Privacy, data and different jurisdictions: How legal approaches differ between the U.S. and EU
We will examine how cultural expectations, history and legal approaches concerning data privacy differ markedly between the U.S. and EU countries, and the practical implications for in-house counsel.
March 19, 2014 at 04:00 AM
9 minute read
The original version of this story was published on Law.com
In an increasingly globalized economy, the practice of law has expanded across borders as companies' employees, actions and influence continue to spread through multiple jurisdictions. The varying privacy laws of different countries, industries and even states have far-reaching implications for law practitioners within the electronic discovery sphere. The growth in big data and cloud storage has only compounded these challenges for e-discovery professionals.
In the first two articles of this series, we explored the challenges around data privacy laws that exist within the United States and international jurisdictions outside the European Union. Here, we will examine how cultural expectations, history and legal approaches concerning data privacy differ markedly between the United States and EU countries, and the practical implications for in-house counsel.
Worlds apart
When it comes to data privacy laws and attitudes, there can be significant variances between jurisdictions within the United States and between the United States and non-EU countries. However, perhaps the greatest differences lie between the United States and the European Union. Some of this is based on history and culture. Having witnessed firsthand how a tyrannical government in Nazi Germany was able to persecute a specific sector of society, Europeans tend to hold strong beliefs about the need to protect the personal information of citizens from those who might do them harm.
Not only are attitudes on privacy between the EU member states and the United States very different, within the EU itself there are variations. For example, Germany has some of the most stringent laws of all the nations within Europe, while the United Kingdom allows more leeway.
In the United States, the importance of freedom of information tends to outweigh the desire to protect personal data. While there are some obvious limits to this, such as the Health Insurance Portability and Accountability Act (HIPAA), Americans generally accept that they do not have a guaranteed right to cloak their personal information in privacy, whereas Europeans believe this right to be paramount.
Americans and Europeans also have diverging attitudes toward litigation. The United States is a far more litigious society, perhaps in part because discovery has a much farther reach than in Europe. In the EU, it is also more likely that losing parties will be obliged to cover not only their own discovery expenses, but the other side's costs. In turn, that persuades those in EU countries to draft narrower discovery requests, rather than launch so-called “fishing expeditions.”
Regulations across the EU
The main privacy law governing data in the EU is the Data Protection Directive, known formally as Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In essence, the directive prohibits the disclosure to a government entity of what any individual may deem to be personal, such as age, ethnicity or religion.
The directive includes two stipulations: a) the Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data; and b) the Directive on the Protection of Individuals with Regard to Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data.
Along with the Data Protection Directive, each member state of the EU has its own privacy laws. This can hamper some data from moving freely even within the EU. For example, a matter in one EU member state may include data that a legal team could prefer to process in the United Kingdom, because of that country's sophisticated market and lower expenses. However, privacy laws in the member state where the data resides may prevent this movement of information outside the state.
Since these regulations also prevent a vast amount of data from being brought to the United States, legal teams either must filter out all “personal information” from data collected from an EU nation before moving it to the United States or find other solutions.
Managing data across borders
U.S. in-house counsel have several options when managing potentially responsive data from EU countries. The right approach may be different for different matters.
Some e-discovery providers have recognized the situation and set up international data centers to process information in-country where possible. Others have adopted an EU safe harbor certification, which treats U.S. data centers like an EU embassy. However, most EU countries do not recognize these safe harbors because they are self-regulated. A final option available in instances when data sets are relatively small is to set up a mobile processing center. In this instance, data is effectively culled at the source to weed out all personal information before it can then be reviewed by counsel.
Privacy laws can vary significantly across jurisdictions, even within the same country. In order to remain in compliance wherever clients face litigation, in-house counsel needs to be prepared and plan ahead.
In an increasingly globalized economy, the practice of law has expanded across borders as companies' employees, actions and influence continue to spread through multiple jurisdictions. The varying privacy laws of different countries, industries and even states have far-reaching implications for law practitioners within the electronic discovery sphere. The growth in big data and cloud storage has only compounded these challenges for e-discovery professionals.
In the first two articles of this series, we explored the challenges around data privacy laws that exist within the United States and international jurisdictions outside the European Union. Here, we will examine how cultural expectations, history and legal approaches concerning data privacy differ markedly between the United States and EU countries, and the practical implications for in-house counsel.
Worlds apart
When it comes to data privacy laws and attitudes, there can be significant variances between jurisdictions within the United States and between the United States and non-EU countries. However, perhaps the greatest differences lie between the United States and the European Union. Some of this is based on history and culture. Having witnessed firsthand how a tyrannical government in Nazi Germany was able to persecute a specific sector of society, Europeans tend to hold strong beliefs about the need to protect the personal information of citizens from those who might do them harm.
Not only are attitudes on privacy between the EU member states and the United States very different, within the EU itself there are variations. For example, Germany has some of the most stringent laws of all the nations within Europe, while the United Kingdom allows more leeway.
In the United States, the importance of freedom of information tends to outweigh the desire to protect personal data. While there are some obvious limits to this, such as the Health Insurance Portability and Accountability Act (HIPAA), Americans generally accept that they do not have a guaranteed right to cloak their personal information in privacy, whereas Europeans believe this right to be paramount.
Americans and Europeans also have diverging attitudes toward litigation. The United States is a far more litigious society, perhaps in part because discovery has a much farther reach than in Europe. In the EU, it is also more likely that losing parties will be obliged to cover not only their own discovery expenses, but the other side's costs. In turn, that persuades those in EU countries to draft narrower discovery requests, rather than launch so-called “fishing expeditions.”
Regulations across the EU
The main privacy law governing data in the EU is the Data Protection Directive, known formally as Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In essence, the directive prohibits the disclosure to a government entity of what any individual may deem to be personal, such as age, ethnicity or religion.
The directive includes two stipulations: a) the Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data; and b) the Directive on the Protection of Individuals with Regard to Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data.
Along with the Data Protection Directive, each member state of the EU has its own privacy laws. This can hamper some data from moving freely even within the EU. For example, a matter in one EU member state may include data that a legal team could prefer to process in the United Kingdom, because of that country's sophisticated market and lower expenses. However, privacy laws in the member state where the data resides may prevent this movement of information outside the state.
Since these regulations also prevent a vast amount of data from being brought to the United States, legal teams either must filter out all “personal information” from data collected from an EU nation before moving it to the United States or find other solutions.
Managing data across borders
U.S. in-house counsel have several options when managing potentially responsive data from EU countries. The right approach may be different for different matters.
Some e-discovery providers have recognized the situation and set up international data centers to process information in-country where possible. Others have adopted an EU safe harbor certification, which treats U.S. data centers like an EU embassy. However, most EU countries do not recognize these safe harbors because they are self-regulated. A final option available in instances when data sets are relatively small is to set up a mobile processing center. In this instance, data is effectively culled at the source to weed out all personal information before it can then be reviewed by counsel.
Privacy laws can vary significantly across jurisdictions, even within the same country. In order to remain in compliance wherever clients face litigation, in-house counsel needs to be prepared and plan ahead.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Inside Track: How 2 Big Financial Stories—an Antitrust Case and a Megamerger—Became Intertwined
CLOs Still Jazzed About Gen Al, Even as They Realize Successfully Implementing It Is Harder Than It Looks
2 minute read
AT&T General Counsel Joins ADM Board as Company Reels From Accounting Scandal
How Gen AI Is Changing Legal Work for In-House Counsel
Trending Stories
- 1Trump's Return to the White House: The Legal Industry Reacts
- 2Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 3Climate Disputes, International Arbitration, and State Court Limitations for Global Issues
- 4Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 5Judicial Face-Off: Navigating the Ethical and Efficient Use of AI in Legal Practice [CLE Pending]
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
