France’s data protection authority, the CNIL, has decided to focus on transatlantic data transfers in the context of U.S. litigation and administrative investigations. The CNIL held a number of hearings in spring 2008 to understand the scope of the problem and potential solutions.
On June 6, 2008, the American Chamber of Commerce in France presented to the CNIL a position paper intended to educate the CNIL about U.S. procedures, and in particular the ability of parties in civil litigation to seek a protective order to safeguard the confidentiality of personal data.
The CNIL has not yet issued any recommendations, but intends to raise the issue at a European level within the Article 29 Working Party. (CNIL Chairman Alex Türk also currently chairs the Article 29 Working Party.)
Pre-trial discovery has often been a source of confusion and concern for Europeans. France enacted a blocking statute decades ago to protect French companies from discovery requests and administrative investigations in the United States.
At the time, the concern was that far-reaching discovery requests could be a way for U.S. companies to obtain competitively sensitive information about their European counterparts. Now the concern seems to be that U.S. litigation may require the transfer of massive amounts of personal data to the United States without adequate protection. During its testimony before the CNIL, the American Chamber of Commerce in France emphasized that discovery requests are subject to intense negotiation between the parties, the objective being to narrow the discovery request to cover only information that is truly relevant to the litigation. So-called “fishing expeditions” are not tolerated by U.S. courts.
The American Chamber of Commerce delegation also explained that the parties may ask the court to issue a protective order to ensure that information communicated to the other party in the context of U.S. litigation is kept confidential and destroyed or returned once the litigation is finished.
The CNIL has not yet issued formal guidelines regarding how to comply with discovery requests while still respecting European data protection law. One approach the CNIL (and the Article 29 Working Party) may consider is to issue a blanket authorization that would apply to the processing and transfer of personal data in the context of U.S. litigation, provided that the information is covered by a protective order issued by a U.S. court, which guarantees a certain level of protection.
The CNIL and/or the Article 29 Working Party would likely establish a list of criteria that the U.S. protective order would have to satisfy to qualify for the blanket authorization. This approach would equate to creating a special safe harbor for discovery requests that meet certain criteria.