Privacy and Security TidBits

Privacy, European Union Data Protection and EDiscovery

Ediscovery in US Civil Litigation and EU Data Protection

EDiscovery in the US

 Electronic Discovery (or “Ediscovery”) is the process of identifying, preserving, collecting, preparing, reviewing, and producing electronically stored information (“ESI”) in the context of the legal process. Some examples of ESI are: emails, word documents, power point presentations, excel sheets, social media posts, voice mail and videos.

The legal basis for one party to request from the other party to produce ESI that are in that party’s possession, custody and control is Rule 34 of the Federal Rules of Civil Procedure. (2006):

“(a) In General. A party may serve on any other party a request within the scope of Rule 26(b):

(1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control: (bold added)

(A) any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form; or

(B) any designated tangible things; or

(2) to permit entry onto designated land or other property possessed or controlled by the responding party, so that the requesting party may inspect, measure, survey, photograph, test, or sample the property or any designated object or operation on it.”

In principle, any nonprivileged matter that is relevant to any party’s claim or defense, is subject to discovery, even if it is nor admissible as evidence, as long as it “may lead to the discovery of admissible evidence”, as per Rule 26(b):


“(b) Discovery Scope and Limits.

(1) Scope in General. Unless otherwise limited by court order, the scope of discovery is as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense—including the existence, description, nature, custody, condition, and location of any documents or other tangible things and the identity and location of persons who know of any discoverable matter. For good cause, the court may order discovery of any matter relevant to the subject matter involved in the action. Relevant information need not be admissible at the trial if the discovery appears reasonably calculated to lead to the discovery of admissible evidence. All discovery is subject to the limitations imposed by Rule 26(b)(2)(C) “.

The Courts interpret the Federal Rules of Civil Procedure as having extra-territorial reach.

As long as the ESI is in the “responding party’s possession, custody, or control”, and is relevant to the litigation, it does not matter wherein the world these ESI reside, it is discoverable under federal law. If, for example, a US employee can access ESI of an affiliate overseas on a shared network, the US company has “possession, custody and control”, and the overseas ESI is discoverable on that basis.

The US has the broadest civil discovery procedure in the world. None of the other Common Law countries, such as the United Kingdom, Australia and Canada, have such a wide scope of discovery and in most of the Civil Code countries, such as in most of the European and Latin American countries, the concept of discovery obligations is unknown.

In the last few years a quite voluminous case law has developed regarding the interpretation and application of the Federal Rule of Civil Procedure (FRCP). The law has developed differently in each of the District Courts and it is important to keep that in mind when preparing a case.

In cases governed by US state law, keep in mind that many states have enacted new civil procedure rules to cover discovery of ESI. Most states have adopted the FRCP ediscovery model. For example, Florida became the 29th state to adopt specific electronic data discovery rules for its state courts on July 5, 2012. It is based on the FRCP model.


When confronted with a lawsuit or subpoena in a large case, it is considered best practice to appoint a project manager, who organizes an eDiscovery team and who coordinates the co-operation between corporate counsel, IT, records management, HR, outside counsel and various service providers. This task can be done in-house, or outsourced to a law firm or an eDiscovery consultant.

The IT and records management departments are helpful in explaining the company’s IT architecture and the life cycle of the records, as well as in preparing a computer network and data map to locate all discoverable data. The endless list might contain servers, backup tapes, flash drives, laptops, iPods, smart phones, VOIP systems, EZpass data, IMS and text messages. It is important to consult HR concerning departed employees as well, since the EDiscovery process will typically cover a time period going back a few years.

If the information is not “reasonably” accessible, because of undue burden or cost, the parties are relieved from disclosure, (Rule 26 (b) (2) (B)), as they are when the burden or expense of the proposed discovery outweighs its likely benefit, the so-called “proportionality rule”. (Rule 26(b) (2) (C) (iii)).

Very old ESI, stored on obsolete media, might fall into the category of “unreasonably accessible”, and a case where the lawsuit is worth $100,000, but the EDiscovery costs would amount to $1 million, would fall into the category of “disproportionate”.

The data custodians then need to be interviewed to ascertain what relevant data they might have.

Once all the ESI at issue has roughly been identified, a “Litigation Hold” letter has to be sent to all relevant parties to make sure that the potential evidence doesn’t get destroyed or altered.

A “Litigation Hold” or a “Legal Hold” is a communication issued as a result of current or reasonably anticipated litigation, audit, government investigation, or other such matter that suspends the normal disposition or processing of records.

It is very important to carefully document all these steps, in case you have to prove due diligence in preserving ESI to the Court.

Then comes the ”meet and confer” meeting with opposing counsel and the Court, where parties discuss the scope of production of ESI in terms of subject matter and relevant time period. The following topics are some that also need to be addressed: the search methodologies to be used; the list of keywords to be used for keyword search; the requirement for preservation of metadata; the format for the production of ESI (TIFF or Native or both); clawback agreements (a clawback agreement is an agreement outlining procedures to be followed to protect against waiver of privilege or work product protection due to inadvertent production of documents or data); and issues of cost shifting (Rule 26 (f)).

Next, outside vendors or service providers are usually called in to perform the actual collection of ESI.

Some important questions to ask the vendors are whether they provide software that enables key word searching, conceptual searching, technology assisted searching, predictive coding, near duplicate identification, e-mail threading, and foreign language search capabilities. In smaller cases, in house IT staff may do the job of collecting all the ESI.

Once all the ESI is captured, the project manager arranges for teams of contract attorneys to review the ESI for relevance, and confidentiality and privilege flagging and redacting. This is the most time consuming and expensive part of eDiscovery. In a large lawsuit with about 30 million documents to be reviewed, this part of the eDiscovery process sometimes takes a few years to complete.

The reviewed data get analyzed by trial attorneys and integrated into trial preparation software.

Finally, the reviewed and analyzed ESI gets delivered to the opposing counsel in CD, DVD, hard drive or other formats, who then has his own team review the ESI.

In large cases, this whole procedure is executed in the form of rolling productions, with scheduled releases of data.

When eDiscovery needs to be executed outside of the US, for example in a foreign affiliate or subsidiary of a US company, the basic procedure remains the same, except that there are myriads of complications due to different legislations that apply when data gets collected in foreign jurisdictions.

Many countries outside of the US have legislation that protects data from either being collected and/or from being exported outside of the country.

These can be criminal laws, labor laws, bank secrecy laws, and data privacy laws.

The European Union data protection framework is one of the most prohibitive set of laws that parties to a civil litigation or government investigation in the US has to deal with, when trying to collect and export evidence.

EDiscovery in the EEA and Data Protection Issues

The EEA (European Economic Area) consists of the 27 member states of the EU, plus Iceland, Liechtenstein and Norway. It has one of the strictest data protection frameworks in the world.

In the EU, data protection is a human right and is protected by article 8 of the  Charter of Fundamental Rights of The European Union.

The main legal instrument that regulates data protection in the EEA is the Data Protection Directive 95/46/EC.The Directive has been implemented by all 30 national member states into their national laws, and, while the Directive acts as a floor, some national laws have gone even further in their protection of personal data.

There are quite a lot of differences in implementation of the Directive: France, Germany, Spain, and Italy have stricter rules, while the UK has more lenient ones.

One of the most difficult problems of the EU data protection regime is the lack of harmonization of laws between the member states, and consequently also the difficult but important determination which national law is applicable in any given situation.

This is one of the points under consideration in the current process of overhaul of the entire European data protection regime.

On  January 25, 2012, the European Commission proposed a new Data Protection Regulation. That Regulation  should replace Directive 95/46/EC.

If the new legislation would indeed take on the form of a “Regulation”, it would be, under EU law, directly applicable to all member states, without need for separate implementation into national law, as would be the case for a “Directive” and that would considerably facilitate the global transfer of data outside the EEA.

Another proposed innovation would be the imposition of fines for data protection violation up to 2% of the gross annual turnover of the violating company.

It is expected to take quite a few years for the new rules to come into force though, so that for a while, the old rules will still apply and therefore will still be very relevant.

There is a serious conflict for US firms with affiliates in EEA countries, when they get involved in civil litigation within the US: On the one hand, federal and state rules mandate retention and production of all relevant data, even data located outside of the US, with the risk of severe penalties by the Courts in case of “spoliation”, and on the other hand, EU data protection laws (applicable to the EEA) mandate very strict data protection rules for “personal data” of their residents, that seriously restricts processing of personal data and transfer of those data to “non-adequate” countries outside of the EEA, with risks of steep fines in case of transgression.


Directive 95/46/EC regulates the processing of “personal data”.

“Personal data” is construed very broadly as “any information relating to an identified or identifiable natural person or “data subject”” (Article 2, (a) of Directive 95/46/EC).

For example, an email address is “personal data”.

“Sensitive Personal Data” are personal data that reveal “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” and processing of such data is in principle prohibited, with a very limited list of exceptions ( Article 8 of Directive 95/46/EC).

The processing of personal data within the EEA is subject to extensive regulation, which, in a nutshell, strives to incorporate privacy principles, such as consent, access, proportionality, transparency, necessity and legitimacy.  (Article 6 of Directive 95/46/EC).

The Article 29 Working Party, a EU data protection advisory body, recommends in its Working Document 1/2009 on pre-trial litigation in cross border ediscovery ( WP 158, 2009) guidelines to be followed in order to conduct cross border ediscovery within the requirements of the EU data protection framework.

It recommends that

  1. The filtering and reviewing of ESI for relevance should be done locally, within the EEA. Personal data should be anonymised or pseudonymised. The parties should obtain protective orders and filings under seal from the US courts to protect data from access by third parties.
  2. A notice should be sent to all employees or customers, whose emails or other data are collected. The data subject has a right to know that information is being collected about him/her.
  3. The data subject’s rights should be respected: for example, the data subject has the right to access the information that is being collected about him/her.
  4. Data Controllers should take reasonable measures to secure personal data from unauthorized access. This applies to vendors, law firms and courts in every stage of the ediscovery process.
  5. If the collection of ediscovery is outsourced to a third party, such as a vendor, there must be a written agreement with that third party, who must undertake strict confidentiality and provide appropriate security, must undertake to use the data only for specific purposes and within a specific retention period and only in accordance with the data controller’s instructions.
  6. There has to be a legal basis for processing of personal data. In other words, there has to be a legitimate reason to process personal data of other people: for example, curiosity is not a legitimate reason.  For the purpose of ediscovery, there are only two legitimate basis for processing personal data under directive 95/46/EC: One is informed and freely given consent by the data subject (article 7 (a) ), the other is a legitimate interest of the data controller, balanced with the fundamental rights of the data subjects. (article 7 (f) ). The Article 29 Working Party recognizes ediscovery as a “legitimate interest”.      For sensitive personal data, the legal basis is more stringent: consent is the only legitimate basis for purposes of ediscovery, and it has to be explicit and cannot be implied. For example, opt-out is implied consent, and opt-in is explicit consent.
  7. There has to be a legal basis for transfer of personal data outside of the EU. (articles 25 and 26). In the case of the US, this can be accomplished by several means: By receiving unambiguous consent from the data subjects (not very practical), by transferring the data to a Safe Harbor certified company in the US, by transferring the data under Standard Contractual Clauses agreements or by transferring them to companies that have “Binding Corporate Rules” in place. The question remains, however, how these personal data may be legally transferred onward to opposing counsel and to the Court. The Working Party recommends requesting a protective order from the Court, which guarantees the data a certain degree of privacy protection.

In addition , the national Data Protection Authorities (DPAs) need to get the proper notifications, as for every processing of personal data under the Directive.

In order to show good faith, in case the national DPA should conduct an audit, it is to be recommended that the data controllers involved in ediscovery include all the above mentioned privacy guarantees in their general policies.

When choosing ediscovery vendor or consultants to do ediscovery in the EAA, one must look to how well they guarantee the rights of the data subjects under Directive 95/46/EC , such as notice to the concerned data subjects and access of the data subjects to their data and whether the  processing of the data, such as preliminary document review, is done in the EU. When transferring data to the US for final processing, the US companies should either be Safe Harbor certified, or have model contract clauses or binding corporate rules, approved by the Data Protection Authorities, in place. This is a requirement for any EU personal data that will eventually be used in a civil proceeding in the US.

The increase of data protection risks associated with the rise of cloud computing has prompted the Article 29 Working Party to publish Opinion 05/2012 on Cloud Computing.

As a reminder tough, the Article 29 Working Party’s opinions are not legally binding, but they are very influential nevertheless.


Companies which have to apply ediscovery rules and at the same time are under the jurisdiction of the EEA data protection laws, find themselves between a rock and a hard place.

Under Rule 37 FRCP and under the traditional rule of “spoliation”, which means the destruction or alteration of evidence, or even the failure to preserve property or documents for another’s use as evidence in pending or reasonably foreseeable litigation, the US federal courts have broad discretion regarding the type and degree of sanctions they can impose.

The sanctions run the gamut from significant monetary sanctions, to “adverse inferences”, meaning directing the jury to assume that missing ESI is adverse to the spoliator, to even default judgments.

As with other laws, the case law has developed differently in the different district courts.

In general though, the Courts do not look kindly, not only to those parties in litigation who are guilty of willful spoliation, but also those who merely show negligence in preserving and producing ESI, and the case law of Judges sanctioning negligent parties has grown over the past few years.

As mentioned before, these rules apply to all relevant ESI in the parties’ possession, custody or control, regardless of their geographical location or the applicable local laws.

It is therefore crucial for companies that are affiliates or subsidiaries of US companies, to have a litigation hold procedure in place, since the reasonable expectation of a lawsuit alone triggers the obligation of preservation of ESI under the FRCP, without delay.

What is even more crucial for companies today is the proper management of “information governance.”

Since storage of ESI has become so cheap, especially in the cloud, the lure for IT has been very strong to just store everything, forever. This can have disastrous consequences once a company gets involved in litigation or internal investigations, since, once the ball starts rolling, nothing potentially relevant may be deleted and as a consequence, a company may have to end up paying a small fortune for processing of terabytes of useless information.

It is a huge cost saving move for companies to invest in information governance. That involves, among others, the decision as to which data will be preserved for what period of time, and needs to be tailored to the needs of the company, depending on the type of industry and the regulatory and business requirements of the company. For most companies, there is no reason whatsoever to retain all low level employees’ emails, forever. There need to be a policy, stating for example that all of certain levels of employees’ emails need to be deleted within 6 months.

Proper information management will also facilitate the ability to locate data in an increasingly complex information ecosystem.

As far as EU data protection framework is concerned, the risk facing EU affiliates of companies from the US in the course of EDiscovery procedures not totally in line with the national data protection laws, consists of being investigated and maybe fined by the local Data Protection Authorities.

Of course, the risk depends very much on the country where the data are located.

If they are located in Germany, for example, the risks are much higher than if they are located in the UK.

Right now, most Data Protection Authorities are understaffed and under financed, and there have been complaints about lack of compliance and enforcement.

In France, for example, a January 2011 study has shown that 82% of French enterprises do not abide by the French Data Protection Act of 2004.

But with the overhaul of the EU data protection framework in full swing, and with the strengthening of the data subjects’ rights, as well as the improving of enforcement as some of the main objectives of the overhaul, I believe it would be wise for companies to prepare themselves and make sure they have the right infrastructure in place for proper compliance. The Federal Courts have already declared that social media are discoverable and that the mere fact of outsourcing IT to the cloud does not relieve companies from their EDiscovery obligations under the FRCP.

In cases where ediscovery requirements are irreconcilable with EU data protection requirements, companies will have to do a balancing test between the risks of non compliance with EU data protection laws and risks of non compliance with EDiscovery obligations in the US, on a case by case basis.

Or maybe it should be the Federal Courts and the Data Protection Authorities who should do the balancing when companies find themselves between the rock of ediscovery and the hard place of data protection.

This is exactly what Working Group 6 (WG 6) of The Sedona Conference® is suggesting in its 6 principles, “The Sedona Conference® International Principles on Discovery, Disclosure & Data Protection (December 2011).

WG 6 recommends that, as long as the parties in cross-border ediscovery show good faith and reasonableness,  “US Courts, as well as Data Protection Authorities  should consider the balancing of competing factors to achieve a practical compromise between the US litigants’ interests and the EU data subjects’ interests. “


The subject matter of cross border ediscovery is an extremely complicated one, and the move to mobile, social media and the cloud only complicates already very complex legal issues of applicable laws.