This post was written by Nick Tyler.
Last month we highlighted a resolution of the American Bar Association urging U.S. courts to: “consider and respect…the data protection and privacy laws of any…foreign sovereign, and the interests of any person who is subject to, or benefits from, such laws”, in the context of the onerous legal requirements in the United States to preserve and disclose information in civil litigation.
This month we want to highlight an important publication by Working Group 6 of the Sedona Conference®: “International Principles on Discovery, Disclosure & Data Protection: Best Practices, Recommendations & Principles for Addressing the Preservation & Discovery of Protected Data in U.S. Litigation”. This document provides a working blueprint for litigants and data privacy practitioners alike to follow in resolving the “rock and hard place” challenge faced by clients seeking to comply with competing international laws.
The published “European Union Edition” can be viewed as a useful companion piece to the Article 29 Working Party Working Document 1/2009 on pre-trial discovery for cross-border civil litigation, but with the distinct advantage of providing six working principles as well as practical solutions:
- Model Protected Data Protective Order and
- Cross-Border Data Safeguarding Process + Transfer Protocol (Process + Protocol)
The six principles include:
- Due respect for Data Protection Laws, such as the EU Data Protection Directive and HIPAA, which echoes the ABA resolution
- Good faith and reasonableness (proportionality) to resolve conflicts
- Limited scope of preservation, disclosure and discovery by relevance and necessity
- Use of protective orders to resolve/minimize conflict
- Documentation by the Data Controller of the data protection safeguards taken and obligations observed, including in relation to data transfers made from Europe in the litigation context
- Document management based on a retention period no longer than necessary to satisfy legal or business needs
Use of the principles, process and protocol may help mitigate the conflict in laws between the EU and the United States on this subject, but organisations will need to tread carefully since the proposed EU Data Protection Regulation still does not accommodate transfers to the United States for purposes of litigation.