On August 19, 2009, the French privacy and data protection authority (the "CNIL") issued an opinion (the "Opinion") addressing privacy and data security concerns that may arise under French law when U.S. litigants attempt to reach data falling under French jurisdiction.[1] While the Opinion does not apply to data requests from U.S. agencies or to evidentiary issues that may surface during litigation, it may have considerable impact on U.S. litigants conducting discovery of data governed by French law.
The Opinion emphasizes the need for application of French and European data protection laws to foreign discovery of French data, in addition to limitations on international data transfers imposed by the Hague Convention of 1970 (the "Hague Convention").[2] It also offers practical guidance to U.S. litigants seeking documents that fall under French jurisdiction. U.S. litigators should note such guidance when conducting discovery of data located in France or otherwise affected by French privacy laws.[3]
Basis of Opinion: Conflict of Laws
The tension between U.S. discovery requests and French data protection laws stems from the comparatively limited role discovery plays in the French civil law system.[4] While the common law system encourages involvement of parties in collecting evidence through permissive discovery rules, civil law typically restricts disclosure of evidence to documents that are admissible at trial. More specifically, many civil law countries limit the ability of foreign litigants to reach, through discovery proceedings, data located in those countries. Such limitations on foreign discovery efforts are often imposed through national laws called "blocking statutes," which are intended to protect the sovereignty, as well as the economic and security interests, of the nations from which discovery is sought. For example, France's blocking statute of 1968 (the "Blocking Statute")[5] prohibits foreign discovery of French data under penalty of up to six months' imprisonment, an €18,000 fine, or both.[6] This prohibition extends to anyone, regardless of citizenship or residency.
The Blocking Statute poses a significant hurdle to U.S.-originated discovery for two reasons:
- It may deprive litigants of documents needed to strengthen their legal positions; and
- When combined with U.S. court-mandated discovery requests, it may place the recipient of the request in a "Catch-22" situation, because complying with the request may violate French data protection laws, while refusing to comply with the request may violate the U.S. Federal Rules of Civil Procedure (the "FRCP").
Nonetheless, like most jurisdictions, France allows international instruments to override the provisions of its Blocking Statute. Specifically, the Hague Convention, to which France and the United States are parties, allows contracting states to request evidence under the jurisdiction of other contracting states through a Letter of Request.[7]
France, however, took advantage of the Hague Convention's Article 23 (which allows signatory countries to limit the extent of their compliance) by declaring that Letters of Request issued in the context of pre-trial discovery will be honored only if "the documents are specifically enumerated in the Letter of Request and have a direct and precise link with the subject matter of the litigation."[8] This requirement gives the French judge receiving a Letter of Request discretion to decide whether to order production of the documents sought under the FRCP.
Historically, attempts to circumvent the requirements of the Hague Convention were rarely criminally prosecuted in France. In 2007, however, the French Court (the Cour de Cassation) breathed new life into the Blocking Statute by upholding a fine imposed on a France-based lawyer who tried to obtain information from a potential French witness in connection with a California litigation, without following the Hague Convention.[9] This decision suggested that overlooking the Hague Convention while conducting U.S.-based discovery in France may be problematic.[10]
Under these circumstances and in light of increasing volumes of personal data transferred from France to the United States, the CNIL issued its recent Opinion to address privacy concerns arising from U.S. discovery requests for data falling under French jurisdiction.
The Opinion
In general, the Opinion reinforces the importance of the Hague Convention and French data protection laws, which stem mainly from the French Data Protection Act of January 6, 1978, or "the law on computers and liberty" (the "CL Law").[11] The CL Law regulates processing of personal data[12] and offers various levels of protection for such data, depending on the nature of the data. In effect, the CL Law creates a three-tier framework for data processing:
- Sensitive data, such as data pertaining to race, ethnic origin, handicap, labor union membership, and sex life, can be processed only in extremely narrow circumstances defined by the CL Law.
- Less sensitive data, such as genetic data, criminal convictions, and other data affecting individual rights, can be processed only with prior authorization from the CNIL.
- All other data can be processed simply by filing a declaration with the CNIL, subject to some exceptions.[13]
Violation of the CL Law is a criminal offense sanctioned by imprisonment of up to five years and fines of up to €300,000. The CL Law also gives certain enforcement powers to the CNIL, including power to:
- Reprimand violators and publish the reprimands;
- Enjoin violators from continuing illegal processing; and/or
- Impose fines of up to €300,000.[14]
In the context of international discovery, the issue before the CNIL was whether the CL Law may be triggered by U.S. discovery requests, and if so, what U.S. litigants should do to comply with the law. The CNIL adopted a conservative stance regarding this issue.
The Opinion requires the person responsible for data processing (the "Data Controller") to notify the CNIL concerning any international transfers of personal data. The agency reserves the right to upgrade the declaration requirement to an authorization requirement "depending on the legal framework surrounding those data transfers." The Opinion also lays out the following guidelines for application of the CL Law in the context of discovery requests in foreign-based litigation:
Responsibility of the Data Controller. The Data Controller is typically the person who directs the transfer of personal data as part of legal proceedings. This person may be connected to French territory in one of two ways: (i) by being established in France, or (ii) by conducting the data processing through technological means located in France (except where those means are used only as a conduit for the data).[15]
Legitimacy of Purpose. Data processing can take place only if the purpose is legitimate and if individual rights are protected. The person to whom the data relates (the "Data Subject") retains the ability to prevent disclosure of his or her personal information for legitimate reasons during U.S. litigation. In certain circumstances, consent[16] of the Data Subject to disclosure of the information may be enough to satisfy the CL Law. For example, processing of sensitive personal data is generally prohibited, unless the Data Subject has consented to such processing or the processing is necessary to safeguard a legal right of the Data Controller.
Proportionality. Discovered data must be "adequate, pertinent and non-excessive" with respect to the purpose for which it is collected, which means that only information relevant to the discovery request can be transferred. Relevant information may be isolated by using filtering technologies such as keyword searches. The proportionality and quality of the data must be objectively assessed, and this operation must be done locally, i.e., in the country where the data resides. The CNIL recommends consulting a third party to assess the proportionality of the relevant data. In addition, data must be complete and accurate.
The agency notes that when personal elements, i.e., elements allowing identification of a person, embedded in data are not relevant to the discovery request, the data must be made anonymous or pseudonymous before being produced. Specifically, the CNIL provides two fact patterns where the proportionality principle was satisfied: (1) a request for production of documents made by the SEC to a French company where the personal elements of the data were not relevant to the SEC's investigation and the data was successfully made anonymous before being transferred to the SEC; and (2) a stipulated U.S. court order that limits the scope of discovery by defining the boundaries of document production and laying out specific rules regarding use and access of the discovered information.
Limited Duration of Storage. Personal data can be stored only for a reasonable period, which is tied to the purpose of the processing. In discovery proceedings, a "reasonable period" is the duration of the discovery process. The CNIL advises against using any other time frame.
Discretion. Recipients can receive only the data necessary to carry out the discovery, or the part of the discovery they conduct.
Transparency. Data Subjects have the right to be informed in a clear and comprehensive way prior to collection of their data. When data is scheduled to be transferred outside the European Union, Data Subjects must be informed of the following: the entity responsible for processing their data; the facts in the legal action; the link requiring disclosure of the data pertaining to the Data Subject; whether the disclosure is mandatory or optional; the consequences for the Data Subject of refusing disclosure of the data; the potential transfer outside of the European Union; and how to exercise the right to access, modify, and oppose disclosure of the information. Exceptions to the transparency principle include situations where: (a) informing the Data Subject jeopardizes the ability of the data collector to gather evidence, and (b) preliminary injunctive relief (mesures conservatoires) is necessary to prevent destruction of evidence. Under these circumstances, the Data Subject may be informed after the data transfer takes place.
Right to Access and Modify. The Data Controller must guarantee all Data Subjects the right to: (a) access data pertaining to them; (b) inquire as to whether the data is inaccurate, incomplete, equivocal, or expired; and (c) rectify or suppress such data. Preliminary injunctive relief may be granted to the Data Controller to maintain the confidentiality of an investigation.
Security. Access to personal data must be limited to persons who can legitimately access the data to further the purpose(s) of the processing, e.g., people employed to process such data. The Data Controller must take all appropriate measures to guarantee the security of the data. In the data processing organization, the data must be separated and isolated to the extent that different departments in the organization are in charge of different aspects of processing. The CNIL also recommends that access to the data be monitored. If the Data Controller hires a service provider who can access personal data, the contract must include provisions prohibiting the service provider from using the data for any other purpose.
Transfer of Personal Data to the United States. Requirements for transfer of personal data to the United States depend on the volume and frequency of the data transferred:
- Small, one-time data transfers do not require authorization from the CNIL, but must be declared to the CNIL.[17]
- Large and/or repeat transfers require the person or company carrying out the transfer to comply with French and E.U. privacy laws in any of the following three ways: (a) ensuring that the recipient has adequately certified compliance with the U.S. Department of Commerce's Safe Harbor Principles;[18] (b) entering into contractual provisions meeting E.U. standards for protection with the person processing the data in the United States;[19] or (c) adopting binding corporate rules that meet E.U. standards for protection.
Finally, the CNIL suggests that U.S. jurisdictions use stipulated protective orders to limit the scope of discovery in ways consistent with E.U. data protection laws.
Conclusion
The CNIL's Opinion offers practical guidance to U.S. litigants seeking documents that fall under French jurisdiction. These guidelines may require U.S. litigants to restructure their litigation strategies or timelines to take into account the CNIL's requirements. In addition, companies operating in France or processing data governed by French law should revise their privacy policies and appoint a data protection officer, as recommended by the Opinion, to facilitate compliance with these rules. Legal counsel can offer advice and guidance on establishing or revising privacy policies and complying with French law and U.S. discovery requests.
