
As the business world waits for the General Data Protection Regulation to become effective on May 25, 2018, big news about additional possible legislation broke today. According to Reuters, the new law would make it possible for law enforcement authorities to access personal data located on servers outside of the European Union. Statements made by the EU Justice Commissioner indicate that the EU is moving away from its position advocating for greater data privacy. Vera Jourova criticized current methods for cross-border discovery as "very slow and non-efficient". The proposed law would bypass Mutual Legal Assistance Treaties (MLATs) in cases where a suspect was charged with a crime carrying a potential sentence of three years or more.

This news comes one day before the Supreme Court of the United States hears oral arguments in United States v. Microsoft. In that case, the Court will decide if a warrant issued under the Stored Communications Act can compel American companies to produce data stored on servers located in foreign countries. Microsoft declined to comply with a warrant that requested emails relevant to a drug trafficking case that were stored on servers located in Ireland.

The Reuters report quotes the Microsoft vice president for EU Government affairs as saying with respect to the proposed EU law that, "I think the international law is pretty clear that police jurisdiction exercised outside your territory infringes the sovereignty of other countries."

"Any domestic law that creates cross-border obligations—whether enacted by the United States, the European Union, or another state—should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity. The European Union’s foundational treaties and case law enshrine the principles of 'mutual regard to the spheres of jurisdiction' of sovereign states and of the need to interpret and apply EU legislation in a manner that is consistent with international law."

. . . and further that:

"The GDPR thus makes 'mutual legal assistance treaties,' or MLATs, the preferred option for transfers. Such treaties provide for collection of evidence by consent, and embody a carefully negotiated balance between the interests of different states that is designed to mitigate jurisdictional conflicts that can otherwise arise."


 
 

Yesterday, Judge Mazzant of the United States District Court for the Eastern District of Texas, in Zoch v. Daimler, 4:17-cv-578, 2017 U.S. Dist. LEXIS 185343 (E.D. Tex. Nov. 8, 2017), approved a motion to compel the production of data from the German auto manufacturer, Daimler, A.G., in a products liability case.

The decision found that a motion to compel was not moot where the defendant had produced heavily redacted documents and failed to prepare a privilege log in accordance with FRCP 26(b). It further ruled that the German Federal Data Protection Act, the Bundesdatenschutzgesetz (BDSG), did not prevent the discovery of the evidence requested by the defendants.

The BDSG is a blocking statute that limited the discovery of "any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject)." Mazzant found that several of the requests made by the plaintiff did not concern personal data, but that others did. Section 28 of the BDSG makes an exception for the disclosure of personal data in the public interest if the subject has no legitimate interest in the data being excluded. The Court did not find that the exception applies in this case.

The court then used the Societe Nationale analysis (which Judge Peck loves to discuss - see the Tip of the Night for October 18, 2016) in order to determine if the BDSG would need to yield to the discovery demands of American law.

1. The Importance of the Requested Discovery to the Litigation

The Court found that evidence on "comments, part change requests, defect notifications, letters, writings, e-mails, meeting minutes, analyses, internal remarks, and performance agreements" was compelling information.

2. Degree of Specificity of the Requests

The defendant conceded the plaintiff submitted specifically targeted requests.

3. Where Information Originated

The plaintiff conceded that the data originated outside of the United States.

4. Availability of Alternative Means of Securing Information

The Court seized on the fact that the defendants both stated that the information was protected by the BDSG and conversely also stated that it was available in the deposition testimony and redacted documents that were already available, in reaching its conclusion that alternative means did not exist.

5. Balancing of National Interests

The Court reached its final decision on the motion to compel because the nature of the data requested was related to business activities. ". . . despite Germany's interest in protecting such personal data, the quantity and context of the personal data at issue in this case mitigates these concerns. Here, Plaintiff's requests seek part change requests, defect notifications, meeting minutes, performance agreements, e-mails and writings regarding comments and remarks concerning the seat in question, and names of persons with knowledge of relevant facts." It determined that its protective order was sufficient to protect the confidentiality of the data, and Federal Rule of Evidence 403 would be an adequate means of preventing the admission of irrelevant or prejudicial evidence.

The court ordered documents to be produced in unredacted form, and a list of persons with relevant knowledge to be disclosed.


 
 

This evening I attended a discussion hosted by the Sedona Conference at the offices of BakerHostetler at Rockefeller Center in Manhattan. The topic of the discussion was, "Practical Solutions to the Challenges and Uncertainty Associated with the EU-U.S. Privacy Shield". The panel was composed of Magistrate Judge Andrew Peck of the United States District Court for the Southern District of New York; Emily Fedeles, an associate with BakerHostetler; and Stacey Blaustein, a Senior Attorney and Global E-Discovery Lead at IBM.

The panel briefly discussed the Schrems decision of a year ago. They laughed about how ironic it was that a law student had found the time to bring the case, and joked that someone could have prevented all the trouble caused by the overturning of the U.S./E.U. safe harbor scheme by giving him a job with an American law firm. The group focused on the new privacy shield adopted in response to the Schrems decision and the General Data Protection Regulation which will be fully implemented in May 2018 in the European Union after a two year transition period.

Stacey Blaustein noted that businesses can certify online at https://www.privacyshield.gov. The site leads companies through the process step by step. She discussed how the new framework has avenues of redress built in. The FTC has jurisdiction under section 5 of the FTC Act for adjudicating violations of the Privacy Shield Principles. Blaustein mentioned the September 30, 2016 deadline for companies to self-certify and gain a nine-month grace period to update contracts made with data processors.

Ms. Fedeles said that under the new framework companies would have a 45-day deadline to address specific concerns raised by complainants. She also noted that many companies have already certified. See the list here.

Ms. Blaustein talked about the onward transfer or downward stream exchange of data, and mentioned that vendors may not have to certify but need to comply with the same standards as the companies who engage them.

The panel noted that the FTC's jurisdiction only extends to the industries that it regulates. Ms. Blaustein noted that it is precluded from exercising jurisdiction over transportation.

Judge Peck talked about the anonymization of data as a potential solution to the problem of producing documents covered by European data privacy laws. He speculated that under the new GDPR review will still take place in the European Union, with anonymization taking place before ESI was transferred to the United States.

Ms. Fedeles noted that certification can be rescinded, which would lead to a company having to delete the data it had collected. Audits are conducted under the new privacy shield regime.

Judge Peck discussed cross-border discovery in the context of the 1987 United States Supreme Court decision, Societe Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa, 482 US 522 (1987). Five factors were given to judge whether or not international discovery could be conducted despite a foreign blocking statute:

"(1) the importance to the . . . litigation of the documents or other information requested;

"(2) the degree of specificity of the request;

"(3) whether the information originated in the United States;

"(4) the availability of alternative means of securing the information; and

"(5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located."

Judge Peck noted that over the years two additional factors were added in effect to this Societe Nationale test - the hardship imposed on the producing party and whether or not the request was made in good faith. He blamed bad lawyering for over relying on the fifth factor to justify cross border discovery.

He mentioned that the 2007 'Christopher X' case, in which a French court only imposed a €10000 fine for the violation of a blocking statute, has been used in American courts to encourage the practice of violating such statutes.

Judge Peck warned that under the new GDPR companies could face fines potentially as high as 4% of global gross revenue - not just profit. He said if foreign data currently located in the United States no longer fell under provisions allowing for its exchange, there was a good argument for it being protected under cross-border discovery rules, but he felt that this was something other judges would have to be educated about.

Judge Peck noted that a party won't necessarily be sanctioned for the disclosure of private data it moves 'downstream', if it uses proper contracts. He did not know if a negligence standard or something else would be used to evaluate whether or not a party had used proper methods for transferring data.

Ms. Blaustein noted that, if possible, recipients should only get data for a specific purpose. The panel reminded the audience that the United Kingdom after Brexit, and Switzerland, would not be bound by European data privacy laws.

Judge Peck observed that Britain was one country in which discovery could be obtained quickly through the Hague Convention - in part because the British disclosure process is similar to American discovery.


 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.
