Data privacy laws and blocking statutes can seriously impact investigations and litigation that reach outside of U.S. borders. In this article, we discuss the effect of data privacy laws and blocking statutes on U.S.-based corporations, and offer some practical strategies for counsel when dealing with international investigations and litigation.
Data Privacy Laws
Data privacy laws prohibit misuse or disclosure of private individuals’ data. At least 89 countries have enacted them, and more countries are expected to enact their own data privacy laws in coming years. The European Union (EU) has some of the most stringent data privacy laws in the world. In January 2012, the EU proposed comprehensive reforms of data protection rules in the form of a draft European General Data Protection Regulation (GDPR) that is intended to harmonize the various data protection laws currently in place in the EU member states. The GDPR will also serve to replace the existing 1995 Data Protection Directive, 95/46/EC. The reforms are intended to “make Europe fit for the digital age,” and stem from the reported desire of more than 90% of Europeans to harmonize data protection rights across the EU. See, GDPR. In December 2015, the European Parliament and other lawmakers reached agreement on the new data protection rules. The Rules will become applicable two years after formal adoption and publication. Id.
Germany’s data protection laws provide a significant example of an EU member state’s position on data protection. In addition to Germany’s Federal Data Protection Act (DPA), or Bundesdatenschutzgesetz (BDSG), there are other federal data protection regulations, and state data protection acts. Special regulations govern many specific areas at both the federal and state level. Eighteen different federal and regional supervisory authorities monitor and implement data protection. See, http://bit.ly/2fEOHe4.
Personal data is defined under the DPA as “any information concerning the personal or material circumstances of an identified or identifiable individual.” The requirement that the information concerns a “personal or material circumstance” is construed very broadly. Id. Personal data may be processed as long as one of the standard conditions for processing personal data is met. Id. However, special requirements apply to employee data, personal data used for marketing and address trading, scoring, and market and opinion research. Id.
Transfer of personal data from Germany to the United States has always been problematic. The situation became even more complicated following the October 2015 Schrems decision that invalidated the Safe Harbor self-certification framework U.S. companies had used to conduct data transfers from the EU to the U.S. See, Maximillian Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650, CJEU 6 Oct. 2015, Case C-362/14. Normally, data transfers to a country outside of the EU or European Economic Area are allowed only if adequate data protection is guaranteed. Id.
Prior to Schrems, U.S. entities could guarantee an adequate level of protection by adhering to the Safe Harbor agreement. Id. That invalidated agreement has now been effectively supplanted by the EU – U.S. Privacy Shield, a self-certification framework for data transfers between the EU and the U.S., adopted by the European Commission in July 2016. Certification will require that companies submit to, and demonstrate, robust compliance with Privacy Shield principles, including limiting the collection of personal information, adhering to tightened conditions for onward data transfers, and ensuring compliance with handling, processing and other requirements established by European Data Protection Authorities.
An additional method for conducting a legally admissible data transfer from Germany to the U.S. requires obtaining authorization from the competent supervisory authority in Germany. This may be accomplished by using the standard contractual clauses governing data transfers set forth by the EU, but success is not guaranteed. See, GDP.
Individual consent is also an avenue for cross-border data transfers from Germany to the U.S. Id. This consent must be “informed,” however, meaning that the individual receives a detailed explanation of what will happen to their data in the U.S. and who will have access to it, including whether their data will be accessible to regulatory agencies such as the NSA. Id. The individual consent must also be voluntary and in writing. Id. U.S.-based companies need to be particularly careful when attempting to obtain consent to data transfers from their German employees, and ensure that a separate consent document is signed. Id.
In response to broad American discovery requirements, many countries have enacted blocking statutes. Blocking statutes vary in their scope and enforcement, but all have the underlying goal of preventing foreign nationals’ acquiescence to U.S. discovery requests. See, e.g., Compagnie Francaise D’Assurance v. Phillips Petroleum Co., 105 F.R.D. 16, 30 (S.D.N.Y. 1984). Blocking statutes differ from data privacy laws in that data privacy laws are intended to protect individuals’ data privacy, whereas blocking statutes are intended to protect the sovereignty of the state and its citizens from foreign litigation.
Foreign nationals often cite a blocking statute in order to avoid complying with a U.S. discovery request or to avoid sanctions for failing to comply. See, 71 Am. Jur. Trials 1 (Originally published in 1999). However, blocking statutes do not always excuse foreign nationals from having to comply with a U.S. discovery order, and these statutes often have limited effect helping foreign nationals avoid producing documents. The Supreme Court has weighed in on blocking statutes, holding that they “do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Société Nationale Industrielle Aérospatiale v. U.S. Dist. Court for the Southern District of Iowa, 482 U.S. 522, 544 n.29 (1987) (Aerospatiale).
France’s blocking statute is among the best known, and imposes criminal penalties on French nationals and residents. Although the Hague Evidence Convention provides a specific framework for cross-border communication of documents, France has invoked an exception to the Convention, and French parties often challenge their obligation to comply with U.S. discovery requests.
In Aerospatiale, the U.S. Supreme Court addressed blocking statutes, and laid out a balancing test for courts to use in determining whether to order cross-border discovery. (The factors in this balancing test are also codified in the Restatement (Third) of Foreign Relations Law §442(c) (1987)). The Court ruled that the Hague Convention dictated the procedures that must be followed for pre-trial discovery, and emphasized that a ruling that the Hague Convention did not apply to the discovery demands would have a negative impact on both domestic litigants and foreign litigants. Regarding the blocking statute, however, the Court noted that it was “well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” 482 U.S. at 526, 544 n.29.
The Court also cited the concerns to be considered in any comity analysis from the Restatement of Foreign Relations Law:
- The importance to the … litigation of the documents or other information requested;
- The degree of the specificity of the request;
- Whether the information originated in the United States;
- The availability of alternative means of securing the information; and
- The extent to which noncompliance with the request would undermine interests of the United States, or compliance with the request would undermine interests of the state where the information is located.
Id. n. 29.
In the decades since Aerospatiale, courts have often applied the factors outlined there, and have usually, but not always, held that the U.S. discovery interests outweigh the foreign interests inherent in the blocking statute. U.S. courts have noted that blocking statutes have not been regularly enforced, but in one case the defendant was ordered to produce documents, which resulted in a French lawyer being convicted and fined €10,000 for violating the blocking statute. See, Strauss v. Credit Lyonnais, S.A., 242 F.R.D. 199 (E.D.N.Y. 2007) (ordering document production despite violation of blocking statute), and Art. 29 Data Prot. Working Party, Working Doc. 1/2009 on Pre-trial Discovery for Cross Border Civil Litigation, p.5, n.3, Doc. No. 000339/09/EN WP 158 (Feb. 11, 2009).
Practical Strategies for Counsel
Confronting data privacy laws and blocking statutes during discovery can be daunting to both newcomers and seasoned practitioners. Below are some strategies for counsel to follow when confronted with data privacy laws and blocking statutes.
Be cognizant of the data privacy laws specific to the country with which you are dealing.
Online data privacy maps allow users to compare different countries’ approaches. Switzerland, for example, follows its own definition of what constitutes “personal data,” and the Swiss Penal Code may be implicated if certain actions are taken; counsel must be mindful to work with someone knowledgeable in this area to avoid missteps. Sedona Conference Practical In-House Approaches for Cross-Border Discovery and Data Protection (September 2015 Public Comment Version, p.40).
For in-house counsel, consider the Sedona Conference practice pointers for conducting cross-border discovery.
The Sedona Conference Practical In-House Approaches for Cross-Border Discovery and Data Protection offers several useful practice points, including:
- Balance the need for urgency in preserving information with the need to proceed deliberately in countries with comprehensive data protection laws.
- Identify and define privacy issues with opposing parties or regulators through outside counsel where possible.
- Set up transparency “checkpoints,” beginning with preservation and continuing through the life of the matter, to avoid revocation of consent.
- Plan a successful in-country collection with detailed surveys of appropriate systems well in advance.
- Use the processing stage of discovery as an opportunity to balance compliance with both discovery and data protection laws.
- Consider ways to limit the production of protected data; when production of protected data is necessary, safeguards can be established to demonstrate due respect for both discovery and data protection laws.
Consider seeking support of the foreign consulate/embassy, and look for alternative solutions that can accommodate both jurisdictions.
A foreign party from which discovery has been requested may seek the assistance of that country’s consulate or embassy to support the position that there is a “national interest” in keeping the information confidential. In addition, the party should look for alternative solutions that can accommodate the discovery laws of both jurisdictions, such as the Hague Convention on the Taking of Evidence Abroad in Civil and Commercial Matters. 3 Bus. & Com. Litig. Fed. Cts. §22.52 (3d ed.), at 2.
Know the data: where it is, what it is, and why it is important.
Before making an international discovery request, counsel should make sure that the evidence at issue is not available somewhere in-country. Counsel should also determine how important the evidence is to the case: is it worth the time, effort, and expense of going up against strict data privacy laws and blocking statutes?
Be aware of the impact of and developments following Schrems.
As discussed above, the Schrems decision invalidated the EU-U.S. Safe Harbor self-certification framework used to conduct personal data transfers from the EU to the U.S. The EU – U.S. Privacy Shield does provide an alternative framework that ensures compliance with the strict personal data requirements of EU law, and seems to address many of the key concerns of the Article 29 Working Party (WP29), a body representing all EU data protection authorities. However, the WP29 has highlighted a number of issues that still remain, particularly regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU. Organizations attempting to transfer data from the EU to the U.S. need to be fully aware of the ramifications of the Schrems decision, and keep abreast of developments, challenges and decisions related to the Privacy Shield and its adequacy as a method of data transfer.
Alternatively, it may be possible to provide an adequate level of data protection by using standard contractual agreements or sets of EU model clause transfers. See, e.g., Commission Decision 2001/497/EC: Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC; Commission Decision 2004/915 of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries. Certain EU countries may still not approve of the level of protection offered by the standard contractual clauses, so counsel should approach any personal data transfer question with caution and on a country-by-country basis.
Data privacy laws and blocking statutes can have a serious impact on international litigation. By understanding the international discovery landscape and following the practical strategies outlined above, counsel can manage international discovery situations skillfully when representing a client.
Ashish Prasad, Esq. is the vice president and general counsel of eTERA Consulting, a Washington, DC-based electronic discovery, document review and technology consulting company. He is a former Litigation Partner and Chair of the Electronic Discovery and Records Management Practice at Mayer Brown LLP. Patrick Oot, Esq. is a partner at Shook, Hardy & Bacon L.L.P. He previously served as Senior Special Counsel for Electronic Discovery in the Office of the General Counsel at the SEC. Prior to his service with the SEC, Oot was in-house counsel in Verizon’s electronic discovery practice as Director of Electronic Discovery and Senior Litigation Counsel.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.