LITIGATION SUPPORT TIP OF THE NIGHT

Today the D.C. Circuit Court issued a decision in Elec. Privacy Info. Ctr. v. Presidential Advisory Comm'n on Election Integrity, No. 17-5171, 2017 U.S. App. LEXIS 26535 (D.C. Cir. Dec. 26, 2017), affirming the denial of preliminary injunction to the Electronic Privacy Information Center (EPIC) to prohibit the Presidential Advisory Commission on Election Integrity from collecting voter data without completing a privacy impact assessment under the E-Government Act of 2002. The court determined that EPIC did not have standing.

Section 208 of the Act requires that an assessment be completed if, "information in an identifiable form permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, 10 or more persons." The Commission has promised to 'de-identify' any voter data before it is made publicly available.

The D.C. Circuit ruling found that EPIC could not show a particularized and concrete injury traceable to the Commission's conduct that was capable of redress. While the denial of information can be an injury in fact, EPIC was not the kind of plaintiff the Act seeks to prevent from being harmed - it is an organization - not an individual that can vote.

In her decision, Judge Henderson concluded that, "Nor is EPIC's asserted harm—an inability to 'ensure public oversight of record systems,' Appellant's Reply Br. 9—the kind the Congress had in mind. Instead, section 208 is directed at individual privacy, which is not at stake for EPIC." [Id. at 10].

Yesterday, Judge Mazzant of the United States District Court for the Eastern District of Texas, in Zoch v. Daimler, 4:17-cv-578, 2017 U.S. Dist. LEXIS 185343 (E.D. Tex. Nov., 8, 2017) approved a motion to compel the production data from the German auto manufacturer, Daimler, A.G. in a products liability case.

The decision found that a motion to compel was not moot where the defendant had produced heavily redacted documents and failed to prepare a privilege log in accordance with FRCP 26(b). It further ruled that the German Federal Data Protection Act, the Bundesdatenschutzgesetz (BDSG) did not prevent the discovery of the evidenced requested by the defendants.

The BDSG is a blocking statute that limited the discovery of ""any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject)." Mazzant found that several of the requests made by the plaintiff did not concern personal data, but that others did. Section 28 of the BDGS makes an exception for the disclosure of personal data in the public interest if the subject has no legitimate interest in the data being excluded. The Court did not find that the exception applies in this case.

The court then used the Societe Nationale analysis (which Judge Peck loves to discuss - see the Tip of the Night for October 18, 2016) in order to determine if the BDSG would need to yield to the discovery demands of American law.

1. The Importance of the Requested Discovery to the Litigation

The Court found that evidence on "comments, part change requests, defect notifications,letters, writings, e-mails, meeting minutes, analyses, internal remarks, and performance agreements" was compelling information.

2. Degree of Specificity of the Requests

The defendant conceded the plaintiff submitted specifically targeted requests.

3. Where Information Originated

The plaintiff conceded that the data originated outside of the United States.

4. Availability of Alternative Means of Securing Information

The Court seized on the fact that the defendants both stated that the information was protected by the BDSG and conversely also stated that is was available in the deposition testimony and redacted documents that were already available, in reaching its conclusion that alternative means did not exist.

5. Balancing of National Interests The Court reached its final decision on the motion to compel because of the nature of the data requested was related to business activities. ". . . despite Germany's interest in protecting such personal data, the quantity and context of the personal data at issue in this case mitigates these concerns. Here, Plaintiff's requests seek part change requests, defect notifications, meeting minutes, performance agreements, e-mails and writings regarding comments and remarks concerning the seat in question, and names of persons with knowledge of relevant facts." It determined that its protective order was sufficient to protect the confidentiality of the data, and Federal Rule of Evidence 403 would be an adequate means of preventing the admission of irrelevant or prejudicial evidence.

The court ordered documents to be produced in unredacted form, and a list of persons with relevant knowledge to be disclosed.

France's top privacy regulator, the CNIL (Comission nationale de l’informatique et des libertés), is attempting to get Google to enforce the EU right to forgotten outside EU borders.  Last year Google was fined €100,000 for failing to do so.  The right does not involve taking info off line but does require search engines to correct or remove results in searches for a person's full name.  

Today the Conseil d'Etat referred the case to the EU's Court of Justice.   See the decision posted here

The French court noted that while users that browse to google.com will be redirected to a google search engine for their particular country, search engines for other domains are still accessible and results still come from a single indexing database.