Effective discovery is an essential element of all financial services litigation. Obtaining the documents needed for the persuasive presentation of evidence at trial is no small task. It is well-known that electronic discovery under the revised Federal Rules of Civil Procedure can be burdensome, time-consuming and expensive. For multinational financial services companies, however, complying with U.S. discovery obligations also can expose the company to criminal sanctions from other nations.
Multinational financial services companies often litigate matters involving crucial documents located within foreign borders, and thereby are subject to foreign laws and rules. The U.S. system routinely requires the collection, review and transfer of electronic documents to fulfill a party's discovery obligations. When either party to the litigation is a company with relevant documents located within the European Union, this task becomes tricky and sometimes almost impossible.
Understanding the European Union's data privacy laws and how they impact the multinational financial services company's discovery obligations is imperative for survival in this global litigation age.
The foundation upon which the European data privacy laws are built is Directive 95/46/EC of the European Parliament and of the Council, adopted Oct. 24, 1995.1 The Directive has a twofold objective: to permit the free flow of personal data among the Member States, and to "protect fundamental rights and freedoms, notably the right to privacy."2 It pursues both goals by harmonizing the level of protection that Member States afford to personal data.
Unlike the U.S. system, the EU views data privacy as a human rights issue and recognizes that fact in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.3
As it pertains to the U.S. electronic discovery process, the Directive separately regulates both the "processing" of personal data and the "transfer" of such data to countries that are outside of the Union and that do not adhere to the strict data protection principles embraced by the Union.
Under the Directive, "personal data" encompasses a variety of data, including mundane information such as names and positions of employees within a company. According to the Directive, "any information relating to an identified or identifiable natural person ('data subject')" is personal data subject to protection.4 Virtually all information relating to a company's identifiable employees falls within this protection.
The "processing" of such personal data is very broadly defined in the Directive. Under the Directive, processing encompasses "any operation or set of operations which is performed upon personal data, whether or not by automatic means" and includes the "collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" of such data.5
Therefore, U.S. practitioners should be keenly aware that simply collecting and reviewing emails from a particular employee, whether or not that information is used in any way, will be considered to be "processing" that employee's personal data, and therefore subject to the dictates of the EU's data privacy laws.
Even if personal data is properly processed, it is of no use at trial unless it can be lawfully transferred to the United States. Unfortunately, the Directive prohibits the "transfer" of personal data to non-Member States that do not ensure an adequate level of protection unless one of a narrow set of derogations applies, the most familiar being the unambiguous consent of the data subject.6 The European Commission has never found that the United States, as a whole, offers an adequate level of protection for personal data, and therefore transfer of such information to the United States is restricted.
Legal Obligation Exceptions
The Directive offers several criteria for making data processing legitimate, and on its face, appears to offer a broad exception that would allow the processing of personal data to comply with legal obligations. Given that the U.S. discovery requirements are legal obligations, one would think that processing data for this purpose would be covered by this exception. However, it is not quite so simple.
Article 7 of the Directive states:
Member States shall provide that personal data may be processed only if:
- (a) the data subject has unambiguously given his consent; or
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
- (d) processing is necessary in order to protect the vital interests of the data subject; or
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).
Council Directive 95/46/EC, art. 7, O.J. (L281) (emphasis added).
Similarly, Article 26 of the Directive purports to allow the transfer of personal data to non-EU countries that do not maintain the required adequate level of protections, where the transfer is legally required to establish, exercise or defend legal claims.
Specifically, Article 26 states in pertinent part as follows:
By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) may take place on condition that:
- (a) the data subject has given his consent unambiguously to the proposed transfer; or
- (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
- (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
- (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
- (e) the transfer is necessary in order to protect the vital interests of the data subject; or
- (f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
Council Directive 95/46/EC, art. 26, O.J. (L281) (emphasis added).
Unfortunately, this "legal requirement" exception does not appear to protect parties seeking to fulfill U.S. discovery obligations. The sticking point is that these provisions apparently apply only to legal obligations imposed by EU or Member State law.
Foreign Legal Obligations
Although Articles 7(c) and 26(d) create exceptions for processing and transferring personal data to comply with a legal requirement or obligation, current indications are that these exceptions do not extend to obligations imposed by non-EU law. These provisions therefore likely do not protect the production of information for U.S. discovery.
Article 29 of the Directive established an advisory group, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (commonly called the Article 29 Working Party).7 The group consists of representatives of the data protection authorities of each EU Member State, together with a representative of the European Commission. The Working Party renders advisory opinions on the interpretation of EU data protection laws and on their application to Member and non-Member States.
In Opinion 1/2006, adopted Feb. 1, 2006, the Working Party addressed companies' obligations under the U.S. Sarbanes-Oxley Act (SOX) and gave guidance on how "internal whistle blowing schemes can be implemented in compliance with the EU data protection rules."8
The Working Party asserted that "an obligation imposed by a foreign legal statute or regulation which would require the establishment of reporting systems may not qualify as a legal obligation by virtue of which data processing in the EU would be made legitimate. Any other interpretation would make it easy for foreign rules to circumvent the EU rules laid down in Directive 95/46/EC. As a result, SOX whistleblowing provisions may not be considered as a legitimate basis for processing on the basis of Article 7(c)."9
Following the guidance of this advisory opinion, a logical conclusion is that foreign legal obligations, such as U.S. discovery obligations, do not qualify under the Directive's exceptions allowing processing and transferring of personal data pursuant to Articles 7(c) and 26(d).10
Member State Privacy Laws
Although this article focuses on the dictates of the Directive, it is important to note that each EU Member State has implemented its own national legislation adopting the principles of the Directive. The specific privacy laws of the individual Member States, however, are by no means identical. While the Directive mandates a minimum level of protection for personal data held in the Member States, some states require a heightened level of protection that is strictly enforced.
For some states, these protections appear to make it impossible to collect or transport personal data to the United States for any purpose without violating the applicable Member State's laws. It is extremely important that U.S. practitioners understand the applicable laws in the particular state in which discovery is sought. Accordingly, the insight of a local practitioner who practices in the subject Member State is invaluable.
Penalties for violating the data protection laws of EU Member States vary from state to state. Hence, to understand the potential exposure faced by a particular company, practitioners must familiarize themselves with the penalties dictated by the data protection laws of the applicable Member State(s).
In the United Kingdom, violations of the Data Protection Act can result in the issuance of enforcement notices compelling a company to comply with applicable data protection restrictions. Failure to comply with an enforcement notice is a criminal offence and can result in severe penalties being brought against the company. Because the penalties for violating UK data privacy laws include unlimited fines, a company's financial exposure and ultimate expenditure could be tremendous.11
The situation is similar in France, where, in 2006, authorities imposed a €30,000 fine against Tyco Healthcare France for alleged violations of France's data protection act.12 Other Member States have imposed penalties that are even more severe.
Currently, the safest way to process and transfer personal data from the European Union to the United States is to obtain an order from a court in the relevant Member State authorizing the production. Federal Rule of Civil Procedure 28(b) allows a party to seek such a foreign ruling through a Letter of Request submitted under the Hague Evidence Convention. Once an order from the Member State court has been obtained, a legal obligation recognized under EU law exists.
This legal obligation then will fall squarely within the exceptions created by Articles 7(c) and 26(d) of the Directive, thereby allowing the safe processing and transfer of the subject personal data.
Though seeking a court order adds time and cost to the discovery process, companies must weigh the security provided by this method against the severe penalties that may be levied against those that violate the dictates of the Directive and corresponding national privacy laws of individual EU Member States.