One of the more troubling eDiscovery issues that globalization has inadvertently imposed on organizations is compliance with a complex set of international data protection and privacy laws. These laws present a significant challenge to U.S. companies, which enjoy fewer domestic restraints on collecting and storing the personal data of their employees and consumers.
It’s not that these laws are unfamiliar concepts to U.S. corporations. Contrary to popular belief, statutes and regulations do exist in the U.S. to help protect certain personal and financial information from unauthorized disclosure. Nevertheless, the U.S. approach to data protection is mostly patchwork and is unmatched by the comprehensive framework in other regions, particularly in Europe.
Data Protection in Europe
The data protection regime adopted by the European Union (EU) presents unique information governance challenges to even the most sophisticated organizations. Developed in response to the abuses of twentieth-century fascism and communism, the EU system emphasizes the importance of securing personal information from unreasonable government and corporate intrusions. To guard against such intrusions, the EU member states have enacted laws that curtail the processing, collection and storage of personal data. For example, European laws generally prevent organizations from processing personal information unless it is done for a lawful purpose and is not excessive in relation to that purpose. Furthermore, personal data may not be retained longer than is necessary and must be properly secured.
Beyond these basic data protection principles, certain countries in Europe provide additional safeguards. In Germany, for instance, state governments have implemented their own data privacy provisions that apply in addition to the larger EU protection framework and, in the case of the German state of Schleswig-Holstein, are more exacting than it. Furthermore, corporate data processing in Germany must satisfy company Works Councils, which represent the interests of employees and protect their privacy rights.
The Clash between Data Protection Laws and Litigation Discovery Rules
A significant area of complexity facing organizations with respect to the governance of personal information concerns the treatment of that data in European and cross-border litigation. In domestic European litigation, personal data could be subject to discovery if it supports the claims of the parties or a court orders its disclosure. That could place an organization in the tricky position of having to produce personal data that may very well be protected by privacy laws. While legal exceptions do exist for these situations, the person whose data is subject to disclosure may nonetheless seek to prevent its dissemination on privacy grounds. Furthermore, company Works Councils and Data Protection Officers may object to these disclosures.
Additional difficulty may arise when addressing international discovery requests that seek personal information. Companies whose European offices receive these requests must ensure that the country to which the data will be transferred has enacted laws that meet EU data protection standards, or that another safeguard recognized under EU law is in place for the transfer. Transfers of personal data to countries that do not meet those standards are otherwise generally forbidden, with fines and even prison time imposed for non-compliance.
Certain countries have more stringent rules regarding proposed transfers of personal information. In France, for example, international discovery requests that seek personal data must comply with the rules promulgated by the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). Those rules require that both the CNIL and the data subjects be notified of the proposed data transfer. In addition, disclosures must be limited to relevant information, with appropriate redaction of data that could be used to identify the data subjects.
Additional complications may arise for enterprises whose European offices have been served with discovery requests from the U.S. Despite the restrictions imposed by European data protection authorities and the penalties for noncompliance, organizations are often compelled by U.S. courts to produce personal information without regard to these laws. The organization is then caught between two regimes: withholding the data could subject it to U.S. court sanctions, while producing the data could subject it to fines and possibly even jail time under European data protection laws.
Using Information Governance to Solve the Data Protection Conundrum
Given the complexity of ensuring conformity with foreign privacy rules and the penalties for noncompliance, organizations should consider developing an information governance strategy to address these issues effectively. Such an approach will typically require the principal data management stakeholders (legal and IT) to work together on the myriad legal and logistical issues surrounding information retention.
Legal and IT should also develop a process for how the organization will address data preservation and production during litigation. Where applicable, Works Councils and Data Protection Officers should be involved in the process to ensure that data protection laws are properly observed and employee privacy rights are safeguarded.
An effective governance strategy should also incorporate enabling technologies that meet company information management goals while observing data protection laws. Archiving software (to enforce retention limits), data loss prevention functionality (to control where personal data can be sent) and eDiscovery tools (to support targeted collection and redaction) are all examples of technologies that together provide the means to protect personal information processed in connection with an organization’s information governance strategy.
By following these steps, organizations will be better prepared for the challenges of addressing cross-border data protection laws and the legal traps that are inextricably intertwined with globalization.