted that the defender was under a duty to inform the pursuer that his data was to be used for the purposes of the tribunal proceedings, in terms of Article 5(1)(b). He contended that this duty to inform also fed into the defender’s duty to act in a fair and transparent manner under Article 5(1)(a). In support of this submission, counsel referred me to Recital 61 of UK GDPR, which provides: “Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient.
原告律師提出,根據第5(1)(b)條,被告有義務告知原告,其資料將被用於訴訟程式。他辯稱,這一告知義務也與第5(1)(a)條規定的被告應以公平和透明的方式行事的義務相吻合。為支撐這一觀點,原告律師引用了英國GDPR的第61條說明:“當個人資料可以合法地向另一接收者披露時,應在首次向接收者披露個人資料時通知資料主體。
Where the controller intends to process the personal data are first to be disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.” The problem with this submission is that, notwithstanding the terms of Recital 61, Article 5(1)(b) says nothing about informing data subjects or providing them with additional information. The defender might be subject to the duty contended for in terms of another of the listed GDPR provisions, Article 13(3), but the pursuer did not rely on this and I heard no submissions on the operation of the exemption in relation to Article 13(3).
如果資料控制者計劃將資料用於首次披露目的之外的其他目的,那麼控制者應在進一步處理之前,向資料主體提供關於這一新目的及其他必要資訊的說明。”然而,這一論點的不足之處在於,儘管第61條有所規定,但第5(1)(b)條中並未明確提及向資料主體告知或提供額外資訊的義務。被告可能依據GDPR的另一條款,即第13(3)條,負有原告方律師所爭辯的義務,但原告方並未引用此條款,且我未聽到任何關於第13(3)條相關豁免條款如何運作的論述。
In my view, instead of incorporating an independent duty to inform into the terms of Article 5(1)(b), Recital 61 effectively indicates that other relevant provisions, in particular Article 13(3) and Article 5(1)(a), are applicable where data is to be disclosed for a purpose other than that for which it was collected. But the pursuer does not plead a case based on the first of these provisions, as I have said, and I have held that the defender is exempt from having to comply with the second. In these circumstances, the pursuer does not aver a relevant case under Article 5(1)(b), in my view.
在我看來,第61條實際上是在強調,當資料被用於收集目的之外的其他目的而被披露時,其他相關規定,尤其是第13(3)條和第5(1)(a)條,是適用的,而並非是在第5(1)(b)條中單獨增加一項告知義務。但正如我之前所述,原告方並未基於第一項規定提出主張,而我已判定被告無需遵守第二項規定的義務。因此,在這種情況下,我認為原告方並未根據第5(1)(b)條提出一個有效的主張。
3. 資料主體的保護
If a data subject is not entitled to rely on Article 5(1)(a) and Article 5(1)(b) when the disclosure of his personal data in connection with litigation is in prospect, what protection is available to him? In Dunn the Court of Appeal held that the right of a non-party to privacy or confidentiality is most conveniently protected through the lens of Article 8 of ECHR. I accept the submission of counsel for the defender that the appropriate procedural mechanism for ensuring the protection to a data subject’s Article 8 rights lies in the discretion of courts and tribunals to anonymise judgments.
當資料主體的個人資料可能因訴訟而面臨披露風險,且無法依據第5(1)(a)條和第5(1)(b)條獲得保護時,他還能透過哪些途徑獲得保護呢?在Dunn案中,上訴法院認為,非訴訟方的隱私或保密權利最適合透過《歐洲人權公約》第8條來加以保障。我認同被告方律師的觀點,即確保資料主體在《歐洲人權公約》第8條下的權利得到保護的適當程式機制,關鍵在於法院和法庭有權對判決進行匿名化處理。
The power to anonymise is exercised sparingly, as it involves interfering with the open justice principle, which the Inner House recently described as the cornerstone of the legal system: BBC v Chair of the Scottish Child Abuse Inquiry 2022 SLT 385 (paragraph [44]). Nonetheless, it is a power that the courts hold. I was referred to two recent examples of the Scottish courts giving consideration to anonymising a judgment to protect the interests of a non-party: Oil States Industries (UK) Limited v “S” Limited and Others 2022 SLT 919 and Billy Graham Evangelistic Association v Scottish Event Campus Limited [2022].
然而,法院行使匿名化權力的頻率並不高,因為這涉及對公開審判原則的干預,而最近高階法院更是將其視為法律體系的基石:BBC v Chair of the Scottish Child Abuse Inquiry 2022 SLT 385 (paragraph [44])。儘管如此,這確實是法院所擁有的一項權力。我瞭解到,蘇格蘭法院在近期兩起案件中考慮了透過匿名化判決來保護非訴訟方的利益,分別是Oil States Industries (UK) Limited v “S” Limited and Others 2022 SLT 919 和Billy Graham Evangelistic Association v Scottish Event Campus Limited [2022].
(圖片源自於網路)
The employment tribunal has a similar power. Rule 50 of the employment tribunal rules empowers the employment tribunal to anonymise judgments; and non-parties are entitled to apply for a judgment to be anonymised. It is also competent for a judgment to be anonymised after it has been published on the HMCTS website: X v Y [2021] ICR 147; TYU v ILA Spa Limited [2022] ICR 287.
就業法庭也具備類似的權力。根據《就業法庭規則》第50條的規定,就業法庭有權對判決進行匿名化處理;同時,非訴訟方也有權申請對判決進行匿名化。即使判決已在HMCTS(英國皇家法院與法庭服務機構)網站上公佈,對其進行匿名化處理仍然是可行的,參見X v Y [2021] ICR 147; TYU v ILA Spa Limited [2022] ICR 287.
As a matter of practice, therefore, the power of the court (or tribunal) to anonymise a judgment appears to be the procedural means by which the right of a data subject to privacy and confidentiality may be afforded appropriate protection.
因此,從實際操作的角度來看,法院(或法庭)對判決進行匿名化的權力,似乎是為資料主體的隱私和保密權利提供適當保護的程式性手段。
4. 結論
As the pursuer’s case is based on Article 5(1)(a) and Article 5(1)(b), and as I have held that the effect of Paragraph 5(3) of Schedule 2 is to exempt the defender from having to comply with these provisions, it follows that the pursuer’s case is irrelevant.
鑑於原告的訴請是基於英國GDPR第5(1)(a)條和第5(2)(b)條提出的,且我已確認《2018法案》附表2第5(3)段的規定實際上是免除了被告遵守這兩條款的義務,因此,原告的訴請便不再恰當。
Before I leave this issue, it is worth highlighting two points. Firstly, the parties were agreed that the exemption is generally understood to excuse a data controller from having to comply with Article 5(1)(a) and Article 5(1)(b); and counsel for the pursuer very fairly acknowledged that a decision in the pursuer’s favour would have potentially far reaching consequences. It would seem, therefore, that the interpretation of the legislation that I have accepted accords with the general understanding of its meaning and application within the legal profession.
在結束這一問題的探討之前,我想強調兩點。首先,雙方均認同,該豁免條款通常被視為資料控制者無需遵守第5(1)(a)條和第5(1)(b)條的理由;原告律師也公正地指出,如果判決原告勝訴,可能會帶來深遠的影響。因此,我所採納的法律解釋與法律界對此條款含義及應用的普遍認知是一致的。
Secondly, the pursuer’s position was in part premised on the notion that the 2018 Act differs from its predecessor – i.e. whereas previously the exemption was absolute, the enactment of the new legislation heralded the introduction of the two-stage process suggested by the pursuer. But at the risk of repetition, in my view there is no material difference between the exemptions contained in the 1998 Act and the 2018 Act.
其次,原告的部分觀點是基於這樣一個認識,即《2018年資料保護法》與其前身有所不同——之前的豁免是絕對的,而新法案的出臺則意味著引入了原告所提議的兩階段程式。但為避免贅述,我認為《1998年資料保護法》與《2018年資料保護法》中的豁免條款在實質上並無差異。
(二)關於所涉及的個人資料的陳述
Counsel for the defender submitted that the pursuer fails to specify which of his personal data was involved in the alleged breaches on the part of the defender. Conversely, counsel for the pursuer argued that sufficient notice of the personal data involved was given at Article 9 of condescendence.
被告律師提出,原告未能明確指出其哪些個人資料遭到了被告所稱的違規行為的影響。相反,原告律師則辯稱,在起訴書第9條中已就所涉及的個人資料給出了充分的說明。
Looking at Article 9, the material averments are as follows:24
“To progress and defend the Tribunal proceedings, the defender had to process the pursuer’s personal data. Pleadings were drafted, damaging allegations were made about the pursuer, and were responded to, or were not responded to as the case may be, without the pursuer’s knowledge. Documents referring to the pursuer were produced in evidence without his knowledge.”
仔細研讀第9條的內容,其核心陳述概括如下:
“為了推進和辯護法庭的訴訟程序,被告不得不處理原告的個人資料。期間起草了訴狀,對原告提出了一些不利的指控,並根據實際情況回應或不予回應這些指控,而這一切原告都毫不知情。同時,還有提及原告的檔案被作為證據提交,原告對此也一無所知。”
In my view there is merit in the defender’s criticism of these averments. They set out, in very general terms, the use to which the pursuer’s data is alleged to have been put; but beyond a fleeting reference to unspecified “documents” in the final sentence, there are no averments that define the content of the personal data involved. As the pursuer does not offer to prove what personal data was processed, it is difficult to see how he can establish either that the defender breached its duties or that he suffered any damage as a result. Accordingly, I consider that the pursuer’s averments regarding the personal data alleged to have been processed are so lacking in specification as to be irrelevant.
在我看來,被告對這些陳述的批評不無道理。它們只是泛泛而談地描述了原告資料被指稱使用的用途;然而,除了最後一句簡單提及了一些未明確的“檔案”之外,並未有任何陳述來界定所涉及個人資料的具體內容。由於原告並未提出證明哪些個人資料被處理,因此很難看出他如何能夠證實被告違反了其職責,或者他因此遭受了任何損害。所以,我認為原告關於被指稱已處理的個人資料的陳述由於缺乏具體細節而變得不恰當。
(三)因果關係
Both parties challenged the relevancy of their opponent’s averments regarding causation. In part, the arguments revolved around the correct construction to be placed upon Article 82 of UK GDPR, which makes provision for liability for infringements of UK GDPR and for a right to compensation. It may be helpful to consider the parties’ competing positions on this issue before turning to the pleadings.
雙方均對對方關於因果關係的陳述的相關性提出了質疑。雙方的爭論在一定程度上圍繞英國GDPR第82條的正確解釋展開,該條款對違反英國GDPR的責任和獲取賠償的權利做出了規定。在深入探討訴狀內容之前,先了解一下雙方在這一問題上的不同立場,或許會有所助益。
1. 對第82條的解釋
Articles 82(1), 82(2) and 82(3) appear to fit together as a coherent framework, which falls to be applied sequentially.
英國GDPR第82條第1款、第2款和第3款似乎構成了一個連貫的框架,需要按順序應用。
First, Article 82(1) provides a right to compensation where a person has suffered
damage as a result of an infringement of UK GDPR. It is apparent from the wording of the provision that a pursuer seeking to establish liability under its terms must prove: (1) that there has been an infringement; (2) that the pursuer has suffered material or non-material damage; and – critically, for current purposes – (3) that the damage has occurred “as a result of” the infringement. Self-evidently, this third element is the causal nexus between (1) and (2)
第一,第82條第1款規定,因英國GDPR被侵犯而遭受損害的人有權獲得賠償。從該條款的表述中可以明顯看出,尋求根據該條款確立責任的一方必須證明:(1)發生了侵權行為;(2)受害方遭受了物質損害或非物質損害;以及——對於當前目的而言至關重要——(3)損害是“因”侵權行為“而”發生的。顯然,第(3)個要素是第(1)和第(2)個要素之間的因果關係紐帶。
(圖片源自網路)
Second, Article 82(2) follows on logically from Article 82(1), as it imposes liability on inter alia controllers who are involved in processing “for the damage caused by processing which infringes this Regulation” (my italics). Accordingly, Article 82(2) replicates the three elements that are contained within Article 82(1) – i.e. an infringement of UK GDPR via processing, the eventuation of damage and a causal link between the two. Once again, it is apparent that causation is essential to the establishment of liability. It will be noticed that Article 82(1) and Article 82(2) differ slightly in their wording: under Article 82(1) the court is tasked with asking whether the damage occurred “as a result of” an infringement. By contrast, under Article 82(2) the question is whether the damage was “caused by” processing which infringes UK GDPR. Given that Articles 82(1) and 82(2) appear to dovetail with each other, it seems unlikely that anything is to be taken from this difference in phrasing. Both require a pursuer to prove causation.
第二,第82條第2款在邏輯上是對第82條第1款的延續,因為它規定了對參與“因處理而違反本條例所造成的損害”負責的控制者(等)的責任。因此,第82條第2款複製了第82條第1款所包含的三個要素——即透過處理違反英國GDPR、損害的發生以及兩者之間的因果關係。再次顯而易見的是,因果關係對於確定責任至關重要。值得注意的是,第82條第1款和第82條第2款的措辭略有不同:第82條第1款要求法院判斷損害是否“因”侵權行為“而”發生;相比之下,第82條第2款的問題在於損害是否由“違反英國GDPR的處理”所“造成”。鑑於第82條第1款和第82條第2款似乎相互銜接,因此這種措辭上的差異似乎並無特殊含義。兩者都要求原告證明因果關係。
I can see no basis in either form of words for the suggestion that the court must focus solely on the conduct of the defender when considering causation under these provisions, as the pursuer contended. A more obvious reading of Article 82(1) and Article 82(2) may be that under both the court must assess whether the infringement is a factual cause of the damage, by asking whether the damage would have occurred but for the infringement, or whether the infringement materially contributed to the damage. If correct, this approach involves evaluating other possible causes of damage, instead of focussing narrowly on the conduct of the defender.
我認為,無論是從哪種表述來看,都沒有依據支援原告所主張的觀點,即法院在根據這些條款考慮因果關係時,必須僅關注被告的行為。對第82條第1款和第82條第2條更合理的解讀可能是,在這兩條款下,法院都必須評估侵權行為是否是損害發生的實際原因。這需要透過詢問以下問題來實現:如果沒有侵權行為,損害是否會發生,或者侵權行為是否對損害產生了實質性影響。如果這種解讀正確,那麼這種方法就涉及評估損害的其他可能原因,而不是僅僅侷限於關注被告的行為。
Third, this interpretation of Articles 82(1) and 82(2) ties in with Article 82(3), which exempts a controller (or processor) from liability “if it proves that it is not in any way responsible for the event giving rise to the damage”. The term “event” contrasts with the references to infringements of the regulation that are contained in Article 82(1) and Article 82(2) and appears to imply an intervening occurrence of some other kind that breaks28 the causal chain. At this stage the defender faces the onerous challenge of establishing that he or she is “not in any way responsible” for the event that has given rise to the damage.
第三,對第82條第1款和第82條第2款的這種解讀與第82條第3款緊密相連。第82條第3款規定,如果控制者(或處理者)“證明其對於導致損害的事件完全不負責任”,則可免除責任。這裡的“事件”一詞與第82條第1款和第82條第2款中提到的違反條例的行為形成對比,似乎暗示了某種打斷因果鏈的其他型別事件的發生。在這一階段,被告面臨著艱鉅的挑戰,即必須證明他或她對於導致損害的事件“完全不負責任”。
Reading Article 82(1), Article 82(2) and Article 82(3) together, therefore, I think that in the first instance it is for a pursuer to prove causation under Article 82(1) and Article 82(2), having regard not just to the conduct of the defender, but to all of the material circumstances. If the pursuer succeeds in doing so, the onus passes to the defender to establish a break in the causal chain in the form of an intervening event that has given rise to the damage, for which the defender is in no way responsible, in terms of Article 82(3).
因此,綜合閱讀第82條第1款、第82條第2款和第82條第3款後,我認為,首先,原告需要依據第82條第1款和第82條第2款證明因果關係,不僅要考慮被告的行為,還要考慮所有相關情況。如果原告成功證明,那麼責任就轉移到被告身上,被告必須依據第82條第3條,透過證明存在一個打斷因果鏈的介入事件(該事件導致損害發生,且被告對此完全不負責任)來免責。
2. 法院分析
In my opinion the submissions of counsel for the defender are to be preferred. On the pursuer’s averments, Mr Adamson made allegations concerning him in the employment tribunal proceedings, thereby placing them in the public domain. In addition, the pursuer accepts that the defender was entitled to process his data in the course of defending the tribunal proceedings, but avers that he should have taken various steps while doing so. This is the background, as averred by the pursuer. At proof the court would be required to take account of these circumstances when determining whether any damage suffered by the pursuer occurred “a result of” and was “caused by” an infringement on the part of the defender, in terms of Article 82(1) and Article 82(2).
在我看來,被告辯護律師的陳述更為合理。根據原告的陳述,Mr. Adamson在就業法庭訴訟中對原告提出了指控,從而使這些指控進入了公眾視野。此外,原告承認被告有權在法庭訴訟辯護過程中處理其資料,但堅稱被告在處理資料時本應採取多種措施。這是原告所陳述的背景情況。在舉證階段,法院需要考慮這一情況,以判斷原告所遭受的任何損害是否根據第82條第1款和第82條第2條“因”被告侵權行為而發生,並由其“造成”。
(圖片源自網路)
By corollary, in order to plead a relevant case the pursuer would require to aver
what difference it would have made to the outcome if the defender had either taken the steps that the pursuer identifies in his pleadings, or simply elected not to process his data. An associated problem with the pursuer’s case is that he does not specify which of his data the defender processed, as I have explained above. As the pursuer does not offer to prove what data was involved and how this differed from the material that Mr Adamson had placed before the tribunal, his averments are insufficient to enable him to establish the causal link between any damage suffered and the defender’s alleged infringement. Accordingly, the pursuer does not plead a relevant case on causation.
由此推論,為了提出一個恰當的訴請,原告需要陳述如果被告採取了原告在訴狀中指出的措施,或者簡單地選擇不處理原告的資料,那麼結果會有何不同。原告案件的一個相關問題是,他沒有明確指出被告處理了他的哪些資料,如我之前所述。由於原告沒有提出證明哪些資料被涉及,以及這些資料與Adamson先生提交給法庭的材料有何不同,因此他的陳述不足以讓他確立所遭受的任何損害與被告所稱的侵權行為之間的因果關係。因此,原告在因果關係方面沒有提出一個恰當的訴請。
As to counsel for the defender’s submission regarding the operation of Article 82, my interpretation of this provision is different, as I have set out above. In my opinion, at the point of applying Article 82(1) and Article 82(2) the court is not confined to consideration of the defender’s conduct, but is tasked with evaluating the circumstances as a whole when assessing whether the defender’s alleged infringement was a cause of damage to the pursuer. Thus, I also reject the proposition that the broader circumstances only fall to be considered at the point of applying Article 82(3). From this it follows that I must reject the criticisms made by counsel for the pursuer of the defender’s averments regarding causation.
關於被告律師就第82條的適用所提出的意見,我的理解與上述闡述有所不同。在我看來,在適用第82條第1款和第82條第2款時,法院不僅僅侷限於考慮被告的行為,而是需要在評估被告所稱的侵權行為是否是導致原告損害的原因時,對整體情況進行綜合考量。因此,我也不同意那種認為更廣泛的情況只有在適用第82條第3款時才需要考慮的觀點。由此可以推斷,我必須駁回原告律師對被告關於因果關係陳述的指控。
五
簡要評述
本案作為適用《2018年資料保護法》下“法律訴訟豁免”的第一案,揭示了資料主體和資料控制者之間的複雜微妙的角質關係。法院對“法律訴訟豁免”的解讀直接關係到資料控制者在訴訟過程中,是否能自由使用個人資料,而不必嚴格遵守GDPR的所有條款。法院在比較雙方觀點並進行推演後指出,過於嚴格的資料保護規則,可能會限制當事人在法律訴訟中有效陳述案情的能力。因此法院在判決中認為,豁免不能限制資料控制者根據其合法權利自行提起訴訟的自由裁量權,從而侵犯資料控制者根據《歐洲人權公約》第 6 條獲得公正審判的權利,相反豁免的存在正是因為必須在這些相互競爭的人權之間取得平衡。
原文連結:
https://www.bailii.org/scot/cases/ScotSC/2023/2023_SC_DNF_7.html