If you're a legal or security professional, the looming General Data Protection Regulation, or GDPR, is likely causing your blood pressure to rise. Expected to impose strict limitations on organizations that do business in the European Union, or otherwise collect the data of European citizens, the regulation is said to raise the stakes for privacy compliance as well as for transcontinental discovery. Organizations that don't meet its standards by May 2018 will be the subject of potentially business-rattling sanctions.
1. Will the GDPR Kibosh EU-US Discovery?
November 7, 2017
2. Agenda
Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them
How GDPR Article 48 may make US-EU eDiscovery much more difficult
“So, what do I do now?” Practical advice for dealing with the uncertainty
4. 1. How GDPR Article 48 may make US-EU eDiscovery much more difficult
5. Preface: International Legal Relations 101
• Discovery comes from the Common Law (UK) system
• Even then, “Discovery in the federal court system is far broader than in most (maybe all) foreign countries”
Heraeus v. Biomet, 633 F.3d 591 (7th Cir. 2011)
• EU = typically no discovery, or only through specific requests to the judge
• Also the whole rest of the World too . . . we just don’t have time today
6. Preface: International Data Protection 101
• EU: current = EC 95/46 Data Protection Directive
• EU soon = General Data Protection Regulation (May 25, 2018)
• Many others (Russia, China, Qatar and Japan, more) recently enacted or strengthened their rules
• But again, we only have time for the EU today
7. Preface: GDPR 101
• A uniform regulation (unlike the DPD)
• Jaw-droppingly huge potential fines
• Broad definitions of “Personal data”
• New data subject rights, including the right to be forgotten
• Data breach notification rules
• Expansion of responsibility for processing: important for eDiscovery vendors, who are often just Processors
8. GDPR Article 48
Transfers or disclosures not authorised by Union law
“Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
9. Unknown: Is the Privacy Shield a qualifying “International Agreement?”
10. Recital 115 (non-binding, but still important)
Rules in third countries contrary to the Regulation
Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
11. Discovery = Breach of GDPR?
12. “No aspect of the extension of the American legal system beyond the territorial frontier of the United States has given rise to so much friction as the requests for documents in investigation and litigation in the United States.” RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW OF THE UNITED STATES § 442, Reporters’ Notes ¶ 1 (1987).
Blocking statutes
More than 15 blocking statutes
France
Germany
Even the UK (and they created the common law system!)
13. Article 29 Working Party “Working Document 1/2009 on pre-trial discovery for cross border civil litigation”
Art. 29 WP = EU advisory body (name to be changed with GDPR)
Legal Holds = Processing:
“Although in the US the storage of personal data for litigation hold is not considered to be processing, under Directive 95/46 any retention, preservation, or archiving of data for such purposes would amount to processing.”
14. Article 29 Working Party “Working Document 1/2009 on pre-trial discovery for cross border civil litigation”
Legal Holds = potential violations of EU Data Protection laws
“Controllers in the European Union have no legal ground to store personal data at random for an unlimited period of time because of the possibility of litigation in the United States . . ..”
15. Just a paper tiger?
For decades, no fines or harm done under blocking statutes
16. In Re: Advocate Christopher X, French Supreme Court, 2008
• Complied with US court deposition request in Strauss v. Credit Lyonnais, S.A., 2000 U.S. Dist. Lexis 38378 (E.D.N.Y. May 25, 2007).
• French attorney fined €10,000 for violating blocking statute
17. 2. Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them
18. Societe Nationale Industrielle Aerospatiale v. US Dist Ct. SD IA, 482 US 522 (1987)
“The World’s safest and most economical STOL plane” . . . crashed in Iowa
Injured US fliers sought discovery from French manufacturers
19. Respondents move to block, claim Hague Convention is exclusive means
US Supreme Court on blocking statutes:
“do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”
On Hague convention:
“not a pre-emptive replacement” or “first resort”, but an optional procedure used when appropriate
20. 5-factor comity test
Restatement (Third) of Foreign Relations Law § 442(c) (1987)
1. The importance to the … litigation of the documents or other information requested;
2. The degree of the specificity of the request;
3. Whether the information originated in the United States;
4. The availability of alternative means of securing the information; and
5. The extent to which noncompliance with the request would undermine interests of the United States, or compliance with the request would undermine interests of the state where the information is located.
21. “ . . . comity became a frivolous argument . . .”
“For three decades . . . U.S. courts applied a balancing test to weigh the interests of foreign countries against U.S. interests, and ruled almost unanimously in favor of U.S. interests . . .”
Diego Zambrano, A Comity of Errors: The Rise, Fall, and Return of International Comity in Transnational Discovery, 34 Berkeley J. Int’l Law. 157 (2016).
22. US v. Microsoft likely to make this worse
Stored Communications Act warrant (18 U.S.C. § 2703)
Microsoft produced emails on US Cloud storage, but not in Ireland
Drew massive anger from EU – especially Ireland
Second Circuit vacated contempt order
US DoJ got Supreme Court to accept Cert.
23. 3. “So, what do I do now?”
Practical advice for dealing with the uncertainty
24. Options
A. Privacy Shield
B. MLAT
C. Binding Corporate Rules
D. Standard Contract Clauses
E. Hague Convention
F. Letters Rogatory
G. Party agreement
25. A. Privacy Shield
Agreement between EU and certain US agencies
Available to companies under FTC and Department of Transportation jurisdiction (not Telecoms or FinServ/banks)
Replaces prior Safe Harbor, invalidated by the Court of Justice of the European Union (CJEU) on suit by privacy activist Max Schrems
26. Cracked Shield?
EU Privacy activists have filed lawsuits; CJEU takes up Schrems’ new case from Irish High Court (with Irish DPA support)
Annual review found many problems, but “adequate” so far
WP29 will soon issue opinion; it has historically had a negative view
27. 7 Key principles (inherited from Safe Harbor)
1. Notice
2. Choice
3. Onward transfer
4. Security
5. Data integrity
6. Access
7. Enforcement
29. 3. ACCOUNTABILITY FOR ONWARD TRANSFER
“To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.
Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.
The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
30. eDiscovery violates this provision
31. eDiscovery really violates this provision
32. So far, nobody has gotten burned . . .
Yet
Use at your own peril?
33. B. MLAT
For requesting and obtaining evidence for criminal investigations and prosecutions
Can be through Letters Rogatory or a central authority, depending upon the specific treaty
Need local expert help on this
34. US MLATS (EU member states in red)
Antigua and Barb.
Argentina
Australia
Austria
Bahamas
Barbados
Belize
Bermuda
Brazil
Bulgaria
Canada
China
Cyprus
Czech Rep.
Denmark
Dominica
Egypt
Estonia
France
Germany
Greece
Grenada
Hong Kong
Hungary
India
Ireland
Israel
Japan
Latvia
Liechtenstein
Lithuania
Luxembourg
Malaysia
Philippines
Poland
Romania
Russia
Saint Lucia
South Africa
St. Kitts and Nevis
St. Vin. and Gren.
Sweden
Switzerland
Trinidad and Tobago
Ukraine
United Kingdom
Venezuela
35. C. Binding Corporate Rules
Articles 46(2)(b) and 47
How do you get the other side to sign? (even assuming that they are a corporation)
36. D. Standard Contract Clauses
Articles 46(2)(c) and 93(2)
How do you get the other side to sign?
Use as evidence creates an Onward Transfer problem
Schrems is attacking these as well; the CJEU has also taken up this issue through the Irish High Court
37. E. Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters
Goal of many signers was to limit scope of US discovery abroad
Actively sponsored and signed by the US in 1972
Most, but not all, of the EU has signed
Full list here
38. Big problem = Art. 23 reservations
“a contracting state may at the time of signature, ratification or accession declare that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents.”
France, Germany, Spain, UK and the Netherlands plus others in the EU all use this to block US discovery
Check the official list
39. Essentially a way of asking politely*
It’s complicated: see ABA/NYSBA guidelines and forms here
Draft Letter of Request (a/k/a “Letters Rogatory”**)
Send to Central Authorities (there is a list, can use a service)
Central Authorities send to local authorities
Local authorities are supposed to compel custodian to comply
Estimated to take 2-4 months (yes, really)
* So, why hasn’t Canada signed up?
** Yes, this is confusing: Letters Rogatory predate the Convention and are usable with non-signers
40. To get good results
Likely need to help the judge
Make it easy to comply
Not be a stereotypical loud-mouth, pushy American
Be reasonable
Be specific – narrow the request as much as possible
Get help if you need it – especially local help!
But best to start with agreement, and if not agreement, get a court order
41. F. Letters Rogatory
For countries that didn’t sign the Hague Convention
And for those with HC Art. 23 reservations
Again – is asking nicely
Many hoops to jump through – same advice
(do it right, get help, be nice, be specific!)
No compulsory aspect
Which means that you need to expect it to take 6-12 months (yes, really!)
42. G. Party Agreement
Work it out between the parties
Get a court order if possible
Be creative
45. More Resources:
See a demo of Logikcull, the powerfully simple, highly secure eDiscovery and data management software.
For technology and eDiscovery news and tips, interviews with judges and practitioners, and more, sign up for Logikcull’s blog, Closing the Loop.
Text of the GDPR (English)
Barton GDPR Compliance Group site