EU Data Privacy and U.S. Legal Holds: Between a Rock and a Hard Place
Differences in the scope of discovery between the U.S. and European legal systems can cause what may appear to be insoluble conflicts, but technology can help.
February 27, 2019 at 07:00 AM
As the economy has become increasingly globalized, the incidence of cross-border commercial litigation and governmental investigations has also increased. As a consequence, clashes between U.S. discovery obligations and non-U.S. data privacy considerations, particularly in the European Union in light of the recently effective General Data Protection Regulation (GDPR), have become inevitable.
Differences in the scope of discovery between the U.S. and European legal systems, and differing approaches to the protection of personal information between the U.S. and Europe, can cause what may appear to be insoluble conflicts. The use of technology, and especially auto-classification solutions, can help improve the effectiveness and efficiency of both U.S. discovery (particularly electronic discovery) and European data privacy compliance.
Data Privacy Under GDPR and in the United States
In the EU, data privacy is seen as a fundamental human right. As of May 25, 2018, that right was enshrined in the GDPR, which protects the rights of European individuals (“data subjects”) to be secure in their personal data, including information that may need to be preserved or produced for litigation in U.S. legal proceedings.
The GDPR was adopted to update and standardize the EU's 1995 framework data privacy directive, which had left implementation and enforcement standards up to individual countries, resulting in a patchwork of often conflicting requirements. The GDPR applies to all organizations, wherever located, that collect, store, or process personal data of EU citizens and residents, or otherwise have operations or sales in the EU (and Switzerland). Under the GDPR, there must now be a more intentional process and framework around managing and safeguarding personal information.
Because data subjects have the right to know what personal information an organization has about them and how it is being used, the right to obtain a copy of that information, and under most circumstances the right to have it deleted (the so-called “right to be forgotten”), organizations need to know what personal data they have, where it's located, how it's protected, and how it can be deleted. In addition, many European countries have data deletion requirements that require certain information, such as that associated with terminated employees, for example, to be destroyed after a fixed period of time. Such information could include emails to, from, or relating to that employee. Penalties for violating the GDPR can be significant—up to the greater of €20 million or four times annual worldwide revenue.
In contrast, while there are some industry-based and sectoral protections in the U.S., such as for financial service/credit and health care data, there is no comprehensive federal data privacy law. At the state level, the California Consumer Privacy Act of 2018, which has been referred to as a “mini-GDPR,” takes effect January 1, 2020, and other state and local jurisdictions are considering similar measures.
Conflicts Between U.S. Discovery and European Data Privacy Requirements
Consider several scenarios that may arise:
- Data from someone who has requested to be forgotten under the GDPR is relevant to a U.S. discovery request and needs to be put on hold.
- A file's normal retention period has expired, and European regulations require that it be deleted, but it is under an ongoing legal hold.
- A file is responsive to a discovery request, but it contains sensitive personal information under the GDPR.
Historically, U.S. courts have largely taken the view that U.S. laws and the U.S. interest in administering justice in U.S. cases and controversies, particularly with regard to preserving and accessing potentially relevant European evidence, override any contrary European data privacy considerations. Even when such considerations were raised, the relatively small number of European enforcement actions and the relatively small fines imposed for data privacy violations, compared to the threat of losing a case in a U.S. court, tended to make data privacy compliance a secondary priority. However, the greater penalties enacted under the GDPR, and early indications that European enforcement will be increasingly stringent, are appropriately causing many organizations to take the GDPR requirements more seriously.
What Can We Do?
How can organizations comply with their U.S. discovery preservation and production obligations, in light of mandatory data deletion requirements under the GDPR? Ideally, in order to comply with discovery obligations, organizations would know what data they have, where it's located, and how to preserve it. This requires having a documented litigation readiness or discovery response plan that can be activated when needed, as well as a current data map of types of data, storage locations, and data owners and managers throughout the organization. And when it comes to GDPR compliance, the same requirements apply. Organizations should have a data map showing the locations and custodians of personal data, the authorized limitations on its use and a protocol for producing it in response to subject access requests and deleting it in response to requests to be forgotten.
One way to approach the data mapping issue, particularly for organizations with large quantities of unstructured data such as email and file shares, is through the use of technological tools such as auto-classification software. Many organizations are taking advantage of such software as part of a well-crafted Information Governance program in order to be proactive in complying with both data preservation and GDPR requirements. Such software can help with the data minimization and management requirements of the GDPR while also facilitating the identification of relevant information for preservation in compliance with U.S. discovery obligations.
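As an added illustration (not code from the article or from any vendor product), the following Python sketch shows how a data-map record carrying auto-classification labels can drive a disposition decision that honors the three scenarios above: a legal hold takes precedence over a pending erasure request and over retention-based deletion, and a responsive file tagged as containing sensitive personal data is routed for review rather than produced automatically. Field names, tags and the sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Record:
    """One entry in the organization's data map (hypothetical schema)."""
    path: str
    owner: str                 # data custodian named in the data map
    location: str              # hosting region, e.g. "EU" or "US"
    retention_until: date      # end of the normal retention period
    tags: set = field(default_factory=set)  # labels from auto-classification
    on_legal_hold: bool = False
    erasure_requested: bool = False        # GDPR right-to-be-forgotten request
    responsive: bool = False               # matches a U.S. discovery request

# Classification labels treated as sensitive personal data (assumed taxonomy).
SENSITIVE_TAGS = {"personal_data", "health", "special_category"}

def disposition(rec: Record, today: date) -> tuple:
    """Return (action, reasons). A legal hold suspends every deletion trigger;
    conflicts are recorded so privacy counsel can be informed early."""
    reasons = []
    if rec.on_legal_hold:
        action = "preserve"
        if rec.erasure_requested:
            reasons.append("erasure request deferred by legal hold")
        if today > rec.retention_until:
            reasons.append("retention-based deletion suspended by legal hold")
        if rec.responsive and rec.tags & SENSITIVE_TAGS:
            action = "review"   # do not produce without a privacy review
            reasons.append("responsive but contains sensitive personal data")
        return action, reasons
    if rec.erasure_requested:
        return "delete", ["erasure request, no hold in place"]
    if today > rec.retention_until:
        return "delete", ["retention period expired, no hold in place"]
    return "retain", []

TODAY = date(2019, 2, 27)
SAMPLE = [  # constructed records mirroring the article's three scenarios
    Record("eu-share/hr/j.doe/mail.pst", "hr-eu", "EU", date(2020, 1, 1),
           {"personal_data"}, on_legal_hold=True, erasure_requested=True),
    Record("eu-share/finance/q3-2016.xlsx", "fin-eu", "EU", date(2018, 12, 31),
           set(), on_legal_hold=True),
    Record("eu-share/hr/medical/leave.pdf", "hr-eu", "EU", date(2021, 6, 30),
           {"health"}, on_legal_hold=True, responsive=True),
    Record("us-share/sales/old-deck.pptx", "sales-us", "US", date(2018, 1, 1)),
]

def run(records=SAMPLE, today=TODAY) -> dict:
    return {r.path: disposition(r, today) for r in records}
```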
Storing data “in the cloud” has sometimes led to confusion, with some thinking that just because it's in the cloud, it's beyond the jurisdiction of European privacy law or U.S. discovery. But since all cloud data is actually hosted on servers in a physical facility, identifiable by country, if those servers are in the EU the GDPR will apply. And since the standard for U.S. discovery is whether relevant information is under the “possession, custody or control” (FRCP 26(a)) of the party from whom it is being sought, cloud-based data is also subject to discovery, including any applicable preservation obligations.
Organizations are overcoming these obstacles and mitigating risk by focusing on information governance as a coordinated team effort. Historically, the litigation and data privacy/compliance functions worked in separate silos. Now they have a shared goal in identifying, understanding and managing enterprise information. While it might have been hard to justify purchasing software and equipment simply to analyze content, increasingly there are common budgets in place to take on these important tasks for the good of the organization as a whole.
In any case, when confronted with the need for European data in a U.S. legal proceeding, litigators need to be sensitive to GDPR considerations, and particularly to be aware that putting a legal hold in place outside the U.S. may incur regulatory risk. Bringing such concerns to the attention of the court and opposing parties as early as possible, trying to find work-arounds, and attempting to secure informed consent from the data owner(s) where feasible are best practices.
In addition, there is a derogation under GDPR Article 49 that allows for the transfer of personal data outside of the EU or other approved areas when necessary for the “establishment, exercise or defense of legal claims”. It's very clear from the guidance that this is not an “end run” around data protection, and organizations still have to abide by the earlier principles that are outlined—data minimization, transparency, and data protection measures. It is not yet clear whether this provision may be applicable to the defense of claims that are being litigated outside of the EU, or whether it will apply to data preservation as well as cross-border transfers, questions that have not yet been tested and which will need to await further guidance.
In the meantime, as the workforce and commercial activity continue to globalize, it's crucial to be aware of data privacy issues early, and to implement effective data storage, processing, and management practices as part of an integrated information governance program.
Samantha Green, Esq. serves as the Manager of Thought Leadership for Epiq, in which capacity she serves as a subject matter expert on all aspects of electronic discovery and data privacy law, drawing on her more than fifteen years of litigation and consulting experience.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.