Archives

E-Discovery Vs EU Data Protection Conflict

USA

Electronic Discovery (or e-Discovery) is the process of identifying, preserving, collecting, preparing, reviewing, and producing electrically stored information (ESI) in the event of a legal request for such information. Rule 34 of the Federal Rules of Civil Procedure 2006 provide that a party may serve on any other party a request for any ESI within any medium, or ‘any designated tangible things.’ The scope of pre-trial discovery in the US is considered to be the widest of any common law country. Some of the most common areas of US litigation where data may be affected include:

  • Document preservation in anticipation of proceedings before US courts or in response to request s for litigation;
  • Pre-trial discovery requests in US civil litigation;
  • Document production for US criminal and regulatory investigations;
  • Criminal offences in the US relating to data destruction.

US companies must pre-emptively retain all documents that may be relevant to actual or reasonably foreseeable litigation. Where a company fails to preserve such information, they may be fined or possibly be subjected to criminal sanctions.

Thus far, US courts have not been lenient to parties raising EU privacy concerns. This places US companies in the difficult position of having to decide whether to breach EU data protection laws or US e-discovery court orders.

EU

In the EU, data protection is protected by Article 8 of the Charter of Fundamental Rights of the European Union. It is primarily regulated by the Data Protection Directive 95/46/EC, which considers personal data to be “any information that relates to an identified or identifiable natural person.” Although this directive has been implemented throughout the EU, the level of protection is uneven. For this reason, the European Commission has proposed a new Data Protection regulation that is intended to apply the same principles of protection throughout the EU States.

Directive 95/46/EC contains two primary principles relation to discovery obligations:

i)                    Purpose Limitation

This limitation provides that European companies should only collect personal data for specific, legitimate purposes, and should use, disclose and retain the data only as needed for those purposes. Using business records which contain personal data in the course of litigation is a secondary use of the data which, generally, is not permitted.

ii)                   Export limitation

Article 25 of the directive provides that the transfer of personal data to a third country may only take place if the third country ensures an ‘adequate’ level of protection. The US is not currently on the list of countries that are considered to provide such protection.

Article 26 of the directive provides exceptions to this restriction for cases such as where the data transfer is legally required in legal disputes. This exception has been interpreted strictly and is considered to be inapplicable to e-discovery requests except where individual EU member states have enacted exceptions.

Many civil law countries in the EU do not have any formal discovery processes. France and Spain, for example, restrict disclosure to documents that are admissible at trial. In Germany, litigants are not required to disclose documents to the other party; parties need only produce the documents that will support their case.

Conflict

There is a conflict for US firms that contain affiliates in EU countries. On the one hand, federal and state rules authorise the retention and production of all relevant data, even if the data is located outside of the US. However, EU data protection laws lay down strict rules for personal data, which severely restricts the transfer of data to jurisdictions outside of the EU.

Until the EU publish further regulations, it is unlikely that any such issues will be resolved and US companies will need to ensure that their discovery policies comply with the strictest EU data protection laws.

The Article 29 Working Party of the EU stated that there is a need to reconcile the requirements of the US litigation rules and EU data protection provisions. The Working Party report provided three relevant grounds that may allow the processing of personal data to be legitimate:

  • Where there is consent from the data subject;
  • Where the compliance with the pre-trial discovery requirements is necessary for compliance with a legal obligation;
  • Where the compliance with the pre-trial discovery requirements is necessary for the purposes of a legitimate interest. This basis would only be acceptable where such legitimate interests are not “overridden by the interests for fundamental rights and freedoms of the data subject.”

Conclusion

Conflict remains between US and EU data laws. This conflict is starting to be recognised on both sides of the Atlantic. However, at present, no definitive solution exists.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • Resolving multinational compliance conflicts (I.C.j.)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>