The Sedona Conference’s recent publication of best practices in managing cross-border discovery underscores the intensifying conflict between broad US discovery practices and international privacy laws. The draft document, appropriately subtitled “European Union Edition,” outlines six broad principles intended to aid litigants in navigating the often contradictory requirements in the preservation, disclosure and ultimate transfer of data across international borders. In sum:
- Courts and parties should demonstrate due respect for the data protection laws of foreign sovereigns and the interests of parties subject to or benefiting from those laws.
- Where international legal obligations conflict, a party’s conduct should be judged using a standard of good faith and reasonableness.
- In order to minimize conflicts of law, the scope of discoverable data should be limited to relevant and necessary information to support a party’s claim or defense.
- Stipulations between the parties and court orders should be employed to limit conflicts where possible.
- Companies should be prepared to demonstrate their compliance with data protection rules and safeguards.
- Companies should retain protected information only as long as necessary to satisfy legal or business requirements, and appropriate safeguards should always be employed around data subject to preservation requirements.
Since the late 1990s, the EU Data Protection Directive has required minimum data protection standards across all European Union member states. The rules include, among other things, the requirement that companies give “data subjects” (customers, employees, etc.) the ability to correct their data, use personal data only for the purpose for which it was obtained, and not transfer data to any country failing to enact adequate data protection laws.
Even by these minimum standards, the potential conflicts with US preservation and discovery laws, as well as internal corporate retention policies, are clear. Compounding the issue, individual EU member states may elect to adopt more stringent standards than the Directive requires, and often do. For example, blocking statutes protect citizens of certain member states from the compelled production of information for legal proceedings outside their borders. Not only do these statutes provide a loophole for parties seeking to escape US discovery requirements, but when enforced, they can proactively penalize an EU citizen or litigant for complying with US law (see, for example, In re Advocat “Christopher X,” Cour de Cassation, Appeal No. 07-83228 (Dec. 12, 2007), in which the Criminal Chamber of the French Supreme Court upheld the conviction and fine of a French lawyer for violation of the blocking statute).
Although the United States signed the Hague Evidence Convention, American data privacy protections fall short of European Union standards – and even shorter when compared to particular member states – causing a strain between US courts and foreign authorities. The EU’s mistrust of American data protection practices is not without merit, considering the US Supreme Court’s 1987 decision describing Hague Convention procedures as optional and not superseding the Federal Rules of Civil Procedure. See Societe Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522 (1987). Cases throughout 2011 continue to demonstrate the American judiciary’s willingness to enforce broad discovery interests in the face of conflicting foreign privacy laws, although some courts did require the requesting party to exhaust Hague Convention procedures before attempting to enforce US discovery rules. See S.E.C. v. Stanford Int’l Bank, Ltd., Civil Action No. 3:09-CV-0298N, 2011 WL 1378470, at *3 (N.D. Tex. Apr. 6, 2011), citing Aerospatiale.
This year promises intensification of the issue, as legal and business communities await the European Commission’s proposal for reinvigorating data protection rules, due for publication in the coming weeks. In addition to existing data protection principles like transparency, finality, proportionality and data quality, the new legislation is expected to add data minimization (limiting a company’s collection of personal information to data “directly relevant and necessary to accomplish a specified purpose,” and prohibiting the data from being kept beyond the period of time necessary to achieve that purpose) and accountability (placing direct responsibility and liability for the processing of personal data with the controller, i.e. the person charged with data protection compliance at any company or institution).
Regardless of what regulations make it into the final legislation, a couple of things are clear. First, privacy impact assessments will become as commonplace and necessary as data retention policies. Second, we can expect a steady increase in investigations by data protection regulators, competing only with the increasing frequency of internal investigations as private businesses attempt to root out risk and liability preemptively. As the European Union strengthens its resolve to protect personal data and privacy rights in this digital era, US courts will undoubtedly face a growing number of challenges to conflicting preservation and discovery rules. Let’s hope Sedona’s latest set of recommendations succeeds in easing the pain of parties caught in the middle.