International Privacy Laws & Cross-Border Discovery Disputes
Countries around the world have widely divergent legal systems and hold vastly differing attitudes toward data privacy and discovery. These conflicting views often come to light in cross-border discovery disputes.
Most often, legal conflicts arise when the production of information located outside U.S. borders stands in violation of foreign laws restricting the transfer and processing of that data, despite being in accordance with liberal United States discovery laws.
Europe possesses a long-standing reputation for fierce promotion, protection and preservation of an individual’s right to privacy. The modern promulgation of this perspective came in 1995, via the European Commission’s adoption of the European Union Data Protection Directive 95/46/EC (Directive). The Directive, which established minimum protections applicable to personal data, provides that all member states “shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” The vulnerability of electronically stored personal data to abuse was the principal justification for the need for formal protection, and today the Directive has been adopted by all member states of the European Union.
The Directive imposes strict regulations pertinent to data processing and the transfer of data outside of the EU. In cross-border discovery disputes, these requirements pose significant challenges to litigators in the U.S. Specifically, the Directive’s principles governing the protection, processing and onward transfer of data located within the EU often stand in direct conflict with the liberal discovery system employed in the U.S.
Processing, as defined in Article 2(b) of the Directive, encompasses any operation performed upon personal data, including “collection, recording, organization, storage, adaptation or alteration, retrieval consultation, use disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” Given this broad definition, the Directive’s heightened processing protections have a direct effect on U.S. litigators engaged in pretrial processes, including electronic document collection and review. Consequently, compliance with the Directive requirements often creates limitations on standard U.S. discovery procedures.
The Directive also provides stringent regulations governing the transfer of data outside of the EU by prohibiting transfers to countries that do not afford “adequate” levels of protection. Essentially, this restriction requires data protection procedures parallel to those in the EU in order to effectuate data transfers. Particularly relevant to litigators is the fact that the U.S. has not been deemed by the EU to provide adequate levels of data protection. In response to this classification, the U.S. Department of Commerce (DOC) adopted the Safe Harbor Privacy Principles, which were subsequently approved by the EU. The Safe Harbor program allows U.S. organizations to certify to the DOC that privacy protections in accordance with the EU Directive will be provided when data is transferred outside of the EU. However, the Safe Harbor is not a requirement, but merely a voluntary registration. Therefore, onward transfer regulations still have the potential to generate considerable impediments to traditional U.S. production processes in international legal conflicts.
In analyzing international data protection laws, the Directive, while useful as a starting point, is just the tip of the iceberg. First, the EU consists of only 27 member states. Secondly, the Directive provides only minimum required protections. Each individual member state has the ability to provide more stringent protections – as many of them have – as it deems warranted. In addition, numerous countries elsewhere around the world have created guidelines and implemented legislation designed to protect data within their borders. Some nations have enacted blocking statutes, which are designed to prevent the international transmission of data for view in foreign judiciaries. For instance, French Penal Law 80-538 provides that “subject to international treaties or agreements and laws and regulations in force, it is forbidden for any person to request, seek or communicate, in writing, orally or in any other form, documents or information of an economic, commercial, industrial, financial or technical nature leading to the constitution of evidence with a view to foreign judicial or administrative procedures or in the context of such procedures.”
One method – albeit a largely insufficient one – for overcoming international data transmission issues is the procedure set forth in the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters. This treaty, signed by the U.S., EU and 67 other countries, sets forth a uniform procedure for obtaining information outside one’s borders involving the issuance of a letter of request or petition to a central authority, followed by subsequent approval. An approved letter of request permits the transfer and processing of data. Although fair, the Hague Convention is impractical, seldom used and severely limited in several respects:
- Many nations are not signatories to the Hague Convention.
- Even signatory nations may declare that they will not approve letters of request for the purpose of obtaining pretrial discovery of documents.
- A signatory may deny any letter of request if it “considers that its sovereignty of security would be prejudiced.”
- Obtaining an approved letter of request is time consuming, often taking 6 to 12 months.
Given these limitations, in an age where discovery – electronic discovery in particular – has become increasingly complex, the Hague Convention’s method of international discovery is obsolete. Moreover, the U.S. Supreme Court has held that the Hague Convention is merely an optional method of obtaining evidence internationally, referring to the procedures as “unduly time consuming and burdensome.”1 The Hague Convention is simply not designed to accommodate the vast amounts of electronically stored information, nor the increased frequency of modern international litigation.
Foreign data privacy, protection and discovery laws undoubtedly further complicate the world of international litigation and cross-border discovery disputes. Although there is no simple answer as to how to overcome these hurdles, awareness of these many laws on the part of counsel is crucial. Knowledge and understanding of regulations and potential conflicts is the first step in determining an effective cross-border discovery dispute plan of action.
1 Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Court for Southern Dist. of Iowa, 482 U.S. 522, 544 n. 28 (1987).