Obey the Law Here, Break It There: Navigate the clash between foreign privacy laws and American discovery

In a case where discoverable information sits in other countries, you can't simply collect it and bring it back to the U.S. for review--not even with data housed on servers belonging to your own company's subsidiary or parent company.

Privacy laws outside the U.S. make what is routine and procedural here illegal there. Lawyers representing litigants in U.S. civil actions have been prosecuted in Europe for collecting data for discovery. It's not that you can't take electronic data outside of countries with privacy protection laws--you can, but only if you do it the right way. Sometimes it's easier to work with it there instead of trying to get it out.

Other countries have comprehensive privacy protection laws. Other than a patchwork of topic-specific protections, such as medical information under HIPAA, the U.S. does not.

Privacy protection in the U.S. is mostly about avoiding governmental infringement, with protections such as the Fourth Amendment prohibiting unreasonable search and seizure. We don't care much about intrusions by non-governmental entities. Privacy protection in Europe is about protection not only from government, but also protection against abuses by private interests. For example, credit reporting on individuals is much more restricted in Europe, limited for the most part to a registry warning of persons who have defaulted on consumer debt.


Learning the Rules

Most other industrialized countries--civil code jurisdictions in particular--have a more restricted scope of discovery in civil litigation. However, that is not what prevents data in other countries from entering the US. The preventive factors are either or both of the following:

  • Directive 95/46/EC of the European Parliament and the corresponding privacy legislation of each of the member states, or, if you're dealing with Canada, that country's Personal Information Protection and Electronic Documents Act
  • "Blocking Statutes"

Directive 95/46 sets minimum standards for privacy legislation in the member countries. Some, such as Germany, go beyond the directive's requirements. But provided another member country's legislation meets the minimum requirements of the directive (they all do), then data can be transferred from one member country to another.

Outside of the European Union (EU), only two non-European countries have fulfilled the EU's requirements: Canada and Argentina.

Canada, like the EU countries, has comprehensive privacy legislation; the act mentioned above passed in 2000 and is known as "PIPEDA." Because of proximity, language, similarity of laws and culture and the fact that there is an e-discovery industry there, Canada is the only one of these countries relevant to this discussion. There is even a set of Sedona Canada principles for electronically stored information. If you're looking to gather electronic data situated in Canada, it's advisable to engage local counsel to assist you with this legislation and any other relevant provincial or federal Canadian laws before bringing or transmitting data into the U.S.

Data situated in continental Europe that cannot be transferred into the U.S. because of EU Directive 95/46 probably can be transferred into Canada. How convenient. It's like having Europe just across our northern border, but with the same time zones, same language (mostly) and a legal culture that isn't shocked by our broad rules of discovery. Again, a caveat--before you ship a load of hard drives from Turin to Toronto to host on servers for your reviewers to access from Tallahassee, get the advice of local counsel in Europe and Canada to make doubly sure that this will be all right.

Defining "Transfer"

What does "transfer" mean? Is it copying data from its source and then loading it onto a server? If that server is within an EU member state or approved country, is everything OK? Or does transferring mean the mere ability to access data online? So, even if the information resides on a server on European soil, does a review room in New York with access to that European database violate the European country's privacy laws and the EU's directive?

The answers depend on specific countries' legislation. Some are so strict that the review room itself has to be on European soil. Others are fine with access from anywhere, as long as the digital files remain stored on media located within Europe or within one of the two countries certified by the EU as compliant with its privacy directive.

Another question: Does collection run afoul of European privacy laws, simply because the data is electronic, or is it because the data may contain personal information?

We're now into a matter not just of differences in law, but of differences in culture.

In the U.S. an employee has no expectation of privacy when he or she uses employer-provided infrastructure to shop online or to send an e-mail reminding a spouse to pick up the dog from the veterinarian. In Europe an employer has no right to those personal communications even when they were made on company equipment.

But the rules go further than that. In our American way of thinking, a person has a "corporate self" and a "personal self." This split is an alien concept in Europe. An e-mail sent or received by an employee entirely in his or her corporate capacity is still "personal" in Europe because it has that employee's name on it.

Merely removing what we in the U.S. would regard as the truly personal contents of an individual's corporate e-mail box (i.e., messages to friends and family and the receipts for online purchases) does not render the rest of it all right to transfer from Europe to the U.S.

So, when is it OK to transfer European or Canadian data to the U.S.?

First, maybe consent will suffice. If consent to the transfer is given by the person identified as the "data subject," then it takes you a long way toward being allowed to bring it in. But you're not safe yet. In some countries, a consent given by an employee at the request of an employer is presumed to be involuntary. In addition, some countries' legislation may still prohibit further downstream distribution of the data, because when produced to the opposing party the data has to leave control of the company initially collecting it. By the law of the source country, the employee's consent, even if considered voluntary, may only extend as far as the entity doing the collecting. A possible solution to this problem is production by online access only to a server controlled by the collecting entity.

Second, consider getting official authorization. All EU countries and Canada have privacy commissioners, and their respective statutes all provide a procedure to seek approval of this official for transferring data out of the country. Make a good case that the removal of the data falls within one of the enumerated reasons to permit it, and you're good to go. Of course, the wheels of European bureaucracy can grind even more slowly than the wheels of U.S. justice, and you may find yourself seeking discovery extensions while pursuing this approval.

Safe Harbor and Blocking Statutes

Then there's the safe harbor route. The U.S. Department of Commerce maintains a list of companies certified as compliant with the EU privacy directives. They are recognized as "safe harbors." Data can be transferred from Europe to the U.S. if it is going into the hands of one of these companies. (This is not to be confused with a completely different "safe harbor" concept in Fed. R. Civ. P. 37.)

Safe Harbor certification is self-certification. The department does not have the resources to inspect the data handling practices of thousands of companies. Companies must re-certify themselves each year, and they may be audited by the Department of Commerce. An audit may be triggered by a complaint. If the company fails that audit, it is removed from the list and subject to other penalties for having inaccurately certified itself.

So, let's say you've satisfied the EU directive or Canada's PIPEDA. There still may be one more hurdle, and it can be a tough one. Some countries also have "blocking statutes." Many of these have been around longer than the EU directive.

Blocking statutes specifically prohibit the removal of certain kinds of data from a country. They often involve particularly influential or nationally strategic industries. For example, Canada has legislation preventing the removal of data pertaining to uranium. So after making sure you're onside with EU directive 95/46 or Canada's PIPEDA legislation, you still have to check for specific blocking statutes. Once again, assistance of local counsel is the way to go.

Active in litigation support and e-discovery since the late 1980s, Cliff Shnier is an attorney and independent electronic discovery consultant based in Scottsdale, Arizona. He has also owned a service bureau and held senior executive positions with national e-discovery providers. A graduate of the University of Toronto Faculty of Law, Cliff actively practiced law for 11 years and has extensive courtroom experience litigating complex commercial matters, as well as negligence and criminal cases. E-mail him at cliff@cliffshnier.com.
