Since at least the first century AD, it has been recognised that “[n]o [one] can serve two masters.” Luke 16;13. Roughly 2,000 years on, it is a pity that many judges on either side of the Atlantic have not appreciated the dilemma conflicting laws have placed on twenty-first century lawyers and their multinational clients, who are often forced to choose between honouring a US discovery obligation or certain European data privacy laws that forbid it.
Electronic discovery is a major issue in modern litigation, but its complexities rise when discovery cuts across borders. At these crossroads, the liberal discovery rules of the US legal system meet the advent of data privacy laws, like those developed in the European Union.
This article briefly examines the intersection of US discovery and EU privacy laws. We divide our discussion into three sections: the EU framework for data privacy; how US courts have applied those laws; and best practices for counsel working to protect the rights of their clients and employees under those laws.
EU Framework for Regulating Cross-Border Discovery
When US courts must adjudicate the propriety of discovery requests directed to EU-based companies, three distinct international discovery laws confront them: First, EU member states have enacted robust data privacy laws in the wake of the EU Data Protection Directive (Directive 95/46/EC); Directive 95/46 recognises data privacy as a fundamental human right and requires EU member states to provide strong protection for individuals’ “right to privacy with respect to the processing of personal data.”
The first tension in US litigation arises with the directive’s definition of “personal data” and “processing”, which are much broader than the common US understanding of the terms. Under the directive “personal data” encompasses (but is not limited to) social security numbers or medical information, and more broadly includes “any information relating to an identified or identifiable natural person.” (Directive article 2(a)). “Processing” includes not only formatting conversions, re-duplication, filtering, and indexing as understood in the American system, but also any collection or manipulation of the data, including storage as part of a routine litigation hold “Directive Art. 2(b); see also Data Protection Working Party, Working Doc. 1/2009, Art. 29 (describing this tension)).
In substance, the directive prohibits the transfer of personal data to any non-EU state, unless that country “ensures an adequate level of protection” for the data (Directive article 25). The directive does provide an exception for “the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims” (id. Article 26(1)(d)) but local law can provide otherwise. The EU and US have developed “safe harbour” principles for the sharing of information, but their limited scope fails to facilitate discovery.
Second, the Hague Convention on the Taking of Evidence (the Convention) provides a procedure to facilitate the discovery of information sought in transnational litigation (23 UST 2555, 847 UNTS 231). Fifty-four countries have acceded to the Convention, including the US, whose signature was ratified by a unanimous vote of the Senate in 1972. These signatory states agreed that judicial authorities in the contracting states “may […] request the competent authority of another Contracting State, by means of a Letter of Request, to obtain evidence, or to perform some other judicial act” (Article 1). But the Convention is equally significant for its provision that allows countries to “declare that it will not execute letters of request issued for the purpose of obtaining pre-trial discovery of documents” (Article 23).
Third, several European countries have enacted “blocking statutes” intended to restrict the production of documents within their borders outside the procedure established by the Hague Convention. Switzerland, for example, requires the use of its local courts to facilitate the gathering of evidence within its borders for discovery in litigation abroad (Swiss Penal Code article 271, 273). France has criminal penalties for private parties that conduct discovery within its borders for litigation abroad (French Penal Law No. 80-538). Other European countries – including Germany, Spain, and Belgium – have adopted similar laws to regulate the disclosure of information in litigation abroad (see The Sedona Conference, Framework For Analysis Of Cross-border Discovery Conflicts 17–22 (2008) (discussing blocking statutes worldwide); The US Discovery – EU Privacy Directive Conflict: Constructing a Three-Tiered Compliance Strategy, 19 Duke J. Comp. & Int’l L. 357 (2009)).
Deference Afforded to these Laws by United States Courts
These discovery limits, of course, run headlong into the liberal discovery rules of the Federal Rules of Civil Procedure, and US courts have not always given them deference in that context. The decision of the US Supreme Court in Aérospatiale is the classic example of the interplay between these foreign statutes and the federal rules, and has set the tone for the application of international discovery law in US courts (Société Nationale Industrielle Aérospatiale v US Dist. Court for the S. Dist. of Iowa, 482 US 522 (1987)).
In Aérospatiale, plaintiffs brought a products liability action in an Iowa federal court against two corporations owned by France. Both sides engaged in initial discovery efforts under the federal rules of civil procedure. But when the plaintiffs served additional requests, the defendants moved for a protective order on the basis that the plaintiffs had not complied with the Hague Convention and so to respond would violate France’s blocking statute. The magistrate judge compelled production and the Eighth Circuit affirmed.
The US Supreme Court also affirmed in relevant part, holding that although the procedures of the Hague Evidence Convention apply to discovery demands made of foreign companies, they are but “one method of seeking evidence that a court may elect to employ” (Aérospatiale, 482 US at 541). The court held that the convention procedures are neither mandatory nor a required first step before resort to the procedure provided in the Federal Rules of Civil Procedure. Instead, in the court’s view, the Convention sets the “minimum standards” vis-à-vis cross-border discovery by simply defining “the common ground between” the signatory nations (Id. at 537 No. 23).
Predictably, other US courts followed suit and limited application of international discovery rules.
Some courts have even held that they may order production of documents notwithstanding that compliance with the order would likely violate another sovereign’s law (see United States v First Nat’l City Bank, 396 F.2d 897, 903 (2d Cir. 1968)). Commentators predicted that the 2008 conviction of a French lawyer under the French blocking statute could change this reality (see Sedona Conference At 21–22) but that hope has yet to materialise (see In re Global Power Equip. Group, 418 BR 833 (Bankr. D. Del. 2009); Strauss v Credit Lyonnais, SA, 249 FRD. 429, 442–43 (EDNY 2008)).
But Aérospatiale is by no means the end of the story. Aérospatiale requires US district courts to “supervise pretrial proceedings particularly closely to prevent discovery abuses,” and to monitor cross-border requests to ensure their reasonableness, using the Convention if necessary to achieve that end (Id. at 545–46).
Later, courts and commentators assessed reasonableness using six factors (see Restatement (Third) Of Foreign Relations Law, section 442(1)(c) (1989)). And the Supreme Court reinforced that US courts must “consider the demands of comity” and accord “due respect for any special problem confronted by the foreign litigant on account of its nationality or the location of its operations, and for any sovereign interest expressed by a foreign state” (Id. at 546).
Notwithstanding the view that the Hague Convention is but one option for discovery, some courts have required parties to use the procedure, especially when the applicability of foreign privacy laws was uncertain (see Ings v Ferguson, 282 F.2d 149 (2d Cir. 1960); Hudson v Hermann Pfauter GmbH & Co., 117 FRD 33 (NDNY 1987); Husa v Labs. Servier SA, 740 A.2d 1092 (NJ Super Ct 1999)). Another court, in view of the sovereign interests implicated by the French blocking statute, has required the parties to use the Convention procedures (see In re Perrier Bottled Water Litig., 138 F.R.D. 348 (D. Conn. 1991)).
US courts seem more willing to defer to foreign privacy and industry-specific secrecy laws than the blanket protections of blocking statutes (see Linde v Arab Bank, PLC, 2009 WL 1456573 (EDNY 2009); Old Ladder Litig. Co v Investcorp Bank, 2008 WL 2224292 (SDNY 2008); see also, Volkswagen, AG v Valdez, 909 S.W.2d 900 (Tex. 1995)).
This trend is especially true when the requesting party had other means to obtain the documents. International comity and respect for sovereign interests is often the overriding concern (see Old Ladder; In re Chase Manhattan Bank, 297 F.2d 611 (2nd Cir. 1962); Gerling Global Reins. Corp. of Am. v Quackenbush, 2000 WL 777978 (ED Cal 2000)).
Another common thread in these cases is the courts’ concern that documents requested in cross-border discovery be relevant to the claims and defences within the litigation. Courts have held that limited relevance in the face of EU data privacy laws trumps the need for discovery and denied motions to compel the production of performance evaluations (In re Baycol Prods. Litig., 2003 WL 22023449 (D. Minn. 2003)); personnel files of employees (Salerno v Lecia, Inc., 1999 WL 299306 (WDNY 1999)); as well as bank transaction information (Minpeco, SA v Conticommodity Svcs, Inc, 116 FRD 517 (SDNY 1987)). Courts are more apt to compel information that is essential to a plaintiff’s claim or that provides direct evidence of liability (see, Linde v Arab Bank, PLC, 463 F. Supp. 2d 310 (EDNY 2006)).
Finally, at least one court has found a middle ground. In a case in which the plaintiffs sought calendars, expense logs, and telephone records from the employees of German and Swiss companies, the court, mindful of EU data privacy concerns, ordered the defendants to produce a privacy log that described each claim in detail (In re Vitamins Antitrust Litig., 2001 WL 1049433 (DDC 2001)).
Managing Cross-Border Discovery in US Courts
US courts are willing to apply EU data privacy laws and international discovery rules, but these issues are, quite literally, foreign to most American courts, who are altogether accustomed to rote discovery procedures that apply in most cases. To invoke these protections, then, requires planning, flexibility, and persistence on the part of outside counsel:
Educate the court early and often about data privacy laws. Courts are likely to be unaware that the scope of privacy laws in the EU are much broader than in the US. Counsel should raise privacy issues with the court (and opposing counsel) early in the case and continue to bring them to the forefront throughout the litigation.
Remind the court of the domestic scope of the litigation
Parties often seek cross-border discovery as part of a kitchen sink strategy to get as much information as possible, even when the alleged harm is domestically based. Courts are often sensitive to relevance concerns in cross-border discovery. Outside counsel should reframe discovery disputes within the context of the litigation as a whole and precisely define for the court the operative claims and defences.
Emphasise comity, sovereignty, and privacy. Opposing counsel will no doubt attempt to frame any discovery dispute as just that: a discovery dispute. Outside counsel must emphasise that the dispute is really about international comity, which at least has an analog in familiar choice-of-law principles. Courts should be more inclined to limit discovery when its effect is framed in terms of individual privacy rights and territorial sovereignty.
Cross-border discovery is one of the greatest challenges today to the effective management of global litigation. US courts appreciate issues of comity and fairness but are often so tied to the liberal domestic discovery practice that they fail to fully appreciate the scope of data privacy laws worldwide, especially in the EU. Counsel must be mindful of this reality and take care to develop a strategy early – often before discovery is served – to educate the court on the nuances of these laws. Courts, by the same token, should take care to understand, appreciate, and respect EU privacy laws and the rights of foreign litigants as they intersect with the US legal system in the increasingly shrinking world of global business.