Introduction to US Discovery and European Data Privacy
It is not unusual for companies doing business in Europe to be involved in US litigation proceedings. In the course of such litigation proceedings, US courts may require companies to disclose certain information, including the personal data of employees, customers and other persons.1 European data privacy law generally prohibits the transfer of personal data to another legal entity, all the more so if that entity is domiciled in another country.2 This prohibition leads to a potential conflict between the European and US systems. It also causes difficulties for companies facing an obligation to transfer personal data when defending against or raising claims in a US trial while simultaneously having to comply with European data privacy laws.3
Failure to comply with requests for such information can lead to companies facing severe sanctions.4 On the other hand, violations of European data privacy laws following the disclosure request may lead to damage claims, fines or, in severe cases, criminal prosecution.5 This article aims to suggest possible solutions for that dilemma.
The United States and Europe take differing approaches with regard to discovery and data privacy. While data privacy plays an important role in Europe, discovery is not a significant issue. Conversely, in the United States, discovery is a significant component of litigation proceedings and there is less protection of data used in the private sector.6
Some civil law countries, including Germany, have introduced laws intended to restrict cross-border discovery of information for disclosure proceedings in foreign jurisdictions (so-called “blocking statutes”).7 In some cases, US courts have rejected the idea that such provisions provide a defense against discovery in relation to US litigation.8 However, in other cases, US courts have acknowledged the foreign party’s interest in obeying its national law and have agreed that this supersedes the opposing party’s interests in requesting such evidence.9
Is There a Justification for Data Disclosure?
In order to understand the conflicting approaches in the United States and Europe with regard to data privacy laws, it is necessary to explain the context of data privacy laws in Europe.
In the European Union, as well as in the European Economic Area, data privacy law is based on European Directive 46/95/EC, dated 24 October 1995 (the “Directive”), which deals with the protection of individuals with regard to the processing of personal data and the free transfer of such data. The Directive was implemented by national data privacy laws, such as the German Federal Data Privacy Act (Bundesdatenschutzgesetz or BDSG) and the British Data Privacy Act of 1998. Hence, EU Member States’ national laws on data privacy are based on the same Directive and, therefore, on the same principles. Nevertheless, they vary in certain aspects.
Pursuant to the general principles established by the Directive, collecting, processing and using personal data is permitted only if the data subject has consented, or if there is a statutory justification. The same holds true for the transfer of personal data to a third party. Moreover, additional requirements have to be met if personal data is transferred to third parties located outside the European Union or the European Economic Area.
In practice, the data subject’s consent can rarely be used as a valid justification for transfer; the law sets strict requirements for a declaration of consent and the sheer volume of data eventually requested in disclosure proceedings often makes it nearly impossible to procure the written consent of every person whose data might be concerned. Hence, parties regularly need to find a statutory provision that justifies the data transfer required for an e-discovery.
When is processing personal data permitted?
Pursuant to Article 7 (c) of the Directive, the data controller may process personal data if processing is required in order to comply with other legal obligations. However, disclosure in e-discovery proceedings is based on US e-discovery rules. Such foreign law statutes, however, do not constitute a legal obligation within the meaning of Article 7 (c) of the Directive. Hence, Article 7 (c) of the Directive does not provide for a justification to process personal data in e-discovery proceedings.
However, Article 7 (f) of the Directive allows for the processing of personal data if such processing serves the legitimate interests of the data controller and if these interests are not outweighed by fundamental rights and freedoms of the data subject. Consequently, Article 7 (f) of the Directive requires a thorough balancing of the legally protected interests of the data controller and those of the data subject.
Disclosure of personal data during litigation would certainly serve the justified interests of the data controller if that individual or entity is involved in litigation. Therefore, the transfer and use of third-party data may generally be possible before European courts.10 However, that provision does not generally permit the transfer of personal data to US courts, as additional measures are required to ensure an adequate level of protection for a data transfer to parties outside the European Union or the European Economic Area.
May personal data be transferred to the United States?
In the course of pre-trial e-discovery proceedings, Article 26 (1) (d) of the Directive might come into play. This provision permits the transfer of personal data without the requirement to guarantee an adequate protection level if the transfer is necessary “for the establishment, exercise or defense of legal claims.”
It is worth noting that, for instance, the English-language version of the Directive does not require the establishment, exercise or defense of legal claims to take place in a specific forum, while other language versions,11 such as the German version of the Directive, require “court proceedings.”
The German-language version of Article 26 (1) (d) of the Directive has been implemented into German law in Section 4c Subsection 1 Sent. 1 No. 4 BDSG. Germany, like several other countries, has chosen to implement a stricter version of the Directive, allowing for a transfer of personal data to a party in a country outside the European Union without any further measures to guarantee an adequate protection level only if “the transfer is required…for the establishment, exercise or defense of legal claims before courts.” Hence, it is questionable whether Article 26 (1) (d) of the Directive and Section 4c Subsection 1 Sent. 1 No. 4 BDSG also cover pre-trial disclosure proceedings.
In support of this view, it could be argued that the legal interests of a party subject to e-discovery are exactly the same as if this party actually litigated before a US court. However, Article 26 (1) (d) of the Directive forms an exception to data privacy that has to be interpreted narrowly so as not to circumvent the European data privacy standard.12
Discovery in the United States is typically conducted prior to the beginning of the actual trial proceedings. It is aimed at gathering evidence in preparation for the actual trial and does not, typically, take place before the court. As the pre-trial gathering of evidence is not a familiar element of the German civil procedure law, it can be assumed that an exception provision is not intended to cover such unknown pre-trial proceedings.
According to the guiding principles of avoiding data transfer (pursuant to Section 3a BDSG) and limiting the processing of data to a specific purpose, data handling must be avoided if it is not required.13 Therefore, applying the exception would contradict German data privacy law standards. This leads to a restrictive interpretation of the exception provision, under which it cannot justify any transfer of data to the United States in the course of pre-trial discovery proceedings.14
The Exception and Data Privacy Principles
A disclosure request by a US court seems to be incompatible with EU and German privacy laws. However, considering the economic importance of requesting or producing documents in e-discovery for European parties, companies are advised not to completely refuse a disclosure request on the grounds of existing national data privacy legislation. Often, a better alternative is to find a privacy-compliant approach to the requested disclosure. Such a privacy-compliant solution might be found by considering the background and the purpose of the exception provision detailed in Section 4c Subsection 1 Sent. 1 No. 4 BDSG.
What are a data recipient’s obligations?
Public accessibility of European documents produced during US e-discovery proceedings is quite problematic from a European privacy law perspective.15 In a German scenario, the documents produced as evidence in discovery proceedings are only accessible to persons attending the court proceeding itself (Gerichtsöffentlichkeit),16 and decisions are only published in anonymous form.17 In the United States, however, decisions, writs and protocols in current proceedings can be accessed by anyone worldwide. Documents are even made public over the Internet.
This demonstrates that the recipients who are entitled to receive the documents, including personal data, are not able to protect the personal data against any further transfer or public access. Furthermore, the recipients are generally not able to guarantee that the data is only used during, and for the purpose of, the respective litigation proceedings, or that it is only processed as much as necessary. Therefore, when transferring data, additional measures should be implemented to guarantee that the data is not processed outside the discovery.
Which data can be transferred?
Another important point is that only data that is necessary for the support of the claim may be transferred. Many provisions in the German privacy law permit data processing only if it is required for the specific purpose set out in the respective exception provision, Section 4c Subsection 1 Sent. 1 No. 4 BDSG. Therefore, this principle should be considered as a general restriction relative to data transfer in e-discovery.
Generally, the exception provision permits a data transfer if such transfer is required to support legal claims before German, European or other courts. The provision describes an exception where the data subject’s interests are minor and subordinate to the justified interests of the parties involved in litigation.18 The BDSG gives the effective prosecution of claims precedence over the data subject’s interests.19 Therefore, the word “required” does not require any additional assessment of whether the party transferring the data has interests that override the interests of the data subject. The principle of proportionality acts as a guideline for the permitted type and scope of data transfer.20
Definitions of “Required”
As a guiding principle, the criterion “required” has to be interpreted restrictively. Although the exception provision suggests that there is a general option to transfer personal data to countries outside the European Union for litigation purposes, information required under US law will not automatically be held as required within the meaning of Section 4c Subsection 1 Sent. 1 No. 4 BDSG.
The aim of the discovery process in the United States is to ensure that the parties to litigation proceedings have access to required and relevant information for their cases, given the rules and procedures of the jurisdiction in which the litigation takes place.21 Discovery is a fundamental part of the litigation process in common law jurisdictions, but the scope of what is required for discovery differs greatly between common law and civil code jurisdictions. The European and German understanding of discovery in trials varies significantly from the understanding of discovery under US law.
Accordingly, it must be assumed that US courts would prefer a wide interpretation of “required.” From a German law perspective, however, one would have a very restricted understanding of what documents should be disclosed under the US procedures, and the scope of required data would be limited and concentrated.22 In the German legal context, “required” is interpreted as “mandatory” and does not merely mean “useful.”23
Some data privacy analysts state that the US perspective should be decisive. They argue that, as the German exception provision generally allows the transfer of data required in litigation, the clause should be interpreted to allow the transfer of required data under the applicable law. Thus, if a company is involved in litigation in the United States, then the general meaning of “required” should be defined by US law.24 That perspective should not be applied, however, in jurisdictions where fundamental principles of data privacy are not respected or enforced. In such cases, interpretation of the term “required” according to applicable law should be restricted.
This view complicates the application of the exception that should allow a data transfer. First, “required” is more a factual criterion than a legal interpretation. In addition, it is difficult to define which principles are to be considered fundamental.
In concert with the principles of data reduction and data economy pursuant to Section 3a BDSG, the principle of proportionality generally serves as a guideline according to which data may be processed. This principle would apply here and would restrict the amount of data that may be transferred.
The provision of Section 4c Subsection 1 Sent. 1 No. 4 BDSG only allows the transfer of data that has already passed the proportionality test. Therefore, the general permission to transfer data for litigation purposes is implicitly restricted by the fundamental data privacy principles expressed in German law.
Such principles include data reduction and data economy pursuant to Section 3a BDSG, which prohibits a transfer that is not required for the intended purpose. As this is a German law provision, German law standards with respect to data transfer must be met for the exception provision to serve as a justification.25 Therefore, when transferring data for discovery proceedings, only required data pursuant to German law standards should be transferred.
Article 29 Data Protection Working Party
Article 29 Data Protection Working Party adopted Working Document 1/2009 on pre-trial discovery for cross-border civil litigation on 11 February 2009.26 As Article 29 Working Party is the independent EU advisory body on data privacy, it must promote the uniform application of the Directive’s general principles among EU Member States.27
Article 29 Data Protection Working Party acknowledges that the Directive allows a transfer of personal data for litigation purposes pursuant to Article 26 Subsection 1 (d) of the Directive. This, in turn, permits the transfer of personal data for litigation purposes under the same conditions as Section 4c Subsection 1 No. 4 BDSG. However, Article 29 Data Protection Working Party requires the transfer to be compliant with certain European data privacy requirements. Therefore, although Article 29 Data Protection Working Party acknowledges both the German and the European allowance for such data transfer, it refers to the obligation of the transferring party to adhere to certain European standards, rather than simply relying on the data subject’s legal permission, i.e., the data subject’s consent.28
Moreover, Article 29 Data Protection Working Party strictly interprets the identical European exception provision in order to ensure that “the exception does not become the rule.”29 Where the transfer of personal data for litigation purposes is likely to be a single transfer of all relevant information, there would be possible grounds for processing under Article 26 Subsection 1 (d) of the Directive where it is required for the establishment, exercise or defense of legal claims. Where a significant amount of data is to be transferred, Article 29 Data Protection Working Party recommends using Binding Corporate Rules (BCR) or Safe Harbor to provide an adequate level of data privacy.30
Reasons to Apply Restrictive Requirements to Data Transfers
Absent a restrictive approach to data transfer, German and European data privacy principles would be undermined and could no longer be adhered to. Accepting each demand for disclosure as required by US courts would open the door to foreign jurisdictions reaching into the German legal system.31
A broad interpretation of data privacy would not be compliant with European and German data privacy law. The exception provision does not allow an extensive transfer of data. Rather, it covers only the transfer of data required for the litigation proceeding. Thus, because it is an exception, the provision needs to be interpreted narrowly.32
If it is concluded that the transfer of data is permissible, the transfer would have to comply with the German data privacy principles of binding purpose (Zweckbindung), requirement (Erforderlichkeit) and data reduction and data economy (Datensparsamkeit).33 Only such an approach can satisfy the need to enforce European and German data privacy laws. Further, because this exception is part of German law, German legal measures apply.34
Are there blocking statutes in other European countries?
Other European countries provide more specific blocking statutes. For example, in France, there are explicit blocking statutes for international judicial proceedings. The French national Blocking Statute no. 68-678 prohibits the disclosure of information in “foreign judicial and administrative proceedings.”
Article 1 of French Law no. 68-678, dated July 26, 1968, as modified by Law no. 80-538, dated July 16, 1980 (the “French Blocking Statute”), prohibits the “disclosure in writing, orally or under any other form, [and] in any place to foreign public authorities, of documents or information of a business, commercial, industrial, financial or technical nature which would interfere with French sovereignty, security and essential economic interests or public order…,” as well as the “claiming [or], seeking [by the parties to litigation] or disclosure [by both the parties to the foreign litigation and third parties], [whether] in writing, orally or in any other form, documents or information of an economic, commercial, industrial, financial or technical nature for the purpose of constituting evidence in view of foreign judicial or administrative proceedings or in relation thereto.”
In addition, under Article 2 of the French Blocking Statute, the requested party must inform the French Minister of Foreign Affairs immediately upon receipt of the request. Article 3 of the French Blocking Statute provides that “without prejudice to any more serious sanctions permitted by law, any violation of the provisions of Articles 1 and 1b of this law shall be punished by a sentence up to 6 months of imprisonment and a fine up to EUR 18,000 or only one of these two sentences.”
The French Blocking Statute is applicable, for instance, in the case of deposition requests, even if the deposition is taken outside of France. The statute applies, too, if the victim of the offense is a French national or if an act made in preparation of the deposition has been made on French soil (such as gathering documents to be produced before a US court).
In order to avoid any risks, it is generally recommended that a foreign court should resort to the 1970 Hague Convention on Taking of Evidence Abroad in Civil or Commercial Matters (the “Hague Convention”). This is because the French Blocking Statute is not applicable if the taking of evidence abroad is conducted via the Hague Convention (and, more generally, in compliance with French law or treaties and international conventions).
Suggestions for Practical Implementation
The conflict between US disclosure requirements and European data privacy law is not yet resolved, and there are no provisions governing this conflict. As a result, parties to relevant international litigation should observe certain principles in order to ensure compliance with the European and respective national data privacy laws. This will help avoid the negative consequences of violating those laws.
What Do German Authorities Recommend?
German data privacy regulatory authorities have provided a two-tiered plan pursuant to which German companies can react to US court disclosure requirements and still remain compliant with the BDSG. As a first step, the data shall be rendered anonymous before it is sent to the US court. As a second step, if identity-specific information is required, the data shall be sent to the US courts in non-anonymous form.35 US courts have accepted such procedures in the past.36
To comply with the need to transfer only such data as is “required” for litigation purposes, German authorities suggest the following procedure. First, the data should be filtered in Germany or in any other country covered by the EU Data Privacy Directive. Then, the data can be transferred. This procedure, however, applies only if filtering would not be disproportionate.37 Another approach is to base every transfer of data to US courts on prior consent of the data subjects (if practicable),38 or to involve a data trustee.39
What should companies operating in Europe do?
European companies involved in a US trial or e-discovery will often be challenged to comply with national privacy laws such as the German Federal Data Privacy Act and the European Directive 46/95/EC. They must be mindful of the relevant requirements for a permissible transfer of personal data from Europe, and especially from Germany, to US courts. Therefore, companies may wish to pursue several actions when transferring information to the United States, such as:
- Attempt to convince the US court not to demand access to personal data in the European Union that would not be compliant with EU data privacy laws. In practice, US courts do not generally refuse to obey European data privacy laws.40 As the US Supreme Court stressed in the Aérospatiale case: “American courts, in supervising pre-trial proceedings should exercise special vigilance to protect foreign litigants from the danger that unrequired or unduly burdensome discovery may place them in a disadvantageous position.”41
  However, in a decision dated January 2010, the US District Court of Utah did not accept the German Data Privacy Act as a justification to not disclose information.42 Nevertheless, raising the problem before a US court might lead to a compromise.
- Argue the conflict with the US court and demonstrate that the company is trying to fulfill the discovery requirement but is hindered by German law. It is essential for German parties to substantiate the German legal requirements.43 By suggesting ways to obey the court orders while remaining compliant with German data privacy laws, the court may agree that the party is using its best endeavors to cooperate with the court. That may lead the court to abstain from sanctioning the company. This holds true even if the company does not disclose the required information, provided this was discussed with the opposing party in a discovery conference.44
- Render personal data anonymous or pseudonymous and then transfer the depersonalized information. This can be done by simply redacting information in the respective documents.
- Limit the information to the personal data that is required as proof in the proceedings, and filter the respective data in Germany.
- Restrict use of the delivered personal data to the litigation only; i.e., the purpose for which the data was transferred.45 The data must not be revealed to the public, to the media or to competing enterprises.46
- Strive to convince the US court to protect the personal data against access by third parties by issuing protective orders or filing under seal.47
- Seek to enter into a litigation agreement pursuant to which the opposing party’s lawyers have access to the documents but the parties themselves do not.48
- Delete personal data after it is used, and request deletion by other parties.
- Safeguard the legal findings with technical and organizational measures.49
If conflicts between the two legal systems cannot be resolved prior to trial, it is recommended that European companies consult and cooperate with the responsible data privacy regulatory authorities to get approval for each situation.
The conflict between US disclosure requirements and European—especially German—data privacy law is ongoing and has not yet been resolved. International regulations are still absent and are urgently needed. Nevertheless, the practical solutions discussed above can help German companies involved in US litigation proceedings to adequately react to disclosure requirements and still remain compliant with German data privacy law.