As recently reported by the data protection authority of the German Federal State of Bavaria in its annual review, a US court recently accepted the data protection authority’s limitation on the scope of discovery involving documents with personal information. The issue of EU data protection rules conflicting with US discovery requests is a recurring one, and this episode demonstrates an instance of international comity.
A German company was the subject of a non-party discovery request in a US civil action to produce company documents located in Germany. The documents, including emails, were connected to the plaintiff and its business, as well as to the development and distribution of products of the German company. The German company itself was not a party to plaintiff’s lawsuit. However, the German company belonged to the same group of companies as the defendant. The plaintiff claimed that the defendant and the German company had gained unauthorized access to business secrets of the plaintiff, and the discovery request was directed to this claim.
The Bavarian data protection authority, in principle, accepted the need for discovery, but determined that personal data could only be transferred “to the extent this was necessary”. For this purpose, the Bavarian data protection authority imposed restrictions on the German company, namely:
- The German company could only transfer data which corresponded to the criteria of the disclosure request and which were relevant for clarifying the claims of the plaintiff.
- The German company was obliged, in a first step, to review its documents by means of a keyword search in order to determine which of the documents would fulfill the criteria of the disclosure request. In a second step, the relevant documents needed to be filtered and separated from the other documents which were not relevant.
- The “relevant documents”, in addition, needed to be manually assessed against the criteria of the disclosure request.
- These steps needed to be taken in Germany (unless the German company had proved that this would be unreasonable).
- The German company was further only entitled to provide documents in which personal data had been pseudonymized. Only such documents could be sent to the US.
- Only if a party to the proceedings or the court had established in detail that it was necessary to also review personal data on an identifiable basis, data could have been sent to the US in a non-pseudonymized form.
The German company submitted the opinion of the Bavarian data protection authority to the US court and provided documents only to the extent permitted by the Bavarian data protection authority.
The US court ruled that the plaintiff would not be unreasonable disadvantaged (or, at least, could not prove such disadvantage) if the German company complied with the provisions of German data protection law and the opinion of the Bavarian data protection authority. Therefore, the US court rejected the plaintiff’s request for providing documents on a larger scale.
The case touches a hot topic. In practice, companies often are caught between complying with US discovery rules and European data protection rules. This leads to a situation of great uncertainty. Important bodies, such as the Article 29 Data Protection Working Party of the European Union in its “Working document 1/2009 on pre-trial discovery for cross border civil litigation”, or the Sedona Conference, have assessed this predicament in detail and attempted to provide guidance to the practice. The approach taken by the Bavarian data protection authority, and supported by the US court, can now be taken as further guidance as to how to handle respective cases in practice, at least by German companies.
The Bavarian data protection authority and the German company had agreed that the authority should only publish a high level summary of the case, and should not provide any further details (including the identification of the US court).