In general, Poland has not adopted the concept of e-discovery as it is understood in common law jurisdictions, such as the United States. However, collecting and using evidence for criminal or civil proceedings is regulated in detail under Polish law. The case law related to evidence as such is also broad and has a long history.
There are some provisions of Polish law that relate to the use of electronically stored information (ESI), as detailed in Section II.
In addition, practitioners have a well-established view in relation to collecting and using electronic evidence from the perspective of privacy regulations. These regulations are the main concern for businesses when it comes to, for example, investigations connected to employment matters.
II YEAR IN REVIEW
Amendments to the Code of Civil Procedure (CPC) came into force in 2016, which specified that electronic documents are explicitly allowed as evidence in civil proceedings, and in many cases this evidence may be of even greater importance than standard, physical evidence.
According to Article 243(1) of the CPC, to classify a material as a document, the issuer of the document ought to be identifiable (by means of a signature or other identifying mark). If the issuer cannot be identified, the evidence will be classified as 'other evidence' as defined in Article 309 of the CPC (see below).
The rules applying to electronic documents as evidence generally do not differ from the general provisions on evidence. However, pursuant to Article 254 Section 2(1), an issuer of an electronic document may be, when necessary, requested by the court to provide it with the data carrier on which the document is stored. Section 2(2) of the same Article provides an exception to the obligation to present a data carrier for certain categories of witnesses who would be legally allowed to refuse to answer a question regarding the source of the electronic document – for example, whether it was created on the data carrier or uploaded there by the witness (this relates in particular to family members, who may refuse to testify in their relative's case).
The aforementioned 'other evidence' has the same evidential value as other types of evidence. The courts have expressly determined, among other things, that a print screen or an email2 that does not contain a signature3 shall be treated by the courts as other evidence. However, this does not prevent parties to the proceedings from presenting other materials as evidence, if it helps them prove their case. Judgments that refer to new kinds of electronic evidence can be expected.
The admissibility of electronic evidence is not questioned in criminal proceedings. The CPC does not provide definitions of 'electronic document' or 'electronic evidence', which could be further developed in the courts' decisions. In Polish legal literature, some classifications of electronic evidence used in criminal proceedings are being created and developed. However, criminal law – similar to civil law – applies the principle of free assessment of evidence, therefore these classifications will mostly be theoretical.
There are no specific rules for collecting electronic evidence. At the time of writing, there have been no announced changes to policy or legislation regarding electronic evidence in civil or criminal proceedings.
III CONTROL AND PRESERVATION
The law does not provide for e-discovery obligations related to the preservation of ESI. There are provisions of law that relate to destroying or hiding evidence that is necessary for legal proceedings, which apply to all types of evidence.
Under the Code of Criminal Procedure, any user of a device containing digital data or a computer system in which data is stored, including correspondence sent via email, is obliged to hand it over to a court or prosecutor, or – in urgent cases – at the request of the police or other authority (if the data constitutes evidence in a given case). If an individual does not voluntarily hand over evidence, the evidence can be taken by the appropriate authority by force. To detect or seize electronic data that may constitute evidence, relevant authorities (including the police) can search the premises and other places where there are reasonable grounds to believe that the data could be there.
Offices, institutions and companies conducting telecommunications activity are required to secure, at the request of a court or the public prosecutor, for a period not exceeding 90 days, digital data stored on their devices (including data on storage media and in computer systems). They must secure the data in a way that prevents it from being deleted and enables it to be easily handed over at the request of a court.
Any person who hinders or prevents criminal proceedings by concealing, destroying or distorting evidence (including destroying digital data), may be subject to criminal sanctions, including imprisonment for up to five years. Destruction of evidence is any act that prevents judicial authorities from discovering a crime or proving that the perpetrator is at fault.
IV REQUESTS AND SCOPE
The law does not specify that parties must meet and confer in the context of disclosure of ESI. There are provisions of law that relate to an obligation to produce evidence to a court in civil proceedings, which apply to all types of evidence.
Under the CPC, parties are obliged to produce evidence to establish facts to successfully argue their case. In this procedure, all parties might be obliged to submit, by order of the court, on a specified date and in a specified place, the data in their possession that constitutes evidence of a fact relevant to the resolution of the dispute. There are no sanctions if a party refuses to produce the evidence requested, but the court may take this as an indication that the evidence contradicts the party's statement and therefore supports the opposing party's statement.
If a court requests a third party to produce evidence and it refuses to do so without legitimate grounds, it may be subject to a fine. If the third party does comply with the court's request, it has the right to demand reimbursement of expenses connected with producing the evidence.
V REVIEW AND PRODUCTION
Poland has only just begun to acknowledge the use of digital sources of information in statutes, such as the CPC and the Code of Criminal Procedure. Consequently, civil and criminal proceedings still tend to focus on traditional sources of evidence, such as paper documents, witness testimony and, in criminal cases, materials gathered by law enforcement authorities (the police and the public prosecutor) during operational activities, including lawful searches and interception of communications.
The limited regulation on the use of ESI covers the collection of ESI by law enforcement authorities during criminal proceedings; the obligation of parties to produce ESI as evidence; and the method of assessing ESI in civil proceedings.
According to Article 218a of the Code of Criminal Procedure, offices, institutions and companies conducting telecommunications activity are obliged, upon the request of the court or the public prosecutor in the form of a written decision, to immediately secure, for a period not exceeding 90 days, electronic data stored on data storage devices (e.g., hard drives) or in IT systems.
The Code of Criminal Procedure also provides that the holder and user of a device containing electronic data or an IT system has to acquiesce to a lawful search conducted by a competent authority with regard to the data stored on this device or in this system, or on a data storage device in their possession or use, including email correspondence.
A search is lawful under criminal law if there are justified grounds for believing that specified objects that might constitute evidence in a case or that are subject to seizure in criminal proceedings (e.g., electronic files) may be found on the premises (Article 219 Section 1). Objects that may serve as evidence or that are subject to seizure to secure financial penalties, penal measures of a financial nature, forfeiture, compensatory measures or claims for compensation for damage, should be surrendered at the request of the court, the public prosecutor or, in urgent cases, the police or another authorised agency (Article 217 Section 1). The holder of an object subject to seizure is called upon to surrender it voluntarily (Article 217 Section 2). However, if the holder refuses, the object may be seized by force, provided appropriate procedures are followed – for example, the holder should be properly informed about the legal basis for the seizure and a formal written protocol from the seizure should be drawn up (Article 217 Section 5).
A search may be conducted by the public prosecutor, acting upon an order of a court, or by the police, acting upon an order of a court or the public prosecutor, or, in cases specified by the law, by another agency (Article 220 Section 1). A person whose premises are to be searched should be presented with a warrant issued by a court or the public prosecutor (Article 220 Section 2). In urgent cases, the authorities may conduct a search without the appropriate order, but approval from the court or public prosecutor must be sought promptly afterwards.
If the person on whose premises an object was seized or a search was conducted declares that a document found or surrendered contains confidential information, or information constituting a professional or other legally protected secret, or is of a private nature, the authority conducting the search should immediately, without reading it, hand the document over to the public prosecutor or to the court in a sealed envelope (Article 225 Section 1). However, the procedure does not apply to correspondence or other documents containing information classified as privileged or confidential, or information constituting a professional or other legally protected secret, if the holder is suspected of having committed an offence. It also does not apply to letters or other documents of a personal nature if the person suspected of having committed an offence is the holder, author or addressee (Article 225 Section 2).
Similarly, if the defence counsel declares that correspondence or other documents surrendered or found in the course of the search contain information pertaining to the performance of his or her function, the authority conducting the search must leave the documents with him or her without becoming familiar with their contents or appearance. However, if this statement is made by a person who is not a defence counsel, but is in possession of documents of that nature, the law requires the agency conducting the procedure to hand these documents over to the court, without reading them, in a sealed envelope. If the documents are seized, the court, having acquainted itself with their contents, must return them in their entirety or in part to the person from whom they were taken or must issue a decision that the documents be retained for the purposes of the proceedings (Article 225 Section 3).
The Code of Criminal Procedure also provides for general rules regarding interception of electronic communications. The rules that apply to the surveillance of telephone conversations also apply to the surveillance and recording by technical means of the content of other conversations or messages, including email correspondence (Article 241). The main rules are outlined below.
After the commencement of proceedings, the court, at the request of the public prosecutor, may order surveillance and recording of the content of telephone conversations by way of telephone tapping, to gather evidence for proceedings in progress or to prevent the perpetration of a new offence.
In urgent cases, surveillance and telephone tapping may be ordered by the public prosecutor, who is obliged to request the approval of the court within three days. The court must issue its decision on this matter within five days, at a closed hearing (without the participation of the parties). If the court does not approve the public prosecutor's order, any existing recordings must be destroyed. An appeal against the decision stays its execution.
Surveillance and telephone tapping are permissible with regard to a person suspected of an offence, an accused person, an aggrieved person or any other person whom the accused may contact or who may be connected with the accused or with the potential offence.
Offices and institutions conducting telecommunications activity, as well as telecommunications companies, are obliged to facilitate the execution of a court or public prosecutor's order concerning surveillance and telephone tapping, and ensure that they register the surveillance.
With regard to civil procedure, the regulations are more general. In practice, any advanced analytical tools involved in the analysis, review and production of ESI are most likely to be used by expert witnesses requested by the court or parties to participate in a given proceeding.
The Polish legal system is based on the idea that the courts are free in their assessment of the impact and admissibility of evidence presented during the proceedings. As a consequence, no precise rules regarding the use of technology-assisted review or the manner in which ESI should be collected or secured have been adopted in the procedural codes of Polish law. The courts generally rely on the testimony of expert witnesses who – when summoned by the court – have to assess certain aspects of the evidence, as requested by the court.
In both civil and criminal proceedings, the party against whom electronic evidence is presented may challenge the evidence by raising arguments about its value, authenticity, admissibility or quality. In doing so, the party may also request to consult an expert witness, which is the most reasonable way to have the evidence verified. Ultimately, it is up to the court to decide whether those arguments should prevail and if the evidence should be disqualified. The law does not provide sanctions for failure to produce discoverable ESI or misuse of disclosed ESI. Only general rules apply, according to which, if so directed by the court, each party shall produce, within a prescribed time limit and at a specified place, any document that is in its possession and that evidences a fact that is relevant to the case determination, unless the document contains classified information (Article 248 Section 1). As mentioned in Section IV, if a third party refuses to produce evidence, it will be fined by the court if it, or the parties, cannot justify the refusal (Article 251).
VI PRIVACY ISSUES
On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force and became directly applicable in Poland and the other Member States of the European Union. The GDPR has a significant impact on the discovery and disclosure of ESI, whenever this information (wholly or even partly) relates to an identified or identifiable natural person. In such cases, the rules for processing personal data set out in the GDPR apply and must be observed by any person or entity that determines (alone or jointly with others) the purposes and means of the processing of personal data (i.e., the data controller).
A particularly significant issue related to personal data processing is the necessity to identify a valid legal basis for processing activities, such as storing (including in electronic form) and sharing (granting access to) personal data. In accordance with Article 6.1 of the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
The defined catalogue of legal bases for personal data processing requires data controllers, in circumstances regarding discovery or disclosure of ESI comprising personal data, to search for and choose an applicable option. Generally, in court proceedings, the reasons set out in points (c) and (f), above, are applicable.
The reason in point (c) may be relied upon by the data controller if a specific provision of law requires a person or entity to disclose certain categories of personally identifiable information for a specific purpose. Under Polish law, an example of this is a list of required information to be included in admissible pleadings (Article 126 of the CPC). However, owing to the versatile nature of potential evidence in both criminal and civil cases, it seems unlikely that a provision of law will be sufficiently precise as to the scope and purpose of personal data to be disclosed for a controller to be able to rely upon it.
Consequently, the reason in point (f) must be considered by a controller wishing (or required to) disclose personal data or obtain it in the course of (or in relation to) legal proceedings. The existence of a legitimate interest of a controller (or a third party) needs to be assessed, taking into account various factors. Recital 47 of the GDPR indicates that the legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. The Recital specifies that the existence of a legitimate interest would need careful assessment, including of whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Because of that, the controller – when collecting personal data – must be diligent when editing its data processing information clauses, required by the GDPR, and ensure that the potential disclosure of personal data within relevant proceedings is listed as a potential form of processing of an individual's data. The Recital goes further to indicate that interests and fundamental rights of the data subject could override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
According to the GDPR, processing of personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest of the data controller concerned. In any case, a particular disclosure will require the controller to perform a legitimate interest test and, according to its outcome, disclose or refrain from disclosing the data, at least in a form that identifies the data subject.
Another issue is that, should a controller decide to anonymise the data it is submitting in proceedings, the information could be dismissed by the court as altered and not admissible as evidence.
The GDPR also includes a separate list of circumstances allowing for lawful processing of certain categories of personal data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), data concerning health, or data concerning a natural person's sex life or sexual orientation. One of the admissible circumstances is when processing is necessary for the establishment, exercise or defence of legal claims (Article 9.2(f)).
As an EU Regulation, the GDPR does not restrict transfers of data within the European Union. However, transferring personal data outside the European Union (or, more specifically, the European Economic Area (EEA)) is restricted, unless specific conditions are met. These conditions depend on the level of risk posed by different circumstances accompanying a given transfer. Therefore, a transfer of personal data to a third country or an international organisation may take place if the European Commission (the Commission) has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. This type of transfer does not require specific authorisation (Article 45 of the GDPR).
In the absence of an adequacy decision from the Commission, a controller may transfer personal data to a third country or an international organisation only if it has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46.1). The appropriate safeguards may constitute:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules (within a group of companies);
- standard data protection clauses adopted by the Commission in accordance with the examination procedure;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure;
- an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
If there is no adequacy decision from the Commission, nor any appropriate safeguards in place, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only under strict conditions, one of which is that the transfer is necessary for the establishment, exercise or defence of legal claims (Article 49.1(e) of the GDPR). This circumstance, however, must be sufficiently justified and documented by the transferor.
According to Article 48 of the GDPR, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the European Union or a Member State, without prejudice to the other admissible grounds for transfer, described above.
VII OUTLOOK AND CONCLUSIONS
Providers of e-discovery services in relation to pre-litigation and litigation matters are becoming increasingly common. As demand for these services is clearly growing, it is likely to be a hot topic in Poland in 2019. Consequently, we feel that the Polish legislature should review the legal framework with a view to updating it by incorporating provisions on the collection and use of ESI. This would be beneficial for parties to proceedings, lawyers and the courts.
1 Anna Kobylańska and Marcin Lewoszewski are partners, Krzysztof Muciak is an advocate and
Maja Karczewska is an advocate trainee at Kobylańska & Lewoszewski Kancelaria Prawna Sp. j.
2 By decision of the Warsaw Court of Appeal dated 24 October 2017, reference number: VII ACa 938/17.
3 By decision of the Łódź Court of Appeal dated 1 September 2016, reference number: I ACa 254/16.