Will the GDPR Kibosh EU-US Discovery?
November 7, 2017
Agenda
Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them
How GDPR Article 48 may make US-EU eDiscovery much more difficult
“So, what do I do now?” Practical advice for dealing with the uncertainty
Presenters
Ken Rashbaum Partner | Barton LLP
Michael Simon Attorney and Consultant | Seventh Samurai
1. How GDPR Article 48 may make US-EU eDiscovery much more difficult
Preface: International Legal Relations 101
• Discovery comes from Common Law (UK) system
• Even then “Discovery in the federal court system is far broader than in most (maybe all) foreign countries” Heraeus v. Biomet, 633 F.3d 591 (7th Cir. 2011)
• EU = typically no discovery or only through specific requests to judge
• Also the whole rest of the World too . . . we just don’t have time today
Preface: International Data Protection 101
• EU: current = EC 95/46 Data Protection Directive
• EU soon = General Data Protection Regulation (May 25, 2018)
• Many others (Russia, China, Qatar and Japan, more) - recently enacted or strengthened their rules
• But again, we just have time for EU
Preface: GDPR 101
• A uniform regulation (unlike DPD)
• Jaw-droppingly huge potential fines
• Broad definitions of “Personal data”
• New data subject rights, including right to be forgotten
• Data breach notification rules
• Expansion of responsibility for processing - important for eDiscovery vendors who are often just Processors
GDPR Article 48
Transfers or disclosures not authorised by Union law
“Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Unknown: Is the Privacy Shield a qualifying “International Agreement?”
Recital 115 (non-binding, but still important)
Rules in third countries contrary to the Regulation
Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
Discovery = Breach of GDPR?
Blocking statutes
“No aspect of the extension of the American legal system beyond the territorial frontier of the United States has given rise to so much friction as the requests for documents in investigation and litigation in the United States.” RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW OF THE UNITED STATES § 442, Reporters’ Notes ¶ 1 (1987).
More than 15 blocking statutes
France
Germany
Even the UK (and they created the common law system!)
Article 29 Working Party “Working Document 1/2009 on pre-trial discovery for cross border civil litigation”
Art. 29 WP = EU advisory body (name to be changed with GDPR)
Legal Holds = Processing:
“Although in the US the storage of personal data for litigation hold is not considered to be processing, under Directive 95/46 any retention, preservation, or archiving of data for such purposes would amount to processing.”
Legal Holds = potential violations of EU Data Protection laws
“Controllers in the European Union have no legal ground to store personal data at random for an unlimited period of time because of the possibility of litigation in the United States . . ..”
Just a paper tiger?
For decades, no fines or harm done under blocking statutes
In Re: Advocate Christopher X, French Supreme Court, 2008
• Complied with US court deposition request in Strauss v. Credit Lyonnais, S.A., 2000 U.S. Dist. Lexis 38378 (E.D.N.Y. May 25, 2007).
• French attorney fined €10,000 for violating blocking statute
2. Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them
Societe Nationale Industrielle Aerospatiale v. US Dist Ct. SD IA, 482 US 522 (1987)
“The World’s safest and most economical STOL plane” . . . crashed in Iowa
Injured US fliers sought discovery from French manufacturers
Respondents move to block, claim Hague Convention is exclusive means
US Supreme Court on blocking statutes:
“do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”
On Hague convention: “not a pre-emptive replacement” or “first resort” but an optional procedure used when appropriate
5 factor comity test
Restatement (Third) of Foreign Relations Law § 442(c) (1987)
1. The importance to the … litigation of the documents or other information requested;
2. The degree of the specificity of the request;
3. Whether the information originated in the United States;
4. The availability of alternative means of securing the information; and
5. The extent to which noncompliance with the request would undermine interests of the United States, or compliance with the request would undermine interests of the state where the information is located.
“ . . . comity became a frivolous argument . . .”
“For three decades . . . U.S. courts applied a balancing test to weigh the interests of foreign countries against U.S. interests, and ruled almost unanimously in favor of U.S. interests . . .” Diego Zambrano, A Comity of Errors: The Rise, Fall, and Return of International Comity in Transnational Discovery, 34 Berkeley J. Int’l Law. 157 (2016).
US v. Microsoft likely to make this worse
• Stored Communications Act warrant (18 U.S.C. § 2703)
• Microsoft produced emails on US Cloud storage, but not in Ireland
• Drew massive anger from EU – especially Ireland
• Second Circuit vacated contempt order
• US DoJ got Supreme Court to accept Cert.
3. “So, what do I do now?” Practical advice for dealing with the uncertainty
Options
A. Privacy Shield
B. MLAT
C. Binding Corporate Rules
D. Standard Contract Clauses
E. Hague Convention
F. Letters Rogatory
G. Party agreement
A. Privacy Shield
• Agreement between EU and certain US agencies
• Available to companies under FTC and Department of Transportation jurisdiction (Not Telecoms or FinServ/banks)
• Replaces prior Safe Harbor – invalidated by Court of Justice of the European Union (CJEU) on suit by privacy activist Max Schrems
Cracked Shield?
• EU Privacy activists have filed lawsuits - CJEU takes up Schrems’ new case from Irish High Court (with Irish DPA support)
• Annual review found many problems, but “adequate” so far
• WP29 will soon issue opinion – have historically had negative view
7 Key principles (inherited from Safe Harbor)
1. Notice
2. Choice
3. Onward transfer
4. Security
5. Data integrity
6. Access
7. Enforcement
3. ACCOUNTABILITY FOR ONWARD TRANSFER
“To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
eDiscovery violates this provision
eDiscovery really violates this provision
So far, nobody has gotten burned . . .
Yet
Use at your own peril?
B. MLAT
• For requesting and obtaining evidence for criminal investigations and prosecutions
• Can be through Letters Rogatory or central authority – depending upon the specific treaty
• Need local expert help on this
US MLATS (EU member states in red)
Antigua and Barb., Argentina, Australia, Austria, Bahamas, Barbados, Belize, Bermuda, Brazil, Bulgaria, Canada, China, Cyprus, Czech Rep., Denmark, Dominica, Egypt, Estonia, France, Germany, Greece, Grenada, Hong Kong, Hungary, India, Ireland, Israel, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malaysia, Philippines, Poland, Romania, Russia, Saint Lucia, South Africa, St. Kitts and Nevis, St. Vin. and Gren., Sweden, Switzerland, Trinidad and Tobago, Ukraine, United Kingdom, Venezuela
C. Binding Corporate Rules
Articles 46(2)(b) and 47
How do you get the other side to sign?
(even assuming that they are a corporation)
D. Standard Contract Clauses
Articles 46(2)(c) and 93(2)
• How do you get the other side to sign?
• Use as evidence creates an Onward Transfer problem
• Schrems is attacking these as well – CJEU also taken up this issue through Irish High Court
E. Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters
• Goal of many signers was to limit scope of US discovery abroad
• Actively sponsored and signed by the US in 1972
• Most, but not all of the EU has signed
• Full list here
Big problem = Art. 23 reservations
“a contracting state may at the time of signature, ratification or accession declare that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents.”
France, Germany, Spain, UK and the Netherlands plus others in EU all use this to block US discovery
Check the official list
Essentially a way of asking politely*
• It’s complicated: see ABA/NYSBA guidelines and forms here
• Draft Letter of Request (a/k/a “Letters Rogatory”**)
• Send to Central Authorities (there is a list, can use a service)
• Central Authorities send to local authorities
• Local authorities are supposed to compel custodian to comply
• Estimated to take 2-4 months (yes, really)
* So, why hasn’t Canada signed up?
** Yes, this is confusing: Letters Rogatory predate the Convention and are usable with non-signers
To get good results
• Likely need to help the judge
• Make it easy to comply
• Not be a stereotypical loud-mouth, pushy American
• Be reasonable
• Be specific – narrow the request as much as possible
• Get help if you need it – especially local help!
But best to start with agreement, and if not agreement get a court order
F. Letters Rogatory
For countries that didn’t sign the Hague Convention
And for those with HC Art. 23 reservations
Again – is asking nicely
Many hoops to jump through – same advice (do it right, get help, be nice, be specific!)
No compulsory aspect
Which means that you need to expect it to take 6-12 months (yes, really!)
G. Party Agreement
• Work it out between the parties
• Get a court order if possible
• Be creative
Questions and Answers
Ken Rashbaum | 212-885-8836 | BartonEsq.com
Michael Simon | 508-429-0923 | Twitter: @roninmike