LITIGATION SUPPORT TIP OF THE NIGHT

This month the Swiss Federal Data Protection and Information Commissioner concluded that the Swiss-U.S. Privacy Shield as not providing an adequate level of protection under the Switzerland's Federal Act on Data Protection (FADP). See the policy paper posted here.

"The FDPIC considers that this lack of transparency and the resulting absence of guarantees concerning the interference of US authorities with privacy and informational self-determination of persons concerned in Switzerland is irreconcilable with: . . . the principles of the lawful processing of personal data."

United States laws on data surveillance may impact of the privacy of Swiss citizens' data in way does not honor the protections of the FADP. It will ultimately be up to Swiss courts to invalidate the privacy shield.

This month, in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, the Court of Justice of the European Union invalidated a 2016 decision on the adequacy of the EU-US Data Protection Shield. See the judgment posted here.

The ruling means that companies transferring data to the United States may be fined under the GDPR, since American measures to protect the privacy of personal data are inadequate.

In 2015, the Court had ruled that the United States did not provide an adequate level of protection for the personal data of Maximillian Schrems. Facebook transferred Schrems' data to servers located in the United States. Schrems re-filed his complaint, and sought to suspend future transfers of his personal data by Facebook Ireland to the United States. These are the key points of its July 2020 decision:

1. Data processing by a third country for national defense and public safety falls within the scope of the GDPR.

2. Personal data transferred to a third country must be subject to the same level of protection guaranteed in the EU under the GDPR.

3. Assessments of the level of protection should take into account the contract entered into by the EU data exporter and access to the data by the public authorities of the third country.

4. Supervisory authorities must prohibit the transfer of personal data to a third country where the standard data protection clauses cannot be complied with, and the personal data cannot be protected by other means.

5. The Court did not invalidate its prior decision, 2010/87, that requires a data exporter and the data recipient to verify that the level of protection is adequate prior to the transfer and to terminate a contract if the protection is found to be inadequate.

6. "The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary."

7. In reaching its conclusion, the Court stressed the importance of the fact that data subject would not have a cause of action before a court that could provide the level of protection required by EU law by issuing a decision binding on United States intelligence services.

In November, Special Master Dennis Cavanaugh issued a decision, In re Mercedes-Benz Emissions Litig., No.: 2:16-cv-881 (SDW) (JAD), 2019 U.S. Dist. LEXIS 223132 (D.N.J. Nov. 4, 2019), ruling on a dispute between the parties on the General Data Protection Regulation of the European Union. The parties could not agree on a Discovery Privacy Order to address the redaction and protection of the private data of EU citizens. The Defendants argued that the Plaintiffs' proposed order would not comply with the GDPR because it prohibited the redaction of professional contact information of EU citizens. The Plaintiffs' order only called for the redaction of objectively irrelevant information. The Plaintiffs also objected to the Defendants' call for meet and confers on redactions pursuant to the GDPR throughout discovery.

Special Master Cavanaugh reviewed the applicability of the GDPR under the five factor test provided by Restatement (Third) for Foreign Relations Law § 442 in order to evaluate whether or not foreign laws barring disclosure should be observed.

1. The names, positions, and contact information of Defendants' employees were directly relevant to claims and defenses and so showed the requested evidence was important to the litigation.

2. Because the Plaintiffs' order would require the redaction of personal information of an intimate nature, the special master found that the request was specific enough to favor disclosure.

3. The special master assumed that most of the documents to be produced by Daimier originated in Germany, and hence this would weigh against disclosure even though some documents with personal information were found to come from the United States.

4. The Defendants were not shown to have a means of obtaining information about the employees through alternate means.

5. Because the suit alleges violations of the RICO Act and fraudulent concealment by misleading customers about the environmental impact of diesel vehicles, it is shown that noncompliance with the discovery request would be against the important interests of the United States.

These factors led to this conclusion: "Special Master believes the Discovery Confidentiality Order provision allowing a producing party to designate and protect as 'Highly Confidential' information that the producing party claims to be Foreign Private Data—such as employee names, sufficiently balances the EU's interest in protecting its citizens private data and the U.S. legal system's interest in preserving and maintaining the integrity of the broad discovery provisions set forth in the Federal Rules of Civil Procedure." Id. at *15.

In reaching his decision, the special master also noted that there have been no EU GDPR enforcement actions relating to violations stemming from legal cases.

The order bars the parties from redacting the names, titles, and contact information of Defendant and third party employees.