Much has been written over the past year concerning the difficulties multinational corporations face in preparing for and responding to discovery requests that implicate personal data originating from the European Union. As commentators have pointed out, the requirements of the U.S. Federal Rules of Civil Procedure concerning preservation and production of documents and electronically stored information can conflict with privacy obligations under the EU Data Protection Directive. These concerns have not gone unnoticed by European data protection authorities (DPAs), who raised the issue with the Article 29 Working Party in April 2007. In January of 2008, the CNIL, the French DPA, released a statement announcing four areas where data processing and transfers could give rise to problems under "French or European Law," particularly privacy:
1. Litigation hold/litigation freeze;
2. Pre-trial discovery;
3. Information injunctions by public U.S. authorities; and
4. Creation of a new offense called "information destruction."
All of these issues spring from U.S. litigation, and more stringent regulation in Europe could squeeze multinational companies even more tightly in the United States.
Finally, on February 18, the Working Party, an advisory body established under the Directive and composed of DPAs from each member state, included pre-trial discovery on its agenda for 2008 as a high priority. The Working Party facilitates harmonized implementation of the Directive throughout the European Union.
While it is unlikely that the Working Party will issue an opinion on this issue before the second half of 2008, the general contours of the Working Party's ultimate thinking can already be predicted based on its prior body of decisions. We outline below how the Working Party might assess this issue and highlight those areas in which companies working on both sides of the Atlantic may wish to provide input. Any statement by the Working Party on pre-trial discovery will have a serious impact on international discovery in the United States and potentially could make it more difficult to extract potentially relevant personal data from the European Union. As litigants in U.S. courts with data in the European Union, multinational companies should enter into a respectful dialogue with the Working Party in order to explain their perspective and, hopefully, work toward a pre-trial discovery protocol that allows companies to efficiently litigate their matters in the United States and respect the rights of their employees and other data subjects in the European Union.
Background On EU Data Protection Directive
For readers who have not been following this issue, some background is in order. The Directive is an omnibus privacy law that restricts how businesses may use and disclose personal data. (As a technical matter, the Directive is not self-implementing but instead requires each EU member state to adopt its own implementing law, similar in function to a federal mandate. Each member state has done so.) "Personal data" includes not only information relating to an identified person, but also identifiable information. The Directive states that personal data may not be "processed" (i.e., collected, used, disclosedetc.) unless necessary for one of several enumerated purposes. These purposes include processing that is necessary to meet a legal obligation and processing that is necessary for an overriding interest of the "data controller" (i.e., the entity that determines the purposes and means of data processing) or a third party to whom the data is disclosed.
European DPAs have made clear in prior decisions that the Directive's reference to a "legal obligation" is not universally applicable but instead refers to an obligation imposed by community or member state law. Moreover, they have indicated that in determining whether a data controller or third-party recipient has an overriding interest in processing data, a balancing of interests test must be conducted that takes into account the rights and interests of the data subject. These rights and interests include, inter alia : the interest in transparency, including being provided with notice of the identity of the controller, the purposes of the processing, and recipients of the data; the right to access personal data about oneself and have inaccurate or incomplete data amended or deleted; and the interest in having personal data about oneself safeguarded from loss, misuse, unauthorized access, and other security risks.
While the focus of the Directive is on limiting access to and use of personal data, U.S. discovery rules focus on the preservation and production of information that is potentially relevant to litigation. The goal is to give each party access to information that could be used to support its claims or defenses, thereby facilitating fairness in the proceedings and arrival at a just outcome. While U.S. discovery is not unbounded, it is broader than anything in Europe.
Working Party's Review Of "Pre-Trial Discovery" Processing
In a world in which most potentially relevant records could easily be found in electronic format, every pre-trial discovery operation that is performed upon personal data in the European Union may be affected by the Working Party's analysis - from litigation holds, to searches, to collection and production. Each of these is a processing activity and, as such, implicates the Directive.
Discovery-related processing may be found necessary for purposes of a "legitimate interest" pursued by the data controller or a third-party recipient of the data provided that such interests are not overridden by the interests for fundamental rights and freedoms of the data subject (Article 7(f)). In its opinion on the application of EU data protection rules to Sarbanes-Oxley (SOx) whistle-blowing schemes, the Working Party indicates that this balancing of interests must take into account issues of proportionality, data retention, transparency, access and amendment, and data security. The Working Party is likely to recognize that multinational corporations have a "legitimate interest" in complying with U.S. discovery obligations. Moreover, they surely will acknowledge that parties involved in litigation have a legitimate interest in accessing information that is necessary to make or defend a claim. Therefore, the only real issue is whether the interests of the parties to the litigation who seek this information are outweighed by the fundamental rights and interests of the data subject. The Working Party's analysis of pre-trial discovery is therefore likely to focus on the same five balancing of interests factors that predominated the SOx Opinion.
Proportionality: Article 6 of the Directive states that data must be relevant and not excessive in relation to the purposes for which they are processed. The Working Party may stipulate that it is incumbent on data controllers involved in U.S. litigation to take appropriate steps to limit the discovery of personal data to that which is objectively pertinent to the issue being litigated. What is less clear, however, is whether DPAs will demand confirmation of this fact, for example through "prior checking," discussed below. If so, this opens the door to a DPA disagreeing with a U.S. Court's opinion of what information is objectively relevant. Moreover, the Working Party's SOx Opinion suggests in these circumstances a preference for personal data to be processed locally (e.g., in the native country). How much processing and how much culling must be done locally is still an open question and one which both sides need to engage.
Data Retention: The Directive limits the retention of personal data to the period necessary for the purposes for which the data were collected or for which they are further processed. The Working Party may insist that, upon the conclusion of legal proceedings, personal data should be destroyed. However, this may run afoul of U.S. obligations if the personal data remains relevant to additional pending or reasonably foreseeable future litigation. A process to handle this serial litigation concern - so that a company need not destroy the data and then re-establish its legitimate right to process the data - is an issue that needs to be brought before the Working Party. A possible solution lies in what some Member States refer to as data archiving. This would require the data to be stored separately and securely, and access limited to only a few key individuals.
Transparency: Articles 10 and 11 of the Directive address information that must be provided to data subjects concerning processing operations. In the context of pre-trial discovery, they will likely be interpreted to require: (1) advance, general notice of the possibility of personal data being processed for litigation; and (2) when data is actually processed for litigation purposes, notice of the identity of any recipients, the purposes of the processing, the categories of data concerned, and the existence of their rights. Like in the context of whistle-blowing schemes, the Working Party may find that "where there is substantial risk that such notification would jeopardize the ability of the company to effectively investigate the allegation or gather the necessary evidence, notification to the incriminated individual may be delayed as long as such risk exists." This could be the case, for example, in Foreign Corrupt Practices Act (FCPA) investigations and litigation.
Access and Amendment: The Working Party is likely to restate Article 12 of the Directive which guarantees data subjects the right to access personal data about him/her in order to check its accuracy and completeness, and, as necessary, request the correction or deletion of inaccurate or incomplete data. The Working Party is likely to emphasize that these rights may be restricted only on a case-by-case basis under Article 13 when necessary to protect the rights and freedoms of others. They are unlikely to agree to a general waiver of access/amendment rights. It would be helpful if the Working Party could clarify how Articles 12 and 13 interplay with a company's duty to preserve evidence. Again, this is an area were multinational companies' perspective could be critical.
Data Security: The Working Party is likely to highlight the need for security controls (appropriate technical and organizational measures to protect personal data) in contracts with law firms, litigation support services and all other vendors involved in collecting or reviewing information. It would be helpful to litigants, however, if a standardized "pre-trial discovery" contract could be created and implemented. Input from litigants and other parties interested in U.S. litigation is essential for this process.
Review Of Prior Checking In "Pre-Trial Discovery"
While determining the legitimacy of data processing is a predicate act, in some Member States data controllers may be required to notify and check with national DPAs before commencing processing. Such individualized approval could prove quite burdensome and make it difficult for companies to comply with discovery requests in a timely manner.Moreover, to the extent certain preservation requirements are considered "processing," this could delay implementation. It would be in multinational companies' best interests if the Working Party agreed upon a standardized process that avoids the need for checking with the national DPA before processing.
Conclusion
What the Working Party says about the interplay between pre-trial discovery and the EU Data Protection Directive will affect how U.S. companies undertake U.S. litigation and, eventually, how they store data and do business in Europe and the United States. All corporate counsel with data in the European Union not only need to monitor this situation, but need to provide input to the Working Party to provide it with the best information from each different perspective. Much of our insight into how the Working Party may look at the issue of pre-trial discovery comes from its opinion on SOx whistle-blowing. Problems that the Opinion created were able to be largely resolved through later negotiations between the SEC and the Working Party. There is no obvious corresponding party to the SEC to discuss these issues in the context of U.S. discovery. Who should speak for the federal judiciary and all 50 state judiciary? Who should speak for plaintiffs and defendants? Record requesters and discovery responders? That is why it is incumbent on companies doing business in both the United States and Europe to become involved because they are likely to be the ones most affected by the Working Party's inclusion of pre-trial discovery in its 2008 Agenda.
Published May 1, 2008.