As the clock ticks down to May 25, 2018, when the European Union’s General Data Protection Regulation (“GDPR”) becomes fully enforceable throughout the EU, the Internet and airwaves have become saturated with guidance for companies about what to expect and how to prepare for its new protections and restrictions. However, we’ve seen little intelligence for companies and their litigation counsel in situations where electronically-stored information (“ESI”) containing “personal data” resides in the EU and is relevant to discovery requests in American civil litigation.
In many ways, the process and procedures relating to transfers of personal data to the U.S. under the GDPR are similar – and similarly burdensome – to those of the existing privacy regime. However, the GDPR does introduce new transfer options and clarifies others. It has also added record-keeping and compliance reporting requirements as well as hefty penalties for non-compliance.
Our GDPR e-discovery series will examine these new and clarified transfer options for ESI containing personal data. We begin our series with a newly added transfer option – the Hail Mary pass of transfer options – contained in a GDPR provision permitting a one-time limited transfer where necessary to further a “compelling interest” of the transferring party.
Before we get to the GDPR, however, some historical context is instructive about what makes transferring personal data from the EU to the U.S. for pre-trial e-discovery particularly taxing. The challenges stem largely from the expansive definition of personal data on which existing law is premised, which encompasses any information relating to “an identified or identifiable natural person.”
The issue with this definition is immediately apparent. In addition to information practitioners in the U.S. might typically consider “sensitive” or “private” personal data, such as social security numbers, financial account numbers, or medical treatment histories, the EU balloons the concept of personal data to include more innocuous information commonly contained in ESI, such as professional or personal email addresses, office addresses, and telephone numbers.
Existing EU privacy law further stipulates that such personal data cannot be transferred to a “third country” like the U.S. that does not ensure an adequate level of protection for personal data. Absent such an adequacy determination by EU privacy regulators, a data transferor must demonstrate either that sufficient protective safeguards have been incorporated into a data transfer agreement, in the form of standard contractual provisions addressing the handling of the personal data, or that an enumerated “derogation,” or exemption, to the privacy law supports the transfer.
These far-reaching definitions and limited transfer options have created a classic lose-lose for American litigants. On the one hand, U.S. courts generally observe that discovery of relevant documents in the EU cannot be avoided solely on the basis of its privacy law. On the other, companies that do not take appropriate steps to permissibly transfer personal data can be sanctioned by privacy regulators.
While there was hope that the GDPR would address this inherent tension and simplify the transfer process, the end result is not so much simplification, or even clarity, as it is a new set of potential hazards and prospects.
It is in this context that we examine Chapter 5 of the GDPR (Articles 44 through 50) that governs transfers of personal data to third countries such as the U.S. Of most relevance to transfers in the context of civil e-discovery are Article 46, which addresses transfers subject to standard contractual clauses relating to the handling of personal data, and Article 49, which carries over the “derogations” concept from existing law allowing for personal data transfers in the absence of Article 46 safeguards.
One Article 49 provision new to the GDPR specifically addresses the concept of a one-time limited personal data transfer, which sounds promising in the context of e-discovery. However, this new provision also appears to be an option of last resort, applicable only where none of the safeguards or options enumerated in Articles 46 or 49 otherwise apply. In such cases, a transfer of personal data may occur if:
- the transfer is not repetitive;
- the transfer concerns a limited number of data subjects;
- the transfer is necessary for purposes of a compelling interest of the transferor that is not overridden by the interests of the data subject; and if
- the transferor has provided suitable safeguards to protect the personal data during and after the transfer.
While this exemption sounds appealing, the jury is still out on its utility. Just how many subjects or how much data constitutes a “limited” transfer, for example, will likely remain a subjective judgment in the eye of data protection authorities. And whether pre-trial e-discovery in American litigation will ultimately be considered a “compelling interest” is a new and unanswered question. Plus, who balances the interests between the transferor and the data subjects? Finally, this new provision subjects a transferor to significant disclosure requirements, including informing the data subject about the transfer and the compelling interest being pursued, as well as informing the data privacy authority of the transfer. These disclosure requirements introduce logistical problems in and of themselves.
Based on these unknowns and reporting requirements, use of this provision may entail significant risk for the transferor. And, bear in mind that, although the GDPR was intended to harmonize some aspects of privacy law across the EU, Member States are left with the option to modify or supplement the default standard set out in Article 49. This means you will still need to review the privacy law of a particular Member State to assess whether the compelling interest exemption even applies and, if so, in what context.
Bear in mind also that no matter what transfer method is used, the GDPR requires both transferors and transferees to maintain a record of personal data transfers and details about what adequacy decision or safeguard applied to each transfer. Failure to do so may risk significant fines. Our recommendation is that American companies with operations, employees, or data in the EU and multinational companies at risk of lawsuits or investigations in the U.S. develop a standard policy for assessing personal data transfer requests, including those in the context of civil e-discovery. This policy should recognize that every transfer may be different and allow flexibility based on the transfer options afforded by the GDPR. Importantly, this policy should be adhered to rigorously and dictate the documentation required for each transfer contemplated or undertaken.
We will continue to outline options that you might incorporate into such a policy right here at Privacy & Security Matters. Our next edition of our GDPR e-discovery series will examine developments in the GDPR relating to the derogation of consent.