Back in August of 2009, I wrote an article, European Union E-Discovery Rules: What Every Corporate Litigator Must Know, describing the privacy laws in the European Union and the significant implications for litigation based in the United States.
At the end of the article, I predicted that the EU would further shore up their privacy laws as business between U.S. and EU increased.
To anyone that follows EU law, my predication was more of an inevitability given the fast-paced development of EU privacy laws.
EU Privacy Law Just Got Tougher (Again).
Thus, it came as no surprise when the Financial Times reported this week that the EU just adopted a tougher e-privacy directive governing data protection and the use of internet tracking software.
Although the new EU guidelines are specific to the advertising industry, they highlight the increasing rigidity of EU privacy laws. These laws have significant implications for litigation based in the United States.
Gathering Evidence for U.S. Litigation
Collecting evidence for U.S. litigation among domestic states can be a challenging task. The task becomes backbreaking when dealing with EU nations. While not an impossible endeavor, it does require that attorneys become familiar with the requirements of EU data privacy law to ensure that data will be available upon request. Doing so will ensure that an e-discovery demand won’t expose their clients to prosecution for violation of EU data privacy laws.
Any litigation reaching the European continent promises to frustrate and confound with a level of complexity not normally present in a purely American lawsuit. It is imperative that counsel confer with their clients as to the laws that will govern data created in the EU.
This will guide clients in implementing procedures designed to streamline the flow of data should litigation ever occur. It is equally essential to have access to lawyers versed in European law when litigation does arise. In this manner, the e-discovery can be conducted in the EU itself, which will limit the risk of any liability for violation of its data privacy laws.
European Union Privacy Laws
Privacy laws in the European Union derive from EU Directive 95/46/EC and protect personal data from disclosure in virtually all cases. The protection afforded by this directive is in sharp contrast to Federal Rule of Civil Procedure 26, which mandates that parties disclose relevant information regarding “any matter not privileged.”
In addition to the EU privacy laws, it is imperative that corporate counsel become familiar with the various “blocking” statutes enacted by EU member states. Switzerland, France and the United Kingdom, for example, have enacted blocking statutes that restrict discovery of information meant for disclosure in a foreign jurisdiction.
How To Transfer Data From the E.U. to the U.S.
A limited exception to these laws allows personal data to be transferred outside of the European Union for “the establishment, exercise or defense of legal claims.” Because the EU has limited this exception to proceedings governed by the Hague Convention, it does not apply to U.S. proceedings conducted under the Federal Rules of Civil Procedure.
There are two important ways to legitimize the release of data in relation to e-discovery in the EU:
- Data may be released if the data subject gives their unambiguous consent.
- Data may be released if necessary to comply with a “legal obligation.” Although this provision is strictly interpreted, a US court order directing a company to produce data from a European subsidiary would most likely constitute a legal obligation. This may vary among EU member states. France, for example, has demonstrated an unwillingness to authorize the release of data pursuant to a foreign court order.
One often overlooked mechanism to streamline issues concerning the exchange of data in the EU is the US-European Union Safe Harbor Framework. The Framework offers a more simple and efficient means of complying with the adequacy requirements of EU privacy laws, which should particularly benefit small and medium enterprises.
The Framework applies only to US companies and allows for transfers of data without prior approval. A certification form can be found at the U.S. Department of Commerce’s Safe Harbor Self-Certification website.
Another technique that can ease the pressure of compliance, a multinational enterprise can utilize is to commit itself to a binding set of corporate rules surrounding its data transfers. This option allows transfers of human resources data, since it applies to intra-group transfers. It also applies to companies across the globe, not just in the US, as is the case with the Safe Harbor Framework
Conclusion
Counsel should work with their clients to determine which of these options is best tailored to the client’s needs. This should involve a thorough understanding of the corporate structure and IT department. Although any e-discovery would still need to constitute a legitimate exchange of information, proving legitimacy will usually prove to be an easier task than justifying a transfer of data to the US.
Trend to Watch: While the EU’s Privacy Laws Set the Regional Baseline, Look for Even Tougher and More Comprehensive Privacy Laws to Be Implemented in the Eastern Bloc Countries of the EU.
-Santiago