The differences between information sharing in the United States and information sharing in the European Union (EU) are rooted both in the law and in cultural attitude. In the United States, there is no fundamental right to privacy established in any overarching omnibus privacy law. While the United States does have some constitutional protections against state actors, the interactions between citizens and businesses and courts is addressed through a variety of laws applied in specific sectors, like health (the Health Insurance Portability and Accountability Act (HIPAA)) and credit (the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act). Accordingly, the United States has a patchwork of laws at both the federal and state levels relating to data protection and information sharing. This patchwork makes compliance challenging for businesses and litigators.
In the EU, data privacy is considered a fundamental human right, which is safeguarded by an omnibus law. All EU member states are signatories of the European Convention on Human Rights. Article 8 of the convention provides that every individual has the “right to respect for his private and family life, his home and his correspondence,” subject to certain restrictions. The EU Data Protection Directive, which is currently in effect, provides the regulatory framework to effect the privacy requirements of the convention and Article 8. Any of the 28 EU member states (soon to be 27, following Brexit) can enact greater protections. Litigators must take the time to learn how EU privacy regulations can affect international and transnational practice.
Data Transfer Outside the EU
The EU Data Protection Directive states that personal data should not be processed unless certain conditions are met, falling into the categories of (a) transparency, (b) legitimate purpose, and (c) proportionality. Personal data may be transferred to a country outside the EU only if that country provides an adequate level of protection. The EU has not deemed the United States to be adequate.
Four options exist for transferring personal data out of the EU and to a country without adequate levels of protection, like the United States. First, businesses may invoke model contracts, which include terms and conditions drafted and approved by the European Commission. Second, multinational groups of related organizations can adopt internal rules for information transfers called “binding corporate rules.” Third, the outside country can obtain the data subject’s unambiguous consent to the transfer. Finally, safe harbor programs are available to U.S. companies that have agreed to participate in the program; however, this is no longer adequate under EU law and will be eliminated with the directive’s replacement in 2018.
Contrasting Approaches to Information Events
The regulatory environment changes rapidly in both the United States and the EU. Reponses to these changes, however, vary in accordance with the cultural value placed on privacy. For example, the EU has the “right to be forgotten” precedent to address the availability of information on the Internet. The “right to be forgotten” allows a data subject to ask search engines like Google or Bing to remove links to the news articles relating to the data subject on the European versions of the website. In the United States, however, the First Amendment protects freedom of expression, which includes the right of an individual to speak freely. Accordingly, no consistent precedent exists that allows data subjects to delete or remove negative information about themselves online.
Likewise, data breaches are treated differently. In the EU, under new rules that will come into effect by 2018, any company must notify national regulators within three days of discovering a breach or face fines for not sufficiently protecting an individual’s data. In the United States, notification requirements vary by industry under federal and state laws. Currently, 48 states have their own data breach notification laws. With respect to federal law, each industry is treated differently with a different timetable for notification, and each state may have its own timetable. Sometimes the timetable is imprecise and open to discretion. For example, financial institutions are required to tell customers, “without unreasonable delay,” if a breach could lead to misuse of personal information (the Gramm-Leach-Bliley Act).
In the EU, a data subject can ask any company (typically for a modest handling fee) to send details about what data the company holds on the subject and how the company uses that information. Generally, companies must hand over the files within 30 days. Conversely, no single U.S. federal law or standard exists to allow data subjects to obtain copies of their records. Industry-specific rules exist; for example, HIPAA permits patients to request copies of their medical records from health care providers. Some businesses, like Twitter, permit customers to download their own archives as a customer-service feature.
What Litigators Should Know
In the United States, litigators must look to (1) what type of data is at issue in order to discern the applicable federal law, and (2) what states are implicated in order to review the applicable state laws. However, litigators in the EU will currently be focused on the EU Data Directive (the General Data Protection Regulation (GDPR) in 2018), as well as any additional regulations in place in the particular member state at issue.
The following are some general considerations for litigators seeking to transfer personally identifying information (PII) from the EU to the United States. Under the current EU directive, PII can be shared in pretrial discovery when the litigation is determined to be for a “legitimate purpose” (Article 7) or when such transfer takes place according to model contract clauses (Article 26). Each member state’s data commissioner guidance and law should be consulted to ensure compliance, as a member state’s requirements may be stricter than the requirements in the directive.
Discovery-blocking statutes. As with shopping for favorable forums on subject matter or political leaning, parties will choose to litigate in one nation or another to avoid the production of discovery information by invoking “blocking statutes” of selected EU member states. Blocking statutes are intended to protect the sovereignty of the EU nation, giving it a resource to avoid compliance with U.S. discovery requests. A party can seek to have the U.S. Federal Rules of Civil Procedure displaced by invoking the Hague Convention on the Taking of Evidence. The moving party bears the burden of showing the Hague Convention is applicable and must establish that the relevant EU blocking statute prohibits the discovery sought.
GDPR impacts. While the law is not in effect yet and the effects remain to be seen, the following are two areas that might affect litigation and discovery.
First, under the GDPR, orders from a foreign court compelling the transfer of PII are not valid, and such orders or requests will be recognized only insofar as they are based on agreements or treaties between the third country and the EU, such as the Hague Convention on the Taking of Evidence.
The second major impact is sanctions. Under Article 48 of the GDPR, there are questions as to whether discovery and the sharing of PII absent an explicit court order and Hague analysis recognized by the member state would violate the GDPR. If so, and if a party refuses to produce discovery citing the blocking statute or GDPR, could that party be sanctioned by the court under the Federal Rules of Civil Procedure for non-production? Only time will tell.
Best practices. Litigators should consider what they should do as much as what they can do. I often encourage clients to follow best practices to make it easier not only to comply with but also to fulfill the broader purposes of the law and best serve their customers. The same is true with litigators, provided the practices can be implemented without undue burden, cost, or restrictions that frustrate justice. Generally speaking, “best practices” encompass both legal requirements and the proven information privacy and security practices that provide superior protections to information, reduce risks associated with information in litigation, and provide transparency to the data subject.
Best practices include, but are not limited to, the following:
- Consent. With an individual’s consent, almost all regulatory restrictions on processing and transferring data are removed and the terms of the consent control—provided the consent meets regulatory requirements.
- Minimum use principles. Ask for no more than what you need, and redact or remove the rest. Be specific in your requests, and take steps to prevent unneeded PII from being included, especially Social Security numbers.
- Need-to-know basis. Share or grant access only to firm or company personnel who require access to the PII to complete discovery.
- Protective orders. Many laws require them, but they simply provide greater protections and direction to parties that may otherwise not think about privacy. Again, even more important when dealing with EU member states.
- Agreements. Get third parties that support litigation under clear written agreements that include expectations for administrative, technical, and physical safeguards for all information, and a duty to report security incidents or breaches. If those parties traffic in EU data, get warranties and representations that they satisfy each member state’s requirements.
- Security. You cannot warrant privacy without security. Secure whatever PII you collect, return it, or destroy it. Use encryption, lock up hard copies, and back up your data.