Rigorous EU data protection laws conflict with lax US regulation
For companies with operations in both the US and in Europe, the legal environment governing collection and transfer of some sensitive personal data is heating up. Conflicting attitudes and cultural traditions are impacting the way companies can collect and distribute data.
In the latest transatlantic flap over data privacy, European Union data protection authorities have launched an inquiry into the use of personal data from Europe in discovery proceedings in US lawsuits.
The inquiry by the Article 29 Working Party, a group composed of the data protection authorities of the 27 EU member states, was started at the behest of the French authority, known as the CNIL (Commission Nationale de l’Informatique et des Libertés).
In a statement in mid-January, the CNIL called for high-level reviews in France and the Article 29 group.
Among other concerns, the CNIL singled out the exchange of comprehensive pre-trial information that is customary in the US. It notes that a market of high-tech service providers has developed sophisticated techniques to search electronic corporate records and databases for relevant information, which is then distributed to lawyers and others in the US for use in legal cases and regulatory actions.
‘The revealing phrase fishing expedition is often used to describe the search for information by applying electronic querying methods,’ the CNIL says.
Such practices run contrary to many European sensibilities – and quite possibly to European law as well. The Article 29 Working Party’s examination of the subject is expected to last for at least the rest of this year.
Right to privacy
In Europe, where memories of World War II citizen deportations, widespread informant programs and the subsequent intrusions of Eastern European dictatorships into the private lives of citizens are still fresh, personal data privacy is seen as a fundamental human right and is guarded jealously.
As a result, European data privacy law tends to take a minimalist view of the type and amount of personal information that companies can collect and process from employees, customers, vendors and anyone else, and how long they can hold this information, while US law takes a far more expansive view.
‘EU data protection law is comprehensive in nature,’ says David Smith, deputy commissioner of the UK Information Commissioner’s Office. ‘It applies to personal information, whoever holds it and for whatever purpose. There is no such comprehensive law in the US.’
‘In Europe there is increasing resistance to the sale of personal details,’ says Jonathan Armstrong, a partner with Eversheds in London. ‘Americans are more accustomed to receiving junk mail and to having their personal details sold to marketing agencies and mailing-list brokers.’
The collection of data is only part of the issue, however. Many European companies are permitted to accumulate data about employees and other individuals but the uses this information can be put to are strictly limited. Even more importantly, this information, under a strict interpretation of the rules, is not supposed to leave the EU.
Electronic processing of personal information is not the only data policy that has raised transatlantic hackles. The US and the EU have previously tangled over US Sarbanes-Oxley rules requiring companies to make anonymous hotlines available to whistle-blowers, over disclosure by airlines of personal details of passengers flying to the US and over the decision of Belgian-based bank transfer organization SWIFT to give US authorities access to details of banking transactions, as part of American anti-terrorism and RICO probes.
As a general matter, the US tends to take the view that more data is better, and that information should move across borders freely even if it is of a specifically personal nature.
But to a growing extent, European data protection authorities are resisting efforts to impose US data views and practices on European companies. ‘If a US legal requirement is contrary to a European legal requirement, why should the US legal requirement necessarily take precedence?’ Smith asks.
Information on the hot seat
In recent years, national data protection authorities in Europe have made their views known through a series of enforcement actions.
In Spain, for example, data protection authorities imposed heavy fines on the producers of the Spanish version of the television program ‘Big Brother’ for data-security practices that allowed hackers to obtain personal information about the candidates for the show.
Spain has also fined Microsoft for transferring information about its employees in Spain to web servers in the US. And several years ago, Spain fined Spanish telephone company Telefonica for providing customer information to direct marketers.
The privacy agency in Greece, meanwhile, has fined Vodafone EUR 76 million for failing to protect its network from hackers who monitored private mobile phone calls.
France’s agency, the CNIL, imposed 16 fines totaling EUR 168,300 between mid-2006 and mid-2007. Among other actions, the CNIL imposed a EUR 30,000 fine in March 2007 on Tyco Healthcare France in connection with safeguards of employee data.
Despite this rash of regulatory action against perceived privacy violations, European data protection authorities are working with US companies, and with domestic corporations that have US ties, to minimize the challenges posed by conflicting legal approaches. ‘Businesses should not be put in a position of having to decide with which legal regime they are going to comply,’ says Smith.
‘We want to develop a pro-active approach with companies to debate and build stronger links,’ says Alex Tuerk, president of the CNIL and newly elected president of the Article 29 Working Party.
The electronic discovery issue, however, poses particularly complex problems, because the disagreement has the potential to seriously impact litigation processes that have developed separately over long periods of time.
A rock and a hard place
‘The US system is based on common law, whereas much of Europe uses civil law. This gives rise to different approaches to gathering evidence and conducting proceedings,’ says Christopher Kuner, a partner of Hunton & Williams in Brussels and chairman of the International Chamber of Commerce Task Force on Privacy and Protection of Personal Data.
Moreover, unlike the whistle-blowing cases, which involved a single US agency (the SEC), the electronic discovery issue involves the entire US litigation system, and therefore any disagreement becomes far more difficult to resolve.
‘It may be quite difficult, and even impossible, to comply with both US and EU law in collecting documents situated in the EU, subject to a valid US litigation or investigative request,’ writes David Bender of DLA Piper in a recent issue of World Data Protection Report.
He adds that both US discovery law and EU data protection law provide severe sanctions for non-compliance. In itself this would not be so bad, but each side believes its own system is best and refuses to compromise fully on the issue.
‘Companies are caught in the middle,’ says Miriam Wugmeister, a partner with Morrison & Foerster in New York.
So what can multinational companies do to minimize legal and structural conflicts? Among the steps they can take are giving customers and employees clear notice about data collection and use, and segregating personal data from work-related data. ‘For example, if a company needs certain employee emails, it does not want to include personal emails going to an employee’s mother,’ Wugmeister says.
Consent is not a reliable basis for transfers, however: some European data protection authorities do not recognize employee consent as valid, because of the imbalance of power between employers and employees.
It may be necessary for authorities to decide such matters on a case-by-case basis, notes Smith. ‘It is about striking a balance between the requirements (of privacy and of information discovery for legal cases), as opposed to saying that the information must always be made available.’
‘If the information is about senior employees and is in connection with their work rather than their private activities, then the information is clearly limited,’ Smith adds. ‘The more junior the people and the more the information collected goes into their private lives, the greater the intrusion – and also, the less likely that the information would be relevant to the legal proceeding.’
Robust uses of data
While companies wait for an intergovernmental solution to the debate over electronic discovery, technological and commercial forces are pushing them increasingly toward data practices that could create legal issues in Europe.
For example, there is a trend among multinational companies to centralize employee and customer databases in a single location, whereas in the past this information might have been processed separately in each country.
‘Centralization is a robust use of data, and carries legal issues with it,’ says Christopher Kuner of Hunton & Williams.
‘I don’t think US companies in Europe are being scrutinized more because they are US companies,’ he adds. ‘If anything, it is because US companies are cutting edge in terms of using new technologies in data processing, and in how they use data for various purposes. The use of the internet for transmission of – and remote access to – data has exposed the fault lines in data protection law and the differences between legal regimes.’
Offshore outsourcing, which typically entails cross-border data transfers, treats the world as if national boundaries did not matter. ‘In a business sense that is increasingly the case, but not in a legal sense,’ Kuner says.
The risk for cutting-edge companies is that the issue becomes politicized, Kuner adds. ‘There is always some political element to these clashes. Americans might feel that the Europeans are trying to go after us, and the Europeans might say that the Americans don’t care about privacy. In the case of discovery, there is a substantive difference between the two systems. This could be misused for political ends; I hope that does not happen.’