HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

French Data Protection Authority Issues Recommendations in the Context of U.S. Discovery

On August 19, 2009, the French Official Journal published the French Data Protection Authority’s (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently only available in French). The Recommendations were based at least in part on suggestions from a working group composed of representatives from all stakeholders, which was set up by the CNIL in 2008. The CNIL’s Recommendations are particularly useful for companies that find it difficult to reconcile French data protection and blocking statute limitations with U.S. discovery demands.

It is perhaps no surprise that the Recommendations largely echo the views of the Article 29 Working Party, which provided EU-wide guidance on pre-trial discovery for cross-border civil litigation earlier this year. Like the guidance from the Article 29 Working Party, the Recommendations do not apply to investigations by U.S. federal authorities or criminal offenses in the U.S. relating to data destruction.

The Recommendations emphasize that requests for information for U.S. discovery purposes should in principle be made through the standard procedure provided by the Hague Evidence Convention (which requires U.S. courts to deliver a ‘letter of request’ to the designated central authority in France). Non-compliance with the Hague Evidence Convention triggers the application of French criminal law – also referred to as the ‘blocking statute’ – which prohibits the disclosure of information for discovery purposes in foreign jurisdictions. In addition, companies transferring personal data for U.S. discovery purposes will need to make sure that they comply with French data protection requirements. To facilitate compliance for companies that are asked to transfer personal data to the U.S. for use in civil litigation, the Recommendations provide an overview of the main data protection requirements (as well as some compliance options) under French law.

As regards the transfer of personal data to the U.S., the CNIL states that in some cases the transfer can be justified on the basis of Article 69-3 of the French data protection law. Article 69-3 permits transfers necessary for the "meeting of obligations ensuring the establishment, exercise or defense of legal claims." This is good news because our understanding — based on previous discussions of this issue with the CNIL — was that Article 69-3 could never apply in the case of pretrial discovery. The new CNIL Recommendations also suggest the use of protective orders to ensure that data transferred to another litigation party are protected from disclosure outside the context of the case. The CNIL recommends using trusted third parties to conduct reviews to ensure that the personal data collected and transferred are not excessive, and that, wherever possible, anonymization or pseudonymization is used.