Cross-Border Discovery has always had its own challenges, including dealing with robust European data protection regulations. Now, it appears that dealing with such regulations was made even more difficult, due to the alleged actions of Edward Snowden.
This is described below in an entry written by Foster Gibbons, Senior Director, Managed Review of Xerox Litigation Services. Foster can be reached at email@example.com
Craig Brown is President of B3 Legal, a national contract attorney and paralegal firm. He is a former Litigation and Antitrust Associate with Kaye Scholer and Litigation Partner with McLaughlin & Stern.
Cross-Border Discovery in the Aftermath of the Edward Snowden Affair
Amid the cacophony of expressions of 'shock' in European capitals and in Congress over revelations concerning the breadth of NSA surveillance of private communications -- reminiscent of Captain Louis Renault's famous line from Casablanca* -- and the deterioration of US-Russian relations brought on by Russia's granting of temporary asylum to the [fugitive/whistleblower] [take your pick] Edward Snowden, an interesting understory of the affair may well be its likely tangible effect on US litigation discovery practice, as repercussions play out in European parliaments and commissions in coming weeks and months. For the litigator conducting discovery involving European data sources, navigating a safe course through the regulatory labyrinth governing the protection and privacy of personal data of European citizens (i.e., a variety of national interpretations of and enactments based on the EEA/EU Data Protection Directive 95/46/EC) will become increasingly challenging. At the same time, meeting responsibilities under US pre-trial discovery rules - inherently demanding in the best of times - might become a nightmare as European rules are tightened in the aftermath of the Snowden affair.
US discovery rules generally require preservation and production of "all" potentially relevant electronically stored information, regardless of where situated. EEA/EU data protection regulations, on the other hand, restrict access to, transfer, and exchange of data, principally data containing any personal information. Litigation-based requests for document production under US procedural laws can easily run into conflict with European privacy and data protection requirements. In the worst case, the US client with operations and personnel in European offices might face a legal obligation to disclose potentially relevant records in a U.S. court, while simultaneously under a legal obligation in one or more European states not to access, review, transfer or disclose those same records. How do US companies comply with their e-discovery obligations -- which may involve exporting European data to the US -- yet stay within the letter of European privacy and data protection laws?
The easy answer is, there is no easy answer. And detailed practice recommendations are beyond the scope of this piece. An excellent start at understanding the landscape is provided in the Sedona Conference Working Group 6 paper, Framework For Analysis Of Cross-Border Discovery Conflicts: A Practical Guide to Navigating the Competing Currents of International Data Privacy and e-Discovery (August 2008). It can also be recommended, generally, that US counsel consider the following: (i) seeking the advice of privacy counsel in the relevant EU country to assist in directing the discovery process in compliance with local privacy rules; (ii) narrowly targeting data collection; (iii) where feasible, seeking employees' consent to access their data (principally meaning work emails) for review for potential relevance to the underlying litigation; and (iv) processing and reviewing the data within the EU (redacting personal information where found), leaving to be exported to the US only a reduced volume of material as to which it reasonably can be argued disclosure is required by court order and/or applicable discovery rules in order to preserve or exercise a client's legal claims.
When personal data is transferred outside the EU, counsel is obligated to ensure an adequate level of protection is provided, consistent with EU Directive 95/46/EC. To date, the challenge on this front has been made easier by reason of the US-EU Safe Harbor program, which creates a process by which US law firms and discovery providers hosting data in the US can self-certify as to the integrity and security of their data handling procedures, vouching that they comply with EU privacy principles.
Some or all of the ground rules governing data protection are set to change, in any event. Under debate by the European Commission since before this writing is an updated regulatory schema, the General Data Protection Regulation (GDPR), which is intended to update and strengthen existing protections dating from 1995, contained in the EU Data Protection Directive cited above. Among various proposals for inclusion, a number would significantly restrict data transfers to non-EU nations, including ending the Safe Harbor program. That said, with the benefit of some effective lobbying by US and European business interests and the Obama administration, it had been expected that the new regime of regulation would be watered down and not include the most restrictive provisions. And it had been expected that Safe Harbor would be continued.
The Snowden effect on the direction of the GDPR debate and the fate of the Safe Harbor program - ultimately, if incidentally, affecting e-discovery practice in the US - has been immediate and could be significant. Disclosure of NSA's telecommunications surveillance and, especially, its PRISM program, under which US companies were compelled to surrender private emails, has made data protection and privacy hot topics in Germany's election campaign, and prompted calls by the German Conference of Data Protection Commissioners and others to immediately revoke the US-EU Safe Harbor program and to strengthen controls over the granting of access to the personal data of EU citizens. US litigators might well shudder at the prospect of having an obligation to produce in a US action client data residing in Europe - data that cannot legally be transferred under a new regime of EU regulations. No easy answer, indeed. Stay tuned.
* It could be argued that Snowden did not expose anything that was not already known -- or at least suspected -- respecting NSA's capabilities to gather and analyze SIGINT from global, and even domestic, sources.
i The term "personal data" is defined in EU Directive 95/46/EC as follows:
Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity . . .
By Foster Gibbons, Senior Director, Managed Review, Xerox Litigation Services, firstname.lastname@example.org