In an effort to bridge the divide between European data protection laws and U.S. pre-trial discovery rules, an advisory body established under the European Data Privacy Directive adopted on February 11, 2009 a set of recommendations for dealing with "pre-trial discovery for cross-border civil litigation."
For years, multinational corporations with U.S. and European operations have found themselves squeezed between European laws that tightly control the retention and transfer of personal data and U.S. civil procedure rules that allow for broad pre-trial discovery in civil litigation. Compounding the problem, the concept of broad pre-trial discovery is antithetical to European litigation practice. Most European countries do not permit it at all, or only to a very limited degree. Even the U.K., which has a common law litigation model most similar to the U.S., does not provide nearly the breadth of pre-trial discovery that is routine in American litigation.
Moreover, the strict European regulation of personal data is generally foreign to the U.S. While U.S. courts have the authority to consider privacy concerns in exercising their power to supervise discovery, the general tenor of American civil procedure is to grant the parties in litigation broad latitude to discover any information that is potentially relevant to the issues in the litigation or might lead to the discovery of evidence. Generally, any information that is in the possession of a party, or to which it has access, is fair game for discovery in American litigation. The fact that information may be in the possession of a European parent or affiliate, or that European law would not permit the transfer of the information to the U.S. for purposes of litigation, generally is not recognized by U.S. courts as a proper basis to withhold information. Although the Hague Convention provides a procedure for U.S. courts to request assistance from European authorities to aid in discovery, there is no general requirement in U.S. civil procedure for the parties or the courts to utilize the Convention as opposed to conventional discovery procedures.
Against this background, the Article 29 Working Party (established under Article 29 of the Data Privacy Directive) adopted a series of recommendations designed to reconcile the competing interests and claims of U.S. litigants and courts, multinational corporations, European data protection authorities and individuals in Europe whose personal data (as employees or customers, for example) could get swept up in American discovery demands.
Under the Data Privacy Directive, data may be processed or transmitted outside of the EU only in certain enumerated circumstances, including (i) with the consent of the data subject, (ii) to comply with a legal obligation, or (iii) for the purpose of a legitimate interest pursued by the data controller or by the third party to whom the data are disclosed. Consent, the Working Party noted, is unlikely to be applicable in most litigation contexts. In most cases, the data subjects (employees or customers) whose data are being discovered were not informed about the litigation purpose when the data were collected, and without such information there could be no consent. Moreover, consent is valid only if it is freely given and could freely be withheld without penalty — an unlikely scenario in most litigations.
In general, compliance with U.S. laws is not recognized as a "legal obligation," compliance with which is recognized under the data privacy directive as a legitimate basis for processing and transmitting personal information. To the extent that a European court orders production of data requested pursuant to the Hague Convention, the legal obligation exception to data privacy rules could apply; but not every European country is a party to the Hague Convention, and some have accepted the Convention with reservations, so the Convention does not solve the conflict between U.S. and European laws. Nevertheless, the Working Party recommends that American courts consider requiring litigants to utilize the procedures of the Hague Convention if available, and build in sufficient time in the litigation schedule for them to do so.
The last exception to EU data privacy considered by the Working Party is the authorization to process personal data where necessary for the purposes of a legitimate interest of the data controller or the third party seeking to obtain the data. Even here, however, the Working Party did not view compliance with U.S. discovery obligations as sufficient, standing alone, to justify disclosure of personal data of a European data subject. The U.S. litigation obligation is but one factor to be considered, to be weighed against the interests of the data subject and his right under the EU directive to object to the disclosure and the consideration of his particular circumstances. Moreover, the EU directive affords data subjects the right to review personal data before it is disclosed and to correct erroneous data — rights that are inconsistent with American discovery procedures.
Generally, the Working Party considers it the duty of the data controller involved in processing data pursuant to a U.S. discovery demand to take appropriate steps to "limit the discovery of personal data to that which is objectively relevant to the issues being litigated." Preferably, only anonymized data will be produced. In some cases, the litigants will agree to these restrictions, but in the absence of an agreement, the court where the litigation is being heard will have to rule on the European data controller's attempt to restrict the production of data. Thus, the Working Party "would urge the parties to the litigation to involve the data protection officers from the earliest stage [of the litigation]," and would also "encourage the EU data controllers to approach the U.S. courts in part to be able to explain the data protection obligations upon them and ask U.S. courts for relevant protective orders to comply with EU and national data protection rules." Historically, U.S. courts have not been especially deferential to EU data protection concerns.
The Working Party also noted the requirements of EU law to provide transparency to data subjects, who generally are entitled to know when information about them is being processed or transmitted to third parties and to review and correct personal data before it is transmitted. The Working Party acknowledged that it would be difficult to reconcile these rights with American litigation practice, but otherwise had no solution for the conflict.
Finally, the Working Party noted the obligation of data controllers to maintain the security of personal data is not reduced by virtue of the production of personal data in litigation. These obligations would apply to anyone receiving the data in the course of the American litigation, including lawyers, experts and court personnel. How these obligations are to be imposed or enforced in the context of an American litigation is not discussed in the Working Party paper.
In sum, the Working Party has acknowledged and enumerated the many conflicts between the European Data Privacy Directive and American civil litigation rules, but has not resolved them. Where the Hague Convention applies, the Working Party urges the parties to use it. Otherwise, multinational corporations will continue to find themselves in an uncomfortable squeeze between the U.S. and European legal systems.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
