EU Cross Border Ediscovery, Standard Contractual Clauses, and Sub Processors: What Will Change on May 15, 2010?
How the New EU Rules on Data Export Affect Companies in and outside the EUby Dr. Thomas Helbing
On 5 February 2010 the Commission of the European Union (EU) has updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries. The old clauses are repealed with effect from 15 May 2010.
Standard contractual clauses are an important instrument for companies in the EU to comply with national data protection laws if information on individuals is transferred to or accessed by organizations outside the EU.
The EU Commission decision is relevant for all organization receiving personal data – for example customer or employee data – from subsidiaries, customers or vendors in the EU.
In addition, the new standard contractual clauses will also affect companies who indirectly receive personal data that originally comes from the EU, e.g. by providing services to companies which process EU data. This is because the new standard contractual clauses require from companies importing personal data from the EU to contractually impose the terms of the clauses on any subcontractor to which they transfer personal data or grant access.
In particular, agreements on outsourcing, cloud computing, software as a service (SaaS) or application service providing (ASP) and software like Human Resources Information Systems (HRIS) Customer Relationship Management (CRM) tools and Enterprise Resource Planning (ERP) software are affected.
Example “CRM”: CRM-Ready Inc. is a US-based company providing a Customer Relationship Management software that clients use remotely via a web browser (Software as a Service – SaaS). Best-Resell GmbH in the EU intends to use CRM-Ready’s system to store and manage its customer data. CRM-Ready Inc. and Best-Resell GmbH agree to conclude a contract with the EU standard contractual clauses to ensure Best-Resell’s compliance with local privacy laws.
Example “HR-Data”: Global Workers Ltd. is a multi-national company headquartered in Japan with subsidiaries in various EU countries. Names, functions and phone numbers of all employees are stored centrally in a firmwide database at Global Workers Ltd. in Tokyo. The EU subsidiaries and Global Workers Ltd. agree on the EU standard contractual clauses to ensure the lawfulness of the intra-group data transfers under EU laws.
In this article we answer the following questions:
• What is the Concept behind Standard Contractual Clauses?
• What are the Changes to the Standard Contractual Clauses?
• How Does the New Subcontracting Scheme of the Clauses Work in Practice?
• When Do the New Clauses Take Effect and Which Existing Agreements Need to be Updated?
• How Do the Clauses Affect Companies Outside the EU?
In a decision handed down on February 25, 2010, the French Constitutional Court ruled that the right to privacy derives from Article 2 of the Declaration of Human Rights, and is therefore considered a constitutional right under French law. The Court also ruled that the legislature must strike a balance between the right to privacy and other fundamental interests, such as preventing threats to public safety, which are necessary to preserve constitutional rights and principles.
In its decision, the Court ruled on several provisions of a legislative bill (the “Bill”) aimed at combating acts of group violence and protecting public servants. This Bill would have authorized the owners of buildings to provide live, closed-circuit video surveillance images of a building’s common areas to local or national law enforcement authorities in the event that activities taking place on the premises might require police intervention. The Court ruled against this provision on the grounds that it did not provide the safeguards necessary to protect the privacy rights of individuals living in the buildings.
Following the Court’s ruling, the French Data Protection Authority (the “CNIL”) took the opportunity to restate that video surveillance images are considered “personal data” since they allow for the identification of individuals. Consequently, any video surveillance using a system that is installed on the private premises of a building (e.g., in hallways, staircases or elevators) constitutes a data processing activity within the scope of the Data Protection Act and requires prior notification to the CNIL.
View the full text of the Court’s decision and the CNIL’s comments (both in French).
by Joseph Baker, Andrew Nicely and Tim Wybitul
Mayer Brown, LLP
Many foreign countries have enacted privacy laws and “blocking” statutes that limit the disclosure of personal data and other information maintained within their borders. Violation of these statutes can result in fines, civil penalties and, in some countries, criminal sanctions.
Parties involved in US litigation frequently find themselves in a quandary when they are directed to produce documents stored overseas that fall within the protection of a foreign privacy or blocking statute; US courts have generally been unsympathetic to such parties, commonly ordering production of overseas documents notwithstanding the obstacle posed by foreign law. Continuing this trend, a federal district court in Utah recently ordered a litigant to disclose certain data maintained in Germany that the resisting party contended were exempt from disclosure under the German Data Protection Act (GDPA).
AccessData, a US software developer, brought suit against its German reseller, Alste Technologies, to recover certain royalties due from the sale of one of its products. See AccessData Corp. v. Alste Techn. Gmbh, 2010 WL 318477 (D. Utah Jan. 21, 2010). Alste argued that it should not have to pay because, although many copies of the software product had been sold, the product was defective and had generated scores of complaints from customers. In addition, Alste alleged in a counterclaim that it had not been paid for technical support services that it had provided under its contract with AccessData.
To explore Alste’s contentions, AccessData issued interrogatories and document requests seeking information about the customer complaints Alste had received and the support services it claimed to have provided. Alste objected to the discovery requests, arguing that the disclosure of information about its customers “would be a huge breach of fundamental privacy laws in Germany” — specifically, the GDPA. Alste contended that the discovery could be obtained only through the procedures established in the Hague Convention for the Taking of Evidence Abroad.
Alste did not specify the applicable GDPA provisions. Nevertheless, the court examined the statute and observed that Part I, Section 4c permits the transfer of personal information to foreign countries — even those that do not have the same level of data protection — if the “subjects” of the personal data consent, or if “the transfer is necessary or legally required … for the establishment, exercise or defence of legal claims.”
To continue reading, follow the link below:
Musings on The Deep Cultural Divide between The US Ediscovery Tradition and The EU Privacy Protection Principles
It is more likely, in fact, that the recent US interest is based on two of my recent posts which concern the collision between US data demands and EU privacy restrictions. The two articles were Sedona Conference WG6 presentation to Article 29 Working Party in Brussels and The extent of the right to privacy in French employee’s e-mails. Both of these have been picked up by US commentators, and it is likely that the high proportion of US-derived page views come, in part at least, from these articles.
If the gist of my posts (and the comment on them) is that US lawyers are slow to identify, still less understand, the EU privacy problem, it is fair to say that that lack of understanding passes the other way as well (and I say that with full recognition that the EU’s Article 29 Data Protection Working Party is sincere in its wish to find a way through the problems). My original post about the Sedona Conference presentation had no higher ambition than to pass on the brief report from Sedona’s Jim Daley, and I now take the opportunity to expand on the central part of that. The main paragraph of Jim’s report reads as follows:
To read more, click below:
Video is “Personal Data” under EU Data Protection Laws- Cross Border Ediscovery Implications of The Google Three Case
We may not see the Italian decision stand for long, and cannot imagine a similar case happening in most Western countries. But it represents a growing temptation of courts and lawmakers worldwide: to find excuses to strip away the protection the law grants to Internet intermediaries. It’s also an intimation of the very serious consequences to the Net and free speech if those safe harbors are weakened.
Europe has, in theory at least, at the EU level, strong protections for Internet intermediaries in itsE-Commerce Directive: Article 14 of that directive provides that hosting providers are not responsible for the content they host, as long as they are not informed of its illegal character, and they act promptly when informed of it. Article 15 clarifies that hosts do not need to monitor hosted content for potentially illegal content.
This judgement guts both these principles. The court dismissed the allegation of criminal defamation but upheld a charge of illegally handling personal data on the basis that a video is personal data, and that under EU data protection law, Google needed prior authority before distributing that personal data.
Article by Danny O’Brien
To read more, click here:
New French Case Removes Automatic Privacy Shield From Employee E-Mails, Making Them More Amenable to US Discoveryby Trevor Jefferies and Alvin F. Lindsay:
To continue reading, click on this link:
by John Jablonski
The Judge that brought us the now famous Zubulake series of legal hold decisions has weighed in on the state of litigation holds in the United States. In particular, Zubulake IV requires a corporation to issue a litigation hold to preserve relevant evidence (including electronically stored information, like e-mail) whenever litigation is initiated or reasonably anticipated. See Zubulake v. US Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003).
Her latest decision, The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Opinion, Case No. 05-cv-9016 (SDNY Jan. 15, 2010), considers facts over a period of time from pre-Zubulake through the present. In a lengthy (89 pages) and well researched opinion (including 251 footnotes) the Judge carefully analyzes the state of legal hold law in the United States (a footnote suggests the Judge and two law clerks spent over 300 hours researching and writing the opinion.)
If you do not feel like reading all 98 pages, here are a few key takeaways:
1. When faced with anticipated litigation (aka a trigger event) a litigant in federal court must issue a written litigation hold. (Yes, the Opinion says it must be in writing.) That means, to avoid being grossly negligent as a matter of law a written notice must be delivered to custodians of relevant evidence once the duty to preserve evidence is triggered. So if you had any doubt about whether a legal hold notice is required, this Judge just removed it. To be clear: in order to avoid sanctions and implement a legal hold you MUST issue a written legal hold notice (at least in the Southern District of New York, and I suspect any jurisdiction that has cited to Zubulake as requiring a litigation hold.)
2. Identify all key players and ensure that their electronic and paper records are preserved.
3. Cease the deletion of email and preserve the records of former employees that are in a party’s possession, custody or control; and
4. Preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources.
Why has the Judge created a legal duty to issue a written litigation hold? Reading between the lines of the Opinion, it is very clear that the Judge views the time spent on the “detour” of this spoliation motion and passing judgment on the failure to preserve evidence as a huge waste of judicial resources. Rather than reviewing reams of motion papers and conducting hearings on the sufficiency of a party’s preservation efforts; looking at an audit trail of actions following a written litigation hold is much more economical. As a result, the Judge titled her Opinion, Zubulake Revisited: Six Years Later. The ominous message of the subtitle shows that Judge Scheindlin believes that nothing has changed in six years. Litigants still do not understand that preserving evidence means just that, preserving evidence. To drive the point home she wrote:
By now, it should be abundantly clear that the duty to preserve means what it says and that a failure to preserve records, will inevitably result in the spoliation of evidence.
For a copy of the Amended Opinion and Order of Judge Scheindlin in The Pension Committee of Montreal, et al. v. Banc of America Securities, et al., 05 Civ. 9016 (SDNY Jan. 15, 2010) or a whitepaper about the opinion and its impact on corporate legal hold policies and procedures email email@example.com or go to www.legalholds.typepad.com (a blog authored by Goldberg Segalla LLP lawyer John Jablonski.)
John Jablonski is a partner at Goldberg Segalla LLP. An experienced trial lawyer, John consults with Fortune 500 companies about records management, retention schedules, legal hold policies and procedures, pre-litigation planning, and electronic discovery. John is a frequent author in publications and speaker on records management, legal holds and e-discovery. John is co-author of 7 steps for legal holds of ESI & Other Documents (ARMA 2009), a book designed to help organizations understand and implement legally defensible litigation holds. John is also Editor of www.legalholds.typepad.com, a blog devoted to current document preservation trends.