eDiscovery and the EU: European Data Privacy Regulations Every Litigator Should Know

With the ever-increasing expansion of multinational corporations and globalized business transactions, it is exceedingly likely that attorneys will have to conduct cross-border e-discovery investigations at some point in their careers. E-discovery can already be incredibly complex in a single-country context, and adding new countries, each with different rules pertaining to electronically stored information, only intensifies that complexity.

The European Union, with its stringent system for protecting the data privacy rights of the individual, represents a unique challenge for attorneys who wish to transfer data from the EU to the US in order to present it as evidence in a lawsuit. While not an impossible task, it does require that attorneys know the requirements of EU data privacy law in order to ensure that data will be available, and that an e-discovery investigation won't open their clients up to prosecution for violation of the EU data privacy directive.

The US Approach

In the US, the federal legal approach to data privacy is a sectoral one: Congress has passed laws pertaining to particular industries, such as the financial and telecommunications industries. If a business does not fall under one of these sectoral laws, it is generally free to use data as it sees fit for its business. Data created with a company's assets is generally held to belong to the company, and the company can transfer and use the data without notifying or gaining the consent of the data subject.

The EU Approach

The EU, on the other hand, views data privacy as a human rights issue, and guarantees the right to privacy in the European Convention for the Protection of Human Rights and Fundamental Freedoms. The EU has a comprehensive system of data protection in place that covers almost every collector of personal data. The European system is laid out in Directive 95/46/EC of the European Parliament and of the European Council, and individual member states within the EU have enacted national laws to put the Directive's rules into effect.

In essence, the EU considers personal data to be any information about an identified or identifiable natural person. Directive 95/46/EC restricts the processing of personal data unless certain conditions are met. Processing includes just about any action that a collector can take towards personal data, including a transfer across a national border. It also covers e-discovery investigations conducted within the EU, regardless of whether or not data is ever transferred across borders.

Processing

There are two important ways to legitimize data processing activities in relation to e-discovery, as expressed in Article 7 of the data privacy directive. First, processing can occur if the data subject gives her unambiguous consent. Individual member states have different requirements for "consent," but it is usually interpreted strictly regardless of the country.

Second, processing may take place if necessary to comply with a legal obligation of the collector. This provision is also interpreted strictly, but a US court order directing a company to produce data from a European subsidiary would most likely constitute a legal obligation. This could vary among EU member states, however - France, in particular, has demonstrated an unwillingness to legitimize data processing required by a foreign court order.

There are also special categories of processing - basically the processing of "sensitive data" such as racial, health, sexual or political information - that are generally forbidden under the directive's Article 8. One crucial exception to this blanket prohibition is when the processing is necessary for the establishment, exercise or defense of legal claims.

Regulating the Transfer of Data

These rules relating to processing only tell half the story, however. In addition to ensuring the legitimacy of the actual processing of the information, e-discovery investigators hoping to use the data in the US must also comply with rules regulating the transfer of data to non-EU countries. Any transfer to a non-EU country can only occur where the outside country has put "adequate" data privacy protections into place. This step poses particular difficulties for transfers to the US, since the EU has deemed data privacy protections in the US inadequate to support a transfer.

There are two crucial exceptions to this roadblock, however: under Article 26(1)(d), a transfer may occur when in furtherance of "an important public interest" or the "exercise, establishment or defence (sic) of legal claims." The meanings of these provisions are hotly contested, and an independent EU advisory board on data protection and privacy has interpreted them quite restrictively, especially the public interest exception. For instance, the group determined that SWIFT transfers of banking information to the US, ostensibly to supply the Bush administration with information to track the financing of terror operations, did not satisfy the public interest exception since the group held that there were other international avenues where the data would receive adequate protection.

For purposes of e-discovery, the legal claims exception probably carries more weight, but still has important limitations to consider. The advisory board has accepted the idea that the exception would most likely apply if the parent company of a multinational group were to be sued by employees of a European subsidiary. The litigation must already have commenced or be imminent, however, and the exception would not apply to large-scale prophylactic data transfers in preparation for the possibility of litigation sometime in the future.

There are also three transfer regimes that will allow for EU-US data transfers: the US-EU Safe Harbor, Model Contracts, and Binding Corporate Rules. First, any company under the jurisdiction of the FTC or the Department of Transportation automatically enjoys Safe Harbor protections, and other companies can voluntarily apply for protections after pledging to adhere to the principles of EU data privacy law. This only applies to US companies, but it allows for transfers of data without prior approval.

Next, Model Contracts are starting to be employed in order to create an enforceable pledge between a data exporter and a data importer that the importer will comply with EU law, respect the human rights of the data subject, and allow audits of its data handling methods. This can cover all types of data between two companies, but must necessarily exclude transfers of a single company's data since a company cannot create a valid contract with itself. Moreover, the data subject has enormous rights under this system, and could possibly block the production of emails or other electronically stored information.

Finally, a large multinational group can commit itself to a binding set of corporate rules surrounding its data transfers. This option allows transfers of human resources data, since it applies to intra-group transfers. It also applies to companies across the globe, not just in the US, as is the case with the Safe Harbor. There are still onerous requirements, however, since the corporation must ensure that the rules are internally binding within the group, get approval from each EU member state, and allow for judicial enforcement of the rules within each member state. So far, no multinational group has obtained full EU approval for its rules.

Attorneys should work with their clients to determine which of these regimes would best suit the client's needs. This entails an examination of the corporate structure, along with a detailed investigation of the IT department. If one of these three regimes would meet the client's requirements, the data transfer problem becomes much less of a concern. Any e-discovery would still need to constitute a legitimate processing of personal information, but proving legitimacy will usually prove to be an easier task than justifying a transfer of data to the US.

Conclusion

Clearly, any litigation with a European e-discovery component holds layers of complexity not normally present in an all-American lawsuit. It is important for lawyers to counsel their clients as to the rules that will govern data created in the EU so that the clients can organize their IT structures and choose a proper transfer regime in order to smooth the flow of data should litigation ever occur. It is also crucial to have access to lawyers versed in European law when litigation does arise. That way, much of the e-discovery can occur in the EU itself, which will minimize the risk of any liability for data privacy violations.