April 01, 2014
Global Litigator: Privacy Challenges in Obtaining Discovery from Europe
Litigators increasingly find themselves trapped between U.S. discovery requirements and European privacy laws.
Kate J. Brimsted
The curtain rises on the opening scene in a transatlantic privacy drama. A multinational automotive components business, Company, Inc., headquartered in the United States, has fallen out with a vendor over failures in the company’s new global distribution management system. Trust is breaking down between the protagonists and it appears inevitable that litigation in the United States (and possibly also elsewhere) will ensue. It is a classic tale of misunderstandings and disagreement over the contracted-for scope and functionality, part of which was scoped by Company, Inc.’s European logistics teams. The U.S. central procurement team are red faced and the logistics team are ashen faced at the prospect of failures to meet future customer commitments. Enter Tom Mynfield, the new general counsel, who is belatedly made aware of all this and decides he urgently needs to review a range of emails and other documents, some of which are held only by the European subsidiaries. Tom asks the global information technology (IT) team in the United States to remotely access the European server in London and copy the documents he needs.
Mindful that some further information might be stored locally on European employees’ laptops or smartphones, to complete his review, Tom contacts his French, German, and British counterparts to arrange for the gathering of this company property for imaging and also to make them aware that a central document hold is in place and that it also affects documents created by or received by personnel at the European companies.
Tom then hears suspicions that there may be deeper issues than those that have appeared so far (he has now heard a rumor about lavish hospitality that might have been accepted by company procurement staff from the contractor).
Tom learns from his European colleagues that European data privacy law does not permit the unfiltered copying and delivery to the United States of all the material on employees’ laptops. Tom explains to them that documents and emails are about to be imaged remotely. They advise him to halt this immediately and take some advice on European Union (EU) privacy law, or the group could face potential criminal liability.
Feeling poleaxed, Tom goes home that day and describes something of his predicament to his wife, Sarah (a chief privacy officer at another multinational company). Sarah tells him to look at data transfer mechanisms for privacy called “safe harbor,” “binding corporate rules,” and “EU model data transfer contracts.” More convinced than ever that it is a mistake to bring work home, Tom ponders whether the lack of cooperation from the European group companies could in fact be a case of overzealousness (or maybe even internal politics). Even if there is substance to his colleagues’ concerns, with the potentially serious adverse consequences in the United States hanging over the company, Tom wonders whether he needs to be overly concerned about potential European privacy law scrapes.
The next day, Tom broaches the situation with the chief executive officer, Alec, who favors adopting a robust stance and insists that all material is Company, Inc., property and that notions of “privacy” in this context are nonsensical and redundant. Tom the Slightly Tentative can see Alec starting to wonder whether Tom has the requisite “fire in the belly” to serve Company, Inc.’s interests properly. It is at this point that we are called by the now rather troubled Tom.
Having been down this road before, we know the benefits of using the following six-step strategy for managing document discovery in an EU-privacy friendly way, and commence walking Tom through it immediately.
Step 1. Determine whether there is a need to obtain data currently held in Europe.
Step 2. Determine whether the data must include some personal data.
Step 3. Pre-filter the data in Europe to ensure unnecessary personal data are removed prior to the transfer.
Step 4. Identify compliance gateways, including necessity, model contracts, safe harbor, or others.
Step 5. Review the protections in place for the data once sent, and request protective orders, as appropriate.
Step 6. Log and memorialize the process to prepare for possible enquiries from EU privacy regulators, aggrieved individuals, U.S. courts, litigation adversaries, or other regulators.
Europe’s Privacy Roadmap
Inevitably, effective trade requires some use of information relating to individuals—knowing a customer’s delivery address for goods ordered, verifying bank details for payments to online merchants, ensuring that only authenticated individuals are able to access appropriate government services, e.g., online tax return filing. Of course, the existence of trade between nations (or even within a common market) does not require underlying cultures or even privacy standards to be perfectly aligned, but some kind of agreed “map” is pretty useful. So, to create a common legal framework for data privacy in Europe, a valiant effort was undertaken in the form of the European Data Protection Directive (95/46/EC), passed in 1995 and now in force in each of the 28 EU member states (which include the countries Tom is concerned with: France, Germany, and the United Kingdom (UK)). The motivation for the directive was to promote the internal EU market by removing barriers to flows of personal information within Europe, while at the same time ensuring that individuals’ privacy and fundamental rights were not compromised by this, as well as recognizing the greater threats presented by more and more advanced information technology and communications systems.
The directive sets out minimum levels of legal protection for digital personal information across the EU. Because it was negotiated in the mid-1990s before there was any familiarity with the Internet and before “big data” and behavioral advertising were even a twinkle in a digital marketer’s eye, some of the restrictions are particularly difficult to navigate in the current digital global age, not least the restrictions on transborder flows of digital information linked to individuals. The directive, nearing the end of a root-and-branch reform process, has some major changes in store—about which more later—but even if helpful, they will be too late for Tom.
He might be able to take some comfort that these complexities have come about for the laudable reason that Europe recognizes data privacy as a fundamental human right, to be protected as such by legislation. There have been a number of earlier international initiatives, by no means all of them exclusively European. In 1980, the Organisation for Economic Co-operation and Development, of which the United States and major European countries were founding members, published specific guidelines concerning the protection of privacy and transborder flows of personal data; those guidelines were revised and reissued in September 2013.
Tom the Troubled is not surprised to hear that privacy is regulated in Europe, but what does shock him is the breadth of coverage and its extension into ordinary business operations. Company, Inc., does not deal with individual consumers; it does not engage in any behavioral advertising, sophisticated individual loyalty programs, cold calling, or website trend analysis. Tom privately shares Alec’s reaction: what has getting discovery-type material to the United States got to do with anybody’s privacy?
The root of this is found in the directive and the broad interpretation it takes to protected “personal data” including names, addresses, dates of birth, national security numbers, banking details, and biometrics. It also includes employment, familial, sexual, health, political, racial, and philosophical and religious attributes. “Personal data” covers opinions about people (so not just objective information about them), as well as expressions of intention (for example, “Bob appears to lack motivation, and we should start actively managing his performance”). The directive focuses on protecting digital-form information, although information stored in certain highly organized manual (e.g., paper) filing systems may be covered, too. The law does not regulate the purely domestic—e.g., someone’s noncommercial, private social media account activity—but it goes beyond what many might consider to be a personal, private context. Employment details, such as job titles, work email addresses and phone numbers, name of employer, and professional associations are all an individual’s “personal data,” assuming they are or can be linked to an identifiable person. In other words, information about employees going about their ordinary duties will also be covered. It is clear how these facts can have far-reaching consequences, particularly in the context of discovery-driven document reviews.
EU data protection does not sit comfortably with the common notion of what constitutes company property (illustrated by Alec the CEO’s reaction). While bald statements in employment handbooks or policies—such as “the company owns all information on its IT systems and issued equipment, and no such information shall be private to the employees”—may be helpful up to a point, they certainly do not release an EU company from the duties of what the directive calls a “data controller,” an organization that controls how personal data are used. Nevertheless, it would still be worthwhile for Tom the Thorough to check what the relevant Company, Inc., policies and documentation tell employees (and possibly third-party business contacts) about how their personal data may be used.
An organization will be considered a data controller of the personal data of its employees (and hence fall within the scope of the directive) because it gets to decide (within certain legal constraints, such as confidentiality) the purpose for which it uses the information. Primarily, the purpose for which such information will be used is to employ, reward, and discipline employees, protect them from or compensate them for injury at work, and make workplace adjustments for disabilities or special needs. An employer also gets to decide the manner in which it uses the information—for example, it can choose to deploy a human resource information system, paper personnel files, electronic “clocking in,” or work monitoring systems. Or it can decide to subcontract to a third party to provide services, such as payroll processing. A data controller that is an employer also gets to decide (subject to rules set out in the directive) the extent to which it shares information about its employees with other group companies, particularly when there is an overseas parent company. The directive also gives certain, direct rights to individuals to control how their personal data are used and to gain access.
What Is Covered
Of course, not every entity in the world that determines how personal data are used will be covered by the EU data protection regime, so Tom the truly Tested may well be forgiven for thinking “To blazes with all this” and direct his efforts at circumnavigating the EU rules. This is not advisable because parts of the Company, Inc., group are clearly within its scope. To be a regulated “data controller,” (a) an organization needs to be established in an EU member state (“established” broadly means legally incorporated, or having a branch or office or “regular course of dealing” there) and to be processing personal data within the context of that establishment; or (b) if it is not “established” in the EU, then an entity outside the EU would still be covered if it was making use of equipment located in the EU to process personal data. The “use of equipment” test (limb (b)) has been interpreted widely by privacy experts advising the EU’s executive body, the European Commission. These experts (who make up the EU Data Protection Article 29 Working Party (EU WP)) take the view that “making use of equipment” includes the dropping of Internet cookies on the computers of users in the EU by website operators not based in the EU. The rationale is that deploying such cookies, if it involves personal data processing, amounts to a use of the website visitor’s computer in the EU by the website operator and is therefore a “use of equipment” and subject to the directive. (There may, of course, be considerable practical difficulties in enforcing compliance in such a situation.)
In our transatlantic privacy drama, even though the U.S. parent company does not appear to fall within the direct scope of the directive, it is likely that the French, German, and British companies will each be processing personal data within the context of an “establishment” in the EU and will therefore be required to comply with the directive when it comes to releasing and exporting any personal data from Europe to the U.S. parent company. Moreover, because the directive is a framework law and does not have direct effect in law in the EU, each EU member state had to pass (or amend) national laws to bring it into effect, resulting in slight differences between their laws. In addition, other related laws may have an impact. For example, Tom should consider whether there is a German Works Council and, if so, whether to consult it about the proposed export of employee data. (In practice, there is a considerable amount of variation in implementation of the directive between the EU member states, and the effect of separate laws, such as labor law, causes difficulties within Europe.) Tom the Tenacious sees that he needs not just one “European” privacy specialist, but backup advice on the specific laws applying in France, Germany, and Britain.
Tom’s major challenges will be (1) meeting overall mandated standards of fairness and lawfulness when using personal data; (2) complying with individuals’ specific rights, especially of access and transparency about the purposes behind the processing; and (3) satisfying the restrictions on extra-EU transfers of personal data. The requirements can conveniently be thought of as a number of different gateways, arranged in three rows.
The first row of gateways concerns the overarching requirement to treat personal data fairly and lawfully; these gateways include (i) obtaining the freely given, specific, and informed consent of individuals affected, or (ii) limiting the processing of personal data to what is necessary for the organization’s legitimate interests (or those of the party receiving the data) (while ensuring at the same time this processing is not unwarranted by reason of prejudice to the individuals’ rights and freedoms and legitimate interests, e.g., by overriding duties of confidence owed to them). “Necessary” tends to be given its literal meaning: Under English law, it refers to something that is more than convenient (e.g., the proposition that “it would be useful for our executive team to have full access to all employee data” is unlikely to be deemed necessary and therefore would not meet this requirement). At the same time, in order to be necessary, something does not have to be essential or a sine qua non.
Part of meeting overall standards of fairness and lawfulness is the duty of the data controller (subject to some exemptions) to ensure that individuals have basic information about how, why, and by whom their personal data are being used. Sometimes it can be assumed from the context that individuals have this (e.g., if you provide a vendor your delivery address when you shop online, it is obvious the vendor will use it to send you your order), and sometimes exemptions apply (e.g., where you did not obtain the information directly from the individual and the effort required to contact the individual and give him or her the information would be disproportionate). In practical terms, the requisite information is generally provided to individuals by means of statements in policies and terms of business.
The second row of gateways—complying with individuals’ specific rights—must be negotiated only if “sensitive” or special category data, such as health, criminal record, political affiliation, sex life, ethnicity, race, or religion, are involved. In the circumstances, it is unlikely that the information sought by Company, Inc., should need to include any sensitive personal data (and the six-step methodology suggested at the beginning of this article should serve to exclude it as far as possible). So, all that is required here is an awareness that information of this kind should not be included in what is sent to Company, Inc., and if they spot any that inadvertently has been sent to them, it needs to be handled with greater care.
Where Tom the Tactical should direct his concentration is on the last aspect (making up the final, third row of gateways): overcoming the restriction on exporting personal data from the EU to jurisdictions with inadequate privacy protection (as the EU Commission sees it). The architects of the directive identified data exports as a major potential loophole that could nullify EU citizens’ data privacy, so they built in a ban on sending personal data to any location outside the European Economic Area (the 28 EU member states plus Norway, Liechtenstein, and Iceland) lacking an “adequate” level of privacy protection. The European Commission—which has researched and formally recognized certain “white list jurisdictions” such as Canada, Argentina, and Israel—determines adequacy. Other recognized methods of meeting the EU privacy adequacy standards are through safe harbor membership, by adopting so-called “binding corporate rules,” or by putting in place EU model contract clauses as described in more detail below. If adequacy cannot be achieved by these means, then the third row of “gateways” from the directive comes into play, and at least one of these gateways needs to be “unlocked” in order lawfully to export personal data out of the EU.
How U.S. Companies Comply
The safe harbor scheme, operated by the U.S. Department of Commerce (see www.export.gov/safeharbor), was the result of urgent negotiations in the late 1990s between the European Commission and the Department of Commerce to address the potential difficulties to transatlantic trade the then-new directive posed. A U.S. entity is deemed to be providing “adequate protection” to personal data it receives from the EU and thus overcomes the restrictions on receiving personal data from an EU originator if it voluntarily adheres to the seven safe harbor principles and is listed publicly on the safe harbor list. Only U.S. organizations subject to the jurisdiction of the Federal Trade Commission or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation may participate in the safe harbor, so certain financial institutions such as banks, investment houses, credit unions, savings and loan institutions, and telecommunication common carriers are excluded.
Company, Inc., could potentially join the safe harbor, but it will likely take months of preparation, so Tom the Tested needs to press on.
Another route to achieving “European-grade” adequacy is for the exporting and importing parties to enter into a data transfer contract including model clauses approved by the European Commission. This is not an uncommon approach within multinational companies, albeit usually less attractive for transfers between unrelated entities. Even though adopting data transfer agreements (and completing the associated regulatory formalities) can quickly turn into something of a contractual Gordian knot, international groups can still find this to be the “least bad” option.
Last but not least, a more holistic compliance option for achieving adequacy is for an organization to adopt so-called binding corporate rules (BCRs) that ensure protection of personal data across its multinational structure. Here, an organization draws up appropriate internal policies and arrangements (including a method of rendering them legally binding intra-company), and then submits these for formal examination and approval by the European data protection authorities. Once approved, the corporate group is then authorized to carry out intra-group transfers of personal data freely on the terms of the BCRs’ approval (e.g., those BCRs might cover only employees’ data, only customers’ data, or both). BCRs are not a quick-fix solution and typically take at least 18 months to put in place.
If none of the above methods of achieving adequacy applies, there is the final row of gateways, discussed in detail in In re Bernard L Madoff Investment Securities LLC and In re Madoff Securities International Ltd, [2009] EWHC 442 (Ch). There, the English High Court had been asked to rule on whether the joint provisional liquidators of an English company in the group formerly run by Bernard Madoff were entitled to transfer information including personal data (protected by the UK Data Protection Act of 1998) to the New York–based trustee in bankruptcy of the U.S. parent company. The court ruled that they could, notwithstanding data transfer restrictions in the UK Act, because even though the United States is not recognized as providing adequate protection (it is not a “white list country,” nor were model data transfer agreements or BCRs applicable here), three possible exemptions (i.e., the “gateways”) applied: The transfer would be (1) necessary for reasons of substantial public interest, (2) necessary for the purpose of legal proceedings (including prospective ones), and (3) necessary for the purposes of establishing, exercising, or defending legal rights.
The judge found that transferring the data was necessary to investigate Mr. Madoff’s alleged $50 billion fraud and also that unraveling the fraud would undoubtedly involve legal proceedings (and already had, both in New York and in the UK), and the establishment of legal rights would no doubt be necessary to wind up the affairs of the relevant companies in an orderly fashion.
Europe Discovery Differs
Pre-action discovery is a special case, and although Tom has not yet reached that point, he likely soon will, and so similar principles apply. First, it is worth keeping in mind that the majority of the EU member states operate civil-law legal systems in contrast to the common-law systems in the United States and UK. Litigation disclosure (as discovery is called in English procedure) has a far more fundamental role in the litigation process of common-law systems than in civil-law countries, where there is a far more restricted process or no formal process at all. In France and Spain, for example, discovery is restricted to only those documents that are admissible at trial.
Not only is there a fundamental difference in scope but some European countries (mainly civil-law ones) have brought in so-called blocking statutes specifically aimed at preventing cross-border discovery of information intended to be used in discovery in foreign jurisdictions. Some of these laws, for example in France, prohibit disclosure from the country of certain types of documents or information where the same is to be used as evidence for foreign judicial or administrative procedures. Breaches of such laws can result in criminal as well as civil sanctions. In 2008, the French Supreme Court upheld the criminal conviction of a French lawyer for breaching a blocking statute by complying with a request from U.S. courts; the lawyer was also fined approximately $15,000. Unfortunately, it appears that the U.S. courts do not recognize such laws as providing a defense against discovery in relation to U.S. litigation.
A U.S. court may order a person subject to its jurisdiction to produce evidence located outside the United States, provided that the person possesses, controls, or has custody or authorized access to information from the United States via computer, wherever such data may be physically located. So, European-based entities can indeed potentially find themselves between a rock and a hard place (or a hard law, certainly), which, if Tom were of a caustic disposition, he might by now be ruefully thinking neatly sums up the whole European story. Tom should take heart, though, as these tensions have not gone unaddressed.
In 2009 the expert data protection advisory body to the European Commission (the EU WP mentioned above) published Working Document 1/2009 on pretrial discovery for cross-border civil litigation (see ec.europa.eu/justice/data-protection/article-29/documentation/index_en.htm). Extensive work in this area has also been done by the U.S. research and education institute The Sedona Conference, in particular in its International Principles on Discovery, Disclosure & Data Protection published in December 2011 by its Working Group 6 (WG6) (Best Practices, Recommendations & Principles for Addressing the Preservation & Discovery of Protected Data in U.S. Litigation) (see https://thesedonaconference.org/publications).
The EU WP guidance represents the EU data protection regulators’ collective view on how to comply with the Data Protection Directive in this area but is not a statement of the law or legally binding; it recommends a series of steps, which many organizations may feel are not easy to achieve. Perhaps the most challenging suggestion (which seldom is possible in practice) is to consider whether the information really needs to be in an identifiable form and, if not, to anonymize all information prior to sending it out of the EU for discovery purposes. (By making information truly anonymous, it is no longer “personal data”; therefore, the directive does not apply to it.)
Certainly, EU data controllers should be seeking to test the extent to which personal—i.e., identifiable—information is really necessary for the purposes sought. The Sedona Conference WG6 is supportive of this; their Principle 3 states, “Preservation or discovery of [personal data] should be limited in scope to that which is relevant and necessary to support any party’s claim or defense in order to minimize conflicts of law and impact on the [individual who is the subject of the data].” The EU WP recommends that any filtering process, even if conducted by an agent, should be carried out in the EU.
Returning to the successive rows of compliance gateways mentioned earlier, the EU WP explains it is first necessary to ensure that the processing (the actual disclosure to a separate entity from the data controller) is in itself legitimate (part of the first row of gateways). Once that is established, a separate look needs to be taken as to whether the transfer out of the European Economic Area meets a further gateway (the third row of gateways).
The most relevant gateways in the first row (fair and lawful processing) are consent by the individuals, necessity for compliance with a legal obligation, and necessity for the purposes of a legitimate interest (counterbalanced against the risk of prejudice to the individuals’ rights and interests).
There are untold practical difficulties with consent. It would seem unfair, the EU WP notes, to infer that just because a customer has chosen to do business with a (say) UK company that is part of an international group, the individual has consented to the transfer of his or her personal information from the UK to a third party, including one outside the European Economic Area. Achieving freely given, informed, and specific consent from individuals is such a high bar that an alternative gateway is recommended for the disclosure and international transfer of data.
The EU WP does not consider an obligation imposed by a foreign statute or regulation to be capable of qualifying as a legal obligation by which data processing in the EU can be made legitimate. Initially, this appears surprising, though it is a logical corollary of preserving national sovereignty—to find otherwise could seriously undermine the effectiveness of the EU regime. The position is different if there is a binding legal obligation in the EU to comply with an order of a foreign court seeking discovery; this could occur, for example, under the procedure set down in the Hague Evidence Convention, although that convention is not attractive or popular in practice, and U.S. courts have commented that it was “unduly time consuming and expensive, as well as less certain to produce needed evidence than direct use of the Federal Rules [of Civil Procedure].” Société Nationale Industrielle Aérospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522, 542 (1987).
The remaining potential gateway in our first row of gateways is where the disclosure is necessary for the purposes of a legitimate interest pursued by the data controller or by the third party to whom the data are disclosed. At the same time, this would only be satisfied if these legitimate interests were not overridden by the legitimate interests or fundamental rights and freedoms of the individuals who are the subject of the data. Individuals who could be affected in the case of Tom’s request for material include employees of the European companies, as well as, possibly, employees of corporate customers or third-party organizations. All these individuals are recognized as having rights under the directive. The EU WP recognizes that the interests of justice would not be served by unnecessarily limiting the ability of an organization to defend or establish a legal right, but proportionality is seen as important: organizations should ask themselves how relevant is this information to the litigation and what consequences could this have for the individuals if their data are disclosed. (Note that it is not all possible interests of the individuals that are protected, rather only their legitimate interests.) However, if a reasoned, proportionate approach is taken to selecting relevant personal data (and excluding irrelevant data), it will usually be possible to maneuver through this first row of gateways.
Then we have the row of gateways applicable to transfers of personal data to countries outside the European Economic Area where there is no EU-recognized adequacy of protection. The EU WP guidance reiterates the methods of achieving adequacy described earlier (“white list” countries, safe harbor, model contracts, and binding corporate rules). If none of these is available, the EU WP states that, provided the transfer for litigation purposes is likely to be a single transfer of all relevant information, it would be possible to rely on the “gateway” that the transfer is necessary for the establishment, exercise, or defense of legal claims. This is intended to be construed narrowly, however, and the EU WP makes it clear that the speculative transfer of all employee files to a group parent company on the grounds that there might one day be legal proceedings in U.S. courts would not clear this gateway.
The EU WP and WG6 are agreed that involving corporate data protection officers in the process at an early stage is sound advice. (Data protection officers are mandatory in Germany and in some other EU jurisdictions.) WG6 notes that U.S. courts are encouraged to take up such issues at the first conference in every case (See U.S. Fed. R. Civ. P. 16(b)). WG6 is also supportive of the EU WP suggestion that EU data controllers approach the U.S. courts to explain the data protection obligations placed on them and also to request protective orders to enable them to comply with the directive. WG6 proposes, as Principle 4 of its International Principles on Discovery, Disclosure & Data Protection, that “where a conflict exists between Data Protection Laws and preservation, disclosure or discovery obligations, a stipulation or court order should be employed to protect [personal data] and minimise the conflict.”
So, after the hard trudging along the stony tracks to the various gateways, there is some comfort for Tom in his tribulations: Taking account of these recommendations of the EU WP and the Sedona Conference WG6 could help make the span between the EU privacy rock and hard place more comfortable.
Enforcement in Practice
While the European Data Protection Directive’s detailed and demanding rules have been in force for almost 20 years, the enforcement of restrictions on transfers out of the European Economic Area so far has been relatively limited; the enforcement focus has tended to be on security breaches. This may have meant the risk of adverse consequences was tolerable for many multinational organizations caught up in a data privacy conflict of laws over transferring personal data out of the European Economic Area. That situation has started to change. Data security breaches and data “scandals” are sensitizing individuals in Europe, which in turn captures the attention of governments and legislators. This has been further heightened by revelations contained in material leaked by Edward Snowden about the apparent extent of the NSA’s monitoring of EU citizens’ communications, and even those of EU executive bodies via surveillance at the United Nations Headquarters. In the EU, to describe this as a politically charged issue is probably an understatement. At the time of writing, EU data protection authorities are carrying out their own investigations into whether privacy rules have been breached by secret U.S. surveillance programs, and Germany and Brazil submitted a draft resolution to the United Nations General Assembly calling for an end to human rights violations that may result from the conduct of surveillance of communications, including extraterritorial surveillance. The row even briefly threatened to delay trade talks between the EU and the United States, but they are understood to have agreed to establish a working group to look into the alleged surveillance activities in parallel with the trade negotiations.
Far-reaching data protection legal reforms are currently being negotiated in the EU with the aim of updating the 1995-era law. The draft law takes the form of a regulation (with direct and therefore more harmonized effect throughout the EU) and signifies a major reform of the general data protection law. Fines of up to 5 percent of global annual sales or 100 million euros—whichever is greater—are proposed, as well as greater cooperation and coordination between the data protection authorities in the EU. If adopted substantially in that form, it represents a comprehensive revision and strengthening of data protection laws in the EU, which are already considered to be among the most stringent in the world.
When the ambitious new EU law comes into effect (currently expected to be in around 2016), multinationals may face even greater difficulties over transatlantic data flows. What will certainly have an effect, though, is the new sanctions regime, in particular the maximum fines of 5 percent of global annual sales. The hard place looks set to get harder.
So now let’s return to Trusty Tom and consider his next steps and those of his European colleagues. It has been agreed that his colleagues in France, Germany, and the UK will conduct a search of the emails of relevant procurement staff who are known to have been involved in the ailing project. The search for emails will cover a limited, 18-month date range that is most pertinent to the issues; keywords relevant to the project will be used to search the emails, and any “hits” will be reviewed by the local legal teams or their external, in-country counsel. Any private or personal emails accidentally picked up (little Billy’s school report, doctors’ appointments, or even intimate messages between partners) will be removed, and the filtered material will be sent (securely) to Tom the Triumphant, for his consideration. It has also been agreed that prior to production of the documents in U.S. discovery (as and when litigation arises), Company, Inc., will ask the U.S. court for a protective order.
So then, as an epilogue to our drama, our protagonist could have ended up despairing like Timon of Athens, the man who lost everything: “I am sick of this false world and will love nought but even the mere necessities upon’t” (act 4, scene 1). But fortunately, thanks to the six-step strategy, Tom the Transatlantic found he was made of tougher stuff.