Obey the Law Here, Break It There: Navigate the clash between foreign privacy laws and American discovery

In a case where discoverable information sits in other countries, you can't simply collect it and bring it back to the U.S. for review--not even with data housed on servers belonging to your own company's subsidiary or parent company.

Privacy laws outside the U.S. make what is routine and procedural here illegal there. Lawyers representing litigants in U.S. civil actions have been prosecuted in Europe for collecting data for discovery. It's not that you can't take electronic data outside of countries with privacy protection laws--you can, but only if you do it the right way. Sometimes it's easier to work with it there instead of trying to get it out.

Defining "Transfer"

What does "transfer" mean? Is it copying data from its source and then loading it onto a server? If that server is within an EU member state or approved country, is everything OK? Or does transfering mean the mere ability to access data online? So, even if the information resides on a server on European soil, does a review room in New York with access to that European database violate the European country's privacy laws and the EU's directive?

Safe Harbor and Blocking Statutes

Then there's the safe harbor route. The U.S. Department of Commerce maintains a list of companies certified as compliant with the EU privacy directives. They are recognized as "safe harbors." Data can be transferred from Europe to the U.S. if it is going into the hands of one of these companies. (This is not to be confused with a completely different "safe harbor" concept in Fed. R. Civ. P. 37.)

Clifford F. Shnier

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.