Uploaded byLogikcull
632 views

Will the GDPR Kibosh EU-US Discovery?

If you're a legal or security professional, the looming General Data Protection Regulation, or GDPR, is likely causing your blood pressure to rise. Expected to impose strict limitations on organizations that do business in the European Union, or otherwise collect the data of European citizens, the regulation is said to raise the stakes for privacy compliance as well as for transcontinental discovery. Organizations that don't meet its standards by May 2018 will be the subject of potentially business-rattling sanctions. That's the expectation, anyway. Then again, no privacy law has yet to stifle cross-border discovery, despite best efforts. Join our panel of experts as they dive into these hot-button topics.

Law
Related topics:
European Union

Embed presentation

Download to read offline
Will the GDPR Kibosh EU-US Discovery? November 7, 2017
Agenda Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them How GDPR Article 48 may make US-EU eDiscovery much more difficult “So, what do I do now?” Practical advice for dealing with the uncertainty
Presenters Ken Rashbaum Partner | Barton LLP Michael Simon Attorney and Consultant | Seventh Samurai
1. How GDPR Article 48 may make US-EU eDiscovery much more difficult
Preface: International Legal Relations 101 • Discovery comes from Common Law (UK) system • Even then “Discovery in the federal court system is far broader than in most (maybe all) foreign countries” Heraeus v. Biomet, 633 F.3d 591 (7th Cir. 2011) • EU = typically no discovery or only through specific requests to judge • Also the whole rest of the World too . . . we just don’t have time today Image courtesy of California Globetrotter blog
Preface: International Data Protection 101 • EU: current = EC 95/46 Data Protection Directive • EU soon = General Data Protection Regulation (May 25, 2018) • Many others (Russia, China, Qatar and Japan, more) - recently enacted or strengthened their rules • But again, we just have time for EU
Preface: GDPR 101 • A uniform regulation (unlike DPD) • Jaw-droppingly huge potential fines • Broad definitions of “Personal data” • New data subject rights, including right to be forgotten • Data breach notification rules • Expansion of responsibility for processing - important for eDiscovery vendors who are often just Processors
GDPR Article 48 Transfers or disclosures not authorised by Union law “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Unknown: Is the Privacy Shield a qualifying “International Agreement?” Transfers or disclosures not authorised by Union law “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Recital 115 (non-binding, but still important) Rules in third countries contrary to the Regulation Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
Discovery = Breach of GDPR? Rules in third countries contrary to the Regulation Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
“No aspect of the extension of the American legal system beyond the territorial frontier of the United States has given rise to so much friction as the requests for documents in investigation and litigation in the United States.” RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW OF THE UNITED STATES § 442, Reporters’ Notes ¶ 1 (1987). Blocking statutes Image courtesy of the ABA Journal of the Section of More than 15 blocking statutes France Germany Even the UK (and they created the common law system!)
Article 29 Working Party “Working Document 1/2009 on pre-trial discovery for cross border civil litigation” Art. 29 WP = EU advisory body (name to be changed with GDPR) Legal Holds = Processing: “Although in the US the storage of personal data for litigation hold is not considered to be processing, under Directive 95/46 any retention, preservation, or archiving of data for such purposes would amount to processing.”
Article 29 Working Party “Working Document 1/2009 on pre-trial discovery for cross border civil litigation” Legal Holds = potential violations of EU Data Protection laws “Controllers in the European Union have no legal ground to store personal data at random for an unlimited period of time because of the possibility of litigation in the United States . . ..”
Just a paper tiger? For decades, no fines or harm done under blocking statutes
In Re: Advocate Christopher X, French Supreme Court, 2008 • Complied with US court deposition request in Strauss v. Credit Lyonnais, S.A., 2000 U.S. Dist. Lexis 38378 (E.D.N.Y. May 25, 2007). • French attorney fined €10,000 for violating blocking statute 16
2. Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them
Societe Nationale Industrielle Aerospatiale v. US Dist Ct. SD IA, 482 US 522 (1987) “The World’s safest and most economical STOL plane” . . . . . . . crashed in Iowa Injured US fliers sought discovery from French manufacturers
Respondents move to block, claim Hague Convention is exclusive means US Supreme Court on blocking statutes: “do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” On Hague convention: “not a pre-emptive replacement” or “first resort” but an optional procedure used when appropriate 19
5 factor comity test Restatement (Third) of Foreign Relations Law § 442(c) (1987) 1. The importance to the … litigation of the documents or other information requested; 2. The degree of the specificity of the request; 3. Whether the information originated in the United States; 4. The availability of alternative means of securing the information; and 5. The extent to which noncompliance with the request would undermine interests of the United States, or compliance with the request would undermine interests of the state where the information is located.
“ . . . comity became a frivolous argument . . .” “For three decades . . . U.S. courts applied a balancing test to weigh the interests of foreign countries against U.S. interests, and ruled almost unanimously in favor of U.S. interests . . .” Diego Zambrano, A Comity of Errors: The Rise, Fall, and Return of International Comity in Transnational Discovery, 34 Berkeley J. Int’l Law. 157 (2016).
US v. Microsoft likely to make this worse Stored Communications Act warrant (18 U.S.C. § 2703) Microsoft produced emails on US Cloud storage, but not in Ireland Drew massive anger from EU – especially Ireland Second Circuit vacated contempt order US DoJ got Supreme Court to accept Cert.
3. “So, what do I do now?” Practical advice for dealing with the uncertainty
Options A. Privacy Shield B. MLAT C. Binding Corporate Rules D. Standard Contract Clauses E. Hague Convention F. Letters Rogatory G. Party agreement
Agreement between EU and certain US agencies Available to companies under FTC and Department of Transportation jurisdiction (Not Telecoms or FinServ/banks) Replaces prior Safe Harbor – invalidated by Court of Justice of the European Union (CJEU) on suit by privacy activist Max Schrems A. Privacy Shield
EU Privacy activists have filed lawsuits - CJEU takes up Schrems’ new case from Irish High Court (with Irish DPA support) Annual review found many problems, but “adequate” so far WP29 will soon issue opinion – have historically had negative view Cracked Shield?
1. Notice 2. Choice 3. Onward transfer 4. Security data 5. Integrity 6. Access  7. Enforcement  7 Key principles (inherited from Safe Harbor)
1. Notice 2. Choice 3. Onward transfer 4. Security data 5. Integrity 6. Access  7. Enforcement  7 Key principles (inherited from Safe Harbor)
3. ACCOUNTABILITY FOR ONWARD TRANSFER “To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.   Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
eDiscovery violates this provision “To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.   Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
eDiscovery really violates this provision “To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.   Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
So far, nobody has gotten burned . . . Yet Use at your own peril?
B. MLAT For requesting and obtaining evidence for criminal investigations and prosecutions Can be through Letters Rogatory or central authority – depending upon the specific treaty Need local expert help on this
US MLATS (EU member states in red) Antigua and Barb. Argentina Australia Austria Bahamas Barbados Belize Bermuda Brazil Bulgaria Canada China Cyprus Czech Rep. Denmark Dominica Egypt Estonia France Germany Greece Grenada Hong Kong Hungary India Ireland Israel Japan Latvia Liechtenstein Lithuania Luxembourg Malaysia Philippines Poland Romania Russia Saint Lucia South Africa St. Kitts and Nevis St. Vin. and Gren. Sweden Switzerland Trinidad and Tobago Ukraine United Kingdom Venezuela
C. Binding Corporate Rules
 Articles 46(2)(b) and 47 How do you get the other side to sign? (even assuming that they are a corporation)
D. Standard Contract Clauses
 Articles 46(2)(c) and 93(2) How do you get the other side to sign? Use as evidence creates an Onward Transfer problem Schrems is attacking these as well – CJEU also taken up this issue through Irish High Court
E. Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters Goal of many signers was to limit scope of US discovery abroad Actively sponsored and signed by the US in 1972 Most, but not all of the EU has signed Full list here
Big problem = Art. 23 reservations “a contracting state may at the time of signature, ratification or accession declare that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents.” France, Germany, Spain, UK and the Netherlands plus others in EU all use this to block US discovery Check the official list 38
Essentially a way of asking politely* 39 It’s complicated: see ABA/NYSBA guidelines and forms here Draft Letter of Request (a/k/a “Letters Rogatory”**) Send to Central Authorities (there is a list, can use a service) Central Authorities send to local authorities Local authorities are supposed to compel custodian to comply Estimated to take 2-4 months (yes, really) * So, why hasn’t Canada signed up? ** Yes, this is confusing: Letters Rogatory predate the Convention and are usable with non- signers
40 To get good results Likely need to help the judge Make it easy to comply Not be a stereotypical loud-mouth, pushy American Be reasonable Be specific – narrow the request as much as possible Get help if you need it – especially local help! But best to start with agreement, and if not agreement get a court order
F. Letters Rogatory For countries that didn’t sign the Hague Convention And for those with HC Art. 23 reservations Again – is asking nicely Many hoops to jump through – same advice (do it right, get help, be nice, be specific!) No compulsory aspect Which, means that you need to expect it to take 6-12 months (yes, really!)
Work it out between the parties Get a court order if possible Be creative 42 G. Party Agreement
Questions and Answers Questions can be submitted using the “Questions” box in your GoToWebinar control panel ?
Ken Rashbaum krashbaum@barton.com 212-885-8836 BartonEsq.com Michael Simon michael.simon@seventhsamurai.com 508-429-0923 Twitter: @roninmike
More Resources: See a demo of Logikcull, the powerfully simple, highly secure eDiscovery and data management software. For technology and eDiscovery news and tips, interviews with judges and practitioners, and more, sign up for Logikcull’s blog, Closing the Loop. Text of the GDPR (English) Barton GDPR Compliance Group site

More Related Content

PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
PDF
Navigating the High-Stakes World of eDiscovery Billing
byLogikcull
 
PPTX
2018: Emerging Trends in eDiscovery
byLogikcull
 
PDF
Slack, Social Media and Self-Deleting Texts: Developments in Employment Law
byLogikcull
 
PDF
Webinar: Bitcoin, Blockchain, and the Law
byLogikcull
 
PDF
Social Media and the Law
byLogikcull
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
Navigating the High-Stakes World of eDiscovery Billing
byLogikcull
 
2018: Emerging Trends in eDiscovery
byLogikcull
 
Slack, Social Media and Self-Deleting Texts: Developments in Employment Law
byLogikcull
 
Webinar: Bitcoin, Blockchain, and the Law
byLogikcull
 
Social Media and the Law
byLogikcull
 

Recently uploaded

PPT
Decision Making - it's theory&approaches
byShanta Bhandari
 
PDF
A Brief Introduction About Suneet Sandhu Atlanta GA
bySuneet Sandhu Atlanta GA
 
PDF
Meetings between Go X and Federal Agencies
byrusomafioso1
 
PDF
30988_2019_3_29_58213_Order_03-Jan-2025.pdf
bysabranghindi
 
PDF
Paper on- Children in conflict with laws and its Causative factor
byShanta Bhandari
 
PPTX
Buying_Under_Construction_Property_Legal_Risks.pptx
byRaj Kumar
 
PPTX
Graft and Corrupt Practices Seminar.pptx
byMichaelCleofasAsuten
 
PDF
The U.S. DOJ Investigation On Guardianships In Missouri.pdf
byChristopher Cross, M.A., C.M.A., D.S.P. (ret.)
 
PDF
30988_2019_2_20_64213_Order_15-Sep-2025.pdf
bysabranghindi
 
PDF
FY2027 H1B Cap Filing Secrets: Why You Should Plan Now?
byVisaPro Immigration Services LLC
 
PPTX
Advancement in Legal Translation presentation.pptx
bygourivb
 
PDF
260119-ED-251024-Attacks-on-dalits-Links-1.pdf
bysabranghindi
 
PDF
BJS Excellence: The FIR Protocols-by Judge Nazmul Hasan.pdf
by Judge Nazmul Hasan.
 
PPTX
2025 RACCS, RA 6713 and Liabilities.pptx
byMichaelCleofasAsuten
 
PPTX
Crime and Its elements and Stages of Crime.pptx
bykrishpurohith
 
PDF
FY2027 H-1B Cap Filing Mistakes: How To Avoid Them?
byVisaPro Immigration Services LLC
 
PDF
FY2027 H-1B Visa Predictions: What Are Your Chances of Being Selected?
byVisaPro Immigration Services LLC
 
PPTX
INTRODUCTION FORENSIC SCIENCE - UNIT 01 .pptx
bysilpam338
 
PDF
Free FY2027 H1 Visa Timeline Template - Download Now
byVisaPro Immigration Services LLC
 
PPTX
BJS Preparation Series- Understanding FIR.pptx
by Judge Nazmul Hasan.
 
Decision Making - it's theory&approaches
byShanta Bhandari
 
A Brief Introduction About Suneet Sandhu Atlanta GA
bySuneet Sandhu Atlanta GA
 
Meetings between Go X and Federal Agencies
byrusomafioso1
 
30988_2019_3_29_58213_Order_03-Jan-2025.pdf
bysabranghindi
 
Paper on- Children in conflict with laws and its Causative factor
byShanta Bhandari
 
Buying_Under_Construction_Property_Legal_Risks.pptx
byRaj Kumar
 
Graft and Corrupt Practices Seminar.pptx
byMichaelCleofasAsuten
 
The U.S. DOJ Investigation On Guardianships In Missouri.pdf
byChristopher Cross, M.A., C.M.A., D.S.P. (ret.)
 
30988_2019_2_20_64213_Order_15-Sep-2025.pdf
bysabranghindi
 
FY2027 H1B Cap Filing Secrets: Why You Should Plan Now?
byVisaPro Immigration Services LLC
 
Advancement in Legal Translation presentation.pptx
bygourivb
 
260119-ED-251024-Attacks-on-dalits-Links-1.pdf
bysabranghindi
 
BJS Excellence: The FIR Protocols-by Judge Nazmul Hasan.pdf
by Judge Nazmul Hasan.
 
2025 RACCS, RA 6713 and Liabilities.pptx
byMichaelCleofasAsuten
 
Crime and Its elements and Stages of Crime.pptx
bykrishpurohith
 
FY2027 H-1B Cap Filing Mistakes: How To Avoid Them?
byVisaPro Immigration Services LLC
 
FY2027 H-1B Visa Predictions: What Are Your Chances of Being Selected?
byVisaPro Immigration Services LLC
 
INTRODUCTION FORENSIC SCIENCE - UNIT 01 .pptx
bysilpam338
 
Free FY2027 H1 Visa Timeline Template - Download Now
byVisaPro Immigration Services LLC
 
BJS Preparation Series- Understanding FIR.pptx
by Judge Nazmul Hasan.
 

Featured

PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
PDF
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
PDF
Everything You Need To Know About ChatGPT
byExpeed Software
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
PDF
Skeleton Culture Code
bySkeleton Technologies
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
PDF
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
PPTX
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
PDF
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
PDF
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
PDF
Getting into the tech field. what next
byTessa Mero
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
PDF
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
PDF
Introduction to Data Science
byChristy Abraham Joy
 
PDF
Time Management & Productivity - Best Practices
byVit Horky
 
PDF
The six step guide to practical project management
byMindGenius
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
Everything You Need To Know About ChatGPT
byExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
Skeleton Culture Code
bySkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
Getting into the tech field. what next
byTessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
byChristy Abraham Joy
 
Time Management & Productivity - Best Practices
byVit Horky
 
The six step guide to practical project management
byMindGenius
 

Will the GDPR Kibosh EU-US Discovery?

  • 1.
    Will the GDPRKibosh EU-US Discovery? November 7, 2017
  • 2.
    Agenda Background: Societe Nationaleand our history of giving deference to foreign legal interests, and then ignoring them How GDPR Article 48 may make US-EU eDiscovery much more difficult “So, what do I do now?” Practical advice for dealing with the uncertainty
  • 3.
    Presenters Ken Rashbaum Partner |Barton LLP Michael Simon Attorney and Consultant | Seventh Samurai
  • 4.
    1. How GDPRArticle 48 may make US-EU eDiscovery much more difficult
  • 5.
    Preface: International LegalRelations 101 • Discovery comes from Common Law (UK) system • Even then “Discovery in the federal court system is far broader than in most (maybe all) foreign countries” Heraeus v. Biomet, 633 F.3d 591 (7th Cir. 2011) • EU = typically no discovery or only through specific requests to judge • Also the whole rest of the World too . . . we just don’t have time today Image courtesy of California Globetrotter blog
  • 6.
    Preface: International DataProtection 101 • EU: current = EC 95/46 Data Protection Directive • EU soon = General Data Protection Regulation (May 25, 2018) • Many others (Russia, China, Qatar and Japan, more) - recently enacted or strengthened their rules • But again, we just have time for EU
  • 7.
    Preface: GDPR 101 •A uniform regulation (unlike DPD) • Jaw-droppingly huge potential fines • Broad definitions of “Personal data” • New data subject rights, including right to be forgotten • Data breach notification rules • Expansion of responsibility for processing - important for eDiscovery vendors who are often just Processors
  • 8.
    GDPR Article 48 Transfersor disclosures not authorised by Union law “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
  • 9.
    Unknown: Is thePrivacy Shield a qualifying “International Agreement?” Transfers or disclosures not authorised by Union law “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
  • 10.
    Recital 115 (non-binding,but still important) Rules in third countries contrary to the Regulation Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
  • 11.
    Discovery = Breachof GDPR? Rules in third countries contrary to the Regulation Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
  • 12.
    “No aspect ofthe extension of the American legal system beyond the territorial frontier of the United States has given rise to so much friction as the requests for documents in investigation and litigation in the United States.” RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW OF THE UNITED STATES § 442, Reporters’ Notes ¶ 1 (1987). Blocking statutes Image courtesy of the ABA Journal of the Section of More than 15 blocking statutes France Germany Even the UK (and they created the common law system!)
  • 13.
    Article 29 WorkingParty “Working Document 1/2009 on pre-trial discovery for cross border civil litigation” Art. 29 WP = EU advisory body (name to be changed with GDPR) Legal Holds = Processing: “Although in the US the storage of personal data for litigation hold is not considered to be processing, under Directive 95/46 any retention, preservation, or archiving of data for such purposes would amount to processing.”
  • 14.
    Article 29 WorkingParty “Working Document 1/2009 on pre-trial discovery for cross border civil litigation” Legal Holds = potential violations of EU Data Protection laws “Controllers in the European Union have no legal ground to store personal data at random for an unlimited period of time because of the possibility of litigation in the United States . . ..”
  • 15.
    Just a papertiger? For decades, no fines or harm done under blocking statutes
  • 16.
    In Re: AdvocateChristopher X, French Supreme Court, 2008 • Complied with US court deposition request in Strauss v. Credit Lyonnais, S.A., 2000 U.S. Dist. Lexis 38378 (E.D.N.Y. May 25, 2007). • French attorney fined €10,000 for violating blocking statute 16
  • 17.
    2. Background: SocieteNationale and our history of giving deference to foreign legal interests, and then ignoring them
  • 18.
    Societe Nationale IndustrielleAerospatiale v. US Dist Ct. SD IA, 482 US 522 (1987) “The World’s safest and most economical STOL plane” . . . . . . . crashed in Iowa Injured US fliers sought discovery from French manufacturers
  • 19.
    Respondents move toblock, claim Hague Convention is exclusive means US Supreme Court on blocking statutes: “do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” On Hague convention: “not a pre-emptive replacement” or “first resort” but an optional procedure used when appropriate 19
  • 20.
    5 factor comitytest Restatement (Third) of Foreign Relations Law § 442(c) (1987) 1. The importance to the … litigation of the documents or other information requested; 2. The degree of the specificity of the request; 3. Whether the information originated in the United States; 4. The availability of alternative means of securing the information; and 5. The extent to which noncompliance with the request would undermine interests of the United States, or compliance with the request would undermine interests of the state where the information is located.
  • 21.
    “ . .. comity became a frivolous argument . . .” “For three decades . . . U.S. courts applied a balancing test to weigh the interests of foreign countries against U.S. interests, and ruled almost unanimously in favor of U.S. interests . . .” Diego Zambrano, A Comity of Errors: The Rise, Fall, and Return of International Comity in Transnational Discovery, 34 Berkeley J. Int’l Law. 157 (2016).
  • 22.
    US v. Microsoftlikely to make this worse Stored Communications Act warrant (18 U.S.C. § 2703) Microsoft produced emails on US Cloud storage, but not in Ireland Drew massive anger from EU – especially Ireland Second Circuit vacated contempt order US DoJ got Supreme Court to accept Cert.
  • 23.
    3. “So, whatdo I do now?” Practical advice for dealing with the uncertainty
  • 24.
    Options A. Privacy Shield B.MLAT C. Binding Corporate Rules D. Standard Contract Clauses E. Hague Convention F. Letters Rogatory G. Party agreement
  • 25.
    Agreement between EUand certain US agencies Available to companies under FTC and Department of Transportation jurisdiction (Not Telecoms or FinServ/banks) Replaces prior Safe Harbor – invalidated by Court of Justice of the European Union (CJEU) on suit by privacy activist Max Schrems A. Privacy Shield
  • 26.
    EU Privacy activistshave filed lawsuits - CJEU takes up Schrems’ new case from Irish High Court (with Irish DPA support) Annual review found many problems, but “adequate” so far WP29 will soon issue opinion – have historically had negative view Cracked Shield?
  • 27.
    1. Notice 2. Choice 3.Onward transfer 4. Security data 5. Integrity 6. Access  7. Enforcement  7 Key principles (inherited from Safe Harbor)
  • 28.
    1. Notice 2. Choice 3.Onward transfer 4. Security data 5. Integrity 6. Access  7. Enforcement  7 Key principles (inherited from Safe Harbor)
  • 29.
    3. ACCOUNTABILITY FORONWARD TRANSFER “To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.   Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
  • 30.
    eDiscovery violates thisprovision “To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.   Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
  • 31.
    eDiscovery really violatesthis provision “To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.   Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
  • 32.
    So far, nobodyhas gotten burned . . . Yet Use at your own peril?
  • 33.
    B. MLAT For requestingand obtaining evidence for criminal investigations and prosecutions Can be through Letters Rogatory or central authority – depending upon the specific treaty Need local expert help on this
  • 34.
    US MLATS (EUmember states in red) Antigua and Barb. Argentina Australia Austria Bahamas Barbados Belize Bermuda Brazil Bulgaria Canada China Cyprus Czech Rep. Denmark Dominica Egypt Estonia France Germany Greece Grenada Hong Kong Hungary India Ireland Israel Japan Latvia Liechtenstein Lithuania Luxembourg Malaysia Philippines Poland Romania Russia Saint Lucia South Africa St. Kitts and Nevis St. Vin. and Gren. Sweden Switzerland Trinidad and Tobago Ukraine United Kingdom Venezuela
  • 35.
    C. Binding CorporateRules
 Articles 46(2)(b) and 47 How do you get the other side to sign? (even assuming that they are a corporation)
  • 36.
    D. Standard ContractClauses
 Articles 46(2)(c) and 93(2) How do you get the other side to sign? Use as evidence creates an Onward Transfer problem Schrems is attacking these as well – CJEU also taken up this issue through Irish High Court
  • 37.
    E. Hague Conventionon the Taking of Evidence Abroad in Civil or Commercial Matters Goal of many signers was to limit scope of US discovery abroad Actively sponsored and signed by the US in 1972 Most, but not all of the EU has signed Full list here
  • 38.
    Big problem =Art. 23 reservations “a contracting state may at the time of signature, ratification or accession declare that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents.” France, Germany, Spain, UK and the Netherlands plus others in EU all use this to block US discovery Check the official list 38
  • 39.
    Essentially a wayof asking politely* 39 It’s complicated: see ABA/NYSBA guidelines and forms here Draft Letter of Request (a/k/a “Letters Rogatory”**) Send to Central Authorities (there is a list, can use a service) Central Authorities send to local authorities Local authorities are supposed to compel custodian to comply Estimated to take 2-4 months (yes, really) * So, why hasn’t Canada signed up? ** Yes, this is confusing: Letters Rogatory predate the Convention and are usable with non- signers
  • 40.
    40 To get goodresults Likely need to help the judge Make it easy to comply Not be a stereotypical loud-mouth, pushy American Be reasonable Be specific – narrow the request as much as possible Get help if you need it – especially local help! But best to start with agreement, and if not agreement get a court order
  • 41.
    F. Letters Rogatory Forcountries that didn’t sign the Hague Convention And for those with HC Art. 23 reservations Again – is asking nicely Many hoops to jump through – same advice (do it right, get help, be nice, be specific!) No compulsory aspect Which, means that you need to expect it to take 6-12 months (yes, really!)
  • 42.
    Work it outbetween the parties Get a court order if possible Be creative 42 G. Party Agreement
  • 43.
    Questions and Answers Questionscan be submitted using the “Questions” box in your GoToWebinar control panel ?
  • 44.
  • 45.
    More Resources: See ademo of Logikcull, the powerfully simple, highly secure eDiscovery and data management software. For technology and eDiscovery news and tips, interviews with judges and practitioners, and more, sign up for Logikcull’s blog, Closing the Loop. Text of the GDPR (English) Barton GDPR Compliance Group site