Dutch privacy law is used to obtain attachment on e-mail documents

Atos Medical B.V. / MDS B.V. Interim relief judgment of the district court of Noord-Nederland (Groningen) of 8 December 2016, case number: C/18/172364.

The Noord-Holland District court issued an interesting judgment on December 8, 2016, deciding to grant leave for bewijsbeslag, evidentiary seizure. Building on a 2013 case of the Hoge Raad, the district court granted an ex parte ‘’prejudgment writ of attachment’’, allowing for the collection of digital evidence from third parties.

In case of a serious breach of privacy laws by party B, it may be legitimate for party A to request for attachment remedies on the e-mails from party B. If there are indications that a company you work together with is handling the data of your customers in such a way it violates privacy laws, you may, under circumstances, be permitted in your request for a so-called ‘’prejudgment writ of attachment’’. This other party is then obliged to give access to his e-mails so that you can prove that that party has violated the privacy laws, the judge ruled.

That is a pretty drastic and expensive legal instrument and of course, no one wishes to be confronted with such measures in their businesses. Until this judgement, it was not very common to seek for attachment measures in ‘normal’ civil proceedings (except for infringements of intellectual property). Now a judge ruled that apparently these civil investigative measures can also be used in violation of privacy rights of individuals with regard to health data. That makes this ruling unique and therefore we find it appropriate to inform you about it, so you know how serious it is in the field of data protection.

What happened?

In the judgment, the facts are not mentioned explicitly, but can rather be reconstructed between the phrases. Atos Medical (the claimant – ‘’party A’’) is a company engaged in the development of solutions for people who have undergone ENT-surgery and is a leader in the field of laryngectomy care. MDS and others (the garnishee – ‘’party B’’) is engaged in the manufacture of medical instruments and devices. The exact relationship between the parties is not made clear in the judgment, but it is likely that the nature of this relationship is somehow business-related. Apparently an employee or subordinate from MDS has sent patient health data from a business e-mail account to a personal account.

To prevent any further illegitimate spread of the patient data, the claimant asks the court for a legal title to execute a prejudgment writ of attachment with regard to the media/devices on which said e-mails with patient data would be accessible through. In doing so - and this is the very interesting part of the judgment – Atos Medical seeks justification for such drastic legal action, by basing its claim on its obligations under the Dutch Data Protection Act (Wet bescherming persoonsgegevens) and the related Act on Data Breaches (Wet meldplicht datalekken). 

The court’s decision

The judge in this case puts the protection of privacy on a high level. And that is reflected in the decision: Briefly, MDS should allow the bailiffs (accompanied by an IT expert) to access computer systems, servers (both in-house or remote), cloud environments, hardware etc. and in addition provide them with login credentials. A basic rule in civil attachment law proceedings is that both parties should be heard before the judge can give such a verdict. Nevertheless, the court finds that  ‘’given the nature of the goods (privacy-sensitive data files with patient data) and the fact that they are easy to obfuscate as well as the reproached acts by the garnishee and the way this was conducted in secret, reason to deviate from this basic rule’’.

De judge imposes a non-compliance penalty of € 2,000.00 to MDS (excluding the first hour) per hour with a maximum of € 200,000.00 to make sure the attachment will be conducted.

Legal background

Until September 2013, there was only a statutory basis to proceed with a prejudgment writ of attachment of evidence in civil relations in cases concerning infringements of intellectual property (IP). On September 13, 2013 the Dutch Supreme Court) ruled in a so-called preliminary ruling (ECLI:NL:HR:2013:BZ9958) that prejudgment writ of attachment is also possible in non-IP-related issues. In this, especially for tech-companies groundbreaking ruling, the Supreme Court ruled that there may be circumstances under which a claimant can successfully apply for prejudgment writ of attachment on e-mails (in this case it was involving no less than 16,000 e-mails!) which were located in the cloud. The Supreme Court also indicated, citing European case law, that the derogation of the right to privacy (protected by article 8 of the European Convention on Human Rights) in connection with such an attachment, not necessarily have to conflict with the aforementioned article.

In the present case, Atos Medical's lawyer also uses the right to privacy, but argues the other way around: exactly because the Data Protection Act and the Act on Data Breaches requires to make every effort possible to avoid that the information that was entrusted to Atos Medical ends up in the hands of unauthorized third parties, the prejudgment writ of attachment is justified.

Conclusion

To our knowledge this is the first (published) case wherein Dutch legal provisions aimed at ensuring the privacy of individuals is used in such a way for obtaining a legal title to execute a prejudgment writ of attachment to secure evidence. Nevertheless, this case is also special when realizing that the Data Protection Act and the Act on Data Breaches originally was written for the relationship between a data controller and a natural person for protection to the right to privacy of the latter. Now becomes clear that the standards within this act may also have consequential effects in the business relationship between two legal persons (besides the relationship between data controller and data processor). We are very curious to see where this is going to in the future. Will there be other judges that are not afraid to use such an drastic legal instrument to protect privacy rights? Whitebridge Advocatuur will keep you up to date.

Privacy: it’s serious now.

 

Source: IT & Recht

Back to the overview