As debates about data privacy rage in the United States—the Wikileaks Twitter case is a recent and prominent example—it is important for multinational corporations and other potential litigants (both plaintiffs and defendants) not only to understand the nuances of the markedly different privacy definitions and security standards in the European Union (“EU”), but also to master this legal landscape with the indispensable help of expert local counsel in foreign jurisdictions. These differences are especially important given that U.S. courts engaged in the litigation discovery process routinely expect litigants to be able to produce relevant data through cross-border discovery according to the same standards and restrictions that apply at home. A highly informative webinar hosted by RenewData, a provider of services for the discovery, archiving, and governance of electronically stored information (“ESI”), and featuring Ken Rashbaum of the law firm Rashbaum Associates, discussed these issues and others vital to corporate counsel.
European Definitions of Privacy and Personal Data
The EU and its member nations have expansive definitions of privacy with respect to personal data. These have been codified to include the right to respect for one’s personal and family life, as well as one’s correspondence. According to Rashbaum, the EU’s concept of personal data extends to any information relating to an identified natural person (“data subject”) who can be identified, directly or indirectly, “in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” These can include IP addresses as well as Internet traffic data and search queries. As discussed below, there is a distinct lack of inter- and intranational (not to mention provincial and local) jurisdictional harmony within the EU when it comes to definitions of personal data.
Rashbaum states that both France and Germany have definitions far stricter than the EU. However, the most comprehensive (and thus protective) definitions have emerged from the former Communist Bloc eastern European countries that now belong to the 27-member EU. Where privacy was once trampled upon, it is now held dear and protected by law. Notwithstanding differences among member States, the EU’s overarching philosophy is to both (i) prevent the misuse of personal data and (ii) ensure the free flow of data within the EU by enacting data protection statutes that regulate almost all instances where personal data is at issue. Even so, it is vital to remember that EU laws such as the European Privacy Directive are only floors that the laws of member States may raise.
How To Transfer Data From The European Union
In order to address how data may be transferred from the EU—and individual States whose laws differ from the EU’s overarching federal structure—we must first examine what constitutes an unlawful transfer of data. There are nuanced answers to this question beyond our scope, but one fundamental rule (subject to certain carve-outs) stands above others. Personal data cannot be sent from the EU to any country that has lesser protections than the EU. The EU uses a so-called “adequacy approach” to verify that a foreign country ensures commensurate protection of personal data before it allows data to be transferred to that country. Given that the universe of nations with privacy laws that match the EU’s standards is limited to Canada, Argentina, and Switzerland (part of the so-called EU Economic Area, but not a member of the EU), U.S. multinational corporations have a variety of legal issues on their hands. This applies not only in the context of litigation, but even when a European-based subsidiary wishes to transfer personal data such as employee emails back to its headquarters in the United States. This is no small matter, as I hope my hypothetical at the end of this piece shows.
Nor is it a small matter that not all EU member nations even allow the transfer of data for the defense of claims abroad. According to Rashbaum, there is “[n]o general exception in EU data protection law allowing companies to transfer data outside the EU just because they are legally compelled to do so by a foreign government.” In other words, the EU tells such corporate litigants, “Go back to your courts and figure it out.” There is one exception. When a multinational parent company established in a parent country (e.g., the United States) is sued by an employee of that parent who is posted abroad, data concerning that person may be sent home. Naturally, EU citizens, as natural domiciliaries of an EU member State, fall outside the exception. The EU protects its own – and so too, it would seem, the many foreigners who live and work within its borders yet fall outside this limited corporate exception (e.g., an American journalist working for Le Monde).
Getting Your Company’s Personal Data Back Into the United States
First, a company can agree contractually with all its employees to afford their data the same heightened data privacy protections that it would receive in the EU. However, this does not apply to HR-related data because EU law presumes that negotiations between employer and employee with respect to such data necessarily involve duress, implicit or otherwise.
Second, a company that falls under the jurisdiction of the Federal Trade Commission (“FTC”) or the Department of Transportation may register with the Department of Commerce—an interesting mishmash of jurisdictions, as the Europeans have noted—and apply for an existing safe harbor already approved by the EU. U.S. companies can thereby certify annually that they have implemented adequate safeguards with respect to data privacy. Yet EU officials have expressed concern as to the jurisdiction of the FTC to enforce the safe harbor, as well as dissatisfaction with the fact that numerous regulatory agencies adjudicate disputes under the safe harbor, which may result in inconsistent rulings and uncertain application of the rule. According to the Applied Discovery Black Letter Book 49-51 (4th ed. 2011), companies certifying compliance must adhere to a number of safe harbor principles:
- They must notify those individuals whose ESI is being collected of the intended use of those data sets. They must also inform them how they can contact the company with questions or complaints.
- Companies must take reasonable precautions to secure “personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.”
- A company should take reasonable steps to ensure data integrity – the data must be reliable, accurate, complete, and current.
- The individual whose data is being collected must have access to his or her personal information held by the company in order to correct or delete inaccurate information.
- The company must self-enforce its own regulations. Individual complaints must be heard. The company must verify the implementation of all safe harbor mechanisms. And there must be “sanctions sufficiently rigorous to ensure compliance.”
- In the event that the company wishes to transfer the individual’s data to a third party, that recipient must be a safe-harbored entity subject to the EU’s adequacy finding standards.
Rashbaum adds that companies can “adopt a uniform set of [internally binding] data protection rules applicable to all intra-group transfers of personal data originating in the EU.” Any such rules necessarily will have to embody the most stringent privacy rules among EU nations so that they may be approved by each State. One can also expect any such approval to be conditioned upon the explicit permission of judicial enforcement of said rules. Not surprisingly, numerous large multinational corporations are following this path to secure their rights without having to fall under the EU-approved and U.S.-administered safe harbor.
Consider This Scenario
You are the founder and Chairman of a medium-sized U.S. investment bank with a presence in Frankfurt. A German national working at your Frankfurt trading desk conspires with his American colleagues in your New York headquarters to engage in activities that lead to an investigation by the Securities and Exchange Commission (“SEC”). That employee’s correspondence—just daily emails for the sake of argument—contains information (i) vital to the SEC’s prosecution of some colleagues, but also (ii) that exculpates others – valued employees and friends. Those emails are stuck in Germany under both EU law and the higher standards adopted by the relevant German authorities.
Your company has done nothing in advance to prepare for such a situation. It has not registered for the aforementioned safe harbor. It has no internal guidance with respect to data transfer that has been pre-approved by EU or German authorities. Yet a federal district court instructs that said emails be produced. You want to cooperate with the SEC. You wish to clear the names of your innocent colleagues. Yet EU and German authorities tell you repeatedly that those emails cannot be transferred to the United States.