One of the major questions with the European Union’s General Data Protection Regulation (‘GDPR’) was always going to be how it would deal with cross-border data transfers, that is, transferring personal data from the EU to other countries. A decision last month from Europe’s highest court, the Grand Chamber of the European Court of Justice, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (known colloquially as ‘Schrems II’), has ripped up the EU-US Privacy Shield, which was the key mechanism used to transfer data between the EU and the United States.
In this update we look at the impact of this decision for international discovery actions.
The GDPR, as an EU law, is difficult to enforce on organizations based outside the EU. In light of this, the GDPR permits the transfer of personal data from the EU to other countries for processing only where very specific conditions are met. The key article is Article 44, which provides that the rules to be applied in any transfer:
shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
The GDPR allows for various data transfer mechanisms which would ensure this level of protection is met:
Adequacy decisions: These are decisions by the European Commission that a given jurisdiction has confirmed that it can meet equivalent standards for processing personal data as an EU-based processor. The EU-US Privacy Shield was a result of one of these adequacy decisions;
Standard contractual clauses: These are clauses, approved by a regulator, that can be inserted into contracts where data is to be transferred overseas to ensure that key principles of the GDPR are adhered to;
Binding corporate rules: It is common for corporate groups/groups of legally related companies to seek to transfer data between themselves across borders. In this situation, the company can come up with binding rules for compliance with the GDPR and submit them for approval to EU data protection authorities.
Mr. Schrems was a Facebook user based in Austria. In the EU, Facebook’s operations are under the oversight of an Irish division of Facebook, which then transferred his personal data to the United States. Mr. Schrems complained that this transfer was unlawful under the GDPR, as the EU-US Privacy Shield does not provide adequate protections to EU data subjects.
In its decision, the Court decided that, as those data subjects had no way to take actions before US courts in relation to government surveillance programmes, the EU-US Privacy Shield did not, and does not, provide adequate safeguards to EU data subjects.
Discovery actions in the United States may require that personal data be transferred from the EU to the US (i.e., where customer personal data is a key element of a potential court action). Without the protection of the EU-US Privacy Shield, such a transfer may be in breach of the GDPR. There are two points worth noting here:
Whether in discovery actions or for any other reason, organizations cannot rely on the EU-US Privacy Shield to permit the transfer of data from the EU to the US.
For another recent update on the impact of the GDPR on discovery, see “New GDPR Guidelines Define Consent Around Web Cookies - Any Cross-Border eDiscovery impacts?”