Where can I go to find out about EU data privacy protection laws and how they affect the discovery of European data in U.S. litigation?
As a preliminary matter, there is no one place to go for information about European data protection laws. However, an excellent starting place is the European Commission’s Data Protection website.
National data protection laws are based on European Commission Directive 95/46 EC, which provides an overarching framework and minimum standards. Furthermore, the Directive encourages each state to interpret and enact its own version. The European Commission website provides the Directive in multiple languages and an overview of the statuses of the legislation in the 30 member states that make up the European Economic Area—the 27 EU member states plus Iceland, Liechtenstein and Norway. There are also links to each of those statutes and their amendments (and, for Austria and Germany, to the laws enacted by the federated Länder or states) with English translations where available, with the caveat that translations are often “unofficial” and for informational purposes only.
The Article 29 Working Party is the independent EU advisory body on data protection and privacy set up under the Directive. Links to this group’s published opinions interpreting key issues and concepts in data privacy law are organized by year and include the 1/2009 WP 158 on pre-trial discovery for cross-border civil litigation (PDF), which specifically addresses issues surrounding data processing and, to a lesser extent, transfer. In addition, the Commission’sFAQs on transferring personal data out of Europe to third-party countries includes a step-by-step decision tree to assist with the analysis. Keep in mind that opinions of the Article 29 Working Party, though persuasive, are not binding on European national enforcement agencies.
National data privacy administration and enforcement authorities’ websites also have useful information. For example, the French CNIL’s website, available in English and Spanish, explains data privacy rights and obligations and includes topics and news items.
Among the blogs in this field, Chris Dale of the UK eDisclosure Information Project site provides timely analysis that manages to be both thoughtful and entertaining.
In addition to the national data protection acts and their related notices and other requirements, a host of other laws and issues can come into play. Labor laws, general and issue-specific “blocking” statutes, telecommunications laws, and regulations are among the many issues that you need to consider. The Sedona Conference® International Working Group WG6 has published two useful papers providing a broader perspective, including the 8/2008 Framework for Analysis of Cross-Border Discovery Conflicts and the 9/2009 International Overview of Discovery Data Privacy and Disclosure Requirements, which give detailed information concerning the legal system and data privacy laws of 12 countries, including seven European countries. One of these is Switzerland, which, being outside of the EEA, is not represented on the Commission’s site. The Sedona Conference lists these papers on its homepage under “Recent Publications” and requires users to provide their name and e-mail address to access them. Guidance Software has published a series of helpful white papers addressing EU data discovery issues, including “Seeking a Balance in the Discovery Equation,” which provides an overview of European data protection laws and their implications for U.S. discovery, and several on UK and German data protection and compliance issues.
Finally, if you are dealing with an actual data protection matter, it is essential to consult local counsel in the EU member state(s) where the data at issue is located.
Denise Backhouse is an associate in the eData Practice of Morgan, Lewis & Bockius, LLP.