The U.S. Discovery-EU Privacy Directive Conflict: Constructing a Three-Tiered Compliance Strategy

Beginning of article

INTRODUCTION

Because of the different regulatory approaches of the United States and the European Union, litigants involved in U.S.-EU transborder litigation face a difficult situation regarding discovery. U.S. discovery procedures require litigants to produce any requested information under their control without regard to whether the information originated within U.S. borders. (1) Meanwhile, the European Union prohibits the transfer of data originating within its borders to the United States because it has determined that the United States lacks adequate data protection standards. (2) The steady increase of trans-border litigation has brought the conflict between U.S. discovery rules and EU data protection laws into sharp focus and spurred intense debate.

Despite calls from EU member states' data protection authorities for the Article 29 Working Party ("Working Party") to comment on the issue, (3) the lead EU administrative data protection body has remained silent. In the absence of such guidance from the Working Party, litigants in U.S.-EU trans-border disputes are left floundering in their attempts to comply with U.S. discovery rules without violating EU data protection law. This note sifts through the quagmire of regulations to help trans-border litigants view the U.S. discovery-EU data protection conflict through a transnational legal lens, and thereby, construct a strategy for compliance that respects U.S., EU and international law.

This note proceeds in three parts. Part I describes the nature and scope of the U.S. discovery-EU Privacy Directive conflict and investigates its roots in the larger differences between civil and common legal systems' approach to evidence gathering. Part II examines possible solutions to the legal quandary posed by the conflicting requirements, and Part III constructs the best possible compliance strategy for real world litigants.

I. UNDERSTANDING THE CURRENT CONFLICT AND ITS HISTORICAL ROOTS

Litigants in U.S. courts face strict penalties for failure to comply with the discovery process. (4) When data involved in the discovery process is located or originated in the European Union, these same litigants face strict penalties under EU data protection law for transferring the data to the United States. (5) This places litigants in U.S.-EU trans-border disputes in a difficult position. The conflict between the two sets of requirements has been a recent source of heated debate, (6) fueled, in part, by the long-standing disagreement between civil and common legal systems over the appropriate nature of evidence-gathering procedures.

A. The Conflict: EU data protection law confronts U.S. discovery rules.

The European Union began harmonizing the data protection laws of its member states with the adoption of Directive 95/46/EC ("Privacy Directive"). (7) The Privacy Directive restricts the transfer and processing of "personal data," which is broadly defined as "any information relating to an identified or identifiable natural person." (8) Privacy Directive Article 25 forbids the transfer of personal data to a third country unless the third country provides an adequate level of data protection. (9) Furthermore, if a specific third country is found to lack adequate data protection, EU member states are required to take affirmative steps to prevent the transfer of personal data to that country. (10) The EU position is that the United States lacks adequate data protection standards. (11) As a result, the United States and the European Union negotiated a safe harbor mechanism by which companies may voluntarily increase their level of data protection and become eligible for data transfers from the European Union. (12) The safe harbor, however, does not cover all sectors of data, (13) and, while specifically designed to govern data transfers, it also imposes restrictions on data processing which render the use of the Safe Harbor framework problematic in the U.S. discovery context. (14)

The Privacy Directive also places a variety of restrictions on the processing of personal data. For example, Privacy Directive Article 6 requires personal data to "be processed fairly and lawfully[,] ... be collected for specified, explicit and legitimate purposes, and not be used for incompatible purposes." (15) Furthermore, "the processed data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed." (16) Additionally, data subjects must have the opportunity to correct erroneous data, (17) and personal data may not be retained longer than necessary. (18)

The Privacy Directive restrictions on transfers and processing of personal data pose a problem for litigants involved in U.S.-EU transborder litigation. First, the Privacy Directive transfer provisions restrict the scope of discoverable data. Second, because "processing" is defined as the "collection, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" of personal data, (19) the processing requirements apply to "virtually any action that a U.S. litigator would take" in preparation for trial. (20)

Thus, parties to U.S.-EU trans-border litigation may not be able to comply with U.S. discovery requirements without violating EU data protection law. However, full compliance with the Privacy Directive may require refusal to comply with a U.S. discovery request. Notably, entities subject to the Privacy Directive face strict monetary penalties for any violation, (21) and failure to comply with U.S. discovery requests can result in "severe sanctions, including contempt proceedings, monetary fines, prosecution for obstruction of justice, prejudicial jury instructions, and dismissal of claims." (22) Litigants are therefore left to decide which set of laws to violate--EU data protection or U.S. discovery.

B. The U.S. discovery-EU Privacy Directive conflict is part of a larger disjunction between common and civil legal approaches to evidence gathering.

The tension between EU data protection law and U.S. discovery rules presents a new manifestation of an enduring conflict between civil and common law evidence-gathering procedures. The differences in common and civil legal systems with regard to evidence gathering have been the source of tension for decades. At its core, the disagreement centers not on the goals of evidence gathering, but on the mechanism for achieving those goals.

The United States, a common law jurisdiction, employs an evidence-gathering procedure referred to as pre-trial discovery. (23) Pretrial discovery is the gathering of evidence after a lawsuit is filed but prior to trial. (24) The United States adopted pre-trial discovery procedures to encourage the free flow of information, truth-finding, and informational equity between parties. (25) Specifically, the pre-trial discovery rules embodied in the Federal Rules of Civil Procedure (26) allow litigants to obtain any information relevant to the claim or defense of a party. (27) To be discoverable, information need not be admissible at trial; it must only be relevant and reasonably calculated to lead to the discovery of admissible evidence. (28) Notably, the scope of information potentially covered by the discovery rules is extremely broad, and it is the parties themselves that gather the evidence. (29) These two aspects of the discovery process give rise to most of the objections raised by civil law countries, which view the scope of U.S. discovery as intrusive and the identity of the fact-finder inappropriate. (30)

Civil law countries also seek to promote justice through rules of civil procedure, but they do so in an entirely different fashion. First, most civil law countries view evidence gathering as a sovereign function best carried out by an active judge. (31) Typically, in civil systems "the judge questions the witnesses and decides which documents to request." (32) Because of this active role, the scope of discovery is naturally limited in civil law systems by the discretion of the judge, and foreign litigators often view the U.S. discovery process, placed in the hands of the parties, "as fostering 'fishing expeditions' by U.S. lawyers eager to build a case and perhaps impose costs on their adversaries." (33) Some countries, such as France, so vehemently oppose the U.S. discovery model that they enacted statutes specifically designed to block the application of U.S. discovery rules to their citizens, (34)

Given the historical tension between U.S. discovery rules and European approaches to evidence gathering, it is unsurprising that U.S. discovery rules conflict with EU data protection law, since it is another area where the European Union views U.S. regulation as inadequate. After all, given the general distaste in civil legal systems for U.S. discovery procedures, it is only natural that in an area viewed as a fundamental human right, such as data privacy, the conflict would increasingly grow. The question then becomes not how to eliminate the tension, but whether litigants can navigate both sets of laws without incurring penalties.

II. POSSIBLE SOLUTIONS TO THE U.S.-EU TRANS-BORDER LITIGANT'S LEGAL QUANDARY

A litigant involved in a U.S.-EU trans-border dispute may generally seek to comply with both U.S. discovery rules and the Privacy Directive by either persuading U.S. courts to accept restricted discovery production or using exceptions to the Privacy Directive to fully comply with U.S. discovery rules. A litigant seeking to persuade U.S. courts to accept restricted production may seek to either substitute the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters ("Hague Evidence Convention") procedures for the Federal Rules of Civil Procedure, or obtain a protective order on the basis of EU data protection laws. On the other hand, a litigant using Privacy Directive exceptions to fully comply with U.S. discovery requirements must both use exceptions to the Privacy Directive's transfer provisions to remove restrictions on the scope of discovery and justify processing of lawfully transferred data under Privacy Directive Article 7.

Solution A: Persuade U.S. courts to accept restricted discovery production.

A litigant in a U.S.-EU trans-border dispute generally has two options for persuading U.S. courts to accept restricted discovery production. First, the litigant may argue that the Hague Evidence Convention governs the dispute rather than the Federal Rules of Civil Procedure. (35) Alternatively, the litigant may seek a protective order on the basis that full discovery will expose the litigant to sanctions in the European Union. (36) Notably, the first strategy has not yet been used by a litigant in the specific context of the U.S. discovery-EU Privacy Directive conflict. The second strategy of seeking a protective order, however, has been successfully employed by litigants in this context. (37)

Option 1: Persuade the court to use the Hague Evidence Convention instead of the Federal Rules of Civil Procedure.

Although this option has not yet been pursued by litigants in this context, a litigant could overcome the U.S. discovery-EU Privacy Directive conflict by persuading the court to use the Hauge Evidence Convention instead of the Federal Rules of Civil Procedure. The Hague Evidence Convention, concluded on March 18, 1970, (38) sought to bridge the gap between evidence gathering procedures in civil and common law countries by providing three mechanisms to be used in either system: letters of request, diplomatic or consular officers, and appointed commissioners. (39)

The most helpful of these procedures for dealing with a conflict between the Privacy Directive and U.S. discovery rules is the letter of request. A letter of request is a formal procedure whereby the court presiding over a civil or commercial judicial proceeding in one country can ask the judicial authority of another country to gather evidence for use in the judicial proceeding in the requesting state. (40) Each country that ratified the Hague Evidence Convention designated a central authority to which all letters of request are sent for execution. (41) A letter of request must be executed expeditiously (42) and may only be refused in specific cases. (43) However, the person or persons from whom the executing country must gather the evidence "may refuse to give evidence in so far as he has a privilege or duty to refuse to give the evidence ... under the law of the State of execution." (44)

Hague Evidence Convention letters of request can allow litigants to fulfill U.S. …