At this year’s Relativity Fest, in the session “Collecting and Reviewing European Documents in U.S. Litigation,” I discussed how and why the European Data Protection Directive (the Directive) protects “personal” data in the European Union member states plus Iceland, Norway, and Lichtenstein—together known as the European Economic Area (EEA).
The Directive is, in effect, an instruction to each country to pass its own law—each country implements the terms of the Directive independently (and can, if it wishes, choose to include additional, more stringent, provisions).
Not least because of the troubled history of many European countries over the last 80 years—often involving widespread spying on peoples and the maintenance of databases recording their daily activities—the need to control what is collected and done with personal data is taken extremely seriously.
“Personal data” is defined as any information that can be related to a living person—so even a name and address on a letter is personal data.
A breach of the law can result in significant sanctions.
Understanding the EU Data Protection Law
As a gross over-simplification, it is relatively easy to transfer personal data between EEA countries (and indeed to any other countries that have been adjudged to have adequate data protection controls).
In contrast, there are significant restrictions on transferring personal data to other countries (such as the United States) where no adequate protection has been found to exist.
If one of the specified grounds permitting the transfer of personal data has not been established, there can be no lawful access from such countries—even if the information is required for, say, U.S. litigation.
Generally there is a lot of emphasis in the EU Directive on the importance of obtaining the consent of the data subject to the processing of their data, but it is important to note that obtaining consent from employees is often impossible because consent will not have been “freely” given due to the perceived risk of coercion by the employer.
How to Handle the Collection and Review of European Data
With these differences in mind, there are several actions you should take to work with European data. A preliminary step is to seek advice from a local expert. Someone who regularly works in the area will know the applicable national and regional laws and will be able to advise as to what approach is likely to be adopted in interpreting and enforcing the law.
It is important to be alive to the fact that the concept of discovery simply doesn’t exist in the majority of EEA countries.
Sending a typical “legal hold” notice in Europe often won’t achieve the desired goal—you need to have a conversation with each individual to explain the purpose and process of a legal hold.
Equally, the attitude to collecting data differs—data on a custodian’s computer is perceived as in some ways being “private” to that individual rather than simply belonging to the employer.
It’s helpful to narrow down your search and request only the documents that might be relevant to your case—you’ll need to justify the necessity of transferring the data.
The goal should be to:
- Have a detailed explanation as to what data is required and why it is needed (ideally backed up by a U.S. Court Protective Order that gives comfort that the data will be treated by all parties in a way that respects the spirit of the EU Directive).
- Seek to obtain the support and agreement of all relevant custodians with your scoping, collection, and initial relevance review plan.
Generally it will be appropriate and necessary to process the data and carry out an initial relevance review locally due to the need to:
- Establish what responsive data exists and the extent to which it contains personal data.
- Consider how much of the responsive material can be redacted to remove personal data without compromising the ability of the lawyers to use the material for the litigation process.
- Comply with the legal, security, and data control requirements.
If you’re collecting from multiple EEA countries, it is often desirable to consolidate the data in one country so as to have one set of rules to comply with when transferring the data out of the EEA to the U.S.
A final word of advice is to ensure U.S. parties and their lawyers fully understand the restrictions on data transfers outside of the EEA. It is critical to manage the judge’s expectations and show that you have a plan to identify and produce the material that is relevant to the case while respecting the EEA data protection laws.
John Lapraik is a solicitor and e-discovery consultant at Millnet, an Advanced Discovery Company where he consults and provides advice on e-discovery and the manipulation and searching of electronic data. His unique skill-set, combining legal and IT expertise, enables John to provide sound commercial legal advice and consultancy around the application of IT to lawyers’ working practices.