Members of the European Parliament (“MEPs”)[1] have introduced a controversial amendment to the proposed EU Data Protection Regulation that would prohibit third countries (such as the United States and other non-EU Member States) from accessing personal data in the EU where required by a non-EU court or administrative authority without prior authorization by an EU Data Protection Authority (“DPA”). This provision, known as “Article 42” or informally in the U.S. as an “anti-net tapping clause” or “anti-FISA clause,” has the potential to frustrate compliance programs for global business and could severely curtail the ability of U.S. companies to engage in international litigation. While this provision is ostensibly an “anti-FISA” amendment[2] aimed at curtailing the ability of the U.S. government to obtain data on European citizens, its broad language could result in a far wider application. It also runs counter to current efforts in the U.S. and the EU to promote greater inter-operability, and may diminish cross-border data flows.
The European legislature has been discussing the proposed EU Data Protection Regulation for the last eighteen months since the European Commission published the proposals in January 2012. The proposals have been described as one of the most lobbied pieces of European legislation in history due to the significant impact that the proposals could have on virtually every industry. The main recipient of those comments has been the European Parliament’s Civil Liberties Committee which has received over 4,000 amendments from industry and other Parliamentary Committees. Under a mountain of amendments, the Committee has once again delayed its vote on the proposals until September or October 2013. (Sidley Update Links: New EU Data Protection Regulation Announced; Amendments to Proposed EU Data Protection Regulation Raise Concerns in Global Life Sciences Industry).
The proposal to reinsert Article 42 follows the much-publicized claims that the United States government engaged with technology firms to monitor data transmissions of non-U.S. users under a surveillance program known as PRISM. It is not clear, however, how Article 42 would affect PRISM or other surveillance efforts purportedly involving data collected in the United States and not from Europe. Article 2 of the proposed EU General Data Protection Regulation states that “[the] Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security; … (e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.” Thus, any purported U.S. surveillance programs would likely fall outside of the scope of the Regulation. Instead, it is more probable that Article 42, if enacted in its present form, would affect multi-national firms that need to send personal data for legal compliance in international civil discovery or government investigations. The proposed Article 42 also has the potential to interfere with global litigation by making U.S. discovery orders subject to EU DPA review, unless the Hague Convention or a similar process is followed.
Importantly, Article 42 would presumptively invalidate law enforcement requests, court orders, or other legal documents—including any “judgment of a court or tribunal” or “decision of an administrative authority of a third country”—if they involve “requiring a controller or processor to disclose personal data,” unless the requirement came through a mutual assistance treaty (e.g., an “MLAT”), an international agreement between the requesting country and the EU or an EU member state (e.g., the Hague Convention) or is approved by an EU DPA.[3] This inflexible approach signals a lack of comity considerations for legal obligations existing under non-EU law, and is unlikely to result in greater global respect for extraterritorial impositions under EU law.
In addition, Article 42 would impose requirements, such as notifying an EU DPA and data subjects, which may contradict legal requirements of secrecy or non-disclosure associated with law enforcement requests.
As a result, these proposals may easily cause conflicting obligations for multinational businesses. In large part, this is due to the extremely broad language of Article 42, which purports to invalidate any “judgment of a court or tribunal [or] decision of an administrative authority of a third country requiring a controller or processor to disclose personal data,” which in the U.S. would include not only FISA court orders and National Security Letters, but also routine discovery orders, warrants, subpoenas, administrative orders, SEC and other oversight requests, or other ordinary forms of legal requests for information that are quotidian to global businesses.
As drafted, Article 42 also has the potential to greatly hinder global compliance programs. For instance, organizational efforts to comply with anti-bribery laws (including the Foreign Corrupt Practices Act in the United States and the Bribery Act in the United Kingdom) often involve internal investigations into activities by employees. In many instances, subpoenas or other government requests for information trigger the investigation. Under Article 42, however, such legal requests would likely have no legal effect in the EU, and as mentioned, compliance with Article 42 would require that international organizations notify EU DPAs and data subjects when such a request is received. This may easily lead to situations where it is difficult for a global enterprise to comply with both U.S. or other foreign laws and with EU data protection requirements. Indeed, European regulators, such as the European Anti-Fraud Office (“OLAF”), use similar procedures to those of U.S. regulators in requiring document preservation and production, and those approaches have been found to be compliant with EU data protection requirements, provided that the agency demonstrates “respect” for the data throughout the course of an investigation.[4] The approach required under proposed Article 42 could run counter to legal obligations imposed on global businesses by U.S. or other legal regimes.
This concern carries over to cross-border civil litigation, where the methods of obtaining information relevant to a matter before the court vary within the EU and between EU member states and third countries. U.S. discovery requirements are routinely enforced with discovery sanctions, including contempt of court. Under Article 42, however, a judicial order from a court in the United States compelling the production of information related to a lawsuit would have no legal effect and would require DPA and data subject notification, and approval by the DPA after review for compliance with EU norms. Thus, an EU DPA could review and order partial or potentially no compliance with the U.S. discovery order, setting up a true conflict of law with the global company caught in between.
The prospects for passage of such an amendment seemed slim before the publicity about PRISM, and the recent re-introduction of Article 42 does not mean that it will be adopted or that it will be adopted in its current form. Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, however, has expressed misgivings about the PRISM program, and has requested a detailed explanation of the program from U.S. counterparts. Commissioner Reding stated she would look favorably upon the proposed re-introduction of Article 42, and has pressed for the European Parliament’s swift approval of the Data Protection Regulation. Article 42 was included in the Data Protection Regulation as it was originally proposed by the European Commission, but educational efforts by the Obama Administration and U.S. industry coalitions had apparently been successful in making clear the potential damage to EU-U.S. cooperation in law enforcement and trade, and European lawmakers seemed to have abandoned Article 42 in January 2012 when a sizeable majority of the European Commissioners withdrew support. The PRISM stories, however, have given new life to the proposed Article 42.
If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work or
Alan Raul, Partner, 202.736.8477
Edward McNicholas, Partner
[1] Axel Voss MEP, European People’s Party (EPP) Group Shadow Rapporteur for Data Protection in the Civil Liberties Committee of the European Parliament, Sean Kelly MEP, Rapporteur for the Industry, Energy and Research Committee, Marielle Gallo MEP, Rapporteur for the Legal Affairs Committee, and Lara Comi MEP, Rapporteur for the Internal Market and Consumer Protection Committee.
[2] The Foreign Intelligence Surveillance Act, 36 U.S.C. § 1801 et seq., as amended, establishes standards for the U.S. federal government to obtain a court order authorizing foreign intelligence electronic surveillance. Of particular concern are the provisions of the USA PATRIOT Act that amended FISA to establish a procedure that broadened existing authority allowing the Director of the FBI (or specified designees) to apply for court orders compelling disclosure of business records where the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. 36 U.S.C. § 1861.
[3] The proposed text of the Article is:
Disclosures not authorized by Union law
- No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.
- Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorization for the transfer by the supervisory authority in accordance with point (b) of Article 31(1).
- The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 41.
- The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorization by the supervisory authority.
[4] Association des Fournisseurs d’Accès et de Services Internet (AFA) v Ministère de l’Interieur (Conseil d’Etat, Aug. 7, 2007).
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.