International E-Discovery E-Discovery vs. German Data Protection


International E-Discovery
E-Discovery vs. German Data Protection

ABA Tech Committee, April 28-30, 2010, New York

LL.M., CMS Hasche Sigle, Kranhaus 1 / Im Zollhafen, Cologne, Germany
Tel: Fax: carsten.domke@cms-hs.com

A INTRODUCTION
B U.S. E-DISCOVERY VS. GERMAN DATA PROTECTION LAW
  1. NO GERMAN E-DISCOVERY
  2. GERMAN DATA PROTECTION BEFORE A COURT
  3. TRANSFER OF PERSONAL DATA TO THE U.S. FOR LITIGATION PURPOSES
  4. PRACTICAL MEASURES
C BACKGROUND: EU DATA PROTECTION DIRECTIVE AND ART. 29 WORKING PARTY
D BACKGROUND: DATA PROTECTION IN THE EU ESP. GERMANY
  1. DEFINITION OF DATA
  2. LAWFUL PROCESSING OF DATA
  3. RIGHTS OF THE INDIVIDUAL
  4. LIABILITY AND SANCTIONS
  5. APPLICABLE LAW
  6. EXPORT OF DATA OUTSIDE THE EU

A INTRODUCTION

Transborder discovery as well as transborder data protection may create significant problems for natural or legal persons, especially for multinational groups of companies that intend to comply with at least two jurisdictions.

With regard to discovery and data protection, the legal systems of Germany and the U.S. follow very different approaches. While data protection plays an important role in Germany, discovery is not a big issue. For the U.S. the opposite is true.

When transferring data from Germany to the U.S., data protection issues are already posing problems for companies in their regular daily business. The challenge could be even more important when companies are faced with an obligation to transfer personal data if they need to defend or raise a claim in a trial. Once again, data protection in Germany and U.S. law seem to be at odds. The conflict of laws and the extraterritorial effects of both jurisdictions recall the discussions between Germany (the EU) and the U.S. regarding the implementation of Whistleblower Channels reporting personal data from German (European) subsidiaries to U.S. parent companies.

With regard to personal data to be transferred for litigation purposes, German data protection law provides for a solution. Accordingly, the conflict may be reduced to the definition of the scope of necessary data.

B U.S. E-DISCOVERY VS. GERMAN DATA PROTECTION LAW

While U.S. E-Discovery rules oblige companies in the U.S. as well as parent and other affiliated companies outside the U.S. to provide all kinds of data, including personal data, to the court, to the adverse party and its counsel, European and German data protection law in general prohibits the transfer of personal data to another legal entity as well as to countries that do not provide for an adequate level of data protection. Every processing and transfer of personal data requires a specific justification. When personal data generated in Germany is to be transferred to other countries that do not guarantee an adequate level of data protection, like the U.S., additional special conditions must be fulfilled in order to legitimize the data transfer.

With regard to the general principles of data processing in Germany as well as to the data transfer to the U.S., please see Section C, below. This section will concentrate on the transfer and use of personal data for litigation purposes in the U.S., in particular under the e-discovery procedure.

1. No German E-Discovery

There is no German equivalent to E-Discovery. The German Code of Civil Procedure [1] applies to general civil litigation as well as to litigation before specialized labor courts. According to the law, no party is obliged to make accessible any document of possible relevance at an early or late stage of litigation. As a rule, a party must only deliver such electronic or hardcopy documents that support its case. The burden of proof lies with the party that intends to take advantage of the document.

However, in particular when it comes to litigation before labor courts, the burden of proof may shift: It is generally the employer who is in possession of documents that can prove facts and circumstances. Therefore, if an employee cannot deliver documents supporting his case and if the company typically is in possession of such documents, the courts will ask the company to provide such documents. But, here too, the company will only be requested to deliver individual documents with relevance to a defined and precise question. There is no obligation to provide documents that are of general interest or that do not reply to a clearly defined question that could be relevant to the outcome of the litigation. On the contrary, requesting general facts in order to find out further facts that could be of interest ("Ausforschungsbeweis") is inadmissible.

[1] Zivilprozessordnung - ZPO

2. German Data Protection before a Court

Already within the EU, German data protection law prohibits the transfer of personal data to another entity if there is no specific justification for the transfer. In case of litigation, the party involved may transfer personal data of third parties according to Art. 28 (1) No. 2 and No. 3 German Data Protection Act. [2] According to the law, the generating, processing and transfer of personal data is admissible if it serves the legitimate interests of the processor and if there are no prevailing legitimate interests on the part of the person concerned to retain the data.

Accordingly, before German or EU courts, the transfer and use of data of third persons is generally possible. Only in extremely rare cases could a person whose personal data is used claim a prevailing interest in not disclosing the data.

[2] Bundesdatenschutzgesetz - BDSG

3. Transfer of Personal Data to the U.S. for Litigation Purposes

In general, it is admissible to transfer electronic or hardcopy information from Germany to the U.S. in order to provide facts to the court. However, in practice it will be difficult to urge a German legal entity or natural person to provide such facts against their will.

For the standard situation, this will have no practical consequences. If a German company or one of its affiliated companies is a party to litigation in the U.S., it has its own interests in delivering the necessary facts. However, in that case one obstacle could arise: With regard to the data of natural persons, German data protection law may prohibit any transfer to the U.S.

a. Data Transfer to the U.S.

While the transfer to and the use of personal data by the U.S. is generally subject to severe restrictions, this is not the case with litigation conducted before a court.

In general, the transfer of personal data from Germany to the U.S. can only take place if the sender ensures an adequate level of data protection by way of the following:

- EU Standard Contractual Clauses
- Safe Harbor Certification of the receiving entity
- Certified Corporate Code of Conduct.

These remedies are inapplicable in the litigation situation: the court or the opposing party would not agree hereto. German law takes this into account by providing for an exception to the requirement of an adequate level of data protection. Such level is dispensable if the transfer is necessary for defence or to support a claim before a court (Art. 4c (1) No. 4 BDSG). Personal data may be transferred to U.S. courts, the opposing party and their counsel without any guarantee of an adequate protection level or the consent of the person concerned.

Further, Art. 4c (1) No. 4 BDSG does not require that the German data controller itself is a party to the litigation. Accordingly, a German parent company may also transfer the data if only its U.S. subsidiary is involved in litigation.

b. Scope of Discovery

Although the transfer of personal data for litigation is admitted in general, information required under U.S. law will not automatically be necessary data under German data protection law.

It is recognized in Germany as in the U.S. that disclosing personal data during litigation may constitute legitimate interests of a litigating party. These interests may prevail over the interests of a third party whose data is being transferred and used therefore. The German Data Protection Act provides for an explicit exception if the "exercise or defense of legal interests before a court is required" [3].

[3] "Ausübung oder Verteidigung von Rechtsansprüchen vor Gericht erforderlich ist", Art. 4 c (1) No. 4 BDSG

The scope of discovery under German law differs significantly from that under U.S. law. The German Code of Civil Procedure has no equivalent to e-discovery or pre-trial discovery. Accordingly, from the German perspective, one would have a very restricted understanding of what should be disclosed under these procedures. Necessary information would be a limited and concentrated scope of data.

However, the U.S. perspective should be decisive. The German Data Protection Act lays down that data necessary in litigation can be transferred. This means that the data must be necessary under the applicable law. If a company is involved in litigation in the U.S., "necessary" is defined by U.S. law, in principle. A restriction has to be made here if fundamental principles of data protection are not respected.

Please note in this context a U.S. court decision of January [4] that did not accept the German Data Protection Act nor the Hague Convention [5] as an excuse for not disclosing information.

c. Examples

Examples for situations of data transfer:

- A U.S. subsidiary of a group of companies with their headquarters in Germany is defending before a U.S. federal court against a claim brought by a former employee. In order to defend properly, it needs to prove facts by way of documents containing personal data on other employees, like salary, sex, place of residence or other non-sensitive information. Under German law this is possible.
- In the same case the U.S. subsidiary also wishes to defend its case by providing information on race/ethnic origin, health, union affiliation or other sensitive information. This is possible under German law according to Art. 4 c (1) No. 4 BDSG.
- Further, the U.S. subsidiary intends to transfer data, sensitive and non-sensitive, on the opposing party in the litigation. Again, the transfer is admitted according to Art. 4 c (1) No. 4 BDSG.
- The information may be transferred by way of electronic documents as well as hard copies.
- Smoking gun information: If information is not of direct relevance but could lead to disclosure of relevant information, the justification of the data transfer under German law can be contested. German data protection law requires a necessity.

[4] Accessdata Corp. v. Alste Technologies GmbH, 2010 U.S. Dist. LEXIS 4566 (D. Utah Jan. 21, 2010)
[5] Hague Evidence Convention: Germany ratified by Mar. 18, 1970, the U.S. by Jul. 27, Germany as well as many other European countries filed reservations regarding requests for pre-trial discovery of documents.

4. Practical measures

In order to avoid conflict with German data protection law when sending personal data from Germany, the general principles of data protection should be observed:

- Data avoidance: personal data that is not necessary must not be generated, transferred or used.
- Anonymizing: must the information be attributed to a natural or identifiable person?
- Restriction of use: the use of the data should only be permitted for purposes in the course of litigation. It may not be used for any other purpose.
- No onward transfer: recipients (the court, the opposing party, opposing counsel) may not transfer the data to any other recipient.
- Deletion: as soon as the data is no longer needed.

C BACKGROUND: EU DATA PROTECTION DIRECTIVE AND ART. 29 WORKING PARTY

From a German perspective, e-discovery is a data protection issue. Therefore the following overview of the data protection legal framework in Germany and the EU shall help to understand the German context.

In 1995, the Commission adopted a Directive on Data Protection, which is concerned with the rights and freedoms of natural persons with regard to the processing of personal data. [6] The Directive applies to personal data of natural persons. The Member States complied with this Directive by adapting their national laws to its requirements. The Directive prevails in case of contradiction by national law.

The European Data Privacy Law aims to reconcile two opposite interests: On the one hand, an employer or legitimate data owner has a need for free and continuous flow of data. On the other hand, the person concerned, in particular the employee, has a right to respect for his personal privacy.

In Europe the personality right is generally considered to be a proprietary right of each individual, including also personal data. The employee, as every individual, has the right to know when information related to him is collected or processed. He also has the right to prohibit this collection or processing if no other interests prevail. The core of the personality right is inalienable.

[6] Directive 95/46/EC of the European Parliament and of the Council (Privacy Directive)

The Art. 29 Working Party is the competent body on a European level for all questions of international data transfer and interpretation of the EU Directive 95/46/EC. It pronounces its legal opinion by Working Papers. With regard to pre-trial discovery for cross-border civil litigation it has adopted the Working Document 1/ [7]. The opinions and recommendations of this document are not legally binding. However, it can be expected that European courts will follow the arguments of the very specialized Art. 29 Working Party.

[7] Available under

D BACKGROUND: DATA PROTECTION IN THE EU ESP. GERMANY

Germany complied with the Privacy Directive by amending the German Data Protection Act in While the definitions and basic rules for the dealing with personal data, criteria for data processing and the conditions of data export are subject to EU-harmonized legislation, workplace monitoring as well as questions of codetermination of the employees' representatives depend on national law.

1. Definition of data

The Privacy Directive gives in its Article 2 (a) a rather broad definition for personal data: "Any information relating to an identified or identifiable natural person". As a consequence, as soon as an automated data processing or storage concerns an individual person, the provisions of the Directive apply.

The Privacy Directive distinguishes basically between normal and sensitive data. Sensitive data contains information on the ethnic origin of a person, skin color, religion, political opinions, health, or sexual preferences. Sex and marital status are not sensitive data. Normal data is all data that is not sensitive.

2. Lawful processing of data

a. Principles

According to the Directive, personal data must be

- processed fairly and lawfully
- collected for specified, explicit and legitimate purposes
- adequate, relevant and not excessive in relation to the purposes
- accurate
- put out of context of an identifiable individual as soon as possible

b. Normal Data

The collection, storage, or use of normal data is permissible if it serves the purpose of the contractual relationship. It is, however, not sufficient that the collection of the data is simply useful. Permissible is only the collection of data that is necessary for the performance of the employment agreement. The controller must specifically define the aim of the data collection. It must therefore state to what purpose the data is being collected.

Examples for an employment relationship:

- Access control
- Salary calculation
- Personnel development
- Attendance times of employees
- Recruitment

The employer may not, however, by combining data gain new information offhand which it had not previously specifically defined. If, for example, information is collected on what the employees eat in the staff restaurant, in order to take this into account for the calculation of salary, the employer may not then evaluate the eating habits of the employees and assess their health with this information.

The purpose of the employment relationship justifies storing employees' data with regard to sex, marital status, school, training in a trade or another occupation, vocational school/subject/graduation, and language skills, because this information is necessary for personnel planning, personnel shortages, and social selection in the case of dismissals.

The purpose of the relevant employment relationship determines the restrictions on processing. Therefore, if basic information concerning remuneration and promotion as well as possible data on performance and leadership competencies are to be transmitted, this can be done without the consent of the employee, if this is important for the future development of the employment relationship. [8]

The close connection of use of the normal data to the existing employment relationship and to the continuing internal employment are the two criteria for the distinction between the use of data covered by the contractual purpose and an impermissible storage of data. Personnel planning and development are examples of a prospective processing. Both of these deliberately do not focus on a specific instance, but presume a longer time period and thus take into account not only the expectations of the employer, but also the interests of the employees to avoid selective and thus often incidental reactions. Attention must be paid here, as there always has to be a connection to a specific employment relationship and the purpose of its processing or future development.

In the individual case, it may be necessary to collect information on employees for purposes which do not clearly arise from the employment relationship. In this case, the employee's consent has to be obtained. The consent of the employee must be given in writing, and the person giving the consent must be sufficiently informed on what he is consenting to. He must also be aware of what consequences a refusal of consent would have. The consent must also be given on the basis of a free decision of the employee. This criterion, for example, is not fulfilled if the employee is put under time pressure, if several people are discussing the matter with him, or if he cannot talk to a person he trusts. However, the employer is not considered to be putting the employee under pressure if it states that he is likely to be dismissed if he does not give his consent, because the data processing is indispensable for his future job.

[8] According to Art. 7 Privacy Directive, Art. 32 BDSG

c. Sensitive Data

There are special rules for sensitive data. Unlike normal data, it is not sufficient that the collection serves the purpose of the contractual relationship. Special consent of the individual is therefore required in any case. If the individual does not give his consent, vital interests of the controller or a third person are sufficient reasons to use the data. Sensitive data may also be collected and used if the individual has made the data public, e.g., if he is campaigning for a certain political party.

In any event, the individual must be informed regarding the collection, storage, and use of his data. This becomes unnecessary when the individual has already learned of the collection, storage, or use of data or if informing him would be a threat to security.

3. Rights of the Individual

The Privacy Directive grants different individual rights:

a. Information

The individual must be informed about: [9]

- the identity of the controller, i.e. the person responsible for the collection or the processing
- the purposes of the processing for which the data are intended
- the recipients of the data
- whether replies to the questions are obligatory or voluntary and the consequences of failure to reply
- the existence of the right of access and the right to rectify the data concerning him

Where the data has not been obtained from the individual, the controller must additionally give him information about the categories of data concerned. [10]

[9] Art. 10 Privacy Directive
[10] Art. 11 Privacy Directive, Art. 33 BDSG

b. Access

At any time the individual has the right to obtain under fair conditions from the controller: [11]

- confirmation as to whether or not data relating to him are being processed
- communication of the data undergoing processing and of information as to their source
- in case of automated decisions, information about the system's logic

[11] Art. 12 (a) Privacy Directive

c. Rectification

If the data processing does not comply with the provisions of the Directive, the individual may request as appropriate the rectification, erasure or blocking as well as, if necessary, the notification of this rectification to third parties. [12]

[12] Art. 12 (b), (c) Privacy Directive

d. Objections

Fundamentally, the fact that an individual could refuse to comply with or object to the collection, storage, use, or transfer of data should also be considered. Data protection law provides that the person concerned may object to the collection, storage, use, or transfer of data for promotional purposes or market research. [13] In such case, the collection, storage, use, or transfer of data is not permissible.

An objection from an individual may be disregarded if, in exercising an objection, it would prove contrary to the purpose of the employment agreement. The individual concerned was, after all, consciously and willingly involved in the creation of his employment agreement, so he may not simply offhandedly use data processing as an excuse to hinder the fulfilment of the employment agreement.

[13] Art. 14 Privacy Directive

4. Liability and Sanctions

It should be observed that the Privacy Directive guarantees an individual entitlement to compensation for damages caused by inadmissible collection, storage, use, or transfer of his personal data. [14] In addition, the Directive ensures the full implementation by obligating Member States to lay down sanctions: In Germany, the Data Privacy Protection Act provides for fines up to 300,000 in the event of certain violations by the employer. If such violations are committed with the intention of financial gain for itself or a third party or with the intention of damaging a third party, the Data Privacy Protection Act also provides for heavy fines or imprisonment for the employer.

[14] Art. 23 Privacy Directive

5. Applicable law

In the international transfer of personal data, two situations must be distinguished:

- The transfer to other European Union Member States and
- The transfer to third countries outside the EU.

The applicability of a European Member State's privacy law depends on where the personal data is collected, stored, or used. The criterion for the applicable law is the establishment of the controller, i.e. the domicile of the responsible person or unit, thus the processing party. Therefore, the domicile of an individual concerned, the location of the server, or the place of the party that collected the data is irrelevant. The same rules apply when exporting data outside the EU.

6. Export of data outside the EU

Because European law provides for high data protection standards, the EU identifies the danger of undermining its provisions by the export to other countries and, as a consequence, regulates this export of personal data. The aim is to guarantee under all circumstances an equivalent level of data protection. Very few exceptions are admitted on this point.

Examples for data export are:

- Transfer of personal data to headquarters for general strategic planning of personnel development or individual career planning
- Transfer of employees' data to parent company for global benefit plans such as stock option plans
- Publishing employees' data on the Internet or on the company's website to inform customers

- Transfer and processing of employees' or customers' data after off-shoring this task to a low-cost country
- Communication of personal data on the phone

a. Adequate Protection Level

The European Commission has decided that only a small number of countries like Hungary, Switzerland, Canada and Argentina guarantee adequate data privacy protection, with the consequence that the data transfer to these countries is possible under the same conditions as within the European Union.

If there is, in the view of European law, no adequate data privacy protection (as, for instance, in the U.S.), the transfer of data to third countries is generally forbidden, but permissible under certain conditions:

  a. The data importer is based in the U.S. and has accepted the U.S. Safe Harbor Principles
  b. Data exporter and data importer agreed upon the EU standard clauses
  c. Consent of the person concerned
  d. Fulfillment of other special conditions

b. U.S. Safe Harbor Principles

The EU Directive on Data Protection allows the transfer of personal data to non-EU countries only if these provide an adequate level of privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from the EU. Given those differences, many U.S. organizations have expressed uncertainty about the impact of the EU-required adequacy standard on personal data transfer from the European Union to the United States.

To diminish this uncertainty and to provide a more predictable framework for the data transfer, the Department of Commerce has issued the Safe Harbor Privacy Principles. Those principles have been recognized by the European Commission as adequate data privacy protection.

The decision by U.S. organizations to enter the Safe Harbor is entirely voluntary. Organizations that decide to participate in the Safe Harbor have to comply with the Safe Harbor's requirements and publicly declare that they do so. To be assured of Safe Harbor benefits, an organization needs to self-certify annually to the Department of Commerce in writing that it agrees to adhere to the Safe Harbor's requirements, which include elements such as notice, choice, access, and enforcement. It must also state in its published privacy policy statement that it adheres to the Safe Harbor. The Department of Commerce will maintain a list of all organizations that file self-certification letters and make both the list and the self-certification letters publicly available.

To qualify for the Safe Harbor, an organization can either join a self-regulatory privacy program that fulfills the Safe Harbor's requirements or develop its own self-regulatory privacy policy that conforms to the Safe Harbor.

U.S. law applies to questions of interpretation and compliance of privacy policies with the Safe Harbor Privacy Principles.

c. EU Standard Contractual Clauses

Another way to guarantee sufficient data privacy protection is to conclude a contract between the European organization, the data exporter, and its foreign parent organization, the data importer.

The European Commission has adopted a decision setting out standard contractual clauses ensuring adequate safeguards for personal data transferred from the EU to countries outside the Union. [15] This decision obliges Member States to recognize that companies or organizations using such standard clauses in contracts concerning personal data transfers to countries outside the EU offer "adequate protection" to the data.

The use of these standard contractual clauses is voluntary, but offers companies and organizations a straightforward means of complying with their obligation to ensure "adequate protection" for personal data transferred to countries outside the EU which have not been recognized by the Commission as providing adequate protection for such data.

The Commission's decision obliges the EU Member States to recognize the contractual clauses annexed to the decision as providing adequate safeguards. However, the standard contractual clauses are neither compulsory for businesses, nor the only way of lawfully transferring data to third countries. Contractual clauses are not necessary for the transfer of data to U.S. companies adhering to the Safe Harbor Privacy Principles.

[15] Decision 2001/497/EC = O.J L 181/19, see Annex for Standard Contractual Clauses; Internet:

d. Consent of the Individual

As a third way to transfer normal data outside the EU, it is furthermore possible to obtain the consent of the individual concerned. [16] This consent makes other data-protecting clauses unnecessary.

Nevertheless, if sensitive data is concerned, the individual's consent is always required, notwithstanding that the company has applied the Safe Harbor Principles or used the standard contractual clauses. The consent must be in writing and under the conditions as described above.

[16] Art. 4c (1) No. 1 BDSG

e. Other Possibilities of Data Transfer

In several special cases, data may still be transferred to countries whose data protection regime is not adequate. [17] This includes cases in which the transfer outside the EU is necessary for the conclusion or performance of a contract in the interest of the data subjects, and cases in which the transfer is required for the protection of important public interests or the defence of legal matters in court. In addition, the data protection authorities may allow such transfers on a case-by-case basis when they are satisfied that the data enjoys "adequate protection".

[17] Art. 4c BDSG

f. Information about the Data Transfer

The data-exporting organization generally has to inform the individual of the data transfer, [18] and has to declare the purpose of the data transfer to the receiving organization. [19]

[18] Art. 4b (4) BDSG
[19] Art. 4b (6) BDSG


More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

EU Employment Law Euro Info Centre December 2006

EU Employment Law Euro Info Centre December 2006 EU Employment Law Euro Info Centre December 2006 CONTENTS EU Employment Law 2 1. Anti-discrimination 2 2 2 2. Equal treatment of men and women in the workplace 3 3 3 3. Fixed and part time work including

More information

Data Protection Standard

Data Protection Standard Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2

More information

Working Document 1/2009 on pre-trial discovery for cross border civil litigation

Working Document 1/2009 on pre-trial discovery for cross border civil litigation ARTICLE 29 DATA PROTECTION WORKING PARTY 00339/09/EN WP 158 Working Document 1/2009 on pre-trial discovery for cross border civil litigation Adopted on 11 February 2009 This Working Party was set up under

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Council of the European Union Brussels, 26 June 2015 (OR. en)

Council of the European Union Brussels, 26 June 2015 (OR. en) Council of the European Union Brussels, 26 June 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 9985/1/15 REV 1 LIMITE DATAPROTECT 103 JAI 465 MI 402 DIGIT 52 DAPIX 100 FREMP 138 COMIX 281 CODEC

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

Improving self-regulation through (law-based) Corporate Data Protection Officials *

Improving self-regulation through (law-based) Corporate Data Protection Officials * Improving self-regulation through (law-based) Corporate Data Protection Officials * Article by Christoph Klug ** The rise of globalization and multinational corporations is creating a pressing need for

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Germany. Introduction

Germany. Introduction Germany Germany Introduction The labor law of the Federal Republic of Germany covers all legal rules concerning the relationship between employers and employees and their respective organizations. Traditionally,

More information

CPA Global North America LLC SAFE HARBOR PRIVACY POLICY. Introduction

CPA Global North America LLC SAFE HARBOR PRIVACY POLICY. Introduction CPA Global North America LLC SAFE HARBOR PRIVACY POLICY Introduction CPA Global North America LLC ( CPA Global ) is the US affiliate of the world's leading intellectual property (IP) management and IP

More information

AN INTRODUCTION TO THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA

AN INTRODUCTION TO THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA AN INTRODUCTION TO THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA By Peter K. Yu Introduction The Internet and new communications technologies have made shopping more convenient than ever. Online

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

The Duke Conference: Bench-Bar-Academy Distinguished Lawyers Series Protected-Privacy Data Conference

The Duke Conference: Bench-Bar-Academy Distinguished Lawyers Series Protected-Privacy Data Conference CURRENT APPROACHES TAKEN IN U.S. LITIGATION TO COMPLY WITH POTENTIALLY CONFLICTING U.S. DISCOVERY OBLIGATIONS AND EU AND OTHER FOREIGN DATA PRIVACY STATUTES David W. Ichel, Simpson Thacher & Bartlett Peter

More information

RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE. EFFECTIVE AS OF: August 12, 2015

RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE. EFFECTIVE AS OF: August 12, 2015 RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE EFFECTIVE AS OF: August 12, 2015 This Notice sets forth the principles followed by RPM International Inc.,

More information

Overview of Employment and Employee Privacy Laws and Key Trends in Austria

Overview of Employment and Employee Privacy Laws and Key Trends in Austria P a g e 1 Privacy Interviews with Experts August 2011 Toronto / Washington DC / Brussels www.nymity.com Rainer Knyrim Attorney and Partner Preslmayr Attorneys at Law Vienna, Austria Overview of Employment

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

LAW FOR PROTECTION OF PERSONAL DATA

LAW FOR PROTECTION OF PERSONAL DATA LAW FOR PROTECTION OF PERSONAL DATA Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend. SG. 93/19 Oct 2004, amend. SG. 43/20 May 2005, amend. SG. 103/23 Dec 2005, amend. SG. 30/11 Apr 2006, amend.

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive

More information

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation June 19, 2012 Practice Group(s): Health Care Life Sciences Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation By Mathias Schulze Steinen and Daniela Bohn

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

US DISCOVERY PROCEEDINGS: IMPLICATIONS FOR FRENCH BUSINESSES

US DISCOVERY PROCEEDINGS: IMPLICATIONS FOR FRENCH BUSINESSES US DISCOVERY PROCEEDINGS: IMPLICATIONS FOR FRENCH BUSINESSES May 11, 2012 Bijan E. Eghbal, Paris Browning E. Marean, San Diego Carol A.F. Umhoefer, Paris Agenda I. Overview of US discovery and document

More information

Declaration of Internet Rights Preamble

Declaration of Internet Rights Preamble Declaration of Internet Rights Preamble The Internet has played a decisive role in redefining public and private space, structuring relationships between people and between people and institutions. It

More information

INERTIA ETHICS MANUAL

INERTIA ETHICS MANUAL SEVENTH FRAMEWORK PROGRAMME Smart Energy Grids Project Title: Integrating Active, Flexible and Responsive Tertiary INERTIA Grant Agreement No: 318216 Collaborative Project INERTIA ETHICS MANUAL Responsible

More information

Under European law teleradiology is both a health service and an information society service.

Under European law teleradiology is both a health service and an information society service. ESR statement on the European Commission Staff Working Document on the applicability of the existing EU legal framework to telemedicine services (SWD 2012/413). The European Society of Radiology (ESR)

More information

Legal Aspects of Cloud Computing. Dr. Susann Wolfgram & Ulrike Weinbrenner Dr. Alexander Duisberg (Bird&Bird)

Legal Aspects of Cloud Computing. Dr. Susann Wolfgram & Ulrike Weinbrenner Dr. Alexander Duisberg (Bird&Bird) Legal Aspects of Cloud Computing Dr. Susann Wolfgram & Ulrike Weinbrenner Dr. Alexander Duisberg (Bird&Bird) Agenda Cloud Computing Overview Role Play on Hot Topics SAAS versus on-premise software licensing

More information

Reprinted with permission of the authors and the Association of Corporate Counsel as it originally appeared: Lawrence Ryz and Tracey Stretton, EU

Reprinted with permission of the authors and the Association of Corporate Counsel as it originally appeared: Lawrence Ryz and Tracey Stretton, EU Reprinted with permission of the authors and the Association of Corporate Counsel as it originally appeared: Lawrence Ryz and Tracey Stretton, EU Data Protection Gains A Sword To Go With Its Shield, ACC

More information

Tilburg University. U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen

Tilburg University. U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen Tilburg University U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen Published in: International Data Privacy Law Document version: Preprint (usually an

More information

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION CLIENT MEMORANDUM THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION The ICC Report analyzes the use of binding

More information

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

More information

GSK Public policy positions

GSK Public policy positions Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable

More information

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

More information

FIRST DATA CORPORATION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION

FIRST DATA CORPORATION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION FIRST DATA CORPORATION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION v 1.3 Supersedes: v 1.2 Summary Owner: Corporate

More information

PROTECTION OF PERSONAL INFORMATION BILL

PROTECTION OF PERSONAL INFORMATION BILL REPUBLIC OF SOUTH AFRICA PROTECTION OF PERSONAL INFORMATION BILL (As amended by the Portfolio Committee on Justice and Constitutional Development (National Assembly) after consideration of proposed National

More information

Code of Conduct. Code of Conduct, 2009 Version 1.0

Code of Conduct. Code of Conduct, 2009 Version 1.0 Code of Conduct Code of Conduct, 2009 Version 1.0 Contents A. Introduction... 3 B. Application of the Code... 3 C. Basic Rules of Conduct... 4 Avoidance of Conflicts of Interest... 5 Mutual Respect...

More information

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions

More information

GENERAL TERMS OF PURCHASE of Globe Chemicals GmbH valid for contracts with merchants effective May 1 st, 2005

GENERAL TERMS OF PURCHASE of Globe Chemicals GmbH valid for contracts with merchants effective May 1 st, 2005 GENERAL TERMS OF PURCHASE of Globe Chemicals GmbH valid for contracts with merchants effective May 1 st, 2005 1. General 1.1 The terms of purchase set out below are valid for all also future purchases

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012 The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions

More information

South East Asia: Data Protection Update

South East Asia: Data Protection Update Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Act to Implement Certain Legal Instruments in the Field of International Family Law (International Family Law Procedure Act IFLPA)

Act to Implement Certain Legal Instruments in the Field of International Family Law (International Family Law Procedure Act IFLPA) Act to Implement Certain Legal Instruments in the Field of International Family Law (International Family Law Procedure Act IFLPA) in the version of the promulgation of 26 January 2005 (Federal Law Gazette

More information

In force as of 15 March 2005 based on decision by the President of NIB ARBITRATION REGULATIONS

In force as of 15 March 2005 based on decision by the President of NIB ARBITRATION REGULATIONS In force as of 15 March 2005 based on decision by the President of NIB ARBITRATION REGULATIONS Contents I. SCOPE OF APPLICATION... 4 1 Purpose of these Regulations... 4 2 Applicability to different staff

More information

University of Liverpool Online Programmes - Privacy Policy for Visitors and Students

University of Liverpool Online Programmes - Privacy Policy for Visitors and Students University of Liverpool Online Programmes - Privacy Policy for Visitors and Students PLEASE NOTE: The following privacy terms relate to the University of Liverpool s online programmes and not The University

More information

Personal Data Act (523/1999)

Personal Data Act (523/1999) 1 NB: Unofficial translation Personal Data Act (523/1999) Chapter 1 General provisions Section 1 Objectives The objectives of this Act are to implement, in the processing of personal data, the protection

More information

Balancing Discovery with EU Data Protection in International Arbitration Proceedings By Karin Retzer and Sherman Kahn

Balancing Discovery with EU Data Protection in International Arbitration Proceedings By Karin Retzer and Sherman Kahn Balancing Discovery with EU Data Protection in International Arbitration Proceedings By Karin Retzer and Sherman Kahn As many organizations facing cross-border litigation know too well, U.S. discovery

More information

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November 2006 15644/06 DATAPROTECT 45 EDPS 3

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November 2006 15644/06 DATAPROTECT 45 EDPS 3 COUNCIL OF THE EUROPEAN UNION Brussels, 22 November 2006 15644/06 DATAPROTECT 45 EDPS 3 COVER NOTE from: Secretary-General of the European Commission, signed by Mr Jordi AYET PUIGARNAU, Director date of

More information

Mexico. Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López. Von Wobeser y Sierra, S.C.

Mexico. Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López. Von Wobeser y Sierra, S.C. Mexico Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López Market overview 1 What kinds of outsourcing take place in your jurisdiction? In Mexico, a subcontracting regime (understood as the regime

More information

ARTICLE 29 - DATA PROTECTION WORKING PARTY

ARTICLE 29 - DATA PROTECTION WORKING PARTY ARTICLE 29 - DATA PROTECTION WORKING PARTY 11639/02/EN WP 74 Working Document: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate

More information

A Primer for Data-Protection Principles in the European Union

A Primer for Data-Protection Principles in the European Union A Primer for Data-Protection Principles in the European Union Harvey L. Kaplan Mark W. Cowing Gabriel P. Egli Shook, Hardy & Bacon L.L.P. 2555 Grand Boulevard Kansas City, Missouri, USA 64108-2613 (816)

More information

Privacy Policy documents for

Privacy Policy documents for Privacy Policy documents for Praendex Incorporated doing business as PI Worldwide Product User Privacy Policy - For Customers, as well as those invited to our websites to complete a PI Survey or SSAT General

More information

Executive summary and overview of the national report for Denmark

Executive summary and overview of the national report for Denmark Executive summary and overview of the national report for Denmark Section I Summary of findings There is no special legislation concerning damages for breach of EC or national competition law in Denmark,

More information

Code of Conduct. Version 3, November 2009 BSCI 2.3-11/09

Code of Conduct. Version 3, November 2009 BSCI 2.3-11/09 Code of Conduct Version 3, November 2009 BSCI 2.3-11/09 All rights reserved. No part of this publication may be reproduced, translated, stored in a retrieval system, or transmitted, in any form or by any

More information

1. General questions. 2. Personal data protection rights of employees PERSONAL DATA PROTECTION FAQ

1. General questions. 2. Personal data protection rights of employees PERSONAL DATA PROTECTION FAQ PERSONAL DATA PROTECTION FAQ These Frequently Asked Questions are broken down into three parts: Part 1 contains answers to general questions on personal data protection. Part 2 is about employees personal

More information

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of. Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

Delegations will find attached a set of Presidency drafting suggestions concerning Articles 1-3 of the above proposal, as well as the Recitals.

Delegations will find attached a set of Presidency drafting suggestions concerning Articles 1-3 of the above proposal, as well as the Recitals. COUNCIL OF THE EUROPEAN UNION Brussels, 11 February 2010 6092/10 Interinstitutional File: 2008/0140 (CNS) SOC 75 JAI 108 MI 39 NOTE from : The Presidency to : The Working Party on Social Questions on :

More information

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School DEUTSCH-FRANZÖSISCHE SOMMERUNIVERSITÄT! FÜR NACHWUCHSWISSENSCHAFTLER 2011! CLOUD COMPUTING : HERAUSFORDERUNGEN UND MÖGLICHKEITEN UNIVERSITÉ DʼÉTÉ FRANCO-ALLEMANDE POUR JEUNES CHERCHEURS 2011! CLOUD COMPUTING

More information

Factsheet on the Right to be

Factsheet on the Right to be 101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

More information

Proposal for a COUNCIL REGULATION (EU) implementing enhanced cooperation in the area of the law applicable to divorce and legal separation

Proposal for a COUNCIL REGULATION (EU) implementing enhanced cooperation in the area of the law applicable to divorce and legal separation EUROPEAN COMMISSION Proposal for a Brussels, 24.3.2010 COM(2010) 105 final 2010/0067 (CNS) C7-0315/10 COUNCIL REGULATION (EU) implementing enhanced cooperation in the area of the law applicable to divorce

More information

COMITE MARITIME INTERNATIONAL THE IMPLEMENTATION IN NATIONAL LAW OF MANDATORY INSURANCE PROVISIONS IN INTERNATIONAL CONVENTIONS

COMITE MARITIME INTERNATIONAL THE IMPLEMENTATION IN NATIONAL LAW OF MANDATORY INSURANCE PROVISIONS IN INTERNATIONAL CONVENTIONS Esplanade 6, 20354 Hamburg Telefon: 040/350 97-0 Telefax: 040/350 97 211 E-Mail: Info@Seerecht.de www.seerecht.de COMITE MARITIME INTERNATIONAL THE IMPLEMENTATION IN NATIONAL LAW OF MANDATORY INSURANCE

More information

E-Discovery and EU Data Protection laws

E-Discovery and EU Data Protection laws Robert Bond robert.bond@speechlys.com Alexander Carter-Silk alexander.carter-silk@speechlys.com IP, Technology & Data Group E-Discovery and EU Data Protection laws Alex Carter-Silk, Partner, IP, Technology

More information

Information Technology - Switzerland

Information Technology - Switzerland Newsletters Law Directory Deals News Subscribe Home Information Technology - Switzerland Data Protection - Key Issues Contributed by Homburger December 2 2003 Introduction No Free Flow of Data within a

More information

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL EUROPEAN COMMISSION Brussels, 6.11.2015 COM(2015) 566 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Transfer of Personal Data from the EU to the United States

More information

Privacy & Data Security: The Future of the US-EU Safe Harbor

Privacy & Data Security: The Future of the US-EU Safe Harbor Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

FRANCE. Chapter XX OVERVIEW
