• French Data Protection Agency (CNIL) Releases New Guidelines on "Discovery"
  • August 27, 2009 | Authors: Gary Adler; Geoffrey M. Howard; Maureen A. Young
  • Law Firms: Bingham McCutchen LLP - New York Office; Bingham McCutchen LLP - San Francisco Office
  • In Guidelines published on August 19 in the French Official Journal, the French Data Protection Authority (CNIL) opined on the legal requirements for French/U.S. data transfers in discovery activities related to litigation or for U.S. investigations.


    The CNIL states in its detailed “Deliberation 2009-474” (in French only) that the volume and scope of document discovery in U.S. proceedings have significantly increased. It reiterates that all data flows out of France for litigation purposes must be in line with the French Data Protection Law of 1978 (as amended): “Obtaining an authorization from a French judge to send documents to the U.S. (through a “letter of request” addressed to the French chancellery) does not release a company from the obligation to respect French [data protection] law, in particular the provisions on data flows out of the EU....”

    Is Prior Consent of the CNIL Required?

    One key issue for U.S. litigants is when prior consent of the CNIL is required, irrespective of other regulations and treaties (such as the 1970 Hague Convention on Obtaining Evidence Abroad that the U.S. and France have ratified). The CNIL makes the following clarifications:

    • The CNIL’s prior consent is NOT required for personal data transfers to the U.S. for litigation or investigation purposes (SEC, FTC, etc.) if: (i) it is a single data transfer, and (ii) the amount of information transferred is “not massive.” The CNIL still must be notified of the data transfer.
    • Data transfers that go beyond this threshold (i.e., “massive and repeated data transfers”) are only allowed if: (i) the receiving party in the U.S. signs the EU/U.S. Safe Harbor Principles, (ii) the parties use the EU contractual clauses for international data transfers, or (iii) the parties adhere to the Binding Corporate Rules (a complicated set of rules for corporate groups developed by the EU that must be individually approved by the national data protection authorities).
    • If the data are already located in the U.S., the data processor must ensure that the data are “adequately protected” by the U.S. authorities, e.g., through a “stipulative court order” [probably a Protective Order].

    Various Additional Privacy Issues

    The CNIL addresses a number of privacy requirements for personal data transferred to the U.S., for instance:

    • Prior consent of the individual: Prior consent of the individual can be a legitimate basis for data transfers under the French data protection laws, provided that there is evidence that it is “free, clear, specific” consent; in particular, the consent must not be given “under pressure,” or merely to avoid “sanctions.”
    • Reducing the amount of data: The CNIL demands that personal data sent from France must be “proportionate” and “adequate” in relation to the discovery purpose. One method to ensure this is to filter the data in France for key words to reduce its volume. The CNIL also recommends anonymizing the data to the maximum extent.
    • Data storage: Data sent to the U.S. may only be stored for the “duration of the proceedings.”
    • Informing the individuals: Pursuant to French data protection laws, the individuals to whom the personal data in France refer must be informed about the data transfer (exceptions may apply if such disclosure “endangers the proceeding”). These individuals must have the right to know what is sent and to “rectify” false or incomplete information about them.

    Preliminary Observations

    Many requirements that the CNIL stipulates in the Guidelines are open to interpretation. Given that the European “Article 29 Working Party” of data protection representatives at the EC is also looking into this issue on the European level (see Bingham’s e-discovery alerts of 02/23/09 and 02/11/2008), this is probably not the last word from Europe. It remains to be seen how aggressively the CNIL will enforce the new Guidelines.