Since 25 May 2018, the GDPR applies to the processing of personal data in Belgium. The provisions of the GDPR are complemented by the Data Protection Law. In most legal proceedings where the production of ESI is ordered, personal data will be retained, disclosed and transferred, and the data protection rules apply. The GDPR will apply to discovery when either the requesting or the controlling party is established in the European Union, as both the collection and the transfer of personal data are processing activities to which the GDPR applies.
As a result, an assessment must be made in accordance with the GDPR as to whether (1) there is a legitimate basis for processing the (sensitive) personal data contained in the ESI for the purpose of discovery; (2) the processing is necessary and proportionate for that purpose; (3) the personal data is not retained longer than is necessary for that purpose; (4) the data subjects' rights are observed; (5) sufficient technical and organisational precautions are taken to protect the data; and (6) for foreign discovery orders, whether the principles with regard to the transfer of personal data to third countries are complied with.
For the discovery of personal data contained in ESI to be lawful, it must be based on one of the legitimate grounds set out in Articles 6 and 9 of the GDPR. The relevant legitimate bases in this regard are: consent; the need to comply with a legal obligation; the overriding legitimate interest of the requestor or controller of the ESI; or the need for the establishment, exercise or defence of legal claims. As consent is generally not accepted in an employer–employee relationship and can be withdrawn at any time, it is not a recommended basis for discovery actions. Additionally, the need to comply with a legal obligation can only be invoked in the context of a production order by a national court based on Belgian law and cannot be based on a foreign legal statute or regulation.
In the context of cross-border discovery, parties therefore generally rely on their overriding legitimate interest of complying with the requirements of the litigation process to collect or disclose personal ESI. However, this legitimate interest of the parties does not automatically justify the processing of personal data for the purpose of discovery as it requires a careful balancing with the privacy interests of the data subjects concerned, taking into account the principle of proportionality, the relevance of the personal data to the litigation and the potential consequences for the data subject. As this balancing exercise also requires that adequate safeguards are put in place, parties should first consider anonymising or at least pseudonymising the personal data that is not strictly necessary for the discovery action.
Specifically for ESI containing sensitive data, such as data concerning health, the parties must ensure that the disclosure of this data is strictly necessary for the establishment, exercise or defence of legal claims. Otherwise, this data should be redacted or anonymised (e.g., in the form of statistical data). Due account must also be taken of other duties of confidentiality, such as professional secrecy obligations, with regard to sensitive data.
Personal correspondence, such as emails or letters, is also subject to the applicable data protection regulations and generally requires the consent of both the sender and the receiver to be accessed and disclosed. Criminal sanctions apply to any person who opens or discloses personal communication without the authorisation of the persons involved. With regard to employees' emails, specific rules apply. Article 128 of the Law on Electronic Communication provides that an employer may record and retain emails of its employees in the context of legal business transactions in order to prove a commercial transaction or another business communication, subject to the conditions that the persons involved are properly informed and that the data is deleted after the statute of limitations for challenging the transaction has passed. Employers must also comply with various collective labour agreements that govern privacy in the employment relationship. Collective Labour Agreement 81 concerns the monitoring of electronic online communication by employers. In this context, e-discovery actions pertaining to employee emails are only justified for the following purposes: the prevention of unlawful or defamatory facts, or facts contrary to public decency or capable of damaging the dignity of another person; the protection of the economic, trade or financial interests of the company; and bona fide compliance with the company's policies and rules for the use of online technologies. In contrast to emails, personal files and documents created and saved by an employee on his or her work computer are not considered electronic communication data and – together with the connected IDs and passwords – can be the subject of a production order in legal proceedings.
For foreign production orders resulting in the transfer of electronically stored personal information to third countries outside the European Union, notably the United States, specific data protection obligations apply. Apart from transparency obligations towards the data subjects involved, the GDPR requires that there exists an adequate (i.e., equivalent) level of protection of personal data in the receiving country. This could either be based on an adequacy decision by the European Commission or on the incorporation of safeguards for the transfer of personal ESI, such as standard contractual clauses or binding corporate rules. As the United States is not deemed to have an adequate level of protection, parties must rely on these safeguards in the context of a US discovery order. The recipient in the United States could also subscribe to the EU–US Privacy Shield to warrant the protection of personal data during the discovery process. In the absence of these safeguards, a party may only transfer the personal data contained in the ESI for the purpose of discovery in a third country insofar as this is strictly necessary for the establishment, exercise or defence of legal claims. However, the latter derogation cannot be used to justify the transfer of all employee files to a recipient in, for example, the United States in anticipation of a potential legal action. The derogation only justifies a single transfer of relevant information pursuant to a threat of legal action.