INTRODUCTION

As we publish this January 2013 edition of our paper, nations throughout the world are grappling with the challenges of protecting personal information in today's fast-moving, global economy. Countries from Argentina to Vietnam have enacted data privacy laws, and many are seeking to strengthen the protections that are already in place. In the past 12 months, the European Commission (the "Commission") proposed sweeping changes to Europe's approach to data protection1 and France's data protection agency, the CNIL,2 declared that it was "ready for combat" to protect French information in an increasingly digital world.3 We expect significant data protection developments in 2013.

This paper continues to focus on Europe, which has long viewed the privacy of personal information and data as a fundamental right. The countries of the European Economic Area ("EEA")4 protect data in accordance with the EU Data Protection Directive (the "EU Directive").5 Each EEA country has implemented the EU Directive in its own way, leading to a complex web of privacy legislation which, together with foreign discovery "blocking statutes," greatly restricts the transfer of data from Europe to the United States.

Practitioners need to be aware of country-specific privacy and discovery blocking legislation, as well as the potential implications these laws have on obtaining discovery for U.S. litigation. For that reason, we have included links and citations to a wide variety of recent materials published by entities as diverse as the American Bar Association and Europe's Working Party on the Protection of Individuals with regard to Processing of Personal Data ("Working Party").6

This paper is organized in two parts. Part I provides an overview of the EU Directive and discovery-blocking statutes, addresses their impact on U.S. discovery, and proposes guidelines for navigating the choppy waters of international discovery. Part II surveys the data privacy statutes, commonly encountered blocking statutes, and selected case law pertaining to each EEA country. Each country's section is up-to-date as of December 2012.

This paper provides an overview of a complex subject and is a starting point for additional, country-specific research. The Hughes Hubbard eDiscovery Practice Group wishes to thank Yohance Bowden for his help in preparing this paper.

PART I

AN OVERVIEW OF THE EU DIRECTIVE AND BLOCKING STATUTES AND THEIR IMPACT ON U.S. DISCOVERY

I. The EU Directive

A. Scope, Implementation and Enforcement

The EU Directive was adopted by the European Parliament and the Council on October 24, 1995, and Member States were given three years, until October 1998, to bring it into force.7 Its stated purpose is twofold: (i) to harmonize divergent data protection regimes in the Member States in order to remove obstacles to the free flow of information and (ii) to "protect fundamental rights and freedoms, notably the right to privacy"8 by establishing minimum safeguards for the use of personal data.

The EU Directive protects the personal data of individuals, including public and private sector employees,9 and, importantly, continues to protect that data when it is transferred out of the European Union ("EU"). The EU Directive accomplishes this by restricting both the "processing" and the "transfer" of personal data. The Directive does not apply to "processing operations concerning public security, defense, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law."10 Nor does it apply to processing by an individual engaged in a "purely personal or household activity."11

The EU Directive obligates each EEA country to enact data protection laws that are at least as protective of personal privacy as the EU Directive itself. Each EEA country has complied with the Directive by enacting its own data protection laws, reflecting that country's individualized choices with respect to the definition of personal data, the level of protection afforded personal data, and the penalties for privacy violations. Some countries, such as Germany, France, and Italy, enacted data protection laws that are significantly stronger than the minimum required by the EU Directive.

The EU Directive also obligates each EEA country to create an independent data protection authority ("DPA") to oversee compliance with that country's data protection laws. Each DPA must have the power to investigate and intervene in data processing operations.12 The European Commission monitors each country's DPA to ensure that the DPA adheres to the EU Directive. The Commission may bring a legal proceeding against a country whose DPA falls short of these requirements. For example, the Commission referred Austria to the European Court of Justice for allegedly not having a DPA that met EU independence requirements.13 In a high-profile referral, the Commission referred the UK to the European Court of Justice for "not fully implementing EU rules on the confidentiality of electronic communications such as email or internet browsing."14

Data privacy violators may face sanctions from both public and private sources. First, the EU Directive requires each member country, through its DPA or judicial authority, to impose sanctions against violators, such as fines, imprisonment, or both.15 Second, Article 23 of the EU Directive requires each member country to provide that any person who suffers damage as a result of unlawful processing is entitled to compensation from the controller, which gives data subjects a private civil action against violators.16

On January 25, 2012, the European Commission published a draft "General Data Protection Regulation," a proposed reform that would significantly change data protection laws and regulatory schemes across Europe.17 The proposed reform seeks to reduce the confusion caused by the fragmented approach companies currently face when dealing with DPAs across the member states of the EEA, and at the same time to strengthen data privacy protections: it stiffens penalties for noncompliance and expands the reach of the law to all companies seeking to process data belonging to EU residents, regardless of the company's location. The Commission hopes to obtain the agreement of all member states by June 2014 so that the regulation can take effect by June 2016.18

B. "Personal Data"

The EU Directive restricts access to and the use of "personal data." Personal data in the EEA has a much broader scope than in the United States. The EU Directive defines "personal data" as "any information relating to an identified or identifiable natural person ('data subject')," including workplace information pertaining to employees.19 In implementing the Directive, EEA countries have defined "personal data" in slightly different ways, but "personal data" generally refers to any data that permits the identification of an individual, either directly or indirectly, through means reasonably likely to be used by either the data controller or a third party.20 This includes information that is not considered "personal" in the United States, such as job titles, office locations and email addresses, but which is considered "personal" in EEA countries because it can be linked to a person who, in the language of the Data Protection Directive, "can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."21

In the United States, we generally associate the phrase "personal data" with a limited set of data such as medical information and social security numbers. In Europe these types of data are considered "sensitive data," and are even more highly protected than "personal data." Sensitive data includes information of a highly personal nature that reveals an individual's race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, mental or physical health, sex life, criminal convictions, civil judgments or sanctions.22 Under Article 8 of the EU Directive, Member States and data controllers are prohibited from processing sensitive personal data, subject to some very limited exceptions.23

C. "Data Controller"

Under the EU Directive, a data controller is a "natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data."24 Data controllers can be entities or employees charged with making decisions regarding the processing of personal data. Data controllers must implement measures to protect personal data from accidental or unlawful destruction or loss, alteration or unlawful disclosure or access.25

D. "Processing"

One of the activities to which the EU Directive applies is the "processing" of data. "Processing" is defined broadly as "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."26 This definition encompasses essentially every action taken in connection with U.S. discovery.27 It is much broader than the concept of "processing" commonly used in the United States. In the United States, "processing" is generally limited to technical actions, such as filtering, indexing, culling, de-duplicating, and converting data from one format to another.

The EU Directive prohibits the processing of personal data except where certain conditions are met. These conditions, which are set out in Articles 6, 7, and 10 of the EU Directive, are designed to ensure that data processing is proportional (Article 6), legitimate (Article 7), and transparent (Article 10).

1. Article 6 Requirements: Under Article 6 of the EU Directive, member states must ensure that the processing of personal data is:

(a) Fair and Lawful – personal data must be processed fairly and lawfully;

(b) Purpose-Limited – personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;"

(c) Relevant in Scope – the collected data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;"

(d) Accurate and Current – personal data must be accurate and up-to-date, and every reasonable step must be taken to ensure that inaccurate or incomplete data (in terms of the purposes for which they are collected or processed) are erased or rectified; and

(e) Time-Limited – personal data must be "kept in a form that permits data subjects to be identified for no longer than is necessary for the purposes for which the data were collected or for which they are further processed."

2. Article 7 Requirements: Article 7 of the EU Directive requires member states to provide that personal data may be processed only if at least one of the following conditions is met.

(a) Consent – Personal data can be processed if the data subjects "unambiguously" provide "informed" and "voluntary" consent.28 While this sounds good in principle, it can be very difficult in practice to obtain the consent of all the data subjects. For example, in order to process email, a data controller may need to obtain consent not only from the custodian of the email, but also from each and every sender and recipient of each email, including, perhaps, bcc addressees who may only be identified by the email's metadata. Even if the difficult identification hurdle can be overcome, other obstacles remain. For example, in certain countries employees may not be able to provide "unambiguous" consent as a matter of law.29

(b) Performance of a Contract Involving a Data Subject – Personal data may be processed if "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."30 This provision applies only to processing that is necessary to achieve the specific purpose of the contract.

(c) Compliance with Legal Obligations – Personal data may be processed when "necessary for compliance with legal obligations to which the controller is subject."31 (As discussed below in section B, EEA countries generally do not recognize discovery obligations imposed by the United States or other non-EEA jurisdictions as "legal obligations" sufficient to allow the processing of personal data.)32

(d) Protection of Data Subject's Vital Interests – Personal data may be processed when "necessary in order to protect the vital interests of the data subject."33

(e) Tasks Carried Out in the Public Interest – Personal data may be processed when "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed."34

(f) Controller or Third Party's Legitimate Interests – Personal data may be processed when "necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)."35 (As with compliance with legal obligations, EEA authorities do not treat a discovery obligation imposed by the United States or another non-EEA jurisdiction as, by itself, a "legitimate interest" that justifies processing personal data; the Working Party calls for a case-by-case balancing of the controller's interest in the litigation against the rights of the data subjects.)36

3. Article 10 Requirements: Article 10 of the EU Directive requires the controller (in the workplace, the employer) to inform data subjects from whom data are collected of (1) the identity of the controller and of its representative, if any, (2) the purposes of the processing, and (3) any further information needed to guarantee fair processing, such as the recipients or categories of recipients of the data, whether replies to questions are obligatory or voluntary and the consequences of failing to reply, and the existence of the data subject's rights to access and to rectify the data.37 Importantly, employees must be told if the data will be transferred outside the EEA.

E. Transfer of Personal Data to Third Countries

Although the EU Directive does not actually define the term "transfer," the European Commission construes that term broadly to include any transmittal of personal data, whether paper or electronic. To ensure that controllers do not circumvent the EU Directive's protections by transferring data outside of the EU for processing, the EU Directive expressly prohibits the transfer of personal data to non-EU countries, except in limited circumstances.38

There are three categories of exceptions to the general prohibition against transfer of personal data outside of the EU. It is useful to think of these as country-based, corporate-based, and condition-based.

1. Country-Based Exceptions: There are two types of country-based exceptions. The first exception is for countries that the European Commission finds provide adequate data privacy protection. The second exception pertains solely to the United States and is referred to as the "Safe Harbor Program."

a. Third Country Adequacy Findings. The EU Directive permits transfers "where the third country in question ensures an adequate level of protection."39 The European Commission determines whether a particular country provides an adequate level of protection. To date, the Commission has made adequacy findings (to which EEA countries are bound) with respect to eleven non-EEA countries: Switzerland (July 2000), Canada (December 2001, for data subject to the Canadian Personal Information Protection and Electronic Documents Act), Argentina (June 2003), the Bailiwick of Guernsey (November 2003), the Isle of Man (April 2004), the Bailiwick of Jersey (2008), Andorra (2010), the Faroe Islands (2010), Israel (2011), Uruguay (2012) and New Zealand (2012).40 The Commission does not view the United States as having adequate protections in place for the transfer of data. Thus, this exception does not provide a basis for the transfer of personal data to the United States.

b. United States Safe Harbor Program. The European Commission permits transfers of personal data to the United States in accordance with the Safe Harbor Privacy Principles of the United States Department of Commerce (July 2000) (the "Safe Harbor Program"). The Safe Harbor Program was developed by the Commerce Department in consultation with the European Commission to permit the transfer of data to U.S. entities that self-certify that they have implemented internal data practices consistent with the U.S.-EU Safe Harbor Framework.41 Self-certification is available only to organizations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation, a limitation that excludes, for example, most telecommunication and financial companies.

Footnotes

1. http://ec.europa.eu/news/business/120125_en.htm.

2. Commission nationale de l'informatique et des libertés is an independent French administrative authority whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data. The agency was established by French law No. 78-17 in January 1978.

3. http://www.cnil.fr/fileadmin/documents/en/Cnil-RA2011-EN/index.html.

4. The European Economic Area consists of the 27 Member States of the European Union plus Norway, Liechtenstein and Iceland (collectively, the "EEA" or "EEA countries"). The Member States of the EU are: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (U.K.). See http://europa.eu/abc/european_countries/index_en.htm. The non-EU members of the EEA have agreed to enact legislation to implement the EU's data protection policies.

5. Council Directive No. 95/46/EC, O.J. L 281/31 (1995), http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.

6. The Working Party on the Protection of Individuals with regard to Processing of Personal Data is established by Article 29 of the EU Directive to oversee implementation of the EU Directive in the EEA, to address data protection issues and to issue recommendations, non-binding opinions and working documents to provide guidance in formulating appropriate and consistent data protection practices. It is comprised of, among others, representatives of the data protection authorities that oversee compliance with privacy legislation in the EEA countries. Council Directive No. 95/46/EC, art. 29, O.J. L 281/47 (1995).

7. Council Directive No. 95/46/EC, art. 32, O.J. L 281/49 (1995).

8. Id., O.J. L 281/38, at ¶ 10 (1995).

9. Id., art. 5-21, O.J. L 281/39 (1995).

10. Id., art. 3, O.J. L 281/39 (1995).

11. Id.

12. Id., art. 31, O.J. L 281/49 (1995). DPAs can order blocking, erasure or destruction of data, impose a ban, admonish a controller, engage in legal proceedings or notify judicial authorities where there have been violations. They may also hear claims lodged by any person who feels his or her rights have been violated.

13. http://www.lexology.com/library/detail.aspx?g=3bd2c02d-0b70-4ea4-90b5-c6a9997072b8.

14. http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1215.

15. Council Directive No. 95/46/EC, art. 24, O.J. L 281/45 (1995).

16. Id., art. 23(1), O.J. L 281/45 (1995).

17. Go to, then select "Regulation".

18. "Euro wonks lay SMACKDOWN on draft data protection rules; Little love for proposed privacy regulation", The Register, March 14, 2012; http://www.theregister.co.uk/2012/03/14/eu_data_protection_regulation_divisions_among_member_states_exposed/

19. Council Directive No. 95/46/EC, art. 2(a), O.J. L 281/38 (1995).

20. Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of Personal Data (01248/07/EN WP 136) (June 20, 2007), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf.

21. Id.

22. Council Directive No. 95/46/EC, art. 8(a) and 9(5)-(6), O.J. L 281/40, (1995).

23. Sensitive personal data may be processed where (i) the data subject has given explicit consent, (ii) the controller cannot meet its employment law obligations without doing so, (iii) it is necessary to the vital interests of a data subject (or another person), and the data subject is physically or legally incapable of giving consent, (iv) it is carried out by a non-profit organization whose aim is to advance an agenda related to one of the categories of sensitive data, (v) the data subject makes the data public, (vi) it is needed to establish or defend a legal claim, or (vii) it is required by a health professional in the course of managing treatment or health care services. Id., art. 8, O.J. L 281/40 (1995).

24. Council Directive No. 95/46/EC, art. 2(d), O.J. L 281/38 (1995). See also Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor" (00264/10/EN WP 169) (Feb. 16, 2010), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf.

25. Barbara Crutchfield George, Patricia Lynch & Susan J. Marsnik, U.S. Multinational Employers: Navigating Through the "Safe Harbor" Principles to Comply with the EU Data Privacy Directive, 38 Am. Bus L.J. 735, n. 81 (2001).

26. Council Directive No. 95/46/EC, art. 2(b), O.J. L 281/38 (1995).

27. See Working Document 1/2009 on pre-trial discovery for cross-border civil litigation ("WP 158"), at 8.

28. Council Directive No. 95/46/EC, art. 7(a), O.J. L 281/40 (1995).

29. Working Party, Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995 (2093/05/EN WP 114), at 11 (Nov. 25, 2005), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp114_en.pdf.

30. Council Directive No. 95/46/EC, art. 7(b), O.J. L 281/40 (1995).

31. Id., art. 7(c), O.J. L 281/40 (1995).

32. WP 158, at 9.

33. Council Directive No. 95/46/EC, art. 7(d), O.J. L 281/40 (1995).

34. Id., art. 7(e), O.J. L 281/40 (1995).

35. Id., art. 7(f), O.J. L 281/40 (1995).

36. WP 158, at 9.

37. Council Directive No. 95/46/EC, art. 10, art. 11, O.J. L 281/41 (1995); Working Party, Opinion 8/2001 on the processing of personal data in the employment context (5062/01/EN WP 48), at 3 (Sept. 13, 2001), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2001/wp48en.pdf.

38. Data Protection Unit of the Directorate-General for Justice, Freedom and Security, Frequently Asked Questions Relating to Transfers of Personal Data From The EU/EEA to Third Countries, http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf, at 18.

39. Council Directive No. 95/46/EC, art. 25, O.J. L 281/45 (1995).

40. http://ec.europa.eu/justice/data-protection/document/internationaltransfers/adequacy/index_en.htm; http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:227:0011:01:EN:HTML; and http://europa.eu/rapid/press-release_IP-12-1403_en.htm.

41. For a list of American companies that have been certified
