The Legal Framework of the GDPR and Most Relevant Provisions Affecting U.S. Litigation
The General Data Protection Regulation (GDPR) is an EU regulation that replaces the EU Data Protection Directive of 1995. The GDPR is intended to provide stronger and more unified data protection for individuals in the EU, as well as personal data exported from the EU, thereby making it easier for non-European companies to comply with the regulation. The GDPR went into effect on May 24, 2016, and enforcement commenced on May 25, 2018.
Under the GDPR, a single set of rules will apply to all EU member states. The effects of the GDPR are wide-ranging and will impact most companies based in the EU, as well as companies based abroad that process personal data collected in the EU or from EU residents. The GDPR raises the bar for compliance significantly as compared to the Directive. Among other things, it imposes tighter limits on the use of personal data, it gives individuals more powerful enforcement rights, and it requires greater transparency. The GDPR also dramatically increases the penalties for non-compliance to the greater of €20 million, or 4% of worldwide turnover, penalties significant enough to attract senior management attention. Moreover, under the GDPR, EU residents are now allowed to sue to recover “material or non-material” damages resulting from data protection breaches. This may subject U.S. companies to litigation in each of the 28 EU member states, or in multiple member states under different legal regimes for breaches affecting residents of multiple EU countries.
Importantly for U.S. companies, the GDPR may significantly impact the way discovery is conducted in connection with U.S. litigation. The GDPR specifically limits the circumstances under which EU personal data may be exported from the EU. As a result, any document review conducted outside of the EU that involves personal data collected or located in the EU must be done in compliance with the GDPR. Furthermore, many global companies outsource e-discovery and litigation document review to service providers outside the EU. As a result, litigation support providers are scrambling to fully grasp the implications of the GDPR on their operations.
If the transfer of data to the U.S. for discovery purposes is necessary, litigants must implement safeguards, such as use of search terms and data restrictions, to limit the amount of data that is collected and transferred to the U.S. In light of the financial penalties available under the GDPR, companies should make a careful case-by-case assessment of the basis for transferring personal data to the U.S. or elsewhere outside the EU for use in discovery, or government or internal investigations.
As discussed in detail below, the options available to mitigate risk under the GDPR include: 1) minimizing the amount of data actually transferred to that necessary for the purposes for which the data is being processed, 2) encrypting, redacting or anonymizing personal data wherever possible, 3) using international treaties (mutual legal assistance treaties) to justify data transfers, 4) entering into standard contractual clauses with third parties processing personal data, 5) processing and hosting the data in the EU, particularly prior to redaction or anonymization, and 6) entering into a protective order limiting the parties’ ability to access and disseminate EU personal data in litigation.
“Personal Data” as defined in the GDPR means any information relating to an identified or identifiable natural person (a “data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
The definition of personal data is, for the most part, unchanged under the GDPR. The explicit inclusion of location data, online identifiers and genetic data within the definition of “personal data” means that in many cases online identifiers such as IP addresses and cookies will now be regarded as personal data if they can be linked back to a data subject without undue effort. There is no distinction between personal data about individuals in their public, private, or employment capacity. All information about a data subject meeting the definition is protected by the GDPR.
Sensitive Personal Data are special categories of personal data that are subject to additional protections. “Sensitive Personal Data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, data concerning health or sex life and sexual orientation, genetic data, or biometric data. In general, companies must have stronger grounds to process Sensitive Personal Data than are required to process “Personal Data.”
The GDPR applies to any entity that collects data from EU residents or any data subject based in the EU (the “data controller”), and to any entity that processes data on behalf of the data controller (the “data processor”), such as an eDiscovery vendor or litigation support provider. The regulation also applies to data controllers and data processors based outside the EU if they collect or process personal data of EU residents.
Lawful Basis For Processing
Under the GDPR, a company may process personal data only if there is a lawful basis for doing so. Under Article 6 of the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Strict rules apply where consent is used as the lawful basis for processing:
- The controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
- The data subject shall have the right to withdraw his or her consent at any time. It shall be as easy to withdraw as to give consent.
- Consent must be explicit for data collected and the purposes data is used for.
- Consent for children must be given by the child’s parent or custodian, and verifiable.
- Data controllers must be able to prove “consent” (opt-in).
For the foreseeable future, it is unlikely that companies will have in place the necessary consents to transfer data outside of the EU for litigation purposes. Furthermore, consent is not an option where full disclosure regarding the purpose of the transfer can’t be given to the data subject, such as in internal investigations. As a result, companies will have to rely on one of the other bases for lawful processing of data as set forth above.
Furthermore, when drafting the GDPR, the EU added specific provisions to clearly indicate that companies must respect EU data privacy when engaging in litigation in the United States and elsewhere. Under Article 48, “any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring [an entity holding EU data] to transfer or disclose personal data may only be recognizable or enforceable … if based on an international agreement, such as a mutual legal assistance treaty….” Since most member states do not have mutual legal assistance treaties with the United States, and even those that exist often do not cover U.S. pretrial discovery, this provision presents an obstacle to engaging in discovery in the United States and elsewhere.
Grounds for Transfer of Personal Data Outside of the EU
Assuming a company has a legitimate basis to process the relevant personal data, Articles 46 and 49 of the GDPR appear to provide the most useful mechanisms to enable companies to transfer data outside of the EU for document review or other litigation support. While data transfers based on consent are possible, they are unlikely to be of help in litigation because consent must be obtained from the data subject, not the company that collected the data.
The EU’s standard contractual clauses (Article 46(3)(a)) are particularly well suited for data transfers related to document review where a variety of litigation support vendors, such as an eDiscovery vendor, a document review provider, contract attorneys, or law firms, may need access to the data. However, as noted above, standard contractual clauses may be used only if the data is being transferred for reasons considered legitimate under the GDPR. Also, the standard contractual clauses currently in effect do not meet all GDPR requirements for transfers between controllers and processors, as discussed in detail below. As such, existing standard contractual clauses may need to be amended to comply with the GDPR.
In contrast to its predecessor (the Directive), the GDPR sets forth numerous obligations of data processors which must be stipulated in a contract with the controller or in an “other legal act under Union or Member State law” (Article 28). The GDPR authorizes the European Commission and supervisory authorities (i.e., EU member states’ data protection authorities) to lay down standard contractual clauses to meet these requirements. To our knowledge, none of them has produced a draft of amended standard contractual clauses to date.
Another means to transfer data is for the establishment, exercise or defense of legal claims under Article 49(1)(e) of the GDPR. This provision may offer the best justification for data transfers in connection with litigation, including pretrial discovery. While this exception was limited under the Directive by legislation in certain EU countries, under the GDPR, these exceptions will be more limited.
Article 49(1)(d) of the GDPR enables transfer of data for important reasons of public interest. While this approach may not support data transfers in connection with civil court proceedings, it may apply to law enforcement requests and government investigations. However, under Article 49(4), the “important reason” must be acknowledged by either the EU or the member states’ laws. As such, data transfers under this provision may be limited to situations in the public interest of both the EU and U.S., such as anti-money laundering or public health purposes.
Finally, if the options above for transferring discovery data are not available, Article 49(1)(2) enables a limited transfer of individual data for compelling legitimate interests of the data transferring party if the following criteria are met:
- The transfer is not repetitive and concerns only a limited number of data subjects.
- The transfer is necessary for compelling, legitimate interests of the data transferring entity that are not overridden by the interests or rights and freedoms of the data subject.
- The transferring entity has assessed all the circumstances surrounding the data transfer and has provided suitable safeguards.
- The relevant data protection authority has been informed of the transfer.
- The data subjects have been informed of the intended data transfer.
Regardless of which transfer method a company relies upon, the amount of data transferred should be the minimum necessary to achieve the purpose for which the data is being transferred, and appropriate technical and organizational processes must still be put in place to protect the relevant data. Responses to a discovery request or subpoena must be narrowed to focus on only the information and custodians directly relevant to the issue under consideration.