On July 23, 2009, the French Data Protection Authority [Commission nationale de l’informatique et des libertés (“CNIL”)] released its Deliberation No. 2009-474 concerning recommendations for the transfer of personal data in the context of discovery in US litigation (the “Recommendation”).
This Recommendation must be taken into account by all parties that find themselves in the position of transferring documents or other information containing personal data from France to the United States in the discovery or litigation context.
In the Recommendation, the CNIL, a governmental agency whose stated goal is in particular to protect individuals with regard to the processing of their personal data in France, has wrestled with the threats posed to personal data privacy by discovery requests served in US civil and commercial litigation.The Recommendation was issued in response to “an increase in the number of matters concerning the transfer of personal data to the United States, filed principally either by French subsidiaries of American companies or by French companies that have commercial ties with the United States, in the context of ‘Discovery’ proceedings before American courts.” For those familiar with the CNIL’s prior Recommendations and privacy-friendly positions, this one will not come as a complete surprise; nonetheless, the Recommendation represents an important new authoritative statement regarding the defense of privacy rights in the discovery context. (The Recommendation does not apply to US criminal litigation or the investigations by governmental agencies.)
Conditions for processing
In the Recommendation, the CNIL maintains that individuals whose personal information is divulged in the context of a US proceeding shall benefit, in all circumstances, from a right to oppose the disclosure on legitimate grounds. Although the practical implications of this are not entirely clear, this would seem to mean that, in the event personal data of employees fall within the scope of a discovery request, those employees would have a right to oppose the processing of their data by their employer, which would be required to take this opposition into account in its actions in the discovery context.
In addition, the Recommendation provides that parties producing personal data must weigh the proportionality and quality of the information and the consequences of the disclosure for the individuals against the need for the information in the underlying litigation. If personal information is not needed for the purpose of the discovery request to be fulfilled, the personal information should be redacted. In this respect, the Recommendation offers guidance as to the circumstances when the data should be filtered, secured, redacted, and/or how it should be utilized once transferred.
Conditions for transfer
Subject to certain limited exceptions, the individual’s consent is required prior to processing of the data. Such consent must have been “freely given”. However, such consent cannot be considered to have been freely given to the extent that the consent was obtained through pressure or threats.The individuals must also be provided with specific information with respect to the processing and the transfer of their data to the US.
A one-time transfer of relevant information may be justified by the exception within the 1978 Law on Data Processing, Data Files and Individual Liberties [Loi n°78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés] that allows the transfer of data to a country, such as the United States, that does not provide an adequate level of protection for personal data, where the transfer is necessary for a defense in legal proceedings. Historically, this ‘self-defense’ exception has been the most common means for a party to litigation to comply with a US discovery request without violating the 1978 Law on Data Processing, Data Files and Individual Liberties, although the exception probably does not apply to a third-party to litigation (e.g., in the case of a third party being issued with a US “subpoena” for the production of documents). A party seeking to rely upon this exception must provide prior notice to the CNIL, but the CNIL’s permission need not be sought.
Where the transfer of personal data is “on a large scale” and repetitive, the CNIL’s prior permission must be obtained, and the information may be transferred only in compliance with the Recommendation and where the entity to which the information is transferred (a) has adhered to the safe harbor principles, (b) has entered into a contract including the standard contractual clauses enacted by the European Commission, or (c) has adopted binding internal regulations (“Binding Corporate Rules”).
While the CNIL’s position in the Recommendation is consistent with its previous positions, as well as its general outlook and purpose and positions taken at a European Union level, the Recommendation is particularly important both for its specific rules and for its reaffirmation of the strong French position in favor of personal data protection—even when that protection comes into conflict with other interests, such as judicial cooperation.
The Recommendation also reaffirms that the Convention on theTaking of Evidence Abroad in Civil or Commercial Matters of 1970 is the only legal way of transmitting information from France to the US in the discovery context and that the orders of US courts to parties in France to produce documents or information in any other fashion are “irregular.” As a result, this Recommendation will provide an additional tool to both parties and non-parties seeking, in the context of US discovery, to resist providing certain information covered by privacy rights under the French data protection regulation.The Recommendation also does not alleviate the difficulties experienced by French parties that, for whatever reason, wish to comply fully with a discovery request served in connection with US litigation. How this Recommendation will play out in practice remains to be seen.