In October 2018, at a court hearing in the Netherlands, Z (a party to the proceedings) and X (representing Z) were approached by a journalist. During the conversation, X noticed that the journalist had documents from the case file, including documents that he himself had drafted, showing his name and address, as well as Z’s national identification number. The journalist said that he had gained access to the documents under the right of access to case files granted by the court. This was confirmed in writing by the president of the court, who said that it did provide the media with documents relating to pending cases and that, on that particular day, documents to assist journalists in following hearings, namely copies of the notice of appeal, the response, and where appropriate, the contested judicial decision, had been provided with the instructions that they should be destroyed at the end of the day.

X and Z complained to the Netherlands Data Protection Authority (AP), claiming that the provision of personal data originating from documents on a court file infringed the General Data Protection Regulation (2016/679/EU).

The AP said that it did not have the authority to supervise the personal data processing operations of the court. X and Z challenged this decision in the Netherlands District Court, which asked the CJEU whether Article 55(3) of the GDPR, which provides that “Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity”, means that the court temporarily making available to journalists documents containing personal data from court proceedings falls within the exercise by that court of its “judicial capacity”. In that context, it asked whether, in order to answer that question, it was necessary to consider the interference which the supervisory authority’s exercise of its powers might have with the independence of judges in specific cases. It also asked whether it was necessary to take into consideration the nature and purpose of that making available of procedural documents, i.e., to enable journalists to report on the course of court proceedings, or whether that making available had an explicit legal basis in domestic law.

The CJEU said that the GDPR clearly applies to processing operations carried out both by private persons and by public authorities, including judicial authorities, such as courts, subject to the adjustments included in some provisions to take account of the specific nature of the processing operations carried out by courts, e.g., Article 55(3), which excludes any competence of the supervisory authority in respect of processing operations carried out by courts “acting in their judicial capacity”.

Further, the CJEU said, Recital 20 of the GDPR states that it should be possible to entrust the supervision of processing operations carried out by the courts “acting in their judicial capacity” to specific bodies within the judicial system of the Member State concerned, rather than to the supervisory authority, in order to “safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making”. Given the use of the word “including”, this was clearly not limited to the independence of judges in relation to the giving of a judicial decision, the CJEU said.

Safeguarding the independence of the judiciary means ensuring that judicial functions are exercised wholly autonomously, the CJEU said. Therefore, “acting in their judicial capacity” must be understood as not being limited to the processing of personal data carried out by courts in specific cases, but as referring more broadly to all processing operations carried out by the courts in the course of their judicial activity where assessment by a supervisory authority would be likely to influence the independence of the judiciary or to weigh on their decisions.

Therefore, while the nature and purpose of the processing carried out by a court relate principally to the examination of the lawfulness of that processing, the nature and purpose may also indicate that the processing falls within the exercise by that court of its “judicial capacity”.

Further, the CJEU said, the question whether the processing has an explicit legal basis or whether the personal data concerned can lawfully be disclosed to third parties, related exclusively to the examination of the lawfulness of the processing, which was irrelevant to determining whether the supervisory authority was competent to supervise that processing operation on the basis of Article 55.

As for the processing in this case, the CJEU held that the processing of personal data by the courts in relation to the cases before them, such as temporarily making available to journalists documents from a court case file, fell outside the competence of the supervisory authority pursuant to Article 55(3).

In the CJEU’s view, deciding whether to make documents available to journalists in a given case to enable them to report accurately on the proceedings was clearly linked to the exercise by such courts of their “judicial capacity”, the supervision of which by an external authority would be liable to undermine, in general, the independence of the judiciary.

Therefore, the CJEU held that Article 55(3) means a court temporarily making available to journalists documents from court proceedings containing personal data in order to enable them to report on the course of those proceedings falls within the exercise by that court of its “judicial capacity” under Article 55(3). (Case C-245/20 X v Autoriteit Persoonsgegevens EU:C:2022:216 (24 March 2022) — to read the judgment in full, click here).