Can conflicts between U.S. and European laws on personal privacy be resolved? These conflicts, which are burdening international transactions and cross-border litigation, were recently debated at a Distinguished Lawyers’ Conference at Duke Law School on November 29 and 30, 2012. The conference was called to air, in an academic setting, different approaches given to the use of confidential data in litigation in the United States, compared to the treatment given to privacy data in E.U. countries and across the world. All speakers noted a great deal of confusion and inconsistency among courts considering this issue, but developed a consensus on what steps needed to be taken to add clarity and improve the situation.
The panelists at the conference, recognized experts in the field, included prominent professors, practitioners and judges. Federal judges Anthony Scirica (U.S. Court of Appeals for the Third Circuit), Michael Moore (S.D. Fla.), Michael Baylson (E.D. Pa.), magistrate judges Frank Maas (S.D.N.Y.) and Viktor Poho­relsky (E.D.N.Y.) engaged in frank discussions with experienced practitioners, including, among others, David Bernick, David Ichel, Peter Kahn, Christopher Wolf, Christina Peters, Mary Ellen Calla­han, Amor Esteban, David Hoffman, and noted law professors Stephen Burbank, Rick Marcus and Ralf Michaels.
The United States provides limited protection to personal information, requiring redaction only of an individual’s Social Security number, taxpayer identification number or birth date, the name of an individual known to be a minor or a financial-account number. A sprinkling of substantive U.S. laws also protects certain sensitive personal information. U.S. laws place a premium on openness and transparency, raising a presumption in most cases favoring disclosure and production of all relevant information in litigation.
Europe is a different story. Under many of its laws and constitutions, data privacy is recognized as a fundamental and inalienable human right. Much of the privacy legislation is based on the 1995 E.U. Directive (Directive 95/46/EC), which prohibits the unauthorized processing and transferring of personal data. Most E.U. countries have incorporated the substance of the directive into their respective laws, adapting it to their individual countries.
Under the E.U. Directive, "personal data" is defined to be "any information relating to an identified or identifiable natural person." Notably, email messages fall under this definition because the names of the persons sending and receiving the message are identified. Not only is the definition of personal data broad, the scope of regulated activity is also broad and includes "any operation or set of operations" related "to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction" of the personal data.
In cross-border litigation, virtually every party faces an impossible dilemma, either producing discoverable information located in Europe and facing sanctions by a European data-protection authority that considers the information confidential, or refusing to produce such information and suffering sanctions by a U.S. court.
The broad European definition of confidential privacy information makes the conflict intractable. Moreover, Europe’s fierce public defense of personal privacy is backed by member nations’ laws and constitutions, which recognize personal privacy as a fundamental right. Foreign nations’ "blocking" statutes, primarily intended to restrict disclosure of commercial data, add another layer of complexity.
U.S. and European approaches to, and attitudes about, discovery could not be further apart. European countries rely on judges to collect necessary information, and they prohibit the disclosure of information beyond that which is necessary for trial purposes. Parties involved in U.S. litigation have very broad discovery preservation and production obligations, which apply to all relevant information.
Under the E.U. Directive, personal data can be collected and processed only for "specified, explicit, and legitimate purposes," unless these interests are overridden by the interests for fundamental rights and freedom of the individual. European data-protection officials uniformly view U.S. discovery as private, nonjudicial and between parties, which justifies much less deference than court-ordered discovery "necessary for trial." European officials are skeptical that wholesale collection and production of enormous amounts of discovery information is necessary to serve a legitimate purpose. And, in any event, the interests in pursuing unrestricted discovery do not override the "fundamental rights and freedom of the data subject." They are becoming increasingly frustrated at the perceived neglect of U.S. officials and courts in failing to safeguard the protected personal information of their citizens in the course of discovery.
When faced with a disclosure of protected-privacy data issue, U.S. courts apply the analysis given in Societe Nationale Industrielle Aerospatiale v. District Court for the Southern District of Iowa, 482 U.S. 522 (1987), holding that a U.S. court may, but need not, comply with the limitations and restrictions imposed by the Hague Convention on the disclosure of information in cross-border discovery litigation. Most courts applying the Aerospatiale analysis have consistently ruled that the federal discovery rules "trump" recourse to the Hague Convention procedures.
A rough consensus emerged at the conference that ongoing efforts to reach a compromise resolving the conflict should continue. This consensus is similar to the recommendations published by The Sedona Conference after several years of study by experts in the field, many of whom spoke at the Duke Conference.
First and foremost, attorneys engaged in cross-border litigation need to do more to educate themselves and the judges hearing their cases. It is important that U.S. judges become sensitized to the European concerns protecting an individual’s privacy. All acknowledged that it was the lawyers’ responsibility to provide judges with this information. Second, it is the lawyers’ responsibility to explain to their clients that the limitation on the disclosure or discovery of personal information located in Europe is intended to comply with legitimate privacy concerns and not designed to hinder discovery. In Europe, the focus must be on showing the information is "necessary" at a trial.
In the United States, consideration should be given to amending the Federal Rules of Civil Procedure to include this subject as one of the topics to be considered at a Rule 16 pretrial conference or at the Rule 26(f) meet-and-confer meeting.
Third, parties should limit discovery of protected personal data only to information that is both relevant and necessary to support any claim or defense in order to minimize conflicts of law and any impact on the data subject. To this end, parties should be encouraged to use filtering techniques to avoid conflicts by limiting the use of protected personal data, including making specific discovery requests, using targeted search terms and phased discovery, and considering other culling techniques such as semantic clustering, linguistic analysis and statistical sampling.
Fourth, courts and parties should give due respect to data-protection laws. Parties can avoid and minimize potential conflicts by seeking a court protective order that limits or restricts disclosure of protected personal data; phasing discovery, which defers discovery of protected personal data as late as possible in the discovery process and then only if necessary; and developing and implementing a "legitimization" plan that sets out the steps that are taken to identify, collect, transfer and produce protected personal data. Despite best efforts, if full compliance with conflicting laws is not feasible, a court or data-protection authority should apply a good-faith and reasonableness standard in evaluating the party’s conduct in discharging its discovery obligations.
Several speakers explored the concept of a treaty to resolve the conflict, but the prospects for ratification are slim.
The biggest obstacle preventing solution of the problem is the perception that the problem is solely theoretical. Although the E.U. Directive has been on the books for decades, prosecutions for violations have been rare. Another obstacle is that the issue, though troublesome when raised and potentially expensive to address once encountered, arises in a relatively small percentage of the overall cases filed in U.S. courts. Targeting the appropriate bench and bar members for an educational effort is not easy nor is amending the Federal Rules likely.
In January 2012, the European Com­mission proposed strict new privacy rules. If passed, the current directive would be repealed. The key difference between the proposed regulations and the directive is that the regulations would be the law in every European country, which would be uniformly enforced, instead of the current piecemeal system, which is enforced inconsistently. Knowledgeable sources predict that, though far from certain, regulations similar to the ones proposed will pass within the next 12 months. Intense discussions are going on to modify and revise the proposed regulations to make them more acceptable to the European Parliament and to the Council of the European Union, which are responsible ultimately to adopt the regulations. Under the current regime, lax enforcement of the data-privacy rules has led to complacency in complying with the E.U. Directive. But depending on approval and its final version, newly enacted regulations may well ratchet up the need for a compromise, as growing numbers of parties face a real risk of severe sanctions for violations. If that happens, the consensus approaches discussed at the Duke conference will take on a more urgent character.
John Rabiej is the director of the Duke Law School Center for Judicial Studies. Michael M. Baylson is a U.S. district judge for the Eastern District of Pennsylvania and a former member of the Advisory Committee on Civil Rules.