A recent article by my Kroll Ontrack colleagues from across the pond, Lawrence Ryz and Tracey Stretton, details the new EU Data Protection Regulation, which aims to solidify and unify the European Union’s data protection laws. As the Regulation takes effect, American companies with operations or customers in the EU will soon find themselves having to comply with a new set of laws.
U.S. Discovery and EU Privacy Collide
In US litigation, the fundamental principle of broad discovery conflicts with the wide-ranging privacy framework of the European Union. US civil litigation under the Federal Rules of Civil Procedure (FRCP) is premised on the idea that expansive pre-trial discovery cuts to the heart of a dispute because it allows judges to focus on the legal issues with a well-developed record. European law is founded on the idea that citizens have a broad right to privacy, with little government intervention. The strengthened Regulation prohibits the transfer of any personal data processed in the European Union to a country whose privacy laws the EU has determined to be inadequate, such as the United States, which poses a significant conflict with US discovery obligations.
EU Gains Sword to go with its Shield
The extraterritoriality of the new Regulation is particularly worrisome for discovery in the United States. While the European Union has strengthened its shield against data collectors with the Regulation, it has also equipped itself with a shiny new sword. When the fundamental principles of American discovery and European privacy collide in a US court, judges must choose between adhering to the traditional discovery rules of the FRCP and respecting an EU litigant’s legitimate right to privacy. Furthermore, with the addition of pending changes to the EU-US Privacy Shield agreement (a replacement for the Safe Harbor data transfer agreement, which was invalidated by the European Court of Justice last October), the landscape of international data privacy and data transfer laws grows more complex by the day.
Impact on Ediscovery Providers
The current Directive only applies to data controllers, but the Regulation introduces a number of detailed obligations and restrictions on data processors and is therefore likely to have a significant impact on ediscovery providers and those that engage them. In the future, penalties can be imposed on data processors that do not comply with their new responsibilities and, if they act outside of the instructions received from data controllers, they could be held to be joint controllers subject to higher standards of accountability. The new obligations include the following:
- Maintain documentation about the processing operations under their responsibility
- Implement appropriate security measures
- Carry out data protection impact assessments
- Obtain prior authorization or undertake prior consultation
- Comply with the international data transfer requirements
- Cooperate with a supervisory authority
For more on the new EU Data Protection Regulation and its impact, be sure to read the full article, EU Data Protection Gains a Sword to go with its Shield.