Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

These slides are part of a presentation given at the IAPP Europe Data Protection Congress on November 15, 2012, by, in order of presentation, Monique Altheim, James Daley and Alexander Dix. The panel was moderated by Florian Thoma.

Transcript of Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Page 1: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations
Page 2: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

New York, USA

www.altheimlaw.com

Page 3: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Mind the Gap: Bridging U.S. Cross-border E-discovery and EU Data Protection Obligations

Page 4: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Overview

• The Catch 22 U.S. Discovery – E.U. Data Protection Conundrum

• Imminent changes of the proposed EU regulation affecting cross-border discovery

Page 5: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

1. The Catch 22 U.S. Discovery – E.U. Data Protection Conundrum

• U.S. Discovery Obligations:

1. Duty to disclose (Rule 26, FRCP)

2. Duty to preserve and Legal Hold

3. Sanctions for Non-Compliance

Page 6: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

• Do US Discovery Obligations Apply to Companies Established outside the US?

Page 7: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

YES

Extra-territorial Application of US Discovery Obligation (Rule 34, FRCP) confirmed by case law

• Rule 34 FRCP: (a) In General. A party may serve on any other party a request within the scope of Rule 26(b): to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party's possession, custody, or control

Page 8: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

But, what about the Hague Evidence Convention?

• Request under The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters

or

• US Court Order under Rule 34 FRCP?

Page 9: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Aérospatiale (Société Nationale Industrielle Aérospatiale v United States District Court, 482 U.S. 522, 544 n.28 (1987))

Court has option to order discovery under FRCP, despite Hague Evidence Convention.

However, “International Comity” demands following balancing test to decide whether Hague Convention is applicable:

(1) the importance to the litigation of the information requested;

(2) the degree of specificity of request;

(3) whether the information originated in the United States;

(4) the availability of alternative means of securing the information;

(5) the extent to which non-compliance would undermine the interests of the United States or compliance with the request would undermine the interests of a foreign sovereign nation.

Page 10: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Catch 22 Conflict of Obligations for Companies Established in the EU and Subject to U.S. Discovery

• Which obligations to comply with: local data protection obligations or US discovery obligations?

• Proposed Solutions:

Art. 29 WP 158 on Pre-Trial Discovery for Cross Border Civil Litigation

The Sedona Conference International Principles on Discovery, Disclosure & Data Protection

Page 11: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

2. Imminent changes of the proposed EU regulation affecting cross-border discovery

All changes will affect data controllers/processors involved in cross-border discovery

Page 12: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

• Processing: New Rules for Processors (art. 26). Ex. Processors need consent of controller to appoint sub-processor.

Consent of data subject: from “freely given, specific and informed” to “freely given, specific, informed and explicit”

Limitation of use of consent as basis for processing when significant imbalance of power. (employment context)

Page 13: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

• Transfer to third countries: (art. 40-44)

Adequacy: Commission may designate separate sectors as adequate.

BCRs expressly mentioned. Includes BCRs for processors.

Standard Data Protection Clauses don’t need authorization.

Non-standard Contractual Clauses with authorization.

Page 14: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

• Transfer to third countries: (art. 40-44)

Is Safe Harbor safe? Yes.

Legitimate interest: no frequent & massive transfers; data controllers & processors must provide documentation of proper safeguards.

Non-Legally Binding Instrument: with authorization. (art. 42 (5))

Page 15: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

@Eudiscovery and @MoniqueAltheim

Page 16: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

M. James Daley

• Partner, Daley & Fey LLP – over 30 years of complex litigation experience

• Founder and Chair, The Sedona Conference® Working Group on International Discovery, Disclosure and Data Protection

• Technologist – Masters in Management of Information Systems

• Certified Information Privacy Professional (CIPP/US)

• Senior Editor, The Sedona Conference® International Principles on Discovery, Disclosure and Data Protection (2011)

• Editor-in-Chief, The Sedona Conference® Framework for Analysis of Cross-Border Discovery Conflicts (2008)

M. James Daley, Esq., CIPP/US

Daley & Fey LLP

Page 17: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Sedona International Principles

Page 18: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

2011 Sedona International Principles 4

The Sedona Conference International Principles on Discovery, Disclosure & Data Protection

Who:

• Created by international experts in Working Group 6

• Addressed to courts, private parties, counsel and data controllers

What: 6 principles that address discovery of protected data

Where: Worldwide

Why: Provide guidance where multiple jurisdictions impose conflicting duties to produce and protect data

When: Released December 2011

Page 19: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

2011 Sedona Conference Principles

1. With regard to data that is subject to preservation, disclosure, or discovery, courts and parties should demonstrate due respect to the Data Protection Laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws.

2. Where full compliance with both Data Protection Laws and preservation, disclosure, and discovery obligations presents a conflict, a party’s conduct should be judged by a court or data protection authority under a standard of good faith and reasonableness.

3. Preservation or discovery of Protected Data should be limited in scope to that which is relevant and necessary to support any party’s claim or defense in order to minimize conflicts of law and impact on the Data Subject.

Page 20: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

2011 Sedona Conference Principles

4. Where a conflict exists between Data Protection Laws and preservation, disclosure, or discovery obligations, a stipulation or court order should be employed to protect Protected Data and minimize the conflict.

5. A Data Controller subject to preservation, disclosure, or discovery obligations should be prepared to demonstrate that data protection obligations have been addressed and that appropriate data protection safeguards have been instituted.

6. Data Controllers should retain Protected Data only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, Data Controllers should preserve relevant information, including relevant Protected Data, with appropriate data safeguards.

Page 21: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Framework for Cross-Border Discovery

Page 22: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

2013 International Conference

The Fifth Annual Sedona International Conference® on Cross-Border eDiscovery, eDisclosure & Data Privacy

June 19-21, 2013

Zurich, Switzerland

Page 23: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

12.04.23 ©Alexander Dix 23

E-Discovery – the EU Data Protection Authorities' approach

Breakout Session: Mind the Gap: Bridging U.S. Cross-border E-discovery and EU Data Protection Obligations

Dr. Alexander Dix, LL.M.

Berlin Commissioner for Data Protection and Freedom of Information

IAPP Europe Data Protection Congress 2012

15.11.2012

Brussels

Page 24: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Overview

• Focus on transatlantic civil law suits

• Dialogue between Sedona and Art. 29 WP

• The latest response from Europe

• Draft General Data Protection Regulation – any new ideas on transnational discovery?

Page 25: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Focus on transatlantic civil law suits

• Discovery requests by LEAs (e.g. DoJ) and administrative bodies (SEC) covered by mutual legal assistance treaties (e.g. EU-US)

• Procedures of MLA-treaties should be observed, no direct requests to controllers in the EU

• Focus here: transatlantic pre-trial discovery in civil law suits

Page 26: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Dialogue between The Sedona Conference and Art. 29 Working Party

• The Sedona Conference (TSC) Framework for Analysis of Cross-Border Discovery Conflicts (2008)

• Art. 29 Working Party WP 158 on pre-trial discovery for cross-border civil litigation (2009) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp158_en.pdf

• TSC International Principles on Discovery, Disclosure and Data Protection (2011)

Page 27: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

The latest response from Europe

• Art. 29 Working Party has welcomed the International Principles, especially their emphasis on

- necessity, proportionality and a phased approach to discovery (Principle 3),

- the need to minimize the disclosure of personal data (Principle 3),

- encouraging organizations to implement privacy by design (Principle 6).

• The state justice administrations (Landesjustizverwaltungen) are responsible for requests for the taking of evidence under the Hague Convention of 1970

Page 28: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Quotes from the TSC International Principles

• Highlighting the importance of a restrictive data retention policy in view of the fact that „many organizations worldwide have become data hoarders“

• Pointing to serious legal risks which may arise from the „over-retention of information“

Page 29: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Remaining issues

• Independence of EU DPAs (COM ./. Germany, Austria) and the US courts

• International Principles without binding effect

• HR and customer data

• Telecommunications secrecy

Page 30: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Cloud Computing

• Discovery in the Cloud (p. v TSC Principles)

• Cf. Sopot-Memorandum of the International Working Group on Data Protection in Telecommunications („Berlin Group“) 2012

www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group

Page 31: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

EU Draft General Data Protection Regulation

• „Leaked version“ of 29.11.2011 contained restrictive rule on discovery (Art. 42)

• Apparently deleted at the request of US Government

• Patriot Act-issue is addressed in recital 90 of the current draft (public interest)

• Legal situation would remain unchanged should the Draft become law (cf. Art. 44 para. 1 e) of the Draft Regulation and Art. 26 para. 1 d) of Directive 95/46)

Page 32: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Summing up (1)

• Despite basic differences between legal cultures on both sides of the Atlantic, practical ways and means to bridge the gap between European data protection law and US discovery are available

• European companies should make use of all possibilities of US procedural law to comply with their obligations under EU data protection law

• Restrictive retention policies are key

Page 33: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Summing up (2)

• Get the company‘s Data Protection Officer involved as early as possible

• Point to restrictions under Data Protection Laws as early as possible (even prior to the meet and confer stage)

• Highlight the risk of criminal prosecution when processing data falling under telecommunications secrecy or patients‘ confidentiality

• Phased culling in the country of origin

• Check the requirements for exporting data to third countries

• Apply for a protective court order

Page 34: Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations

Thank you – any questions?
