Privacy & Data Protection
Other sections of this issue:
Privacy & Data Protection | ISP-Liability & Media Law | Contracts & E-Commerce |
Electronic Communications & IT
European article 29 working party offers guidance on discovery for cross-border civil litigation
Multinational companies with operations both in the U.S. and Europe are keenly aware of the conflict between European data protection laws and U.S. discovery requirements. Compliance with discovery rules are clear legal obligations for entities facing litigation in the U.S. However, the handling of European personal data to comply with these legal obligations may breach the national laws in Europe implementing the requirements of Data Protection Directive (95/46/EC) (the "Directive").
On February 11, 2009, the EU Article 29 Data Protection Working Party (the "Working Party") published its working paper 158, purporting to provide guidance to data controllers on how to reconcile the demands of the litigation process in a foreign jurisdiction with the requirements of the Directive.
Introduction - Conflicting demands between U.S. and European laws
Before reflecting on the Working Party's comments it is useful to look briefly at the key conflicts between U.S. discovery requirements and European data protection laws:
- Triggering the directive in U.S. pre-trial discovery : Under the U.S. legal requirements, U.S. litigants have a duty to preserve information when litigation is reasonably anticipated. This might include data stored in Europe or otherwise subject to the protections of the Directive. Wherever personal data that identifies a living individual is "processed" (this includes storage, access, review and disclosure) in Europe, the legal requirements of the Directive will apply in relation to the handling of that data. Therefore, the retention of data for purposes of anticipated or pending litigation is subject to these requirements.
- Limits on circumstances in which personal data can be handled : The Directive only permits the "processing" of personal data in certain circumstances. Compliance with foreign legal statutes or regulations (such as the U.S. Federal Rules of Civil Procedure) is not included in the list of permissible processing grounds under the Directive. So personal data may only be preserved in connection with U.S. litigation where other grounds are satisfied.
- Proportionate data filtering : To comply with the requirements of the Directive, all processing of European personal data must be conducted in a proportionate fashion. To meet these requirements, any data filtering required as part of the U.S. discovery process should ideally be carried out in the country where the data is found, or at the very least within the EU. Relevancy decisions should also be made by someone with knowledge of the litigation. This could be the services of a "trusted third party" within the EU who does not have a role in the litigation but has the sufficient level of independence and trustworthiness to reach a proper determination on the relevance of the personal data. Only those categories of data that are required for litigation should then be transferred to the U.S. for disclosure in litigation proceedings.
- Transparency : The Directive requires the processing of personal data to be transparent. Individuals (including company employees) must ordinarily be informed of the ways in which their personal data is being processed. In some circumstances (where, for example, there is a risk of the intentional destruction of evidence) it is not always possible to provide advance notice of internal investigations.
- Data retention : The Directive requires personal data to be kept for as long as it is collected or for which it will be further processed. European personal data may not be retained for unlimited periods simply because of the possibility of U.S. litigation.
- Prohibition on data transfer to the U.S. : The Directive contains a basic prohibition on the "transfer" (this includes the review of personal data stored in Europe by personnel located in the U.S.) of personal data to the U.S. There is an exception to this prohibition which permits the transfer of personal data to the U.S. where it is necessary or legally required for the establishment, exercise or defense of legal claims. However, data disclosed must generally be limited to categories that are relevant to anticipated or pending U.S. proceedings. The wholesale transfer of all potentially relevant personal data to the U.S. for preservation purposes is not permissible under EU law.
The working party guidance
In its paper on this topic, the Working Party acknowledges the need to reconcile U.S. litigation rules and EU data protection provisions and states that it intends to offer up guidelines for EU data controllers on the four stages of the litigation process - retention, disclosure, onward transfer, and secondary use. In reality, the guidance provided does little more than to summarize the conflicts identified above, as well as to impose additional obligations under the Directive for the handling of EU personal data.
Because of this, U.S. litigants may feel that the document provides very little guidance or relief. For example, the Working Party urges the use of the Hague Convention as a first method of transferring data to the U.S. even though the Working Party recognizes that all member states have not signed the Hague Convention and that the procedures set forth in the convention are less than efficient. The Working Party paper is, however, useful in that it seeks to identify many of the key issues that arise as a result of the conflict in the legal regimes.
In its paper, the Working Party acknowledges that resolving the issues involved in cross-border discovery is beyond the scope of a Working Party opinion and calls instead for a government solution. For the time being, at least from a European perspective, it seems that the issue is being left to data protection authorities and national courts to resolve.
Our advice - risk reduction strategy
In the meantime, the following measures may help to reduce risk:
- Allocating roles and responsibilities for this issue internally;
- Mapping corporate information management infrastructure so that there is an understanding of where personal data is located;
- Adopting or revising records storage, retention and destruction policies to contain fixed retention schedules;
- Adopting detailed network monitoring and use policies that contemplate the review of employee email and other data;
- Ensuring European workers union/counsel agreements adequately address this issue;
- Establishing a plan for the retention and transfer of corporate data for U.S. litigation, including considering a corporate transfer solution such as binding corporate rules;
- Considering obtaining advance consent from key personnel to the disclosure of their personal data;
- Providing training to key personnel, especially personnel who may be involved in the processing or transfer of data for litigation outside the EU;
- Learning the enforcement attitudes of the data protection authorities in relevant European jurisdictions; and
- Monitoring enforcement actions in relevant European jurisdictions.
If you would like advice and guidance on how to reconcile the demands of the U.S. litigation process with the requirements of the Directive, please contact us.
For more information, contact: Gaela Bailey or Frederik Van Remoortel.
Joint Investigation Action on the Implementation of the Data Retention Directive
The Article 29 Working Party has announced that it is launching an investigation concerning the compliance of telecom providers and ISPs with national and EU obligations on traffic data retention.
Questionnaires will first be sent to the companies concerned. These will be followed by on site investigations.
The announcement confirms the increasing trend of the Working Party and national data protection authorities undertaking pro-active enforcement actions.
Click to access the press release - which is dated December 10, 2008, but was only made public via the website of the European Commission on March 17, 2009.
For more information, contact: Frederik Van Remoortel.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.