We are thrilled to present the following article by ediscovery and privacy experts Karen Lust and David Cohen.
Karen Lust is Counsel at Reed Smith and part of the firm’s global Records & E-Discovery (RED) Practice Group. She is also an EU-Certified Information Privacy Professional pursuant to IAPP’s certification programme.
David Cohen is a partner at Reed Smith, where he leads the RED Group. He also chairs EDRM’s Project Trustees and co-chairs the EDRM Cross-Border Discovery Committee.
Since the European General Data Protection Regulation (“GDPR”) first came into effect in May 2018, data protection authorities across Europe have imposed steep fines and penalties for noncompliance with the law. Due to the GDPR’s extraterritorial effect, organizations outside of Europe are also potentially at risk for enforcement actions, with fines for each violation that can reach up to 4% of the entity’s annual revenue or €20 million (over $26 million USD), whichever is greater.
Past fines and decisions issued by regulators have resulted from data breaches, over-retention of data, failure to minimize the amount of data collected, failure to obtain adequate consent from data subjects regarding their personal data, and more. There have not yet been any publicly-announced fines or enforcement actions driven by compliance with U.S. discovery requirements, but few experts doubt those are coming.
The GDPR defines ‘personal data’ quite broadly, even to include any name, any email address, or any other information which, alone or in combination with other available data, allows the identification of any individual.
The application of many GDPR provisions — and uncertainties remaining in regard to appropriate mechanisms for the transfer of personal data across borders – is illustrated by the duality of the Schrems cases. In 2015, Schrems I invalidated the U.S.-EU Safe Harbor Framework as insufficient to meet GDPR data privacy standards.That led directly to the creation of the EU-U.S. Privacy Shield. In Schrems II, a judgment issued by the Court of Justice of the EU on July 16, 2020, invalidated the Privacy Shield, finding that it is likewise inadequate to protect the personal data of EU data subjects to the extent required by the GDPR.
Transfers of Personal Data Outside of the EU
In today’s global commercial landscape, the exchange of personal data across borders is commonplace, particularly to, from and within multinational entities. Chapter 5 of the GDPR deals exclusively with transferring personal data to countries outside of the EU.
Such transfers generally are prohibited, absent certain strict requirements being met. Ideally, the destination country should be a jurisdiction with a regulatory framework that meets “adequacy” standards for personal data protection, but most of the world – including the U.S. – is not judged by the EU to have protections sufficient to meet the high “adequacy” threshold of the GDPR.
In the absence of an adequacy certification, only certain mechanisms allow for permissible cross-border transfers of personal data out of the EU to “third countries.” The Privacy Shield was formerly touted as one such mechanism, but now has been invalidated.
Remaining bases for data transfers include:
- The use of standard contractual clauses (“SCCs”) approved by the European Commission in an agreement where the receiving party agrees to apply, and is able to apply, adequate safeguards to the personal data received by the originating party.
- Situations where the transfer is necessary for the establishment, exercise, or defense of ripe legal claims, although multiple EU data protection officials have indicated that this provision applies to EU legal claims, not U.S. legal claims.
- Situations where the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for purposes of a compelling legitimate interest not overridden by the interests and rights or freedoms of the data subjects, suitable safeguards are provided to protect the personal data, and the data subjects and relevant supervisory authority are notified about the transfer.
As with all circumstances in which EU personal data is involved, the general principles of the GDPR must also be satisfied. These include minimization (processing as little personal data as possible), accountability (documentation of what is processed, and the justification for doing so), and transparency (informing the data subjects how and why their information is being processed, etc.).
The transfer must also be based on legitimate interests of the litigant, which must be balanced against the interests and fundamental rights of the data subjects. Adequate safeguards must also be taken to protect the data through appropriate organizational and technical measures. In the context of ediscovery specifically, there are practical measures that litigants should take to advance compliance with GDPR, while also complying with ediscovery requirements.
Cross-Border Ediscovery Challenges Before Schrems II
Even prior to the Schrems II decision, cross-border discovery was fraught with difficult issues to navigate in the face of conflicting EU and U.S. principles and norms. For example:
- “Processing” of data is tightly regulated by the GDPR and includes even passive preservation-in-place of potentially relevant information, as well as more active processes such as collection, filtering, review and production;
- Personal privacy is considered a fundamental human right in the EU in a way that many U.S. practitioners and courts do not understand;
- Consent requirements are virtually impossible to meet in the context of discovery because consent must be obtained from all data subjects identifiable from the documents (e.g. every person sending, receiving, or otherwise identifiable from every email in a collection); the consent generally is not deemed voluntary if obtained from an employee (because of inherent coercive elements of the employer-employee relationship); and finally the consent has to be revocable at any time (which is impractical in a litigation context with regard to documents produced to adverse parties or submitted to a court).
- In most European countries, the concept of pretrial discovery does not exist the way it does in the United States courts, and so many European data protection authorities do not understand the legal obligations imposed upon litigation parties by U.S. discovery demands.
Adding to the difficulty for U.S. litigants, and the attorneys and litigation support companies they employ, is the fact that U.S. courts have generally prioritized the fulfillment of U.S. legal obligations by finding that reasonable U.S. discovery interests outweigh EU privacy interests reflected in the GDPR. Accordingly, U.S. litigants may face seemingly irreconcilable conflicts when trying to comply with both U.S. discovery requirements and the GDPR.
Challenges Introduced/Enhanced by Schrems II
The Schrems II case invalidated the Privacy Shield based on reasoning that the U.S. could not provide an adequate level of protection for data subjects, due to the wide-ranging abilities of U.S. intelligence authorities and the government to access the data without any remedies available to data subjects in the EU.
Although the decision did not invalidate SCCs, the reasoning from the opinion also sheds doubt on the viability of such SCCs as a mechanism for transferring data to the United States for litigation discovery.
SCCs are generally private agreements between the data originator and recipient (also referred to as the data exporter and importer) that have not been subject to external scrutiny or called into question. They are the approved standard clauses, expressly provided for by the European Commission for transfers between EU and non-EU countries.
The provisions are clear – but what is not clear is whether or not each individual data importer is actually complying with those provisions—indeed, whether that is even possible in the context of litigation discovery, which requires further “onward transfers” of the personal data. Accordingly, in light of Schrems II decision, any party that has been relying on SCCs as a basis of transferring data for U.S. discovery, should re-examine whether GDPR requirements are being met.
Nevertheless, there are a number of practical measures that may be taken to reduce compliance risks. Such steps include, for example: (i) pushing back against overbroad cross-border discovery requests; (ii) pursuing alternative methods of obtaining data needed for discovery (e.g. from sources outside Europe, or pursuant to the Hague convention); (iii) proceeding under GDPR derogations for data processing and transfer (see, e.g., GDPR Articles 6 and 49); (iv) data minimization steps prior to transfer; (v) pseudonymization of personal information; (vi) taking other appropriate organizational and technical measures to protect the personal data; and (vii) employing protective orders in the U.S. litigation to require that other litigation parties also take suitable measures to protect the personal data, use it only as needed for the litigation, and delete it as soon as no longer needed for the litigation.
While there is no “easy button” you can press to be sure you are complying with both the GDPR and U.S. discovery requirements, matter-specific advice from knowledgeable legal counsel can be invaluable to eliminate or at least minimize the significant risk exposure resulting from non-compliance.