February 2, 2010

European Union data: What are the rules?

by Cary J. Calderone, Esquire

Those who attended this session at Legal Tech learned some interesting things about data protection in the European Union (EU) from a very impressive panel of experts (bio information and links below). My first foray into this area, the conflicts between EU and US rules governing electronic data, began about 3 years ago. While researching this subject for a particular client, I learned that international corporations had virtually impossible responsibilities to balance and implement. It became apparent that most issues would remain unresolved even as the best of international companies made progress towards becoming compliant company-wide. I was very interested in hearing about the current state of the EU and US data rules.

Nigel Murray offered some background information:
  • January 28, 2010 was the 4th European Data Protection Day – they have made it a holiday!
  • The EU Data Protection Directive will be updated to reflect new technology.
  • EU Data Protection rules will be written so users know when their personal data may be stored and that they have the right to say “no!”
  • The European Union has 27 member countries (not Norway, Switzerland, or Liechtenstein).
  • Bulgaria, Romania, and Turkey are not in the EU, but they are trying to join.

Judge Peck began by describing why the EU and US rules are in conflict. He explained that in the US the standard for discovery is information that is “reasonably calculated to lead to the discovery of admissible evidence.” In the US, even a claim of confidentiality is not a basis for refusing to disclose or produce data. Sensitive items relating to HIPAA, Social Security Numbers, or credit card information would be redacted in accordance with a protective order or agreement, but the information is discoverable. On the other hand, under EU rules, privacy is a fundamental right, and anything that contains personal information, broadly defined as anything that can be used to identify a person (see Definition Personal Information), cannot even be searched, let alone collected or disclosed, without the individual user's uncoerced consent. Judge Peck commented that “in the ideal world, a US Judge does not want to have to worry about EU or Asian rules” but we are not in the "ideal" world.

The panel discussed a few legal cases to show the trend: if data is in the US, courts have been very hesitant to use EU Data Protection rules to keep it out.

Other observations:
  • Within EU jurisdictions, moving data from country to country also causes problems. If it seems odd to us in the US, remember that the US does not have a history of countries crossing borders to expand their empires.
  • There are times when cooperation can work. George Rudoy described one instance when the representatives of a company made him take a drink with them to show that his data collection would be used for only legitimate purposes. It may have been water. It may have been vodka. His willingness to participate reassured them.
  • Maura Grossman shared that no matter what your risk profile, it would be a best practice to establish relationships and get input from local counsel. She explained that there are many data protection rules where the exception for litigation is specific to litigation in that country. If your matter is filed in another country, even another EU country, the exception simply does not apply.
  • Consent is sometimes an option but not always. There are stringent standards to follow for gaining consent, and in some cases, consent of the individual is irrelevant.
  • Another best practice is to be “super-surgical” in targeting requests at specific data, and keeping the scope of the request bound by the borders of that particular country. What makes this very tricky is that it is not just moving data that causes a problem. Merely accessing the data can violate the rules! If data is hosted in Germany, a lawyer violates the rules if he accesses the data from his office in NY.
  • If a corporation has been freely operating with its worldwide data in an “open” fashion (i.e., journaling all email communications in the US), then Judge Peck believes it is more likely a US Judge will not protect that information from disclosure under EU data protection rules. Judge Peck says that “if it is here”, it comes in subject to comity with foreign countries.
  • George Rudoy and Browning Marean echoed that we should follow local rules and implement the safest technology we can.
  • Nigel Murray also stressed that it is critical to have “local boots on the ground.”
  • Maura Grossman pointed out that there are some very specific and important differences in the international community. For example, before heading to China to take a deposition she learned that American lawyers are not allowed to take depositions in China. She would have been jailed!
  • Browning Marean mentioned that the Pension Committee (Judge Scheindlin) case reminds us that failure to issue a Legal Hold when litigation is reasonably anticipated is gross negligence. He also added that Legal Holds are more effective when created and dispersed internally than when an outside law firm issues them.

The panel considered quite a few other issues that make EU data discovery more complicated, like:
  • Where is the data housed?
  • What if it is in another country in a cloud?
  • Who controls the data in a parent-subsidiary situation?
  • What is considered “reviewing or accessing the data?”

In conclusion, the rules are still evolving and for now, you need very competent and probably local advice to perform a risk/reward analysis to determine what you may or may not do with EU and other "non-US" data. After 3 years of following this tricky legal area, I had hoped there would be a few more straight answers and solutions, but not yet.

Panel Members:
George I. Rudoy, Director, Global Practice Technology & Information Services, Shearman & Sterling
Nigel Murray, Managing Director, Trilantic
Honorable Andrew J. Peck, Magistrate Judge, Southern District of New York
Browning E. Marean, Partner, DLA Piper LLP
Maura Grossman, Counsel, Wachtell, Lipton, Rosen and Katz
Senior Master Steven Whitaker, Senior Master of the Senior Court of England and Wales
Chris Dale, E-Disclosure Information Project
Vince Neicho, Litigation Support Manager, Allen & Overy LLP

1 comment:

Roumiana Deltcheva said...

Cary, Thank you for this posting; it's very interesting and helpful.

Just a quick note: Bulgaria and Romania ARE part of the EU (since 2006), they are just not part of the Euro zone. Turkey is still trying to join.