- EU Sheds New Light on EU/U.S. Discovery Conflicts
- March 13, 2009 | Authors: Geoffrey M. Howard; Axel Spies; Erin A. Smart
- Law Firms: Bingham McCutchen LLP - San Francisco Office; Bingham McCutchen LLP - Washington Office; Bingham McCutchen LLP - San Francisco Office
A new report highlights the potential conflict between EU data protection (privacy requirements) and e-discovery demands in U.S. litigation where a party seeks data located in Europe. The Article 29 Data Protection Working Party (the “WP”), an advisory body of national data protection experts to the European Commission, recently released its report on international e-discovery, highlighting some of the differences between U.S. and “Civil Code” procedures and making various suggestions for conducting cross-border discovery. The WP invites interested industry members to comment.
- “[Data] controllers in the EU have no legal ground to store personal data at random for an unlimited time period because of the possibility of litigation in the U.S.”
- “Although in the U.S., the storage of personal data for litigation hold is not considered to be processing, under Directive 95/46 any retention, preservation, or archiving of data for such purposes would amount to processing [and thereby fall under the EU’s data protection laws].”
- “Exporting controllers in the EU should be able to produce clear evidence of a data subject’s consent...”
- “Valid consent means that the data subject [the individual to whom the data refers] must have a real opportunity to withhold his consent....”
- “As a first step controllers should restrict disclosure if possible to anonymised or at least pseudonymised data. After filtering (‘culling’) the irrelevant data — possibly by a trusted third party in the European Union — a much more limited set of personal data may be disclosed as a second step.”
- “Where the transfer of personal data for litigation purposes is likely to be a single transfer of all relevant information, then there would be a possible ground for processing under Article 26(1)(d) of the Directive where it is necessary or legally required for the establishment, exercise or defense of legal claims.”
B. Preliminary Observations
- Working Document 158 (the “Report”) is not directly binding on the national Data Protection Agencies (the “DPAs”), but will have a significant impact on them.
- Reviewing (“filtering”) of data in the country where the data is located is strongly advisable.
- Outsourcing discovery services does not bar claims by individuals against the data controller.
- A single data transfer to comply with U.S. court orders is preferable to establishing continued access by a U.S. entity to data in Europe.
- Having a group-wide retention policy in place before the data transfer is strongly advisable.
- Although the WP has a preference for discovery requests from the U.S. under the Hague Convention on Evidence (“letters of request”), this is not the only method for complying with EU data protection law.
As many companies facing U.S. litigation that implicates personal data in Europe well know, EU privacy (“data protection”) requirements and U.S. e-discovery demands meet each other head-on. For example, U.S. e-discovery laws require litigants to implement “litigation holds” to prevent the destruction of relevant unique information, and produce often voluminous amounts of data under broad discovery rules. Various laws in the EU meanwhile, prohibit “processing,” including storage or transfer, of all “personal data,” i.e., any data from which a human being can be identified, outside of certain limited exceptions, and requires deletion of data after it has served the purpose for which it was originally collected. Moreover, the U.S. is considered a country of “inadequate data protection” and data transfers from the EU to the U.S. are subject to various safeguards and restrictions under the EU 1995 Data Protection Directive (the “Directive”) and national data protection laws.
Policy makers are no strangers to these intensifying conflicts and one group in the EU is attempting to do something about it. On February 11, 2009, WP, a European advisory body on privacy which represents the EU Member States, adopted the Report with guidelines on pre-trial discovery for use in cross-border civil litigation. The Report is a joint product of the DPAs, the bodies charged with implementing the Directive.
Other EU national bodies as well as U.S. agencies are also considering this issue. France’s national DPA, CNIL, launched a proceeding on the limits of e-discovery in France. See Bingham’s February 2008 alert authored by Dr. Spies on CNIL Initiative on E-Discovery. Other national DPAs, such as the Spanish DPA and the “Duesseldorf Circle,” a group of German DPAs, are also working on developing national standards for international e-discovery. National DPAs will receive copies of the WP’s Report in their native languages in the next few weeks and from there will consider how, if at all, the Report may influence new rules in their Member States. The WP has initiated a dialogue with the U.S. Department of Commerce and the Sedona Conference in the U.S. on the data protection issues in order to find a balanced solution.
Although the Report is not legally binding on the DPAs, it sets out guidelines regarding litigation holds and pre-trial discovery that are likely to have a significant impact in the EU.
Much of the advice in the Report is similar to the general principles in the U.S. Federal Rules of Civil Procedure. The Report cautions that under EU law, parties have “no legal ground to store personal data at random for an unlimited time period because of the possibility of litigation in the U.S.,” instead, it encourages companies to adopt ongoing retention policies to manage their data. The Report further encourages parties to look to alternative sources of data if any exist before undertaking the difficulties of cross-border discovery. Finally, the Report notes that parties should make the U.S. court aware of EU restrictions and regulations early in litigation.
A. Data Processing
“Processing” of “personal data” must meet one of the three grounds in Article 7 of the Directive: (1) a party must obtain consent from the data subject; (2) the processing must be necessary for a legal obligation; or (3) the processing must be necessary to further a legitimate interest.
The Report summarily dismisses consent as a valid basis for processing in most litigation as “unlikely to provide a proper ground for such processing.” That is because consent must be informed, there must be “clear evidence” of consent, and the data subject must have a real opportunity to withhold, or even withdraw, consent. That said, the WP “recognise[s] that there may be situations where the individual is aware of, or even involved in the litigation process and his consent may properly be relied upon as a ground for processing.” The WP does not elaborate on those situations.
The Report further eliminates the ground of “necessary for a legal obligation” in many cross-border litigations by noting that “[a]n obligation imposed by a foreign legal statute or regulation may not qualify as a legal obligation by virtue of which data processing in the EU would be made legitimate.” The Report leaves open the possibility of the “necessary for a legal obligation” exception in the case of a foreign litigant’s use of the 1970 Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters. Under that Convention a U.S. court seeks judicial assistance by way of a “letter of request” that is sent to the Central Authority in the relevant EU Member State and executed by a local court. The U.S. and many EU members have signed the Convention. The Report notes that “in individual Member States there may exist a legal obligation to comply with an Order of a Court in another jurisdiction seeking such discovery,” which, apparently, the WP believes would make processing appropriate as “necessary for a legal obligation.” However, this process may not be appropriate for all parties because, apart from the fact that some EU Member States are not parties to the Convention, the letter of request process is bureaucratic and lengthy.
The Report suggests that whether processing is appropriate under the “necessary to further a legitimate interest” prong should involve a balancing of “the goal of providing for fairness in the proceedings and reaching a just outcome” with “the rights and freedoms of the data subject who has no direct involvement in the litigation process.” This “balance of interest test should take into account issues of proportionality, the relevance of the personal data to the litigation and the consequences for the data subject.”
Even when allowed, the Report suggests mechanics for processing personal data that could be unrealistic for U.S. litigation. The Report suggests that disclosure be restricted to “anonymised or at least pseudonymised data” from which an individual’s name has been removed. Although the Report tempers that instruction with “if possible,” there may be many situations in which such an option is technologically and/or physically “possible,” but cost prohibitive. The WP does not provide guidance on whether cost concerns affect the interpretation of “possible.” Before disclosing data, the Report further suggests that data be filtered (or “culled”) to exclude irrelevant data, a process it suggests may be appropriate to undergo in the host country.
B. Data Transfer
If personal data is to be transferred to a jurisdiction that is not considered to have adequate data protection laws, like the U.S., the transfer must further meet the requirements of Article 26 of the Directive. Article 26 allows transfer if “legally required for the establishment, exercise or defence of legal claims.” Unlike the “necessary for a legal obligation” exception in Article 7, the “legally required” language in Article 26, “[w]here the transfer of personal data for litigation purposes is likely to be a single transfer of all relevant information,…would be a possible ground for processing.” This suggests parties should consider reviewing personal data on the premises in Europe and transfer only data sets that are directly relevant to the outcome of the litigation. The WP further “recognises that compliance with a request made under the Hague Convention would provide a formal basis for transfer of personal data” and suggests that method “be considered first as a method of providing for the transfer of information for litigation purposes.”
C. Security Measures
Obligations under the Directive continue to apply in full force even in the event of litigation. For instance, the Report suggests that data subjects’ rights of access to, and rectification or erasure of, their data be imposed on parties to litigation by way of a Protective Order. While noting that these rights may conflict with the duty to preserve data in U.S. litigation, the Report lacks guidance on how to rectify that conflict.
Article 17 of the Directive requires the person or entity controlling personal data to “take all reasonable technical and organisational precautions to preserve the security of the data to protect it from accidental or unlawful destruction or accidental loss and unauthorised disclosure or access.” Outsourcing discovery services does not bar claims by individual data subjects against the data controller in the event of a breach. The Report suggests that law firms, vendors, experts, and even the court, adopt security measures. Such security measures likely include a Protective Order limiting the use of personal data, providing that personal data be filed under seal, and requiring the data’s destruction at the end of the litigation.
The WP’s recently released Report is useful in summarizing the current state of the discussion. However, it raises a number of unanswered questions, such as whether prior consents can legitimize a data transfer. That may not be completely unplanned as the WP styles its Report as an “initial consideration of the issue” and “an invitation to public consultation with interested parties, courts in other jurisdictions and others to enter a dialogue with the Working Party.”