On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.
The challenges discussed in the Working Document have considerable practical implications for companies, which are increasingly caught between U.S. requirements that personal data be retained and transferred to the United States for litigation purposes, and European legal restrictions on such retention and transfers. These challenges are not just theoretical, as in December 2007 the French Supreme Court (Cour de cassation) upheld a €10,000 criminal fine against a French attorney for collecting information as part of U.S. discovery proceedings.
The Working Document identifies four data-related stages during the litigation process—retention, disclosure, onward transfer, and secondary use—and stresses that the “use of personal data at each of these stages will amount to processing” and “will require an appropriate condition to legitimate the processing.” It is tempting to focus only on the issues raised by transferring personal data to the United States, but collecting, storing, and analyzing personal data within Europe also require legal justifications and careful attention.
According to the Working Document, “it is unlikely that in most cases consent would provide a good basis for processing.” Instead, the Working Document points to Article 7(f) of the EU Data Protection Directive—processing necessary for the purpose of a legitimate interest of the controller or a third party—as a more likely basis for complying with U.S. civil discovery laws. The Working Document also leaves open the possibility that Article 7(c) of the Directive—compliance with a legal obligation—might also work, since some member states may impose a legal obligation to comply with the orders of foreign courts. However, a foreign legal obligation alone is insufficient to provide a legal basis for data processing under the Directive.
“Sensitive” personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life) could only be processed with unambiguous consent or if “necessary for the establishment, exercise or defence of legal claims.” Given the Working Party’s generally negative view towards consent or legal necessity as a basis for data processing in the discovery context, a practical solution to the issue of processing sensitive personal data still seems remote.
In addition to requiring a legitimate basis for each stage of data processing in connection with civil discovery, the Working Document also stresses other key data protection requirements that must be complied with. For example, under Article 6, personal data must be “processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not used fort incompatible purposes.” Personal data must also be “adequate[,] relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”
The Working Document notes that compliance with these provisions may require “filtering” of personal data while still in Europe to limit the data to those relevant to a civil discovery demand, and may require “the services of a trusted third party in a Member State.”
Transparency is another key requirement stressed in the Working Document, which states that “in the context of pre-trial discovery this would require advance, general notice of the possibility of personal data being processed for litigation.” Additional notice would be required if data are actually produced as part of a judicial proceeding.
The Working Party also stressed the rights of access, rectification and erasure, and suggested that before complying with civil discovery orders, and during the trial itself, data subjects must have access to their data and an opportunity to “access and rectify incorrect, incomplete or outdated personal data prior to the transfer.”
Finally, the Working Document highlights the need to provide continuing security for personal data.
On the specific issue of transferring data to a third country (e.g., the United States) for production, the Working Party would require compliance with Safe Harbor, a data transfer agreement based on standard contract clauses approved by the European Commission, or a set of binding corporate rules that have been approved by the relevant Member States’ data protection authorities. The Working Document notes that compliance with a request under the Hague Convention would always “provide a formal basis for a transfer of personal data,” but goes on to observe that not all member states have signed the convention, many who have signed have entered reservation against the discovery provisions, and U.S. courts have been reluctant to follow Hague Convention procedures.
The Working Document is noteworthy for its thoroughness and moderate tone. While the Working Document is signed by Article 29 Working Party president Alex Türk of the French Data Protection Authority (the CNIL), the process that led to the Working Document included a subcommittee of the Working Party led by Dr. Alexander Dix, who has carefully studied the issues and who was a featured participant in the High-Level Workshop on U.S. Civil Discovery and European Data Protection co-sponsored by the Centre for Information Policy Leadership at Hunton & Williams, LLP, in October 2008. Many of the recommendations also appear to reflect the careful, moderate arrangements that Dix has negotiated or approved as Data Protection and Freedom of Information Commissioner of Berlin—calling for broad notice, a limited scope of data retention, close scrutiny within Europe, the negotiation with U.S. courts for appropriate limitations and protective orders, and continuing obligations that follow the data.
That said, the Working Document is likely to face three limitations. First, there are a number of issues it explicitly defers consideration of, for example, document retention and production in criminal and regulatory investigations and practical litigation management systems that store broad swaths of data to facilitate the retention and analysis of data in response to discovery requests.
Second, while Dr. Dix and his colleagues have developed significant understanding of the complex issues surrounding civil discovery and have provided guidelines noteworthy for their “balance” and “proportionality”—two words that appear frequently in the document—it is not clear that U.S. courts, unfamiliar with basic data protection concepts, will be similarly diplomatic in their outlook. Instead, U.S. judges may well perceive some of the recommended steps to accommodate privacy interests as time-consuming and burdensome at best, or as a threat to their judicial authority at worst. So translating the Working Party’s broad guidelines into practical reality may be the greatest challenge ahead.
Third, the Working Document explicitly notes that its guidelines are an “initial consideration” of how to manage the issues surrounding pre-trial discovery, but that resolving those issues is “beyond the scope of an Opinion by the Working Party” and can “only be resolved on a governmental basis, perhaps with the introduction of further global agreements along the lines of the Hague Convention.” The Working Document might best be understood as a first step—an important first step to be sure—towards a more distant goal.
The Working Document concludes with an “an invitation to public consultation with interested parties, courts in other jurisdictions and others to enter a dialogue with the Working Party.”
Hunton & Williams actively advises clients on compliance with the EU Data Protection Directive generally and in connection with civil discovery and internal and criminal investigations. If we may be of service, or for further information about the Working Document, contact Chris Kuner or Bridget Treacy.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code