Parties in the US are allowed broad and liberal discovery of electronically stored information (ESI) relevant and proportional to the claims and defenses in a legal action. When a US-based litigant seeks ESI stored in other countries, however, it raises thorny legal and practical issues. ACEDS recently conducted a webinar on this topic entitled “Now What? Cross-Border and International Discovery Post-Schrems II” with Bryant Isbell from Baker & McKenzie and Eric Mandel from Driven. We thought it made sense to share the recent developments in this area on the ACEDS blog.
EU Courts Invalidate Privacy Shield
For several years now, practitioners have relied on what is called the Privacy Shield to effectively transfer ESI across borders. The Privacy Shield consisted of agreements between the US, the EU and Switzerland to permit cross-border data transfers. The agreements were administered by the US Federal Trade Commission and required that those using the Privacy Shield adhere to seven primary data protection principles and sixteen self-certification principles. The agreements opened communication channels between US and EU data protection authorities, and they provide for binding arbitration to resolve any disputes.
In July, this all changed as the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, and then about a month later the Swiss data protection authorities did the same. The CJEU ruled in Data Protection Commissioner v. Facebook Ireland and Maximillan Schrems (“Schrems II”) that the Privacy Shield did not adequately protect the privacy citizens in the EU.
To keep things in context, outside of the US, the idea that someone can file a lawsuit and demand large volumes of ESI, including sensitive business, government, or personal information, is truly a “foreign” concept and is viewed cautiously, if not with outright alarm.
Data Still Needs to Move Across Borders
But the fact remains that ESI will still need to be moved across borders. If a request for ESI includes information that is located outside of the US, and it is determined that information is within the possession, custody, or control of the party receiving the document request, that party must determine how that data may be transferred to the US.
Practitioners in the US need to be aware of and take into consideration the differing laws, legal rights, and obligations in other jurisdictions that are rooted in local cultural and political views.
Data Protection Laws and Regulations
Around the globe, laws and regulations restrict cross-border data transfers and limit the ability of parties to access information for use in US litigation. Many jurisdictions have data protection laws and regulations designed to protect against the unlawful use of individual’s personal information, including the transfer of information to other jurisdictions that lack adequate data protections. Other countries have blocking statutes designed to prohibit the transfer of information their governments consider to be necessary to protect citizens and local businesses, and some have state secret laws that protect data held by state-owned or subsidized enterprises. Yet other jurisdictions have established “works councils” to protect employee rights.
The European Union General Data Protection Regulation (“GDPR”) is the most well-known data protection law. Many other countries have enacted (or are in the process of rolling out) data protection laws as well. The intent of these laws is to ensure that information that identifies a natural person is used only for authorized or lawful purposes.
Under the GDPR, there are limitations on collecting, processing, reviewing, and producing ESI that contains personal data. In the absence of a lawful basis for processing the ESI, or another specifically recognized legal reason, processing of such data is a violation of the law.
Data minimization is also a component of most data protection laws. This means that ongoing processing and retention of personal data should be limited to only what is reasonably necessary and established at the time of collection. Personal data should then be promptly destroyed; it should not be indefinitely preserved or retained.
How to Overcome Restrictions on Cross-border Data Transfers
There are several ways to overcome data privacy restrictions and enable cross-border transfers. These methods may be used individually or in combination with others depending on the restriction imposed or objection presented. It is important to note, however, that there are significant complexities to this area of law and practice, and experienced, qualified legal counsel should be consulted when faced with cross-border data transfers for the first time.
1. Removing Personal Data from Data Sets
First, if ESI does not contain personal data, it is generally outside the scope of data protection laws. In other words, if the ESI sought contains no personal data, either because none existed or the personal data has been removed, there is no legal restriction under a data protection laws like the GDPR preventing transfer of that ESI to the US. However, other superseding limitations on the transfer of that ESI may apply, including blocking statutes, state secrets laws.
Personal information can be removed from ESI in a few ways. The first is an agreement between the parties to strip all personal data of foreign data subjects from any information that will be transferred to the US. This can occur, for example, with data sets where any personal data is discretely separated, such as in structured data, and the fields containing personal data are simply not exported. However, too often personal data is integrated into the document set such that excising it would require altering the documents, which could raise issues of authentication and subsequently impact admissibility.
The second option for removing personal data is to perform anonymization or deidentification on the data set to permanently hide all personal data of protected data subjects. This can generally be accomplished using redaction technology, but it can be expensive and would need to be performed prior to transferring the data to the US. Pseudonymization of personal data does not sufficiently cleanse a data set; it is merely considered one of many appropriate safeguards that can (or should) be used in the overall scheme of protecting personal data from unauthorized disclosure.
2. Consent of the Data Subject
Some jurisdictions permit transfers of personal data to the US based solely on consent of the individual. It is important to check with local counsel or data protection authorities for advice on a particular country. Individuals may consent to the processing of their personal data, but obtaining consent is no simple matter, and as such is a least preferred basis for processing.
To be effective, consent must be given freely, voluntarily, and knowingly; it cannot be coerced, even mildly, by an employer. Evidence of consent must be clear, and importantly, consent, once given, may be revoked. Where obtaining consent is not feasible, the party from whom documents are requested must at least disclose to affected persons that their personal information will be processed and possibly disclosed and offer such persons the opportunity to object.
3. Binding Corporate Rules
Under the GDPR there is a safeguard known as Binding Corporate Rules (BCR) that allows the cross-border transfer of ESI to countries that lack adequate data protections. Binding Corporate Rules are data protection policies companies use to transfer personal data outside the EU within an organization. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers.
Approved BCR policies are used in day-to-day business for large international companies that need to regularly transfer personal data between offices around the world. They are complex instruments that require specific drafting and approval by data protection authorities. They should not be considered for use in one-off situations, such as a specific litigation, but rather as a long-term solution to ongoing cross-border data transfer needs.
4. Standard Contractual Clauses
Another way to transfer of ESI containing personal data to the US, and perhaps the most common, is known as Standard Contractual Clauses (SCC). Standard Contractual Clauses are form contractual documents issued by the European Commission to be completed by the contracting parties. One form contract is for the transfer of data from one data controller to another data controller outside of the EU, while the second contract form is between a data controller and a data processor outside of the EU. This second contract is used for the transfer of documents containing personal data for discovery for US litigation. The form contains four parts and is completed by the data controller/exporter and the recipient of the data. Much of the forms cannot be changed and the parties are essentially agreeing to protect the data.
Once the SCC is filled in, signed, and completed by the data controller and the US-based data processor, the personal data can be transferred to the US, subject to the terms of the SCC. Unlike Binding Corporate Rules, SCC’s are good for one-off data transfers, although they can be used for continuing data transfers if and as specified.
5. Transfers Through the Hague Convention
Many countries are parties to an international agreement called the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, commonly referred to as the “Hague Convention.” It is a process, originating in the 1960s, that is used in legal matters for service of judicial process from one contracting country to another without diplomatic or consular channels. The Hague Convention is not specifically related to requests for ESI, but rather for the service of process or a subpoena and related documents in a legal matter. The formal request is commonly referred to as “letters rogatory.”
When using the Hague Convention for the cross-border transfer of personal data that is subject to a data protection regime, considerations will still need to be made as to fulfilling legal obligations and the demands of the supervisory authority for the jurisdiction. And practitioners should note, too, that the process under the Hague Convention can be quite lengthy.
While the United States continues to adhere to civil procedure rules that allow for very broad discovery, it is important to understand that the rest of the world does not view discovery in the same way. Some countries view broad disclosure of information as outright suspicious and even criminal. When conducting international discovery or seeking to move ESI relevant to a matter across borders, it is critically important that the parties understand the rules of the locality in which the data resides.