eDiscovery and the EU: European Data Privacy Regulations Every Litigator Should Know

With the ever-increasing expansion of multinational corporations and globalized business transactions, it is exceedingly likely that attorneys will have to conduct cross-border e-discovery investigations at some point in their careers. E-discovery can already be incredibly complex in a single-country context, and adding new jurisdictions with different rules on electronically stored information only intensifies that complexity.

The European Union's stringent system for protecting the data privacy rights of the individual represents a unique challenge for attorneys. Those who wish to transfer data from the EU to the US to present it as evidence in a lawsuit face significant challenges. While not an impossible task, it does require that attorneys know the requirements of EU data privacy law to ensure that data will be available and that an e-discovery investigation won't open their clients up to prosecution for violation of the EU data privacy directive.

The US Approach: Regulating Data by Sector

In the United States, the federal government's approach to data privacy is sector-based: Congress has passed laws on different industries, such as the financial and telecommunications industries. If a business does not fall under one of these sector-based laws, it is generally free to use data as it sees fit for its business. Data created with a company's assets is generally seen as belonging to the company, which can transfer and use the data without notifying or gaining consent from the data subject.

The EU Approach: Data Privacy as a Human Right

The EU, on the other hand, views data privacy as a human rights issue and guarantees the right to privacy in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

The European system is laid out in the General Data Protection Regulation, which replaced the framework created by Directive 95/46/EC in the 1990s. GDPR provides robust rights for EU residents regarding their data and applies to all data handlers regardless of EU membership. However, paragraph 15 of the GDPR's preamble provides a safe haven for legitimate information flows like e-discovery:

"Files or sets of files...which are not structured according to specific criteria do not fall within the scope of this Regulation."

What does that mean, exactly? It separates structured data, such as customer databases, from loose individual files, which makes all the difference when it comes to conducting e-discovery.

Obtaining Unstructured Data Under GDPR

Since electronic evidence is most often contracts, meeting minutes, emails, or other communications, much of it falls into the category of unstructured data. Therefore, in some cases, litigators can conduct e-discovery without worrying about GDPR requirements. When they do have to comply, the regulation provides exemptions for data used in litigation.

Exemptions for Litigation

The normal steps taken to collect, preserve, and transmit data for litigation do constitute "processing" under the GDPR. However, the regulation allows EU member states to provide exemptions for processing data as part of a legal proceeding. In light of this, it is important for attorneys anticipating litigation in the EU to check the relevant EU country's laws.

Regulating the Transfer of Data

These rules relating to processing only tell half the story, however. In addition to ensuring the legitimacy of the actual processing of the information, e-discovery investigators hoping to use the data in the US must also comply with rules regulating the transfer of data to non-EU countries.

One method of ensuring data transfers follow European standards is the EU-U.S. Privacy Shield Framework. Companies join Privacy Shield by self-certifying to the U.S. Department of Commerce that they comply with Privacy Shield Principles, which include:

  • Notice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Recourse, Enforcement, and Liability

One thing to keep in mind is that, although Privacy Shield includes many of the same principles as the GDPR, it is not a GDPR compliance mechanism. Rather, it helps participating organizations meet EU requirements for transferring data.

Conclusion

Any litigation with a European e-discovery component holds layers of complexity not normally present in a lawsuit taking place wholly in the United States. Lawyers need to counsel their clients as to the rules that will govern data created in the EU so that the clients can organize their IT structures and choose a proper transfer regime to smooth the flow of data should litigation ever occur. It is also crucial to have access to lawyers versed in European law when litigation does arise. That way, much of the e-discovery can occur in the EU itself, which will minimize the risk of any liability for data privacy violations.