In Homer’s Odyssey, Odysseus must pilot his ship through a strait with a large rock on each side. On one of the rocks is Scylla, a monster with 12 misshapen feet and 6 long necks, each capped by a frightful head with 3 rows of teeth. If Odysseus sails too close to Scylla, she will shoot out all her heads at once and carry off a man in each mouth. Below the other rock is Charybdis, a whirlpool that vomits forth her waters three times a day before she sucks them down again. Because the strait is so narrow, Odysseus is forced to choose which monster to confront. U.S. litigators face a similar—though, perhaps, slightly less vivid—dilemma as they dance between U.S. discovery obligations and the ever-evolving European data-protection laws.
Welcome to your nightmare. Later today you will discover that you have inadvertently undermined your firm’s relationship with one of its best clients. And you have no inkling of what is to come.
This morning you lost a seemingly routine discovery dispute. The judge ordered your client to produce forthwith employee emails relating to the quality testing of a widget at issue in the litigation. You called the client and requested the documents from its human resources and accounts payable departments in New York. So far, nothing particularly unusual appears to have occurred.
Unbeknownst to you, however, these departments moved to Paris last year after a French pharmaceutical conglomerate acquired your client. Only upon learning of the move do you realize that France’s restrictive data-protection laws must now be central to your thinking going forward. Put simply, your client now has two equally troubling options: refuse to comply with the U.S. court’s order to produce the indisputably relevant documents and face sanctions, or transport the documents from Paris to the United States for production and, in so doing, expose you and the company to stiff sanctions for violating French data-protection laws. Unsurprisingly, neither of these options will please your client.
European Data-Protection: the World’s Strictest Standards
The member states of the European Union (EU) have put in place the world’s most comprehensive data-protection regime. More specifically, European Parliament Directive 95/46/EEC mandates that those collecting personal data safeguard the “personal data” at issue; grant enforceable rights to individuals about whom data are collected; and, moreover, restrict the “processing” of documents containing personal data.
As so often is true, the devil is in the details. The directive broadly defines “personal data” to include “any information relating to an identified or identifiable natural person.” Any documents located in Europe containing information relating to a company’s employees, customers, clients, or other individuals—including, of course, your company’s employee emails—may thus contain “personal data” subject to protection. “Processing,” in turn, is defined broadly to include the collection of documents, the analysis and disclosure of those documents to others in the EU, and, significantly, any transfer of those documents to non-EU countries, including the United States. As a result, even issuing a standard litigation hold notice may constitute processing under EU law.
Also critical to your client, if data are to be transferred outside the European Economic Area (EEA), the exporter of the data must consider whether the recipient country and the circumstances surrounding the transfer ensure an adequate level of protection for the data. The exporter of the data should, as a consequence, pursue one of the following avenues:
A finding of adequacy by the European Commission. The European Commission, the executive body of the EU, has the power to find that a country has an “adequate level of protection.” As it stands, the United States is not deemed to be a “safe country.”
Compliance with a safe-harbor scheme. When undertaking data transfers from the EEA to the United States, a data exporter can rely on a U.S. company’s inclusion on a safe-harbor list by representing to the Department of Commerce that it complies with a framework developed by the Department of Commerce and the European Commission. This is an entirely voluntary process and relies on companies’ self-certification. While the U.S. is not considered a “safe country,” U.S. entities that meet the safe-harbor requirements are deemed to be adequately protective. However, most U.S. companies do not meet the most basic requirements of the framework.
An assessment of adequacy by the “controller” (exporter) of the data. If the data-protection regime of a third country has not been the subject of a European Commission finding of adequacy, the exporting controller may assess adequacy in a manner consistent with the directive. This means that prior to transferring data, a controller may make its own assessment as to the adequacy of the importing country’s data-protection regime. In making an assessment of adequacy, the data exporter must consider the nature of the data being transferred; how the information will be used and for how long; the country of final destination of the data; the laws and practices of the importing country, including any standards and security measures that must be complied with; and any guidance provided by the importing country’s local data-protection authority.
Why is the EU so worked up about data privacy? Restrictive EU data-protection laws have been put in place to protect individuals against misuses of their personal data. Recent breaches of security in Europe have threatened the privacy of thousands of people. For example:
In January 2008, the United Kingdom’s Information Commissioner’s Office (ICO) issued an enforcement notice against retailer Marks & Spencer after a contractor stole an unencrypted laptop containing personal and sensitive information about the pension arrangements of approximately 26,000 Marks & Spencer employees. The ICO found Marks & Spencer in default of its obligations under the data-protection laws because it failed to ensure that the laptop was encrypted.
In September 2010, ACS:Law, a now-defunct U.K. law firm, illegally published lists containing data relating to more than 5,000 Sky broadband subscribers suspected of downloading adult films and to more than 8,000 Sky broadband subscribers and 400 PlusNet users suspected of illegally sharing music and films. ACS:Law’s website was hacked, and the data were uploaded to a file-sharing website. Many suspected this to be a coordinated attack by the online group Anonymous. In May 2011, the ICO fined ACS:Law’s former boss £1,000 for lax information technology security. The ICO said that were it not for the fact that ACS:Law had ceased trading, a penalty of £200,000 would have been imposed.
The Global Litigator’s Dilemma
Given the clear conflict between EU data-protection laws and broad U.S. discovery rules, how should a flesh-and-blood U.S. litigator respond to these tricky issues? In our ever-more-interwoven global economy, litigation in U.S. courts routinely requires the transfer of personal data from the EU, whether it be from a European entity doing business in the U.S., a European subsidiary of a U.S. parent, or a third party. And although these conflicts may not arise in every case, it pays to carefully consider whether this may become an issue in your case. After all, if your client has any international affiliates—whether parent, subsidiary, or other entity—or simply transacts business internationally, the very real potential for international discovery problems exists. From the onset of any litigation (and, arguably, even earlier), you and your client need to understand data-protection policies and compliance obligations from preservation to production.
The proliferation of international commerce and electronic storage of data require that, at the outset of any litigation or compliance discussion, you place international discovery and e-discovery issues at the top of your discovery checklist. For example:
Research all potentially applicable data privacy laws. U.S. litigators must understand what data the various jurisdictions’ data-protection laws seek to safeguard. Most U.S. litigators are relatively new to these issues. Because of this and because differences in national laws exist, you should retain local counsel to assist in complying with the relevant law and to inform the client of the time and expense necessary to complete the process. Consider also whether you need to obtain local employment advice—which may be necessary if, for example, the client intends to transfer employees’ personal data—as employment law differs greatly from country to country.
Incorporate international data-protection laws into any objections made in the course of discovery. Assert objections to document requests that would require violation of any data-protection or privacy laws in the jurisdiction at issue. Consider objecting on the grounds that the documents sought are not reasonably accessible because of undue burden or cost under Federal Rule of Civil Procedure 26(b)(2)(B).
Decide what position you will take regarding whether your client has control over documents held by a related entity in Europe. The mere fact that the documents are housed abroad does not mean that they are not discoverable under U.S. law. If a discovery dispute arises over documents located in the EU within the control of your client, prepare for an uphill battle. It rests on the litigator to convince the judge to weigh the likely relevance and importance of obtaining these documents against the potentially significant (to put it mildly) burden of forcing the client to violate another country’s laws.
Understand your client’s data-protection policies and record of compliance. You will want to prove to a court or foreign government that your client takes EU data-protection laws seriously and that your client has sought, and will continue to seek, to comply with its legal obligations.
Good litigators will strive to present a compelling case as to why the client should be excused from producing the data in question. The court must understand that this nuanced issue warrants attention and poses great risks, both financial and reputational, for the client. Retention of an expert to explain why the laws at issue apply and the extent to which compliance is either possible or impossible will almost certainly help inform the court (not to mention help advance your position). If compliance is possible, the court needs to understand the expense and burden of compliance, as well as what liability the company will be exposed to if it violates (or, rather, is forced to violate) foreign data-protection laws. Also consider retaining a technical expert to explain the issues involved in recovering or converting the data.
A Possible Middle Ground
If you are unable to convince the court not to compel production, consider phased discovery. Try to persuade opposing counsel (and the court) to conduct discovery in the United States first, before opening the doors to international discovery. If opposing counsel finds that the U.S. discovery provides enough information for their case, foreign discovery may be avoided altogether. If it cannot be avoided, suggest limiting foreign discovery to filling the gaps left after U.S. discovery has concluded.
If you are compelled to produce some of the documents, consider sending lawyers to the foreign jurisdiction to review the universe of potentially relevant documents. Again, any effort you can make to narrow the scope of relevant documents located abroad will help. This will also demonstrate to the U.S. court and foreign government that your client takes its legal obligations in both the U.S. and EU jurisdictions seriously and seeks to strike an appropriate balance between competing and contradictory laws. Following such a deliberately phased approach, moreover, gives the client more time to navigate foreign data-protection laws, while limiting the volume of required discovery.
If you decide to (or are required to) move data to the United States, consider whether documents can be redacted to exclude personal data. Further, take all reasonable steps to preserve the security of the data. Whether in the hands of your client, your law firm, litigation support services, or expert witnesses, the data must be protected from destruction, loss, or unauthorized access. If you outsource the processing of personal data to a third party, ensure that the third party guarantees that the processor acts only on your instructions, provides appropriate safeguards concerning the security measures in place, and provides you with the right to take reasonable steps to ensure compliance with those measures (such as audits). You will want to be able to demonstrate to foreign authorities that you took all possible steps to protect the data.
Of course, you must also ensure that you (and your client) create a reliable record of all the data-protection issues that have arisen throughout the case, the decisions made along the way, and all measures taken to protect the data. Such a record will prove invaluable if the authorities later decide to challenge the transfer.
What You Don’t Know Can Hurt You
Transferring data from the EU to the U.S. for use in civil litigation is, as we have seen, a treacherous process. Indeed, as privacy concerns dominate public discourse, more and more countries will likely expand the protections offered to their citizens. Mexico recently passed broad new data-protection and privacy laws, allowing for a $1.5 million penalty. Singapore recently took another step toward a data-protection law regime when the government set up an online consultation platform to encourage public feedback on the scope the legislation should have. Sanctions have also been increased in many countries, including the United Kingdom, where fines of £500,000 are now possible. In fact, on January 25, 2012, the European Commission released its proposals to revise the EU Data-Protection Directive, which signify a major reform of the data-protection law and propose fines of up to 2% of global revenue.
Nobody expects that U.S. litigators will become overnight experts on EU data-protection laws. That said, it is entirely reasonable to expect that they know the laws exist and that they develop a basic understanding of the issues their clients face when presented with such dueling obligations. Knowing when and how to anticipate and deal with these issues will help you better serve your client’s needs, avoid unpleasant surprises, and develop a litigation plan that is as consistent as possible with both U.S. and EU laws. After all, the first step to navigating that narrow and treacherous strait between Scylla and Charybdis is to understand the dangers you face.
The author gratefully acknowledges the assistance of Aaron Gopen, Nicola Birney, and Charles Golsong of Fulbright’s Los Angeles and London offices.