In January 2017, The Sedona Conference Working Group on International Electronic Information Management, Discovery, and Disclosure (WG6) issued the much-anticipated International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition). This publication updates the 2011 International Litigation Principles, which preceded the 2013 Snowden revelations and the Schrems decision invalidating the U.S.-EU Safe Harbor. It also incorporates adoption and implementation of the EU-U.S. Privacy Shield, and the approval of the EU General Data Protection Regulation (GDPR), which is set to replace the 1995 EU Data Privacy Directive in May 2018. Many of these developments are consistent with the focus on “proportionality” of discovery in the 2015 amendments of the U.S. Federal Rules of Civil Procedure.
Given the complex and dynamic EU data protection landscape – where the new Privacy Shield has not been tested, and before the GDPR has even taken effect, – WG6 has aptly designated this as a “Transitional” edition. This edition provides interim best practices and practical guidance for courts, counsel and corporate clients on safely navigating the competing and conflicting issues involved in cross-border transfers of EU personal data in the context of transnational litigation and regulatory proceedings. Following are the publication’s Six Transitional International Litigation Principles:
- With regard to data that is subject to preservation, disclosure, or discovery in a U.S. legal proceeding, courts and parties should demonstrate due respect to the Data Protection Laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws.
- Where full compliance with both Data Protection Laws and preservation, disclosure, and discovery obligations presents a conflict, a party’s conduct should be judged by a court or data protection authority under a standard of good faith and reasonableness.
- Preservation, disclosure, and discovery of Protected Data should be limited in scope to that which is relevant and necessary to support any party’s claim or defense in order to minimize conflicts of law and impact on the Data Subject.
- Where a conflict exists between Data Protection Laws and preservation, disclosure, or discovery obligations, a stipulation or court order should be employed to protect Protected Data and minimize the conflict.
- A Data Controller subject to preservation, disclosure, or discovery obligations should be prepared to demonstrate that data protection obligations have been addressed and that appropriate data protection safeguards have been instituted.
- Data Controllers should retain Protected Data only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, Data Controllers should preserve relevant information, including relevant Protected Data, with appropriate data safeguards.
The Transitional International Litigation Principles also include (1) a model EU Data Protection Pretrial Order, (2) a model EU Data Protection Protective Order, and (3) a model Cross-Border Data Safeguarding Process & Transfer Protocol (“Protocol”).
The model Pretrial Order, drawn from the Eastern District of Pennsylvania, is designed to help parties agree on deadlines and sequencing for completion of international discovery. The model Protective Order, developed by WG6, provides a standardized approach for protecting EU personal data at the preservation and collection levels. Important for EU Data Protection Authorities, it demonstrates a commitment by U.S. litigants and courts to respect and protect the privacy and security of EU personal data transferred to the United States for litigation or regulatory proceedings. The model Protocol, also developed by WG6, recommends best practice procedures for harmonizing the interests of EU Data Protection Law with the legitimate interest to obtain court-ordered discovery in U.S. courts, when conducting cross-border transfers of relevant EU personal data. It also signals that in 2018, the GDPR will impose new obligations on Data Processors as well. The Protocol reflects a good-faith, consensus approach for providing adequate safeguards to protected data transferred to the U.S. for the purposes of litigation or government investigations, by building on common interests.
The Transitional International Litigation Principles, together with the Model Pretrial Order, the Model Protective Order, and the Protocol, provide a solid interim framework for dealing with cross-border discovery issues during the infancy of the new Privacy Shield, and the implementation of the GDPR in May 2018.