On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation. The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which outlines the EU’s privacy requirements. What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S. discovery rules and the European privacy framework.
The Working Document offers guidance to EU data controllers responding to U.S. discovery requests. As the Working Document explains, those controllers often find themselves in a bind. On the one hand, U.S. law allows for broad discovery, which may require a controller to provide, or “process,” personal data of customers or employees. On the other hand, Article 7 of EU Directive 95/46 limits a member state’s authority to process such data.
Under Article 7, a member state may process personal data only if one of six identified grounds for processing applies. The Working Document considers the Article 7 grounds most likely to supply a legitimate basis for compliance with a discovery request – namely 1) consent, 2) necessary for compliance with a legal obligation, and 3) necessary for the purposes of a legitimate interest, where such interests are not "overridden by the interests for fundamental rights and freedoms of the data subject." Recognizing that the "interests of justice would be served by not unnecessarily limiting the ability of an organisation to act to promote or defend a legal right," the Working Document suggests that the third basis – necessary for the purposes of a legitimate interest – will often provide a ground for processing data in response to a U.S. discovery request.
In addition to advising controllers on the identification of a proper basis for processing, the Document reminds controllers that when sensitive personal data is involved, they must identify a proper basis for processing that data in accordance with Article 8. Finally, data controllers are reminded to: 1) take appropriate steps to ensure that discovery is limited to that which is objectively relevant to the issues being litigated; 2) ensure transparency by informing those whose data is shared, unless there is a substantial risk that such notification would jeopardize the investigation; and 3) protect data subjects’ rights of access and rectification by seeking protective orders, and 4) take steps to preserve the security of the data – an obligation that extends to law firms, experts, and others with whom the data is shared.
While the Working Document offers advice to member jurisdictions, the Working Party was also careful to note that "resolving the issues of pre-trial discovery is beyond the scope of an Opinion by the working party and . . . these matters can only be resolved on a governmental basis." Although the Working Document applies only in EU member jurisdictions, it serves as a reminder that entities involved in litigation must be mindful of fundamental information security concerns that could limit discovery during litigation – a proposition that is increasingly recognized by U.S. Courts and institutions as well.