Data Privacy in the EU and How It Impacts Firms in the U.S.

Presentation to ILTA ConferenceAugust 23, 2007

Debra L. Bromson, Esq.Jeff D. Isenberg

Shalini K. Rajoo, Esq.Howard J. Reissner, Esq.

What You Should Know About U.S. Discovery Rules

Shalini K. Rajoo, Esq.Associate, Willkie Farr & Gallagher LLP

U.S. Discovery – The Framework

• Discovery governed by the Federal Rules of Civil Procedure (FRCP). Individual states vary on privilege and waiver issues.

• Framework for discovery in the U.S. is VERY different from framework for discovery in the E.U. – different expectations of privacy in the workplace, court-driven vs. party-driven discovery, jury trials vs. non-jury trials.

• FRCP permits broad discovery. Rule 26 (b)(1) permits discovery of any material that is “relevant” to the claims or defenses of any party.

• Amendments to FRCP in December 2006 further extend (and complicate) discovery obligations for U.S. litigants.

The E-Discovery Amendments

• FRCP amended in December 2006 to cater specifically for electronically stored information (ESI).

• Rule 16(b) amended so that initial scheduling order may include provisions for disclosure or discovery of electronically stored information.

• Rule 26(b) amended to limit discovery of ESI so that parties need not provide discovery of ESI from sources that are “not reasonably accessible because of undue burden or cost”.

• Rule 26(f) amended to include new topics for the meet and confer: (1) preservation of discoverable information; and (2) disclosure or discovery of ESI.

The E-Discovery Amendments – Bottom Line

• The FRCP amendments have extended our discovery obligations and require us to be much better informed about where discoverable information resides within the client’s organization.

• At a very early stage in the game litigants are now required to: (1) educate themselves about ALL possible sources of discoverable (relevant) ESI; (2) make an assessment about the accessibility of the identified sources of ESI; and (3) negotiate an agreement about the sources of ESI from which data will be retrieved and the form in which that data will be produced.

E.U. Data Protection Directive

• What if one of the sources of ESI that you identify resides in the E.U.?

• First, you need to understand the E.U. Data Protection Directive. The Directive limits the processing and transfer of personal data outside the E.U.

• Second, you need to understand how the E.U. Directive has been implemented in the member state where you believe discoverable ESI resides.

• Third, you need to make a thorough assessment of your ability to meet the requirements of the Directive as implemented in the member state.

How do U.S. courts respond to claims of foreign law prohibition on production?

• Raise the issue immediately. Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468 (9th Cir. 1992). Rule 44.1 and the amended Rule 26(f) reinforce this obligation.

• Not enough simply to allege inability to produce based on foreign law. It’s a balancing test: (1) importance of the info; (2) specificity of the request; (3) did info originate in the U.S.?; (4) alternative means of securing the information; (5) U.S. interests v. foreign state’s interests. Société Nationale Industrielle Aérospatiale v. U.S. Dist. Court for Southern Dist. of Iowa, 482 U.S. 522 (1987).

How do U.S. courts respond to claims of foreign law prohibition on production? (cont’d)

• Courts won’t accept glib assertions that the data is irrelevant/unimportant. In re Vitamins Antitrust Litigation, No. 99-197TFH, 2001 WL 1049433, (D.D.C., June 20, 2001).

• Courts are less inclined to ignore interests of foreign state where litigation does not stand or fall on the disputed discovery. Richmark, 959 F.2d 1468; In re Rubber Chemicals Antitrust Litigation, 486 F.Supp.2d 1078 (N.D.Ca. 2007).

U.S. E-Discovery and the EU Data Privacy Directive — Can They Coexist?

Debra L. Bromson, Esq.Senior Counsel and Chief Privacy Officer

AstraZeneca Pharmaceuticals LP

EU Data Protection Directive

• Requires justification of processing of all personal data; a company can only collect the information it needs

• Requires the giving of data protection notices about the purpose for which personal information will be used

• Requires security measures to be taken to safeguard data

• Prohibits transfers of personal data to non-EEA countries unless they provide adequate level of protection

• Grants rights to individuals to gain access to information a company has about them

• Requires deletion of information when the purpose is fulfilled

EU Data Protection Dictionary• data controller: a natural or legal person which alone (or jointly with

others) determines the purposes and means of the processing of personal data

• data processor: is any person, other than the data controller’s employees, who processes personal data on behalf of the data controller

• data subject: an identified or identifiable natural person

• personal data: any information relating to a data subject, including name, address, birthday, government identifiers

• sensitive personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life

• processing: any operation or set of operations which is performed upon personal data, including, collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, combination, blocking and destruction

EU Data Protection Directive

• Imposes obligations on data controllers who are either (i) established in a Member State; or (ii) who use equipment in a Member State for processing personal data (otherwise than for the purpose of transit only)

• Additional notice and consent are required for secondary uses/disclosures, and data subjects can block such secondary uses/disclosures

• Directive has been implemented in different ways in Member States, resulting in different provisions and interpretations

Compliance Challenges

• What is the legal basis for processing the data located in the EU?– Must have grounds to process the information in the first

place

• What is the legal basis for transfer of data from EU to the US?– Must meet requirements for transfer or an Article 26

derogation

– If an Article 26 derogation applies, it only authorizes the international transfer (not initial/additional processing)

EU Authorities are Aware and Concerned with this Issue

“A similar, related matter of concern to the Working Party is the issue of pre-trial discovery, which compels companies based in Europe to disclose data to entities within the US. This question raises concerns on a far broader scale than originally thought.”

Press Release on 17-18 April Meeting of Article 29 Working Party

(See http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_20_04_07_en.pdf )

Problems with Processing in EU

• Possible grounds for processing include:– Consent– Performance of a contract with an individual– Overriding interest of the data controller– Compliance with a court order

• Consent must be freely given and capable of being revoked to be valid.  In the employment context, consent is problematic.  – For example, under Rule 34, companies cannot permit

employees to opt-out of having their documents examined in connection with document production requests but this is a requirement under EU law.

• Overriding interest of the data controller—requires balancing test looking at proportionality, subsidiarity and consequences for the data subject, and the data subjects may object.

Problems with Processing in EU• Article 29 Party does not agree that compliance with a US

discovery request is a clear legal basis to justify processing of employee data in Europe.

– Article 29 exception "for the establishment, exercise or defense of legal claims" requires compliance with the Hague Conventions on Taking of Evidence, to which the US is not a signatory 

– EU authorities have previously concluded that the Directive’s reference to compliance with a legal obligation refers to compliance with a domestic legal obligation

– Moreover, case law holds that this exception can't be used to justify the transfer of employee files on the grounds of the possibility of some future legal proceeding. Transfer must be of data related to the particular claims

– Therefore, automatic scanning and copying of records for relevance to possible future litigation would not be permitted

Transferring EU Data to the US

• The EU Data Protection Directive prohibits the transfer of personal data outside of the EU unless there is an “adequate level of protection”

– For the US these include Safe Harbor, Model Contracts and Consent

• Companies usually bring EU employee data to the US pursuant to Safe Harbor or Model Contracts

– Subject to FRCP Rule 34

Problems with Transfer to US

• Safe Harbor doesn't cover processing in EU before the transfer.  Nor does the Safe Harbor apply to PI collected through the employment relationship that is used for non-employment purposes. – Safe Harbor FAQ 9

…where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes…, the U.S. organization must provide the affected individuals with choice before doing so, unless they have already authorized the use of the information for such purposes..

• Model contracts require data exporter and data importer to comply with applicable EU laws.  This means that the problems with "processing" apply here as well.

Howard J. Reissner, Esq.Chief Executive Officer

Planet Data Solutions, Inc

Managing the Processing and Transfer of EU Data

Data Privacy

• What is Data?

– Information being processed by equipment for a particular purpose (e.g.: computer)

– Result is a structured filing system- specific information can be found

• What is “Processing of Data”?

– Obtaining, recording or holding information or data (includes organization, retrieval, use of or transmission)

Data Privacy• What is a Data Controller?

– Person or entity who determines purpose and manner of processing

– EU Directive imposes obligation to protect personal data

– Potential liability for failure to fulfill obligations

– Responsible for directing and controlling actions of Data Processor

• What is a Data Processor?– Processes data on behalf of and at the direction of Data

Controller

– Must follow instructions of Data Controller

Transferring Data From EU to United States

• Data must be lawfully processed in EU

• Transfer is allowed outside of EU only if recipient country offers “adequate protections” of personal data

• US does not offer “adequate protections”

• May transfer data to US utilizing

• Model Contract

• US Safe Harbor

• Other exceptions

Safe Harbor Provides Necessary Level of Protection

• Hiring a third party “Data Processor”

• Data Controller- remains responsible for EU legal requirements e.g.: notice, choice, security, integrity, access, enforcement

• Data Processor – agent of Controller (subject to Controller direction)

• Data Controller should contractually define respective roles and responsibilities

• Data Processor must comply with Safe Harbor principles, ie: training, security

Practical Considerations

• Now you are in a position to make the necessary cost-benefit analysis. Ask yourself the following questions:

– What is the true value of this source of information relative to (a) other more easily accessible sources of information and (b) the litigation as a whole?

– What are the projected costs of complying with the EU Data Protection Directive?

– What are the projected costs of defending a discovery dispute?

– What are the relative strengths and weaknesses of each side on discovery issues?

Practical Considerations (con’t)

• Is the data reasonably accessible—can you argue there is an undue burden or cost to get the data?

• Can you use phased discovery to limit or narrow EU discovery?

• Are you using a third party for document collection/ review?

– This implicates not only the company’s, but also the 3rd party’s, obligations with respect to the EU laws.

– 3rd party’s interests may be different than the company’s.

– 3rd party may refuse to produce information.

Practical Considerations (con’t)

• Are you treating data in a consistent manner in all litigation? Are you taking consistent positions with respect to disclosure or non-disclosure?– Have you considered developing a litigation protocol?

• Other factors to be considered: – Importance of Information Requested

– Did the data originate in the EU or the US?

– Degree of specificity of request

– Availability of alternatives means to get the information

– Does non-compliance undermine important interest of the US or a state?

If compliance isn’t feasible and your adversary is not agreeable…

• You will be engaged in a discovery dispute and you will most likely argue that the data is not accessible under Rule 26(b)(2)(B).

• Be prepared to educate the court about the Directive and the requirements for complying with the Directive.

• Be cautious about relying solely on arguments based on the cost of producing the data.

• Be completely familiar with the different sources of information within the client’s organization.

• Court may still compel production on “good cause” but argue for reasonable limitations and conditions on production. Cost-sharing/shifting!!

What if…?

Your client, Manufacture Corp. (“MC”), is a global manufacturing company organized in the U.S.

MC has subsidiaries in the E.U. as well.

MC is being sued for product liability in the U.S. but it has become clear that much of the correspondence and information relevant to the claims in this case are located in the E.U.

? What are the issues you should start discussing with your client? When and how do you start addressing these issues?