by John Lapraik
on November 03, 2015
Legal & Industry Education
At this year’s Relativity Fest, in the session “Collecting and Reviewing European Documents in U.S. Litigation,” I discussed how and why the European Data Protection Directive (the Directive) protects “personal” data in the European Union member states plus Iceland, Norway, and Lichtenstein—together known as the European Economic Area (EEA).
The Directive is, in effect, an instruction to each country to pass its own law—each country implements the terms of the Directive independently (and can, if it wishes, choose to include additional, more stringent, provisions).
Not least because of the troubled history of many European countries over the last 80 years—often involving widespread spying on peoples and the maintenance of databases recording their daily activities—the need to control what is collected and done with personal data is taken extremely seriously.
“Personal data” is defined as any information that can be related to a living person—so even a name and address on a letter is personal data.
A breach of the law can result in significant sanctions.
As a gross over-simplification, it is relatively easy to transfer personal data between EEA countries (and indeed to any other countries that have been adjudged to have adequate data protection controls).
In contrast, there are significant restrictions on transferring personal data to other countries (such as the United States) where no adequate protection has been found to exist.
If one of the specified grounds permitting the transfer of personal data has not been established, there can be no lawful access from such countries—even if the information is required for, say, U.S. litigation.
Generally there is a lot of emphasis in the EU Directive on the importance of obtaining the consent of the data subject to the processing of their data, but it is important to note that obtaining consent from employees is often impossible because consent will not have been “freely” given due to the perceived risk of coercion by the employer.
With these differences in mind, there are several actions you should take to work with European data. A preliminary step is to seek advice from a local expert. Someone who regularly works in the area will know the applicable national and regional laws and will be able to advise as to what approach is likely to be adopted in interpreting and enforcing the law.
It is important to be alive to the fact that the concept of discovery simply doesn’t exist in the majority of EEA countries.
Sending a typical “legal hold” notice in Europe often won’t achieve the desired goal—you need to have a conversation with each individual to explain the purpose and process of a legal hold.
Equally, the attitude to collecting data differs—data on a custodian’s computer is perceived as in some ways being “private” to that individual rather than simply belonging to the employer.
It’s helpful to narrow down your search and request only the documents that might be relevant to your case—you’ll need to justify the necessity of transferring the data.
The goal should be to:
Generally it will be appropriate and necessary to process the data and carry out an initial relevance review locally due to the need to:
If you’re collecting from multiple EEA countries, it is often desirable to consolidate the data in one country so as to have one set of rules to comply with when transferring the data out of the EEA to the U.S.
A final word of advice is to ensure U.S. parties and their lawyers fully understand the restrictions on data transfers outside of the EEA. It is critical to manage the judge’s expectations and show that you have a plan to identify and produce the material that is relevant to the case while respecting the EEA data protection laws.
John Lapraik is a solicitor and e-discovery consultant at Millnet, an Advanced Discovery Company where he consults and provides advice on e-discovery and the manipulation and searching of electronic data. His unique skill-set, combining legal and IT expertise, enables John to provide sound commercial legal advice and consultancy around the application of IT to lawyers’ working practices.
Before You Take e-Discovery Across Borders, Have You Considered This?
How Lawyers Are Training and Testing on e-Disclosure in Changing Times
Cross-border Employees and Their International Data
Now in Relativity Analytics: 3 Customer-Driven Enhancements
4 Ways to Move e-Discovery Data That You May Not Know About