The Duty of Disclosure and the impact of the GDPR and the AI Liability Directive

Under Swedish procedural law, if a party has a written document that could have relevance as evidence, the court may order the party to present the document. This duty of disclosure aims to ensure that each party can access the documents needed to assert their rights in court.

Traditionally, the evaluation of a disclosure request requires the court to strike a balance between the requesting party's right to relevant evidence and the opposing party's interest in not disclosing the information. In a recent preliminary ruling (published on 2 March, 2023), the European Court of Justice established that national courts must also consider whether a document contains personal data.

In the concerned dispute, a party had asked the Swedish district court to order the opposing party (a construction contractor) to provide an electronic personnel log. The log was intended to be used as evidence to show that work had not been performed to the extent for which payment was claimed. The opposing party objected to the disclosure, arguing that it would violate the GDPR as the log contained personal data of employees.

The lower courts granted the disclosure request. After the decision was appealed to the Swedish Supreme Court, a preliminary ruling from the European Court of Justice was sought.

The first question submitted to the European Court of Justice concerned whether a national court, when considering a party's request for disclosure, is obligated to consider the requirements set out in Article 6(3) and 6(4) of the GDPR.

Under the GDPR, lawful processing of personal data requires fulfilment of one of the conditions set out in Article 6(1), such as it being necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e). If the processing is carried out for a purpose incompatible with the purpose for which the personal data was originally collected, additional requirements in Article 6(4) apply.

Responding, the European Court of Justice stated that the presentation of a document with personal data in response to a disclosure order constitutes processing of personal data, which necessitates the fulfilment of one of the conditions under Article 6(1). The Court stated that disclosure, in general, can be allowed under the condition set out in Article 6(1)(e), since the disclosure rules provide an acceptable legal basis. Further, the Court noted that as the purpose of using a document as evidence is not compatible with the purpose for which the personal data was collected, the additional requirements in Article 6(4) must be met. Therefore, according to the Court, national courts must assess whether disclosure is a necessary and proportionate measure. The Court then made a preliminary assessment that the duty of disclosure meets these requirements.

The Swedish Supreme Court also asked the European Court of Justice to clarify whether Articles 5 and 6 of the GDPR should be interpreted in a way that requires a court to consider the interests of the data subjects (i.e., the individuals whose personal data is processed) in the assessment of disclosure.

In this regard, the Court asserted that the national court should consider the interests of the data subjects, but emphasised that the protection of personal data is not absolute. Priority may be given to the right to an effective remedy under Article 47 of the Charter of Fundamental Rights of the European Union. The duty of disclosure promotes this right by facilitating access to relevant documents. In other words, the court should balance the protection of the data subjects' personal data on one hand, against the right to an effective remedy on the other hand.

The Swedish Supreme Court must now, in light of the ruling, decide whether the construction contractor should be obliged to disclose the personnel register in the specific case. For this and future assessments of the disclosure of documents containing personal data, the preliminary ruling means that interest of privacy must be considered in addition to the relevance of the evidence and the opposing party's interest in not disclosing the document.

In addition to the GDPR and its impact clarified through the preliminary ruling, it seems that EU law will continue to influence the duty of disclosure in other aspects. On 28 September, 2022, the European Commission presented a proposal for a directive on non-contractual civil liability for damages regarding artificial intelligence (the AI Liability Directive). The directive includes rules on disclosure intended to facilitate the gathering of evidence and substantiation of claims for damages by individuals harmed by AI systems.

According to the proposal, member states should ensure that national courts have the authority, upon the request by a claimant, to order specified entities (such as the providers of high-risk AI systems) to disclose and preserve relevant evidence concerning AI systems suspected of causing harm to the claimant. However, this requires the claimant to present sufficient facts and evidence supporting its claim and to have taken all reasonable measures to obtain the evidence from the alleged responsible party. Courts should limit their orders to what is necessary and proportionate.

Further, the directive stipulates that if the alleged responsible party fails to comply with a court order to disclose or preserve evidence, the court shall presume that they have not met the relevant standard of care, thereby being considered negligent. Consequently, the proposed rules would prescribe for a new kind of presumption for national courts in their material assessments in cases regarding civil liability for damages.

At this stage, there is no specific timeline for the implementation of the AI Liability Directive. The next phase of the process will involve the proposal being adopted by both the European Parliament and the Council of the European Union, before being implemented by the member states in the national legislation. As the preliminary ruling makes clear however, national courts are already required to consider the interests of data subjects, balance privacy rights with the right to an effective remedy, and assess the necessity and proportionality of disclosure. While awaiting the implementation of the AI Liability Directive, it is crucial for national courts to remain cognizant of their existing obligations under the GDPR, ensuring that the duty of disclosure is exercised in a manner that upholds the fundamental rights and interests of all parties involved.

For litigating parties, the ruling and the proposal emphasises the importance of being well-informed to successfully navigate these questions.