Data protection is antagonistically opposed to discovery: discovery promotes the disclosure of data whereas data protection is intended to prevent such disclosure. The underlying legal principles of both are often in conflict in the context of civil litigation both in the United States and in Member States of the European Union. In this regard, neither the disclosure nor discovery rules of the US and European courts have been harmonised. This often places European companies that are doing business in the United States (or that have their parent company, a subsidiary, or an affiliate in the United States) in a dilemmaó comply with compulsory discovery/ disclosure obligations v. protecting your employees' and customers' data. However, the consequences of this dilemma can be avoided, or at least mitigated.
Discovery Requirements under US Law and Discovery Restrictions under European Data Protection Law
Recent amendments to US pre-trial discovery require the responding party to search for and produce electronically stored information (ESI) regardless of where that information is stored within the corporate information technology infrastructure. Often, ESI stored within with a facility located in an EU Member State may indeed be subject to discovery in the United States.
Under European Data Protection Directive 95/46/EC, "personal data" is any information relating to an identified or identifiable natural person; "processing" of personal data includes the disclosure of personal data by transfer to a third party. Responsive electronic files and e-mails (including electronic files attached to e-mails) may contain personal data. An example would be responsive e-mails that contain personal data relating to the responding party's customers. The Directive further restricts the transfer to any non-EU state that does not afford the same privacy protections as an EU Member State. In this regard, the United States is expressly recognised as a country that does not afford such protections.
Circumstances under Which Personal Data Can Be Transferred
Unfortunately, the laws and regulations surrounding when and how data can be transferred to the United States remain a web of confusion with no necessarily clear answers. There are, however, certain best practices that should be followed when transferring "personal data" to the United States for the purposes of discovery.
First, personal data may generally be transferred if the data subject, for instance the...