Can the Evidence Obtained in Breach of GDPR Be Used Against You in a Civil Lawsuit?

Over the last two decade, the world has witnessed firsthand the technological revolution, which completely transformed the way people communicate and connect. Social media platforms like Facebook, Twitter, Instagram, or WhatsApp? have become a storage of personal data in which the adverse party in a civil lawsuit will look for the evidence to bring the best evidence to the court’s attention. Nevertheless, in May 2018, the European Union passed the “General Data Protection Regulation” (GDPR), which is one of the strictest rules for personal data protection, to regulate the collection and processing of personal data. The provision of GDPR made a significant impact on the online investigation and the collection of online data, because it tightens up the processing of personal data by requiring the social media company, as a data controller, to ask for a specific, unambiguous consent from the data subject before handing it to a third person as evidence. However, what happened when evidence offered by the parties is obtained illegally without the prior, ambiguous consent as required by the GDPR? ‘Is the evidence obtained in breach of GDPR admissible in the civil lawsuit?’ This essay will find it out.

As we might have already known, people today use social media platforms as a way to express their thoughts and feelings, and courts are recently welcome social media content as evidence both for and against people. Personal data on social media platforms, for example, the picture of a person on Instagram, the location that a person checked-in on Facebook, as well as the opinion tweeted on Twitter are currently thought to be valuable sources of evidence that the opposing party and the legal counsel will definitely investigate when the lawsuit is anticipated. Moreover, a practice of obtaining evidence through potentially dubious means such as secret recording, hidden microphones or cameras is widely spread and prevalent because parties to civil cases are likely to do anything they can to introduce every relevant evidence to the court. These emerging litigation practices are absolutely a consequence of the digital and social media disruption.

To get a clear picture of how these personal data on social media work in the civil lawsuit, let’s take the case in Largent v. Reed (2011) as an example. In this case, the plaintiff, who claimed serious, permanent physical, mental injuries, pain and suffering, was rebutted by the post-accident photos of her Facebook account, showing that she was obviously feeling well. If the defendant counsel offered into evidence those personal photos saved from the plaintiff’s account without prior consent, would the photos be admissible? This example clearly illustrates how the social media content could be used against people in the court, which seems to be a normal practice these days.

However, as you might notice, these practices also give rise to a question that ‘Should the courts in civil lawsuit accept the data obtained without consent as evidence to be considered in the court’s deliberation?’ This challenging question became more relevant when the GDPR, which requires the unambiguous consent from the data subjects “before processing their personal data,” became effective, and the practice of taking personal data from social media as well as recording of a voice call by hidden microphones or cameras all constituted “processing of personal data.”

Some might argue that the personal data obtained without prior, unambiguous consent from the data subject, which is potentially in breach of GDPR, could not be introduced as evidence in a civil lawsuit, because such evidence is illegally obtained. However, contrary to popular belief, the prohibition against illegally obtained evidence applies primarily, essentially solely, to law enforcement.

The principle of illegally obtained evidence has long been recognized from the decision in Weeks v. United States (1914), which created a strong version of exclusionary rule prohibiting unreasonable searches and seizures conducted by the federal agencies, and also the decision in Mapp v. Ohio (1961), which applied such principle to the state level. This rule primarily applied in order to protect the integrity of the courts, which would totally be degraded if the government agencies can turn the violation of the constitution into evidence through its prosecutors. Moreover, the Supreme Court in I.N.S. v. Lopez-Mendoza (1984) ruled that the defendant in civil proceedings could not suppress his or her identity even if subject to an unlawful arrest, and the exclusionary rule does not apply to deportation hearings, which are civil proceedings.

From the doctrine discussed above, it could be implied that the use of personal data garnered from social media platforms without prior consent is permissible in the civil proceedings because the rule of illegally obtained evidence does not function in this situation. Therefore, most of the courts are likely to accept these personal data without any issue.

On the basis of these considerations, it is likely that the evidence obtained from social media platforms in breach of GDPR could still be admissible in the civil proceedings. To put it another way, “consent,” which was once thought to be an effective safeguard against the wrongful use of personal data is not by any mean a magic wand that can protect your personal data particularly when it was introduced as evidence in the courtroom. Therefore, the best way to protect your data, particularly when lawsuit is reasonably foreseeable, is to use the social media platforms that do not collect your personal data too much and try to think twice before posting or sharing any personal information on the social media sites.