Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations
Mind the Gap: Bridging U.S. Cross-border E-discovery and EU Data Protection Obligations
Overview
• The Catch 22 U.S. Discovery – E.U. Data Protection Conundrum
• Imminent changes of the proposed EU regulation affecting cross-border discovery
1. The Catch 22 U.S. Discovery – E.U. Data Protection Conundrum
• U.S. Discovery Obligations:
1. Duty to disclose (Rule 26, FRCP)
2. Duty to preserve and Legal Hold
3. Sanctions for Non-Compliance
• Do US Discovery Obligations Apply to Companies Established outside the US?
YES. Extra-territorial Application of US Discovery Obligation (Rule 34, FRCP) confirmed by case law
• Rule 34 FRCP: (a) In General. A party may serve on any other party a request within the scope of Rule 26(b): to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party's possession, custody, or control
But, what about the Hague Evidence Convention?
• Request under The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters
or
• US Court Order under Rule 34 FRCP?
Aérospatiale (Société Nationale Industrielle Aérospatiale v United States District Court, 482 U.S. 522, 544 n.28 (1987))
Court has option to order discovery under FRCP, despite Hague Evidence Convention.
However, “International Comity” demands the following balancing test to decide whether the Hague Convention is applicable:
(1) the importance to the litigation of the information requested;
(2) the degree of specificity of the request;
(3) whether the information originated in the United States;
(4) the availability of alternative means of securing the information;
(5) the extent to which non-compliance would undermine the interests of the United States or compliance with the request would undermine the interests of a foreign sovereign nation.
Catch 22 Conflict of Obligations for Companies Established in the EU and Subject to U.S. Discovery
• Which obligations to comply with: local data protection obligations or US discovery obligations?
• Proposed Solutions:
Art. 29 WP 158 on Pre-Trial Discovery for Cross Border Civil Litigation
The Sedona Conference International Principles on Discovery, Disclosure & Data Protection
2. Imminent changes of the proposed EU regulation affecting cross-border discovery
All changes will affect data controllers/processors involved in cross-border discovery
• Processing: New Rules for Processors (art. 26). Ex.: Processors need consent of controller to appoint sub-processor.
Consent of data subject: from “freely given, specific and informed” to “freely given, specific, informed and explicit”
Limitation of use of consent as basis for processing when significant imbalance of power. (employment context)
• Transfer to third countries: (art. 40-44)
Adequacy: Commission may designate separate sectors as adequate.
BCRs expressly mentioned. Includes BCRs for processors.
Standard Data Protection Clauses don’t need authorization.
Non-standard Contractual Clauses with authorization.
• Transfer to third countries: (art. 40-44)
Is Safe Harbor safe? Yes.
Legitimate interest: no frequent & massive transfers; data controllers & processors must provide documentation of proper safeguards.
Non-Legally Binding Instrument: with authorization. (art. 42 (5))
@Eudiscovery and @MoniqueAltheim
M. James Daley
• Partner, Daley & Fey LLP – over 30 years of complex litigation experience
• Founder and Chair, The Sedona Conference® Working Group on International Discovery, Disclosure and Data Protection
• Technologist – Masters in Management of Information Systems
• Certified Information Privacy Professional (CIPP/US)
• Senior Editor, The Sedona Conference® International Principles on Discovery, Disclosure and Data Protection (2011)
• Editor-in-Chief, The Sedona Conference® Framework for Analysis of Cross-Border Discovery Conflicts (2008)
M. James Daley, Esq., CIPP/US
Daley & Fey LLP
Sedona International Principles
The Sedona Conference International Principles on Discovery, Disclosure & Data Protection
• Who: Created by international experts in Working Group 6; addressed to courts, private parties, counsel and data controllers
• What: 6 principles that address discovery of protected data
• Where: Worldwide
• Why: Provide guidance where multiple jurisdictions impose conflicting duties to produce and protect data
• When: Released December 2011
2011 Sedona Conference Principles
1. With regard to data that is subject to preservation, disclosure, or discovery, courts and parties should demonstrate due respect to the Data Protection Laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws.
2. Where full compliance with both Data Protection Laws and preservation, disclosure, and discovery obligations presents a conflict, a party’s conduct should be judged by a court or data protection authority under a standard of good faith and reasonableness.
3. Preservation or discovery of Protected Data should be limited in scope to that which is relevant and necessary to support any party’s claim or defense in order to minimize conflicts of law and impact on the Data Subject.
4. Where a conflict exists between Data Protection Laws and preservation, disclosure, or discovery obligations, a stipulation or court order should be employed to protect Protected Data and minimize the conflict.
5. A Data Controller subject to preservation, disclosure, or discovery obligations should be prepared to demonstrate that data protection obligations have been addressed and that appropriate data protection safeguards have been instituted.
6. Data Controllers should retain Protected Data only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, Data Controllers should preserve relevant information, including relevant Protected Data, with appropriate data safeguards.
Framework for Cross-Border Discovery
2013 International Conference
The Fifth Annual Sedona International Conference® on Cross-Border eDiscovery, eDisclosure & Data Privacy
June 19-21, 2013, Zurich, Switzerland
12.04.23 ©Alexander Dix 23
E-Discovery – the EU Data Protection Authorities' approach
Breakout Session: Mind the Gap: Bridging U.S. Cross-border E-discovery and EU Data Protection Obligations
Dr. Alexander Dix, LL.M.
Berlin Commissioner for Data Protection and Freedom of Information
IAPP Europe Data Protection Congress 2012
15.11.2012, Brussels
Overview
• Focus on transatlantic civil law suits
• Dialogue between Sedona and Art. 29 WP
• The latest response from Europe
• Draft General Data Protection Regulation – any new ideas on transnational discovery?
Focus on transatlantic civil law suits
• Discovery requests by LEAs (e.g. DoJ) and administrative bodies (SEC) covered by mutual legal assistance treaties (e.g. EU-US)
• Procedures of MLA-treaties should be observed, no direct requests to controllers in the EU
• Focus here: transatlantic pre-trial discovery in civil law suits
Dialogue between The Sedona Conference and Art. 29 Working Party
• The Sedona Conference (TSC) Framework for Analysis of Cross-Border Discovery Conflicts (2008)
• Art. 29 Working Party WP 158 on pre-trial discovery for cross-border civil litigation (2009) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp158_en.pdf
• TSC International Principles on Discovery, Disclosure and Data Protection (2011)
The latest response from Europe
• Art. 29 Working Party has welcomed the International Principles, especially their emphasis on
- necessity, proportionality and a phased approach to discovery (Principle 3),
- the need to minimize the disclosure of personal data (Principle 3),
- encouraging organizations to implement privacy by design (Principle 6).
• The justice administrations of the German federal states (Landesjustizverwaltungen) are responsible for requests for the taking of evidence under the Hague Convention of 1970
Quotes from the TSC International Principles
• Highlighting the importance of a restrictive data retention policy in view of the fact that “many organizations worldwide have become data hoarders”
• Pointing to serious legal risks which may arise from the “over-retention of information”
Remaining issues
• Independence of EU DPAs (COM ./. Germany, Austria) and the US courts
• International Principles without binding effect
• HR and customer data
• Telecommunications secrecy
Cloud Computing
• Discovery in the Cloud (p. v TSC Principles)
• Cf. Sopot-Memorandum of the International Working Group on Data Protection in Telecommunications (“Berlin Group”) 2012, www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group
EU Draft General Data Protection Regulation
• “Leaked version” of 29.11.2011 contained a restrictive rule on discovery (Art. 42)
• Apparently deleted at the request of US Government
• Patriot Act-issue is addressed in recital 90 of the current draft (public interest)
• Legal situation would remain unchanged should the Draft become law (cf. Art. 44 para. 1 (e) of the Draft Regulation and Art. 26 para. 1 (d) of Directive 95/46)
Summing up (1)
• Despite basic differences between legal cultures on both sides of the Atlantic, practical ways and means to bridge the gap between European data protection law and US discovery are available
• European companies should make use of all possibilities of US procedural law to comply with their obligations under EU data protection law
• Restrictive retention policies are key
Summing up (2)
• Get the company's Data Protection Officer involved as early as possible
• Point to restrictions under Data Protection Laws as early as possible (even prior to the meet and confer stage)
• Highlight the risk of criminal prosecution when processing data falling under telecommunications secrecy or patients' confidentiality
• Phased culling in the country of origin
• Check the requirements for exporting data to third countries
• Apply for a protective court order