Transferring data from the EU for eDiscovery purposes in a post Privacy Shield World

Michael Simon

A few weeks ago, I had the privilege of participating in a Masters’ Conference webinar on the topic of how to lawfully transfer EU data to the US after the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield agreement on July 16, 2020. Despite many uncertainties that remain from what has been called “Schrems II” (as it is the second blockbuster case caused by activist Max Schrems), we had some recommendations as to how one could still potentially lawfully transfer data for eDiscovery purposes. As they say, “where there is a will, there is a way.” But they never said that it would be an easy way.

RIP the Privacy Shield

You can find the full text of the decision here.  Because the decision is long, the equivalent of 64 PDF’d pages, we created our own explainer here. The most pithy summary comes from Privacy Law educator Daniel Solove: “The Privacy Shield is dead.”

And the Privacy Shield is not coming back any time soon

eDiscovery veterans remember the chaos caused when what we now call “Schrems I” invalidated the US-EU Safe Harbor agreement in October 2015. Yet we also remember that those troubles were short-lived; the new agreement was in place less than one year later, by July, 2016, with a moratorium on enforcement in the interval.

But that was then, and this is now. The GDPR became effective on March 25, 2018, superseding the old, poorly enforced Directive 95/46/EC. Then came Brexit, which removed a key US ally from EU data sharing discussions. And, of course, the overall political relationship between the US and the EU is far different in 2020 than it was in July 2016.

Now, the US Department of Commerce insists that it will administer – and demand payments for – a Privacy Shield program that the EU has declared to be dead. While high-level officials on both sides of the Atlantic have issued press releases about having “initiated discussions” to “evaluate the potential” for a solution, nothing more concrete has been hinted at. In contrast, many of the EU Data Protection Authorities (“DPAs”) responsible for enforcing the GDPR, including key German authorities and the Dutch DPA, have been clear that there will be no moratorium on enforcement.

Meanwhile, NOYB, Max Schrems’ privacy advocacy organization, has already filed 101 EU-US data transfer complaints premised upon the decision.

Finding a way to transfer data for eDiscovery

Although there are no easy answers, there are some potential paths still left open. The first and most obvious means to transfer data is the EU-approved Standard Contractual Clauses (SCCs). Schrems II did not invalidate the SCCs, but it came close enough so that, in the blunt words of Professor Solove, they “are in a coma on life support.”

The doubts about the SCCs stem from the CJEU requiring “additional safeguards” in Schrems II when the transferee country is “capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.” As one law professor warned: “It is no longer sufficient for companies to ‘copy and paste’ the SCCs templates.” As well, even if one still wanted to copy and paste in the SCCs, there are only three limited, pre-GDPR template sets, which do not cover key eDiscovery issues, including the exacting requirements for Processors in Article 28(3).

On our Masters’ Conference webinar, we came up with four criteria to assess when adapting the SCCs for each specific case:

  1. Volume: the more data, the more likely it will contain Personal Data.
  2. Source countries: some EU member state DPAs, such as the Irish DPA and some of the German states, are taking a harder line on SCC validity and thus present higher dangers.
  3. Sensitivity: start with Article 4(1) for the definition of “Personal Data,” but pay special attention to the Article 9 “Special Categories of Personal Data.”
  4. US Government interest: some, including the IAPP’s Omer Tene, believe that “the U.S. national security laws referred to in [Schrems II] apply to just a small fraction of companies that transfer data across borders. . .” Others, such as the US law school professors who write for Lawfare, have doubts: “Although this option may be worth exploring for some companies, the theory is untested . . .” Until we have further guidance from the EU authorities, it seems foolish to volunteer to be that test case.

Our panel recommended that parties carefully document their analysis on a scale from 1-5 for each factor, with 1 being the lowest and showing little potential problem, and 5 being “toxic” data that should never be transferred. However, not all of these factors are co-equal, and some, like US Government interest, should be taken with great caution at any score beyond the lower levels.

Another set of potential tools for lawful transfer is encryption, anonymization and pseudonymization. Some DPAs seem ready to demand, or at least accept, encryption as a “supplemental measure.”

Anonymization could also help, as GDPR Recital 26 makes it clear that anonymized data is outside of the scope of the GDPR. However, anonymizing eDiscovery data might also be spoliating it under FRCP 37(e) if it removes relevant evidence. For this reason, pseudonymizing data, as contemplated by Recital 28, would likely be more appropriate, as it would allow the parties to restore relevant data. However, pseudonymized data would still fall under the GDPR. Of course, none of this, whether encryption or anonymization/pseudonymization, is worth anything unless the receiving party in eDiscovery follows the protocols as well; insisting upon carefully-crafted protective orders is a must.

There is one other means of potentially lawful transfer, though it requires no small degree of patience: Hague Convention requests and Letters Rogatory. While some have questioned the impact of GDPR Article 48 as a “blocking statute” upon such requests, others have shown that Article 48 did not invalidate these measures as long as one complies generally with other GDPR requirements. As well, at least some EU member states have been confirmed to be still honoring these mechanisms post-GDPR.

Understand that Hague Convention requests can be slow, as they require judicial approval and then cooperation by local authorities. You have to be reasonable in your requests and ask nicely. As well, many signatory states to the Hague Convention, including some in the EU, have placed specific restrictions upon discovery-related requests. For such roadblocks to Hague Convention requests, you can use Letters Rogatory, but these are potentially even more exacting and time-consuming.

Finally, there are the Article 49 “Derogations for Specific Situations,” which were specifically mentioned in Schrems II as a potential panacea. Unfortunately, Article 49 presents many difficult limitations for eDiscovery. Article 49(1)(a) allows for transfer upon explicit consent, but obtaining such “freely given, specific, informed and unambiguous” consent from each and every Data Subject specifically for eDiscovery purposes is rarely going to be practical. Even then, consent can always be revoked, leaving you with an unusable data set.

Transfers can be made under Article 49(1)(e) for “establishment, exercise or defense of legal claims,” which would seem initially to be a valid means for eDiscovery transfers. The EU Data Protection Board (“EDPB”) Guidance for Article 49 initially appears to approve of this use: “data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation.” However, the Guidance then makes clear that the many EU member state “blocking statutes” will prevent discovery-related transfers. Likewise, the Guidance requires a “layered approach” to any potential transfer under Article 49(1)(e), such that first the applicability of the use of anonymized and then subsequently of pseudonymized data must be considered before any transfer. Even if these hurdles are passed, the Guidance explicitly requires that “If it is necessary to send personal data to a third country, its relevance to the particular matter should be assessed before the transfer,” thus necessitating Review within the EU before transfer. Finally, the EDPB Guide warns that Article 49 is only for “occasional use,” not regular data transfers. While eDiscovery might seem like a perfect example of such an occasional use, the Guidance makes it clear that each case must be evaluated individually. Thus, eDiscovery, with its typical rolling Collections and changing data needs, may very well go past such occasional use.

How we can help

Despite the death of the Privacy Shield, there are still a number of valid ways to transfer data from the EU for eDiscovery purposes. The XPAN Law Group has both the necessary Privacy experience and the years of eDiscovery capabilities needed to guide you through these processes. We can help you craft the proper SCC templates and build out the assessment process with the proper documentation. We can assist you in selecting the best methods of encryption, anonymization, and pseudonymization as applicable to each situation. Finally, if you find yourselves with no alternative but to navigate the hurdles of Hague Convention requests, Letters Rogatory, or specific Article 49 derogations, we can provide the guidance you will need to get through these at the speed and scale necessary to satisfy demanding eDiscovery deadlines. And, remember: strategize today so you are prepared for tomorrow. Luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.