US discovery rules will likely override your EU privacy obligation: Plan ahead!

The E.D. Michigan held that despite European data protection laws that might restrict disclosure of personal information, a US litigant must comply with federal discovery rules even if that means producing documents stored in the EU. Under EU Directive 46/1995 and the national implementation legislation,[i] personal information can only be processed according to privacy rules. Disclosure in a court proceeding is processing. Article 7 provides that processing of personal data can be done only on one of the grounds provided in that Article, the most notable being consent of the person whose data is processed (called the “data subject”). In the absence of consent, two other grounds for processing are compliance with a legal obligation to which the controller is subject,[ii] and “legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.” However, the transfer of data stored in Europe to a third country (such as the US) would in any case require the consent of the data subject,[iii] even if an alternative ground for processing is used.

Parties to US litigation required to produce documents stored in the EU have claimed that the production would be incompatible with their obligations under the EU data protection rules. That was exactly the situation in the Michigan case. These arguments are similar to those raised with reference to blocking statutes, i.e. foreign statutes (quite common in Europe, e.g., French statute N° 80-538 of July 16, 1980) that “criminalize the very act of providing information requested in the course of foreign legal proceedings when the request is brought outside of the procedures established by the Hague Convention [on Taking of Evidence Abroad]” (Nathan M. Crystal and Francesca Giannoni-Crystal (2011), Understanding Akzo Nobel: A Comparison of the Status of In-House Counsel, the Scope of the Attorney-Client Privilege, and Discovery in the U.S. and Europe, Global Jurist: Vol. 11: Iss. 1 (Topics), Article 1). While U.S. courts have found that foreign statutes do not per se exclude the duty of production, American courts have given weight to those statutes in deciding when production is warranted (among other factors, they have considered the importance of the sought documents, the existence of possible alternatives, and the US interests). See the leading US Supreme Court case Societe Nationale Industrielle Aerospatiale and Societe de Construction d’Avions de Tourisme of 1987, holding that the Hague Convention does not provide exclusive or mandatory procedures for obtaining documents and information located in a foreign signatory’s territory and that blocking statutes cannot have the automatic effect of prohibiting discovery outside of the Convention.

The Michigan federal court had to decide whether it could compel the production of documents stored in the EU notwithstanding the party’s EU privacy arguments. The Court held that those concerns were not enough to shield production because the U.S. had a substantial interest in vindicating the rights of the American plaintiff, and the EU privacy rules cannot have the effect of impeding the court’s informed decision of the case.

The Court considered the situation under EU Directive 46/1995. On May 25, 2018, a new Regulation, the GDPR, will replace the Directive. This change should not affect decisions like the one from Michigan, but it might increase their potential impact. The new Regulation will broaden the types of organizations subject to EU data protection to include, among others, those non-EU-established organizations that target the European market and process data of EU citizens (GDPR Article 3.2). Many American-based organizations will become directly subject to the Regulation.

Companies will have to seriously consider implementation of policies and procedures to try to reconcile conflicting obligations. Among others, the following might be useful.

Before litigation arises: 1) retention policies providing for periodic destruction of unnecessary data; 2) processing of data on EU citizens living in Europe only where really necessary; 3) planning ahead on ways to be able to respond to discovery requests while respecting the EU data protection rules (e.g., getting consent from data subjects for disclosure of their data in discovery and for transfer of that data abroad); 4) employment of counsel who are familiar with EU data protection laws and ediscovery regulations to suggest strategies; 5) segregating information of EU citizens from information of non-EU citizens if possible from a technical and organizational point of view; 6) anonymization or pseudonymization if feasible.

When litigation is foreseeable: 1) identification of alternative sources of information for production in discovery; 2) retention of counsel who are familiar with EU data protection law and ediscovery regulations for advice about possible solutions; 3) consideration of transfer issues under the Privacy Shield, the Model Clauses, and binding corporate rules.

When litigation has started: 1) discussion between the parties of EU privacy issues in an effort to negotiate solutions compliant with EU law (including use of anonymized and pseudonymized data if feasible); 2) assertion of EU data protection law with the court as soon as possible and, when the moment of production comes, request of a discovery order from the court (also incorporating possible production agreements with the other side); 3) involvement of the DPO (data protection officer) if one exists and there is no risk of waiving attorney-client privilege; 4) participation of a vendor with experience with EU data protection to produce only what is necessary to comply with both discovery duties and EU data protection; 5) separation of data that is covered by EU data protection from what is not covered and production of what is not covered to show good faith effort (then you will have to find a solution to produce also what is covered); 6) application for protective orders. (These suggestions are a modified version of the best practices suggested in The Impact on U.S. Discovery of EU Data Protection and Discovery Blocking Statutes, January 2013, Hughes, Hubbard & Reed LLP.)

For more information on the interaction of data protection/GDPR and ediscovery: Francesca Giannoni-Crystal 

—–

[i] Directive 46/1995 will soon be replaced by the GDPR (General Data Protection Regulation), entering into force on May 25, 2018. Unlike the Directive, the GDPR is a Regulation and will be applied directly in all the member states without needing implementation by domestic legislation. Processing is

[ii] Note that under the Directive the legal obligation ground for processing is wider than under the GDPR. Under the Directive, processing is permitted “if it is necessary for compliance with a legal obligation” (art. 7.1(c)). That ground could have been used by the Michigan parties to allow disclosure of data to comply with discovery rules. Under the GDPR, instead, the legal obligation ground is limited to “compliance with a legal obligation under EU law or the laws of a Member State.” Therefore, compliance with US discovery obligations would not qualify.

[iii] Consent of the data subject is not required if the receiving party is Privacy Shield certified or other methods of authorized transfer apply (i.e., the Model Clauses, and binding corporate rules).