Introduction

Evidence gathering differs greatly between common law and civil law jurisdictions. For example, while a U.S. judge may in many instances allow extensive pretrial discovery, a French judge would generally consider nearly any discovery to be improperly invasive. In this context, French Law No. 68-678 of July 26, 1968, relating to the transfer of documents and information of an economic, commercial, industrial, financial or technical nature to foreign natural or legal persons, amended by Law No. 80-538 of July 16, 1980 (the French Blocking Statute), is among the most well-known laws aimed at limiting — and in some instances restricting — cross-border discovery.

The French Blocking Statute has long been criticized for presenting French companies with a dilemma: either choose to comply with the request for disclosure and possibly expose the company or its employees to prosecution in France, or comply with the provisions of the French Blocking Statute and risk jeopardizing the company’s or individual’s legal positions or interests in proceedings abroad. Despite these tensions, the statute appears to have only been strengthened and revitalized by certain developments in France, the EU and the U.S. — all of which present new extraterritoriality issues and increase the complexities of complying with or resisting foreign discovery:

  1. French Law No. 2016-1691 (Sapin II Law), which, among other things, entrusts the Agence française anticorruption (AFA) with ensuring compliance with the French Blocking Statute by companies under investigation by foreign authorities that have entered into agreements requiring the appointment of a corporate monitor
  2. The new EU General Data Protection Regulation (GDPR), and in particular Article 48 thereof, which notably regulates the transfer of data outside of the EU, including to foreign courts and regulatory or administrative authorities
  3. The U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which establishes new procedures allowing the U.S. government to seek data from providers of electronic communication services across borders

These statutory developments reaffirm the centrality of the French Blocking Statute. French MP Raphaël Gauvain emphasized this impact in a recent report to the French prime minister on the challenges posed by extraterritorial legislation and the mechanisms available to protect French companies (the Gauvain Report). The Gauvain Report, which has not been formally made public, (i) emphasizes the role of the Service de l’information stratégique et de la sécurité économiques (SISSE, a service under the supervision of the Ministry of Finance) as watchdog in the context of foreign requests for documents and information, (ii) recommends the strict enforcement of the French Blocking Statute through the increased penalties provided by the statute and (iii) calls for the establishment of a legal privilege covering communications of in-house legal counsel to French companies.

The French Blocking Statute

The French Blocking Statute primarily imposes criminal sanctions on parties that export certain categories of documents, or respond to discovery requests, without going through the proper legal and administrative channels. The law consists of four articles.

Article 1 provides that “[s]ubject to treaties or international agreements it is prohibited for any individual of French nationality or who usually resides on French territory and for any officer, representative, agent or employee of an entity having a head office or establishment in France to communicate to foreign public authorities, in writing, orally or by any other means, anywhere, documents or information relating to economic, commercial, industrial, financial or technical matters, the communication of which is capable of harming the sovereignty, security or essential economic interests of France or contravening public policy, specified by the administrative authorities as necessary [emphasis added].” This provision becomes relevant, for example, in the context of international investigations of French nationals or companies conducted by foreign authorities — including, for instance, the U.S. Department of Justice, the U.S. Securities & Exchange Commission, the U.S. Federal Trade Commission and the British Serious Fraud Office — on issues such as anti-corruption, anti-money laundering, antitrust, etc.

Relatedly, Article 1bis provides that “[s]ubject to any treaties or international agreements and the laws and regulations in force, it is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof in light of foreign administrative or judicial proceedings or as a part of such proceedings [emphasis added].” The scope of this provision of Article 1bis is very broad, and the information requested or disclosed need not necessarily involve the sovereignty, security or essential economic interests of France.

However, under the French Blocking Statute, foreign disclosures remain possible due to mechanisms afforded by international agreements or treaties, such as Mutual Legal Assistance Treaties (MLAT) or the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters of March 18, 1970 (the Hague Evidence Convention), both in the civil and criminal context. Notably, in the civil and commercial context, the French Blocking Statute essentially points to the Hague Evidence Convention, which provides a specific framework for the cross-border communication of documents, specifically through letters rogatory sent by a court in the requesting state. For regulators or litigants seeking information that might otherwise be protected by the French Blocking Statute, these treaties provide a mechanism for reaching information or documents.

Article 2 requires that any request for information or document production falling within the scope of Articles 1 and 1bis be addressed without delay by the Minister of Foreign Affairs.

And finally, Article 3 provides that any violations of the French Blocking Statute are criminally punishable with fines up to €18.000 for individuals and €90.000 for legal entities and/or up to six months’ imprisonment. On penalties, the Gauvain Report has been reported to recommend an increase of the fines up to €2 million for individuals and €10 million for legal entities and/or up to two years’ imprisonment. These fines are more in line with the penalties now available under the GDPR, which can be as high as 4 percent of global revenue. For French companies seeking to export data or information outside of France, an increase in penalties may not necessarily be welcome.

Recent Legal Developments Reaffirming the Centrality of the French Blocking Statute

Sapin II Law

The Sapin II Law is aimed at bringing French legislation in line with European and international standards in the fight against corruption.

Article 3.5 of the Sapin II Law has entrusted the AFA, at the request of the French prime minister, with filtering the documents to be transmitted to foreign authorities on the basis of the criteria set forth in Article 1 of the French Blocking Statute, “in the context of the execution of a decision of foreign authorities imposing on a company with registered office in France an obligation to undergo a process aimed at improving its internal procedures of prevention and detection of corruption." The importance of this provision is twofold.

First, it responds to critiques that the French Blocking Statute is seldom, if ever, enforced. Indeed, in a large number of decisions concerning the taking of discovery from French companies, American and English courts have ordered the discovery, finding that there is no significant criminal risk in France of prosecution under the French Blocking Statute, despite the penalties for which it ostensibly provides.

The fact that a publicly designated body like the AFA is entrusted with ensuring the observance of Article 1 of the French Blocking Statute when a final decision of the foreign authority has been adopted (be that a criminal settlement or a judgment) shows a renewed commitment to the French Blocking Statute, as well as the clear intention of the French legislature and authorities to promote its enforcement. One outcome may be the increased use of letters rogatory in U.S. litigations to reach French information and documents when courts determine that the French Blocking Statute presents serious risk of penalty if violated.

Second, the authority vested in the AFA also appears to send a message to French companies that they have government support in resisting foreign discovery on the basis of the French Blocking Statute if foreign authorities make broad and uncircumscribed requests for documents or information. By acting as a point of contact between French companies and foreign authorities, the AFA may provide a “shielding effect” over French companies vis-à-vis foreign authorities, and help these companies ensure that foreign authorities are not engaged in improperly overbroad discovery or regulatory investigation.

As mentioned, the Sapin II Law limits the AFA's mission of filtering documents to be transmitted abroad to the situation in which the final decision of the foreign authority has already been adopted. Nothing is provided for the case in which documents must be transmitted during the investigation conducted by such an authority. By not specifying how the necessary filtering must be done during an investigation, the Sapin II Law does not exclude the application of the French Blocking Statute, but leaves it to the relevant companies to organize their compliance internally.

In this respect, the Gauvain Report appears to suggest that a French authority regulate the control process over the observance of the French Blocking Statute during an investigation as well. Indeed, the Gauvain Report appears to envision making it mandatory for companies to contact the SISSE when foreign requests are made. While this suggestion may be welcomed by some companies, it may set up a conflict between the SISSE and other French authorities in the course of multijurisdictional investigations. It also may invoke a level of regulatory oversight that is unwanted where companies would prefer to cooperate with the foreign disclosure.

Article 48 of the GDPR

Like blocking statutes, data privacy legislation may affect the transfer of data and information in the context of litigations and international investigations.

In a 2009 decision, the French National Commission of Data Protection (CNIL) noted that France had made a reservation to the Hague Evidence Convention allowing it to refuse to execute letters rogatory issued solely for the purpose of obtaining pretrial discovery if the documents sought were not specifically identified and did not have a direct and specific connection with the subject matter of the dispute. In its decision, the CNIL highlighted a close relationship, almost a parallelism, between data protection and the French Blocking Statute, which it defined as the “shield law adopted for the defense of French economic interests, for the protection of strategic business data, against abusive actions of foreign authorities to collect information of economic nature.”

It is in this context that the European legislature introduced a specific provision in the GDPR concerning the transfer of personal data to foreign courts and administrative authorities.

According to Article 48 of the GDPR, “[a]ny judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter [emphasis added].”

Just like Articles 1 and 1bis of the French Blocking Statute, Article 48 of the GDPR requires the use of international agreements or treaties like MLATs and the Hague Evidence Convention to request and obtain personal data in the context of a litigation or investigation. In other words, just like the French Blocking Statute, Article 48 of the GDPR was introduced to address concerns of member states and data protection authorities in the context of discovery and pretrial discovery requests concerning large amounts of not specifically identified data.

Indeed, one objective of Article 48 of the GDPR was to address a perceived aggressive extraterritoriality by foreign authorities in bringing certain proceedings against European entities. In this respect, recital 115 of the GDPR explains that “[s]ome third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.”

To that end, the French Blocking Statute and Article 48 of the GDPR share the following attributes or goals:

  1. Limiting certain proceedings brought against European entities by foreign authorities
  2. Providing tools to achieve this goal, that is, the recourse to international agreements or treaties like MLATs or the Hague Evidence Convention
  3. Providing a basic approach to the collection and sharing of data and information, or what the GDPR calls “minimization” — the fact that collection and transfer of data must be strictly necessary and proportionate to the purpose pursued corresponds to the French reservation during the ratification of the Hague Evidence Convention to limit the disclosure of evidence under pretrial discovery to documents strictly related to the specific subject of the dispute.

The “success” of the GDPR abroad will depend on the credibility of the European legislation and on the powers vested in national courts and the ECJ to impose penalties on violators. To advance that objective, EU-level guidance to national data protection authorities on Article 48 enforcement would be helpful.

The GDPR does present significant impediments to companies that desire to transfer data outside of France for use in legal or regulatory proceedings, because it imposes significant restrictions on the transfer of data, requiring, among other things, the use of standard contractual clauses and, in the case of certain data types, consents from the data owner. Guidance in these situations for the legal transfer of data extraterritorially would be welcome.

The U.S. CLOUD Act

The 2018 Consolidated Appropriations Act included a revision of the 1986 Stored Communications Act (SCA) allowing the U.S. government to access communications stored abroad by service providers subject to U.S. jurisdiction. This mechanism for reaching information and documents overseas is not available to civil litigants, but only to law enforcement. In particular, among other things, the CLOUD Act now establishes that the SCA provisions concerning the production of electronic communications extend to those held abroad.

Previously, the SCA was silent as to whether the U.S. government could require the production of electronic communications stored outside the U.S. Within this framework, in the well-known case Microsoft Corp. v. United States,[ the Supreme Court was asked to determine whether the U.S. government could use an SCA warrant to access records held by an affiliate of Microsoft on servers located in Ireland. In 2014, the U.S. District Court for the S.D.N.Y. declined to quash the government’s warrant, but on appeal, the Second Circuit reversed that decision. The government thereafter petitioned for a writ of certiorari, allowing for Supreme Court review of the decisions below, which was granted in October 2017. In the interim, the U.S. legislature passed the CLOUD Act into law, and the U.S. Supreme Court ruled that the matter had become moot.

As relates to the French Blocking Statute and Article 48 of the GDPR, the major changes to the SCA framework are the following.

  1. Extraterritoriality: Section 103 of the CLOUD Act amends the SCA by adding a new section expressly stating that the SCA applies extraterritorially. In particular, the CLOUD Act also includes Section 2713, which requires service providers to disclose communications even if they are “located [] outside of the United States.”
  2. Possibility to Challenge a SCA Warrant: Section 103 of the CLOUD Act also provides a mechanism for service providers to challenge SCA warrants. A court may quash a SCA warrant if it finds that (a) the disclosure would cause the provider to violate foreign laws; (b) “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed; and” (c) “the customer [] is not a United States person and does not reside in the United States.” Moreover, under the CLOUD Act, a court is required to undertake a comity analysis, taking into account, for example, “the interests of the United States, including the investigative interests of the governmental entity seeking to require the disclosure” and “the interests of the qualifying foreign government in preventing any prohibited disclosure.”
  3. International Agreement: Section 105 introduces a new provision defining criteria for the U.S. and other governments to sign executive agreements regulating cross-border requests for information, and authorizing service providers to respond to requests by foreign governments pursuant to such agreements.

In this context, there are at least two reasons why the French Blocking Statute may be implicated by enforcement of the CLOUD Act.

First, while the CLOUD Act is sometimes interpreted as a blocking statute in that the U.S. legislator has the right to establish conditions for international cooperation on cross-border access to digital data, the provision of data under the CLOUD Act can be challenged before U.S. courts and is subject to international agreements. Because these international agreements should result in negotiation by the two countries, in the case of France, drafting will likely take into account the French Blocking Statute, Article 48 of the GDPR and other French data protection laws.

Second, by introducing a procedure for pre-enforcement challenges to SCA warrants and requiring a comity analysis, the CLOUD Act effectively follows the approach stemming from the well-known Supreme Court decision in Société Nationale Industrielle Aérospatiale v. U.S. District Court, 482 U.S. 522 (1987), which requires a U.S. federal court to carry out a balancing analysis to decide whether to compel production of information from litigants or nonparties outside the U.S. Based on this precedent, in the case of companies based in France, U.S. courts have previously compelled production of information based on the fact that the French Blocking Statute was generally not enforced. In the interest of French companies and individuals seeking to resist production of their communications under the CLOUD Act, it may be helpful for the Ministry of Justice to issue guidance underlining the need for French prosecutors to strictly enforce the French Blocking Statute. Companies with an interest in the production of communications stored in France to U.S. regulators, however, may not share those interests.

Conclusion 

Cross-border discovery — in civil, criminal and regulatory contexts — remains difficult. Issues abound, only complicated by the passage of the GDPR and the uncertainties that remain around its terms and enforcement. The Gauvain Report may help alleviate some confusion in this area.