Litigants navigating the conflict between U.S. discovery
obligations and foreign data protection laws have a new ally, the
American Bar Association ("the ABA"). The ABA
recently passed Resolution 103, which "urges" that:
[W]here possible in the context of the proceedings before them,
U.S. federal, state, territorial, tribal and local courts consider
and respect, as appropriate, the data protection and privacy laws
of any applicable foreign sovereign, and the interests of any
person who is subject to or benefits from such laws, with regard to
data sought in discovery in civil litigation.
The full text of the resolution and accompanying report (the
"Report") can be found here. In supporting its resolution,
the ABA noted that "[l]itigants often face a Hobson's
Choice: violate foreign law and expose themselves to enforcement
proceedings that have included criminal prosecution, or choose
noncompliance with a U.S. discovery order and risk U.S. sanctions
ranging from monetary costs to adverse inference jury instructions
to default judgments." Report at p. 2. As
"U.S. law already provides a clear and workable standard for
resolving the conflict" the ABA believes that Courts should
give more consideration "to the national interests behind the
non-U.S. laws" such that the comity factors are weighed and
applied "in a manner that demonstrates respect for those laws
and the principles of international comity." Report at p.
The ABA's involvement with this issue is particularly
timely, as it has recently become apparent that new data analytic
technologies have weakened the effectiveness and reliability of
anonymization, one of the primary mechanisms available to litigants
to navigate cross border discovery conflicts. See
e.g., The Practice of Law in the Age of Big Data, Nat.
L. J., April 11, 2011.
Despite the apparent strength of this Resolution, it is worth
noting that the ABA appears to have watered down the original
intended language, restricting its statement to data that is
"sought," i.e. affirmatively requested by an opposing
litigant, as compared to the original language, which applied
broadly to data that is subject to preservation, disclosure, or
discovery." The intent of this change is unclear, as the
ABA continues to acknowledge that preservation related-activities
can, by themselves, run afoul of foreign data protection
obligations, even in the absence of actual production or
cross-border transfer. Report at p. 12. For example, the
European Data Protection Directive, defines regulated
"processing" to include mere "storage," and
further provides that data shall be kept in a form which permits
identification of data subjects for no longer than is necessary for
the purposes for which the data were collected." See Directive 95/46/EC, Articles 1 and
6. Such restrictions can be inconsistent with broad U.S.
preservation obligations, and non-compliance would seem to present
many of the same risks that are a concern when it comes to cross
border data transfer.
Regardless of any limited intent, it is hoped that the ABA's
position will be taken to heart by the judiciary, as litigants in
possession of protected data should not have to unnecessarily fear
litigating in U.S. Courts.
The Radio Shack bankruptcy case raised a fundamental question regarding the sale of personally identifiable customer information: Can it be done? The answer is "Probably". (You expected anything else?)
On 28 July 2016, the European Court of Justice rendered a decision in a dispute between an Austrian Consumer Protection organization known as VKI and Amazon EU Sàrl, a subsidiary of Amazon registered in Luxembourg.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).