The U.S. Discovery-EU Privacy Directive Conflict: Constructing a Three-Tiered Compliance Strategy

Article excerpt

INTRODUCTION

Because of the different regulatory approaches of the United States and the European Union, litigants involved in U.S.-EU transborder litigation face a difficult situation regarding discovery. U.S. discovery procedures require litigants to produce any requested information under their control without regard to whether the information originated within U.S. borders. (1) Meanwhile, the European Union prohibits the transfer of data originating within its borders to the United States because it has determined that the United States lacks adequate data protection standards. (2) The steady increase of trans-border litigation has brought the conflict between U.S. discovery rules and EU data protection laws into sharp focus and spurred intense debate.

Despite calls from EU member states' data protection authorities for the Article 29 Working Party ("Working Party") to comment on the issue, (3) the lead EU administrative data protection body has remained silent. In the absence of such guidance from the Working Party, litigants in U.S.-EU trans-border disputes are left floundering in their attempts to comply with U.S. discovery rules without violating EU data protection law. This note sifts through the quagmire of regulations to help trans-border litigants view the U.S. discovery-EU data protection conflict through a transnational legal lens, and thereby, construct a strategy for compliance that respects U.S., EU and international law.

This note proceeds in three parts. Part I describes the nature and scope of the U.S. discovery-EU Privacy Directive conflict and investigates its roots in the larger differences between civil and common legal systems' approach to evidence gathering. Part II examines possible solutions to the legal quandary posed by the conflicting requirements, and Part III constructs the best possible compliance strategy for real world litigants.

I. UNDERSTANDING THE CURRENT CONFLICT AND ITS HISTORICAL ROOTS

Litigants in U.S. courts face strict penalties for failure to comply with the discovery process. (4) When data involved in the discovery process is located or originated in the European Union, these same litigants face strict penalties under EU data protection law for transferring the data to the United States. (5) This places litigants in U.S.-EU trans-border disputes in a difficult position. The conflict between the two sets of requirements has been a recent source of heated debate, (6) fueled, in part, by the long-standing disagreement between civil and common legal systems over the appropriate nature of evidence-gathering procedures.

A. The Conflict: EU data protection law confronts U.S. discovery rules.

The European Union began harmonizing the data protection laws of its member states with the adoption of Directive 95/46/EC ("Privacy Directive"). (7) The Privacy Directive restricts the transfer and processing of "personal data," which is broadly defined as "any information relating to an identified or identifiable natural person." (8) Privacy Directive Article 25 forbids the transfer of personal data to a third country unless the third country provides an adequate level of data protection. (9) Furthermore, if a specific third country is found to lack adequate data protection, EU member states are required to take affirmative steps to prevent the transfer of personal data to that country. (10) The EU position is that the United States lacks adequate data protection standards. (11) As a result, the United States and the European Union negotiated a safe harbor mechanism by which companies may voluntarily increase their level of data protection and become eligible for data transfers from the European Union. (12) The safe harbor, however, does not cover all sectors of data, (13) and, while specifically designed to govern data transfers, it also imposes restrictions on data processing which render the use of the Safe Harbor framework problematic in the U. …