On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.
The challenges discussed in the Working Document have considerable practical implications for companies, which are increasingly caught between U.S. requirements that personal data be retained and transferred to the United States for litigation purposes, and European legal restrictions on such retention and transfers. These challenges are not just theoretical, as in December 2007 the French Supreme Court (Cour de cassation) upheld a €10,000 criminal fine against a French attorney for collecting information as part of U.S. discovery proceedings. The Working Document is available here.
The Working Document identifies four data-related stages during the litigation process—retention, disclosure, onward transfer, and secondary use—and stresses that the “use of personal data at each of these stages will amount to processing” and “will require an appropriate condition to legitimate the processing.” It is tempting to focus only on the issues raised by transferring personal data to the United States, but collecting, storing, and analyzing personal data within Europe also require legal justifications and careful attention.
According to the Working Document, “it is unlikely that in most cases consent would provide a good basis for processing.” Instead, the Working Document points to Article 7(f) of the EU Data Protection Directive—processing necessary for the purpose of a legitimate interest of the controller or a third party—as a more likely basis for complying with U.S. civil discovery laws. The Working Document also leaves open the possibility that Article 7(c) of the Directive—compliance with a legal obligation—might also work, since some member states may impose a legal obligation to comply with the orders of foreign courts. However, a foreign legal obligation alone is insufficient to provide a legal basis for data processing under the Directive.
“Sensitive” personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life) could only be processed with unambiguous consent or if “necessary for the establishment, exercise or defence of legal claims.” Given the Working Party’s generally negative view towards consent or legal necessity as a basis for data processing in the discovery context, a practical solution to the issue of processing sensitive personal data still seems remote. In addition to requiring a legitimate basis for each stage of data processing in connection with civil discovery, the Working Document also stresses other key data protection requirements that must be complied with. For example, under Article 6, personal data must be “processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not used fort incompatible purposes.” Personal data must also be “adequate[,] relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”
The Working Document notes that compliance with these provisions may require “filtering” of personal data while still in Europe to limit the data to those relevant to a civil discovery demand, and may require “the services of a trusted third party in a Member State.”
Transparency is another key requirement stressed in the Working Document, which states that “in the context of pre-trial discovery this would require advance, general notice of the possibility of personal data being processed for litigation.” Additional notice would be required if data are actually produced as part of a judicial proceeding.
The Working Party also stressed the rights of access, rectification and erasure, and suggested that before complying with civil discovery orders, and during the trial itself, data subjects must have access to their data and an opportunity to “access and rectify incorrect, incomplete or outdated personal data prior to the transfer.”
Finally, the Working Document highlights the need to provide continuing security for personal data.
On the specific issue of transferring data to a third country (e.g., the United States) for production, the Working Party would require compliance with Safe Harbor, a data transfer agreement based on standard contract clauses approved by the European Commission, or a set of binding corporate rules that have been approved by the relevant Member States’ data protection authorities. The Working Document notes that compliance with a request under the Hague Convention would always “provide a formal basis for a transfer of personal data,” but goes on to observe that not all member states have signed the convention, many who have signed have entered reservation against the discovery provisions, and U.S. courts have been reluctant to follow Hague Convention procedures.
The Working Document is noteworthy for its thoroughness and moderate tone. While the Working Document is signed by Article 29 Working Party president Alex Türk of the French Data Protection Authority (the CNIL), the process that led to the Working Document included a subcommittee of the Working Party led by Dr. Alexander Dix, who has carefully studied the issues and who was a featured participant in the High-Level Workshop on U.S. Civil Discovery and European Data Protection co-sponsored by the Centre for Information Policy Leadership at Hunton & Williams, LLP, in October 2008. Many of the recommendations also appear to reflect the careful, moderate arrangements that Dix has negotiated or approved as Data Protection and Freedom of Information Commissioner of Berlin—calling for broad notice, a limited scope of data retention, close scrutiny within Europe, the negotiation with U.S. courts for appropriate limitations and protective orders, and continuing obligations that follow the data.
That said, the Working Document is likely to face three limitations. First, there are a number of issues it explicitly defers consideration of, for example, document retention and production in criminal and regulatory investigations and practical litigation management systems that store broad swaths of data to facilitate the retention and analysis of data in response to discovery requests.
Second, while Dr. Dix and his colleagues have developed significant understanding of the complex issues surrounding civil discovery and have provided guidelines noteworthy for their “balance” and “proportionality”—two words that appear frequently in the document—it is not clear that U.S. courts, unfamiliar with basic data protection concepts, will be similarly diplomatic in their outlook. Instead, U.S. judges may well perceive some of the recommended steps to accommodate privacy interests as time-consuming and burdensome at best, or as a threat to their judicial authority at worst. So translating the Working Party’s broad guidelines into practical reality may be the greatest challenge ahead.
Third, the Working Document explicitly notes that its guidelines are an “initial consideration” of how to manage the issues surrounding pre-trial discovery, but that resolving those issues is “beyond the scope of an Opinion by the Working Party” and can “only be resolved on a governmental basis, perhaps with the introduction of further global agreements along the lines of the Hague Convention.” The Working Document might best be understood as a first step—an important first step to be sure—towards a more distant goal.
The Working Document concludes with an “an invitation to public consultation with interested parties, courts in other jurisdictions and others to enter a dialogue with the Working Party.”