The GDPR and Processing of Personal Data for Research Purposes: What About Case Law?

Abstract

Case law regularly includes personal data on identifiable persons, often of a rather sensitive nature. This makes the EU General Data Protection Regulation (GDPR) relevant. However, the processing of personal data in case law has until recently not been questioned from the point of view of data protection of the individuals concerned. The Court of Justice of the European Union has taken steps ensure such protection for individuals appearing before the courts. Sweden has chosen another path. As transparency is a highly treasured in Sweden, including transparency in the judiciary, restricting access to the full verdict is sensitive. Instead, the processing of personal data has been restricted in a certain areas, such as research. In order to fulfill the requirements for an ‘appropriate safeguard’ under Article 89 GDPR, an ethical approval is needed for all research on specific categories of sensitive personal data, with no exception for publicly-available official documents like case law. The question posed is how the interest in protection of personal data retrieved from case law can be reconciled with the interest in transparency of the judicial process. It is concluded that even though requirements for an ethical approval of legal research hardly can be seen as a relevant ‘appropriate safeguard’, it cannot be denied that there is a legitimate interest of identifiable persons in case law to have their rights in personal data at least considered. Courts should therefore be stronger in elucidating when and why transparency is of overriding importance, and when and why data protection and the interest of secrecy should prevail. Data protection, transparency, case law, official documents, secrecy, sensitive data, research exception, appropriate safeguard, ethical approval