Data Privacy in the EU and
How It Impacts Firms in the U.S.
Presentation to ILTA Conference
August 23, 2007
Debra L. Bromson, Esq.
Jeff D. Isenberg
Shalini K. Rajoo, Esq.
Howard J. Reissner, Esq.
What You Should Know About
U.S. Discovery Rules
Shalini K. Rajoo, Esq.
Associate, Willkie Farr & Gallagher LLP
U.S. Discovery – The Framework
• Discovery governed by the Federal Rules of Civil Procedure (FRCP). Individual states vary on privilege and waiver issues.
• Framework for discovery in the U.S. is VERY different from framework for discovery in the E.U. – different expectations of privacy in the workplace, court-driven vs. party-driven discovery, jury trials vs. non-jury trials.
• FRCP permits broad discovery. Rule 26(b)(1) permits discovery of any material that is “relevant” to the claims or defenses of any party.
• Amendments to FRCP in December 2006 further extend (and complicate) discovery obligations for U.S. litigants.
The E-Discovery Amendments
• FRCP amended in December 2006 to cater specifically for electronically stored information (ESI).
• Rule 16(b) amended so that initial scheduling order may include provisions for disclosure or discovery of electronically stored information.
• Rule 26(b) amended to limit discovery of ESI so that parties need not provide discovery of ESI from sources that are “not reasonably accessible because of undue burden or cost”.
• Rule 26(f) amended to include new topics for the meet and confer: (1) preservation of discoverable information; and (2) disclosure or discovery of ESI.
The E-Discovery Amendments – Bottom Line
• The FRCP amendments have extended our discovery obligations and require us to be much better informed about where discoverable information resides within the client’s organization.
• At a very early stage in the game litigants are now required to: (1) educate themselves about ALL possible sources of discoverable (relevant) ESI; (2) make an assessment about the accessibility of the identified sources of ESI; and (3) negotiate an agreement about the sources of ESI from which data will be retrieved and the form in which that data will be produced.
E.U. Data Protection Directive
• What if one of the sources of ESI that you identify resides in the E.U.?
• First, you need to understand the E.U. Data Protection Directive. The Directive limits the processing and transfer of personal data outside the E.U.
• Second, you need to understand how the E.U. Directive has been implemented in the member state where you believe discoverable ESI resides.
• Third, you need to make a thorough assessment of your ability to meet the requirements of the Directive as implemented in the member state.
How do U.S. courts respond to claims of
foreign law prohibition on production?
• Raise the issue immediately. Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468 (9th Cir. 1992). Rule 44.1 and the amended Rule 26(f) reinforce this obligation.
• Not enough simply to allege inability to produce based on foreign law. It’s a balancing test: (1) importance of the info; (2) specificity of the request; (3) did info originate in the U.S.?; (4) alternative means of securing the information; (5) U.S. interests v. foreign state’s interests. Société Nationale Industrielle Aérospatiale v. U.S. Dist. Court for Southern Dist. of Iowa, 482 U.S. 522 (1987).
How do U.S. courts respond to claims of foreign
law prohibition on production? (cont’d)
• Courts won’t accept glib assertions that the data is irrelevant/unimportant. In re Vitamins Antitrust Litigation, No. 99-197TFH, 2001 WL 1049433 (D.D.C. June 20, 2001).
• Courts are less inclined to ignore interests of foreign state where litigation does not stand or fall on the disputed discovery. Richmark, 959 F.2d 1468; In re Rubber Chemicals Antitrust Litigation, 486 F.Supp.2d 1078 (N.D. Cal. 2007).
U.S. E-Discovery and the
EU Data Privacy Directive —
Can They Coexist?
Debra L. Bromson, Esq.
Senior Counsel and Chief Privacy Officer
AstraZeneca Pharmaceuticals LP
EU Data Protection Directive
• Requires justification of processing of all personal data; a company can only collect the information it needs
• Requires the giving of data protection notices about the purpose for which personal information will be used
• Requires security measures to be taken to safeguard data
• Grants rights to individuals to gain access to information a company has about them
• Requires deletion of information when the purpose is fulfilled
• Prohibits transfers of personal data to non-EEA countries unless they provide adequate level of protection
EU Data Protection Dictionary
• data controller: a natural or legal person which alone (or jointly with
others) determines the purposes and means of the processing of
personal data
• data processor: any person, other than the data controller’s employees, who processes personal data on behalf of the data controller
• data subject: an identified or identifiable natural person
• personal data: any information relating to a data subject, including
name, address, birthday, government identifiers
• sensitive personal data: racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership, health or
sex life
• processing: any operation or set of operations which is performed
upon personal data, including, collection, recording, organization,
storage, adaptation, retrieval, consultation, use, disclosure,
dissemination, combination, blocking and destruction
EU Data Protection Directive
• Imposes obligations on data controllers who are either (i) established in a Member State; or (ii) who use equipment in a Member State for processing personal data (otherwise than for the purpose of transit only)
• Additional notice and consent are required for
secondary uses/disclosures, and data subjects can
block such secondary uses/disclosures
• Directive has been implemented in different ways in
Member States, resulting in different provisions and
interpretations
Compliance Challenges
• What is the legal basis for processing the data
located in the EU?
– Must have grounds to process the information in the first
place
• What is the legal basis for transfer of data from EU to
the US?
– Must meet requirements for transfer or an Article 26
derogation
– If an Article 26 derogation applies, it only authorizes the
international transfer (not initial/additional processing)
EU Authorities are Aware and Concerned with
this Issue
“A similar, related matter of concern to the Working Party
is the issue of pre-trial discovery, which compels
companies based in Europe to disclose data to entities
within the US. This question raises concerns on a far
broader scale than originally thought.”
Press Release on 17-18 April Meeting of Article 29 Working Party
(See
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_20_04_07_en.pdf )
Problems with Processing in EU
• Possible grounds for processing include:
– Consent
– Performance of a contract with an individual
– Overriding interest of the data controller
– Compliance with a court order
• Consent must be freely given and capable of being revoked to be valid. In the employment context, consent is problematic.
– For example, under Rule 34, companies cannot permit employees to opt-out of having their documents examined in connection with document production requests but this is a requirement under EU law.
• Overriding interest of the data controller—requires balancing test looking at proportionality, subsidiarity and consequences for the data subject, and the data subjects may object.
Problems with Processing in EU
• Article 29 Working Party does not agree that compliance with a US discovery request is a clear legal basis to justify processing of employee data in Europe.
– Article 29 exception "for the establishment, exercise or
defense of legal claims" requires compliance with the Hague
Conventions on Taking of Evidence, to which the US is not a
signatory
– EU authorities have previously concluded that the Directive’s
reference to compliance with a legal obligation refers to
compliance with a domestic legal obligation
– Moreover, case law holds that this exception can't be used to
justify the transfer of employee files on the grounds of the
possibility of some future legal proceeding. Transfer must be of
data related to the particular claims
– Therefore, automatic scanning and copying of records for
relevance to possible future litigation would not be permitted
Transferring EU Data to the US
• The EU Data Protection Directive prohibits the
transfer of personal data outside of the EU unless
there is an “adequate level of protection”
– For the US these include Safe Harbor, Model Contracts
and Consent
• Companies usually bring EU employee data to
the US pursuant to Safe Harbor or Model
Contracts
– Subject to FRCP Rule 34
Problems with Transfer to US
• Safe Harbor doesn’t cover processing in EU before the transfer. Nor does the Safe Harbor apply to personal information collected through the employment relationship that is used for non-employment purposes.
– Safe Harbor FAQ 9
…where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes…, the U.S. organization must provide the affected individuals with choice before doing so, unless they have already authorized the use of the information for such purposes.
• Model contracts require data exporter and data importer to comply with applicable EU laws. This means that the problems with “processing” apply here as well.
Managing the Processing and
Transfer of EU Data
Howard J. Reissner, Esq.
Chief Executive Officer
Planet Data Solutions, Inc
Data Privacy
• What is Data?
– Information being processed by equipment for a
particular purpose (e.g.: computer)
– Result is a structured filing system- specific information
can be found
• What is “Processing of Data”?
– Obtaining, recording or holding information or data
(includes organization, retrieval, use of or
transmission)
Data Privacy
• What is a Data Controller?
– Person or entity who determines purpose and manner of
processing
– EU Directive imposes obligation to protect personal data
– Potential liability for failure to fulfill obligations
– Responsible for directing and controlling actions of Data
Processor
• What is a Data Processor?
– Processes data on behalf of and at the direction of Data
Controller
– Must follow instructions of Data Controller
Transferring Data From EU to United States
• Data must be lawfully processed in EU
• Transfer is allowed outside of EU only if recipient country offers “adequate protections” of personal data
• US does not offer “adequate protections”
• May transfer data to US utilizing
– Model Contract
– US Safe Harbor
– Other exceptions
Safe Harbor Provides Necessary
Level of Protection
• Hiring a third party “Data Processor”
• Data Controller – remains responsible for EU legal requirements e.g.: notice, choice, security, integrity, access, enforcement
• Data Processor – agent of Controller (subject to Controller direction)
• Data Controller should contractually define respective roles and responsibilities
• Data Processor must comply with Safe Harbor principles, i.e.: training, security
Practical Considerations
• Now you are in a position to make the necessary cost-benefit analysis. Ask yourself the following questions:
– What is the true value of this source of information relative to
(a) other more easily accessible sources of information and
(b) the litigation as a whole?
– What are the projected costs of complying with the EU Data
Protection Directive?
– What are the projected costs of defending a discovery
dispute?
– What are the relative strengths and weaknesses of each
side on discovery issues?
Practical Considerations (con’t)
• Is the data reasonably accessible—can you argue there is an undue burden or cost to get the data?
• Can you use phased discovery to limit or narrow EU discovery?
• Are you using a third party for document collection/review?
– This implicates not only the company’s, but also the 3rd
party’s, obligations with respect to the EU laws.
– 3rd party’s interests may be different than the company’s.
– 3rd party may refuse to produce information.
Practical Considerations (con’t)
• Are you treating data in a consistent manner in all litigation? Are you taking consistent positions with respect to disclosure or non-disclosure?
– Have you considered developing a litigation protocol?
• Other factors to be considered:
– Importance of information requested
– Did the data originate in the EU or the US?
– Degree of specificity of request
– Availability of alternative means to get the information
– Does non-compliance undermine important interest of the US or a state?
If compliance isn’t feasible and your
adversary is not agreeable…
• You will be engaged in a discovery dispute and you will most likely argue that the data is not accessible under Rule 26(b)(2)(B).
• Be prepared to educate the court about the Directive and the requirements for complying with the Directive.
• Be cautious about relying solely on arguments based on the cost of producing the data.
• Be completely familiar with the different sources of information within the client’s organization.
• Court may still compel production on “good cause” but argue for reasonable limitations and conditions on production. Cost-sharing/shifting!
What if…?
• Your client, Manufacture Corp. (“MC”), is a global manufacturing company organized in the U.S.
• MC has subsidiaries in the E.U. as well.
• MC is being sued for product liability in the U.S. but it has become clear that much of the correspondence and information relevant to the claims in this case are located in the E.U.
? What are the issues you should start discussing with your client? When and how do you start addressing these issues?