“Business without borders” is an economic reality with often harrowing legal implications. American lawyers have long accepted that litigating abroad involves learning (and adhering to) foreign rules and court customs, but they are often ill-prepared when they discover that foreign law has been unexpectedly thrust into their U.S.-based litigation. It is increasingly important to recognize that as companies spread across the globe so does their data. American litigants seeking to use E.U. information must therefore be prepared for objections based on foreign privacy laws.
Note: If you are new to foreign data privacy law, definitions of key words and phrases (identified in bold) are provided in the Glossary at the end of this document.
E.U. PRIVACY LEGISLATION
The European Convention’s Charter of Fundamental Rights, Article 8 recognizes privacy as a fundamental human right, which is an overriding principle for the making and interpretation of more detailed E.U. privacy laws. The E.U. privacy law is the Data Protection Directive. The Data Protection Directive introduced an extensive regime by imposing broad obligations on those who collect “personal data,” as well as conferring broad rights on individuals about whom data is collected. The Directive was intended to harmonize national data protection laws throughout the E.U. In reality, differences between national implementing laws have arisen because the Directive gives member states a fair degree of discretion in implementing its provisions, and member states have also interpreted certain provisions of the Directive differently.
Article 29 of the Directive created the “Working Party on the Protection of Individuals With Regard to the Processing of Personal Data,” also known as the Article 29 Working Party.
The Working Party, similar in nature to the Sedona Conference’s Working Group 6 in the U.S., offers advice, solicits information and engages in cross-border dialogue about the transfer of data outside of the E.U.
PRIVACY IN PRACTICE
The American litigator with international corporate clients is likely to encounter one or both of these “E.U. data privacy” scenarios: (1) The government is investigating your client, or may soon be, and you want to conduct your own internal investigation, including company sites abroad; or (2) Your client is a litigant in a U.S. court and seeks E.U. data from the opposing party or a non-party, or needs to gather data from its own E.U. offices for review and production in compliance with the governing discovery rules. This article will focus primarily on the latter topic.
- In the first scenario, the use of an intra-company agreement embodying the Model (or Standard) Contract Clauses or, for larger multi-national companies, implementing Binding Corporate Rules (BCRs), both of which reflect the E.U. privacy principles governing worldwide intra-group transfers, will help facilitate cross-border data sharing. Contacting counsel, as well as the company’s Chief Privacy Officer (CPO), will make implementation and execution of the company’s model contract clauses or BCRs more likely to be successful.
- The second scenario pertains to litigants subject to U.S. discovery rules and the penalties for failure to comply with these rules. Compliance by either party may be difficult, however, if the data sought originates from or is held in the E.U. A large majority of E.U. member states do not allow for pretrial discovery and many disfavor the practice. Therefore, aside from the privacy implications, there is not strong support for assisting U.S. litigants in the attempt to gather such information. Nonetheless, with the awareness that the price of playing a part in the global economy is complying with the laws of the territories where the company conducts business, cooperation, if often reluctantly given, can be achieved.
This cooperation, however, becomes much more difficult to gain if the discovery is sought by a private litigant and involves data the E.U. defines as “personal” or “sensitive” data protected under E.U. privacy rules. (Given the expansive definition of personal data, this potentially captures a significant amount of information that might be sought by a litigant.) E.U. authorities generally believe that a citizen’s fundamental right to privacy trumps the need of a U.S. litigant to comply with, or take advantage of, what is perceived as extremely permissive discovery rules. Additionally, while several countries outside the E.U. have been judged to provide “adequate protection” of personal data, the U.S. has failed to meet this standard.
Although the process takes steps forward and backward over time, authorities, legal scholars and practitioners from both the U.S. and E.U. are working together to help ease the tension between the often conflicting bodies of law. While there is not always consensus on the best approach, this international dialogue has produced some practical and some theoretical mechanisms to effect data transfer. U.S. courts and non-government litigants now generally use one or more of the following approaches to international discovery:
- MODEL CONTRACTS – Similar in principle to the Binding Corporate Rules, Model Contract Clauses have been offered by E.U. authorities as a mechanism for legally effecting the transfer of data from the E.U. to the U.S. (or any other country deemed to provide inadequate protection of data). In order to be considered legitimate, the clauses must be adopted verbatim into the controlling contract and in some foreign territories must be formally approved on a case-by-case basis by the local Data Protection Authority (DPA). These clauses must bind all data exporters and recipients. Finally, parties interested in using the clauses still need to comply with the local privacy laws of the country in which the data is first collected and processed. Absent strict adherence to these laws, the model clauses cannot legitimize the transfer of the data abroad.
- THE HAGUE EVIDENCE CONVENTION & FOREIGN RELATIONS LAW – Though U.S. courts and litigants will sometimes attempt to follow the mechanisms of the Hague Convention and use a Letter of Request to obtain data from the E.U., the U.S. Supreme Court, in the case commonly referred to as “Aerospatiale,” held that use of the Convention procedures is not mandatory and that litigants may use the Federal Rules to get extraterritorial evidence during discovery in U.S. courts.
When a U.S. court is asked to consider ordering (or denying) production of E.U. data despite the applicability of foreign law preventing the transfer, the judge may apply the test set forth in the Restatement of Foreign Relations Law. This analysis is similar in tone to the “inaccessible data” discovery analysis courts will conduct under Fed. R. Civ. P. 26(b), and includes consideration of: (i) the importance of the documents or information requested to the litigation; (ii) whether the information originated in the United States; (iii) the availability of alternative means of retrieving the information; and (iv) the extent to which (non)compliance with the request would undermine important national interests.
- THE U.S. LAW APPROACH – If the E.U. data discovery dispute is going to be resolved with a U.S. law approach (i.e., according to the jurisdiction’s evidentiary and procedural rules), there are several protection mechanisms built into the Federal Rules of Civil Procedure and common practice that the parties may use to alleviate privacy concerns to the extent possible. These include protective orders, custodian consent forms, the proposed new certificate of compliance and various technology-based strategies available through the more sophisticated eDiscovery software on the market. Practical tips for each of these approaches are in the Take-Away section below.
TAKE-AWAY
According to E.U. data protection authorities, the United States fails to provide adequate protection of personal data. As a result, effecting a legal transfer of data from the E.U. solely for internal company use or for compliance with U.S. discovery rules requires additional efforts. As technology continues to evolve and the economy becomes increasingly global, attorneys in the United States need to be aware of international privacy laws and how best to serve their clients when there is a need for data from abroad. Accordingly, the following best practices should be considered:
CHIEF PRIVACY OFFICER – Know the company’s Chief Privacy Officer or determine whether the company needs one. A dedicated privacy employee at the senior executive level is especially, though not exclusively, important for companies doing business in the international arena. He or she is a valuable counselor and can also serve the function of being a designated individual accountable for privacy compliance.
BINDING CORPORATE RULES – A multinational corporation may consider adopting Binding Corporate Rules to facilitate the transfer of data internally between E.U. and U.S. offices. Drafting and implementing BCRs is a significant undertaking and should not be attempted without thoughtful consideration at the outset. The process is challenging from an organizational and structural perspective. The task will consume a considerable amount of attorney time and may involve multiple negotiations with privacy regulators.
Before committing to the implementation of BCRs, consider the following:
- The volume of data traveling between the E.U. and U.S. and the frequency of those transfers;
- Whether, and to what extent, business operations would be impacted if E.U. regulators stemmed the flow of the data to the U.S.; and
- Are other options, such as Safe Harbor or intra-company agreements, more appropriate?
If the company chooses the BCRs, they must be specifically tailored to the company and also capture certain mandatory content, including:
- The data will only be processed and used for a stated purpose (e.g., maintaining employee benefit information);
- The data will be accurate and, where necessary, kept up to date;
- The processed data will be relevant to the stated purpose for processing and must not be excessive in quantity in relation to that purpose;
- The affected individuals will be told the purpose for which their information is being processed and the identity of the controller, and will be given the contact information of the person they can call with questions or concerns;
- The company will implement and enforce technical and organizational security measures to reduce corruption and breach risks presented by the processing;
- The company will implement a process for allowing data subjects to obtain a copy of all data relating to them, to correct inaccurate information and to formally object to the use of personal data; and
- The company will take steps to ensure that any recipient of onward transfers of the personal data is also subject to rules affording an adequate level of protection and that such transfer complies with the stated purpose principle mentioned above.
MODEL CONTRACT CLAUSES – If the personal E.U. data is sought as discovery material in U.S.-based litigation, consider signing a contract incorporating one of the E.U. approved model contract clauses. The contract is executed between the exporter and the importer. The clauses are available on the European Commission Justice website. Model Contracts may also be used to effect intra-company transfers. Consultation with counsel is recommended before incorporation of these clauses into a contract.
PROTECTIVE ORDER – Once it is apparent that E.U. data will be needed in active litigation, ask the judge to sign a Protective Order. This order should: (i) identify the specific purpose for which the E.U. personal data will be used; (ii) ensure that the data sought and produced is directly relevant to that purpose and proportionate in scope and volume; and (iii) designate this material as Highly Confidential, defining the protections associated with Highly Confidential material (including the restricted scope of individuals allowed to access the information).
The order should also establish a procedure for the return of sensitive data or other E.U. information inadvertently disclosed. Finally, the order should instruct the parties on when and how to dispose of personal data after the expiration of its legitimate usefulness to the lawsuit. When considering data disposal, consider whether shorter retention periods for E.U. personal data should be permitted.
CUSTODIAN CONSENT – When reasonably possible, the party seeking to gather E.U. data for review and production should get the E.U. custodian’s consent for such processing. While in most cases it may not be realistic to obtain the consent of every individual possibly identifiable in the documents sought, a well-drafted Consent Form signed by the custodian demonstrates a company’s good faith attempt to honor the privacy rights of its E.U. employees.
The consent should: (i) describe the lawsuit and the relevance of the custodian’s data to that lawsuit; (ii) describe the processes involved in the data identification, collection, review and production; (iii) establish the custodian’s right to review and correct the data; (iv) include the contact information of the person to be called with questions or objections; and (v) describe the protections assured by the protective order, including the ultimate disposition of the data and any copies made thereof.
CERTIFICATE OF COMPLIANCE – A Certificate of Compliance is a proposed new mechanism, described in a Sedona Conference Journal article on international data transfers, for addressing data privacy laws in the E.U. when effecting the transfer of data to the U.S. A company and its counsel would draft a single document, the Certificate of Compliance (referred to as “a modern-day bill of lading”), to accompany data as it is transmitted through any foreign territory. The certificate would serve as evidence that the company seeking the transfer is aware of and understands its obligations under the governing privacy laws in each jurisdiction and would state the company’s present and future intent to comply with those laws. The certificate would be filed with each local Data Protection Authority.
MACHINE TECHNOLOGY – There are many opportunities to strategically use machine technology to reduce the type and volume of personal data exported from the E.U., especially when offered by a Safe Harbor certified eDiscovery vendor. Current eDiscovery analytic technology can automatically organize and categorize data using a statistical analysis of words. A program could then be run to mask or redact data that has a high probability of being personal data.
Also consider using a data processing vendor with facilities in the E.U. This will reduce the risk of privacy law violations, as the data would only be leaving the E.U. for final review and production. Ideally, the E.U.-based portion of the review would prevent the transfer abroad of most of the truly personal data contained in the discovery materials. While the broad definition of “personal” data would serve to handicap a U.S. litigant’s ability to legitimately receive much of the discovery sought, E.U. privacy authorities are most concerned about preventing the export of information in which the individual has an actual expectation of privacy. This excludes information that is publicly available or is effectively public by the frequency of its use in day-to-day business operations (e.g., a work email address).
THE CLOUD – In the eDiscovery context, as discussed in Orrick’s Cloud Computing Client Alert, information in the cloud provides some challenges. For example: Who has custody and control of the data? Who is responsible for preservation efforts at the onset of a lawsuit? Who bears the expense of producing data from the hosted cloud in a litigation?
Cloud-based technologies face even greater challenges in the E.U. The cloud network spans the globe and information traveling to and from a cloud environment may pass through several E.U. territories before reaching its destination. For example, a U.S.-based cloud service provider may receive data in Hungary destined for the U.S. server via Germany and France. As certain E.U. member state privacy laws may require the permission of the DPA before the data is allowed to leave its territory, a single data transfer may require multiple time-consuming approvals.
The U.S.-E.U. and U.S.-Switzerland Safe Harbor agreements permit American cloud providers to transfer data out of Europe if the cloud provider agrees to follow the privacy framework established by the U.S. Department of Commerce and the European Commission. Multinational clients should inquire about and verify the Safe Harbor status of any cloud vendor they consider using to host data. Counsel should closely scrutinize cloud services contracts to understand the discovery implications of all relevant terms.
GLOSSARY
These terms do not have universally accepted definitions, but those provided below are in common usage and sufficient to serve the purposes of this article and to inform your general dialogue.
Binding Corporate Rules – The adoption of certain binding codes of corporate conduct, or binding corporate rules (BCRs), is another manner by which some companies attempt to achieve compliance with E.U. rules on data transfers. Binding corporate rules are designed to regulate only worldwide intra-group transfers, meaning exchanges of personal data between companies that are part of the same corporate group and that are bound by these corporate rules. Binding corporate rules do not cover international transfers of personal data to companies outside the corporate group. BCRs are very helpful to in-house attorneys conducting internal investigations. If the company has a Privacy Officer, he or she should be involved in the drafting of the BCRs, especially if that person sits in the E.U. and can provide perspective from that vantage point. Implementing BCRs is a challenging and time-consuming endeavor. Companies should consult counsel before committing to this approach.
Blocking Statute – This is a law enacted in one jurisdiction to obstruct the local application of a law enacted in another jurisdiction. In general, U.S. courts do not respond positively when a litigant in a U.S. lawsuit relies on a foreign blocking statute to justify its refusal to turn over E.U. data. In order to entertain the application of foreign privacy law in a U.S. court, the presiding judge will usually require a substantive basis, the likelihood and severity of penalties in the E.U. for the producing party or the implication of a legitimate foreign interest in preventing the personal data from leaving the country.
Data Protection Authority – An E.U. Data Protection Authority, or DPA, is an “independent public authority responsible for monitoring the application of data protection law within its territory.” Each of the 27 E.U. member states has a National Data Protection Commissioner. Among other powers, the DPA has standing to initiate legal proceedings when it believes there has been a violation of the privacy law in that territory.
Data Controller – A controller is a natural or legal person, organization or any other entity responsible for the personal data it holds, and with the power to direct, alone or jointly with others, the processing of personal data.
If an organization holds personal data, but some other organization or person controls what happens to the data, the data holder is called a “processor” and the decision-maker, the “data controller.”
Data Subject – The data subject is usually the person who creates the information and has it in his or her custody (like the American “custodian” in the eDiscovery context); however, it expands to include anyone “identified or identifiable [and] to whom the personal data relates.”
Hague Convention – The Hague Evidence Convention, or the Convention of March 18, 1970 on the Taking of Evidence Abroad in Civil or Commercial Matters, is a multi-lateral treaty that allows Convention signatories to share evidence among them. The mechanism used to obtain the evidence is called a “Letter of Request” and is issued by the court presiding over the litigation. A Letter of Request may seek testimony or documentary evidence.
Refusal to oblige the author of a Letter of Request is only appropriate in one of two instances (though signatories are permitted to opt out of or to limit their willingness to accept the various provisions of the Hague Convention): (1) when the action requested is not within its judiciary duties; and (2) when the state addressed considers that its sovereignty or security may be compromised.
Model Contract Clauses – If a party cannot offer Safe Harbor protections for private data transferred out of the E.U., standard, or Model, contract clauses are another way of providing the necessary safeguards of E.U. privacy laws. These terms also help facilitate intracompany data transfer.
All signatories to the contract must agree to be bound by the set of clauses. Additionally, depending on the country from which you will be receiving data, the clauses may have to be approved specifically by the Data Protection Authority in that territory.
Personal Data and Sensitive Data – Personal information, or data, is anything relating to “an identified or identifiable natural person,” who is also called the “data subject.” An identifiable person is someone who can be identified, directly or indirectly, by reference to an identification number or by a description of his or her physical, physiological, economic, professional, cultural or social identity. It is irrelevant whether the person is actually identifiable by information within the document’s virtual four corners. If the information could be pieced together with other information theoretically “out there,” then it qualifies as personal data.
Sensitive Data is data we, as Americans, may think to call “personal” (though not private in all instances). For example, it is information about someone’s racial or ethnic origin, political opinions, religious beliefs, organization memberships, as well as data concerning health, sex life and criminal history.
Processing – In the context of international privacy law, “processing” encompasses, but far exceeds, the American understanding of technical data processing in the discovery context. As the E.U. privacy authorities use it, “processing” means “any operation or set of operations” performed on or with data. This includes data “collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”
Protected Data – For our purposes, Protected Data is E.U.-originating Personal and Sensitive data. In order to receive Protected Data in the U.S., certain conditions and rules must be met and followed. These conditions attempt to satisfy E.U. privacy concerns and U.S. corporate and discovery needs, but conflict is frequent and often inevitable.
Safe Harbor – The significant benefit of certification is that the Safe Harbor organization will be deemed by all E.U. member states to provide adequate data privacy protection. However, when data is destined for a third party, as in a lawsuit, extra steps must be taken by the organization to ensure that all recipients abide by the privacy protections provided by the Safe Harbor provisions.
Note: Only organizations regulated by the U.S. Federal Trade Commission or Department of Transportation can participate in Safe Harbor, and though compliance with the Safe Harbor principles is self-regulated, there is a threat of a U.S. government enforcement action if an organization has failed in its commitment to the policies.