Transferring data from the EU for eDiscovery purposes in a post Privacy Shield World
Michael Simon, Attorney, XPAN Law Group, LLC
A few weeks ago, I had the privilege of participating in a Masters’ Conference webinar, along with Wayne Matus, Debbie Reynolds, and Tom Matzen, on the topic of how to lawfully transfer EU data to the US after the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield agreement on July 16, 2020. Despite many uncertainties that remain from what has been called “Schrems II” (as it is the second blockbuster case caused by activist Max Schrems) we had some recommendations as to how one could still potentially lawfully transfer data for eDiscovery purposes. As they say, “where there is a will, there is a way.” But they never said that it would be an easy way.
RIP the Privacy Shield
You can find the full text of the decision here. Because the decision is long, the equivalent of 64 PDF’d pages, we created our own explainer here. The most pithy summary comes I’ve seen from Privacy Law educator Daniel Solove: “https://teachprivacy.com/schrems-ii-reflections-on-the-decision-and-next-steps/The Privacy Shield is dead.”
And the Privacy Shield is not coming back any time soon
eDiscovery veterans remember the chaos caused when what we now call “Schrems I” invalidated the US-EU Safe Harbor agreement in October 2015. Yet we also remember that those troubles were short-lived; the new agreement (i.e., the EU-US Privacy Shield) was in place less than one year later, by July, 2016. During that interval, the EU authorities agreed to a moratorium on enforcement.
But that was then, and this is now. The GDPR became effective on March 25, 2018, superseding the old, poorly enforced Directive 95/46/EC. Then came Brexit, which removed a key US ally from EU data sharing discussions. And, of course, the overall political relationship between the US and the EU is far different in 2020 than it was in July 2016.
Now, the US Department of Commerce insists that it will administer – and demand payments for - a Privacy Shield program that the EU has declared to be dead. While high-level officials on both sides of the Atlantic have issued press releases about them having “initiated discussions” to “evaluate the potential” for a solution, nothing more concrete has been hinted at.
In contrast, many of the EU Data Protection Authorities (“DPAs”) responsible for enforcing the GDPR have made it clear that they will not provide any moratorium on enforcement. For example, the German Conference Of Independent Federal And State Data Protection Supervisory Authorities (DSK), made its views absolutely clear in a recent press release that (as translated from the original German) “The transfer of personal data to the United States based on privacy Shield is not permitted and must be discontinued immediately.” Likewise, the Dutch DPA has unequivocally declared that (as translated from the Dutch original) “organizations in the EU can no longer pass on personal data to the United States (US) on the basis of the privacy shield.” The Swiss Federal Data Protection and Information Commissioner just recently issued a Policy Paper invalidating the US-Swiss version of the Privacy Shield as well.
Meanwhile, NYOB, Max Schrems’ privacy advocacy organization has already filed 101 EU-US data transfer complaints premised upon the Schrems II decision.
Finding a way to transfer data for eDiscovery
Although there are no easy answers, there are some potential paths still left open. None of them are as easy as the Privacy Shield, but there were always warnings, including by me, that the Privacy Shield should never have been applied to eDiscovery data transfers in the first place.
The first and most obvious means to transfer data is the EU-approved Standard Contractual Clauses (SSCs). Schrems II did not invalidate the SCCs, but it came close enough so that, in the blunt words of Professor Solove, they “are in a coma on life support.”
The doubts about the SCCs stems from the CJEU requiring “additional safeguards” in Schrems II when the transferee country is “capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.” As one law professor warned: “It is no longer sufficient for companies to ‘copy and paste’ the SCCs templates.” As well, even if one still wanted to copy and paste in the SCCs, there are only three limited, pre-GDPR template sets, which do not cover key eDiscovery issues, including the exacting requirements for Processors in Article 28(3).
On our Masters’ Conference webinar, we came up with four criteria to assess when adapting the SCCs for each specific case (credit to Wayne Matus who came up with three of these four):
4. US government interest
Our panel recommended that parties carefully document their analysis on a scale from 1-5 for each factor, with 1 being the lowest and showing little potential problem, and 5 being “toxic” data that should never be transferred.
Let’s detail those factors all a bit more (or for the last factor, a lot more). For the first factor, volume, it’s a simple equation: the more data, the more likely that data will be to contain Personal Data and the more Personal Data that it will contain.The good news is that this is a relatively simple determination, that can be done by way of metadata examination. To make a long story (and process) short, check the initial data volumes on Hold for your sources and each custodian, run some initial filtering, culling and/or search terms to get a better understanding of what you will end up Collecting, and you should have a good estimate of the resulting data volume to be Reviewed.
For the second factor, source countries, some EU member state DPAs are taking a harder line than others at interpreting and implementing Schrems II. For example, the Irish Data Protection Commission and the data protection chief of the German state of Hamburg have issued statements that using SCCs post-Schrems II is “questionable” and “uncertain.” Leveraging metadata and careful discussions with technical data custodians (the keepers of the data) may tell you ahead of time whether you might be likely to trigger DPA scrutiny.
For the third factor, sensitivity, you need to go past the metadata into the actual data to determine how much Personal Data is involved. Start with the Article 4(1) for the definition of “Personal Data,” but pay special attention to the Article 9 “Special Categories of Personal Data” such as racial and ethnic origin, political opinions, religious or philosophical beliefs and biometric or genetic data to name just a few. Being able to search, filter and cull data, such as in ECA application, before the data leaves the EU is crucial.
The final factor, US government interest, presents by far the most difficult determination that you will need to make. Some, including the IAPP’s Omer Tene, believe that “the U.S. national security laws referred to in [Schrems II] apply to just a small fraction of companies that transfer data across borders. . .” Others, such as the US law school professors who write for Lawfare, have doubts: “Although this option may be worth exploring for some companies, the theory is untested . . .” Until we have further guidance from the EU authorities, it seems foolish to volunteer to be that test case by blithely insisting that your organization is immune to US government snooping.
The key for this difficult test is to understand the applicability of the specific US provisions that the CJEU cited as reasons to invalidate the Privacy Shield: Section 702 of the Foreign Intelligence Survey Act (“FISA 702”) and Executive Order 12333 (“EO 12333”). FISA 702 only applies to “electronic communications service providers” under the FISA 702 definitions found at 50 USC §1881(b)(4). If your organization does not fit this definition, then there are no additional safeguards for you to implement for FISA 702. If you are one of the few organizations that does fit the definition, then your organization is almost certainly filing privacy transparency reports such as this one, from Apple, that you may be able to use to show that the number of orders and data subjects subject to US government requests is incredibly small relative to the total number of users and volume of data transferred.
Determining susceptibility to EO 12333 interceptions is more difficult, as that order applies to a far broader scope of organizations. Some have suggested that the best course of action is for transferors to add a provision to their SCCs that they will resist US government efforts to obtain the transferred data. These types of contractual promises need to be carefully weighed against potential risks of opening up your company to breach of contract claims if it fails in its efforts to resist. Many data processors have contractual provisions that they will comply with all government subpoenas, but provide notice to the controller, unless such notice is prohibited by law, along with the opportunity for the controller to assert a defence against that subpoena. Going beyond that, to contractually promise active resistance by a processor to US government demands, or even more extreme, that a processor would somehow be able to successfully block such demands seems like setting yourself up for failure - and a potential breach of contract claim.
Similar issues can also apply with another potential solution to EO 12333 requests: data encryption. Encryption certainly seems like a viable solution to the question of what those “additional safeguards” need to be. In fact, when it comes to those “additional safeguards” demanded in Schrems II, the only thing that Professor Solove says that he could think of as possibly sufficient would be encryption. Moreover, some DPAs appear ready to demand encryption as the price for allowing SCC-based transfers. Thus, transferors should strongly consider encrypting all EU-derived data in transit and at rest. However, any encryption used will have to be strong enough to resist not just hackers, but the US government agencies as well. More importantly, the transferor will have to be strong enough to resist the US government demands for the encryption keys, which will be a far tougher task indeed.
While the big tech firms are often acclaimed for resisting US government surveillance efforts and refusing to provide encryption keys, the reality of the situation doesn’t always fit that image. Although US secrecy laws prevent us from learning the degree to which companies push back on Federal security-related demands, studies of how often the big tech companies comply with data requests by law enforcement subpoenas in general show that they comply with those requests, depending upon the company, from 66% to more than 80% of the time. To expect organizations without the resources of a Silicon Valley giant like Apple, which just became the first company ever to be worth more than $2 trillion, to resist US government demands seems highly unrealistic. For this reason, we recommend treating this final factor of US government interest with particular care, especially if you reasonably assess this factor at a score beyond the lowest levels.
Another set of potential tools for lawful transfer is anonymization and pseudonymization. GDPR Recital 26 makes it clear that anonymized data is outside of the scope of the GDPR. However, anonymizing eDiscovery data might also be spoliating it under FRCP 37(e) if it removes relevant evidence. For this reason, pseudonymizing data, as contemplated by Recital 28, would likely be more appropriate, as it would allow the parties to restore relevant data. However, pseudonymised data would still fall under the GDPR. Of course, none of these efforts, whether anonymization, pseudonymization, or even encryption is worth anything unless the receiving party in eDiscovery follows the protocols as well. Therefore, insisting upon carefully-crafted protective orders that set out detailed procedures for protecting the produced data is an absolute must.
There are two other means of potentially lawful transfer, though both have limits and as well require no small degree of patience. First, there are Hague Convention requests and Letters Rogatory. While some have questioned the impact of GDPR Article 48 as a “blocking statute” upon such requests, others have shown that Article 48 did not invalidate these measures as long as one complies generally with other GDPR requirements. As well, at least some EU member states have been confirmed to be still honoring these mechanisms post-GDPR.
Understand that Hague Convention requests can be slow, as they require judicial approval and then cooperation by local authorities. You have to be reasonable in your requests and ask nicely. As well, many signatory states to the Hague Convention, including some in the EU, have placed specific restrictions upon discovery-related requests. For such roadblocks to Hague Convention requests, you can use Letters Rogatory, but as these are potentially even more exacting and time-consuming.
Secondly, there are the Article 49 “Derogations for Specific Situations” which were specifically mentioned in Schrems II as a potential panacea for data transfer problems. Unfortunately, Article 49 presents many difficult limitations for eDiscovery. Article 49(1)(a) allows for transfer upon explicit consent, but obtaining such “freely given, specific, informed and unambiguous” consent from each and every Data Subject specifically for the eDiscovery purposes is rarely going to be practical. Even then, consent can always be revoked, leaving you with an unusable data set.
Transfers can be made under Article 49(1)(e) for “establishment, exercise or defense of legal claims,” which would seem initially to be a valid means for eDiscovery transfers. The EU Data Protection Board (“EDPB”) Guidance for Article 49 initially appears to approve of this use: “data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation.” However, the Guidance then makes clear that the many EU member state “blocking statutes,” will prevent discovery-related transfers. Likewise, the Guidance requires a “layered approach” to any potential transfer under Article 49(1)(e), such that first the applicability of the use of anonymized and then subsequently of pseudonymized data must be considered before any transfer. Even if these hurdles are passed, the Guidance explicitly requires that “If it is necessary to send personal data to a third country, its relevance to the particular matter should be assessed before the transfer,” thus necessitating Review within the EU before transfer. Finally, the EDPB Guide warns that Article 49 is only for “occasional use,” not regular data transfers. While eDiscovery might seem like a perfect example of such an occasional use, the Guidance makes it clear that each case must be evaluated individually. Thus, eDiscovery, with its typical rolling Collections and changing data needs may very well go past such occasional use.
Finally, and perhaps most importantly, transfers based upon Article 49 must be approved by the applicable DPA or DPAs. Securing approval is going to take time, time which one rarely has under typically tight discovery deadlines. Though you could, technically, submit the request for an Article 49 exception to the DPA and then transfer the data while the DPA takes the weeks or even months that it is likely to take them to make that assessment, the risk that the DPA would disapprove of your request - especially now that you have now red-flagged it their attention - is not a risk that one should take casually. As well, going all the way back to the US Supreme Court’s seminal Societe Nationale Industrial Aerospatiale case that set the standards for considering Privacy issues in discovery, the courts have nearly always rejected Privacy claims as a reason to deny or even delay discovery deadlines.
Where do we go from here?
Despite the chaos that has already ensued as a result of Schrems II, we are still almost certainly in the beginning of the changes that the decision will bring upon international data transfers in general and upon eDiscovery specifically. For now, be sure to carefully analyze and diligently document all decisions that you make on eDiscovery-related data transfers from the EU. Most of all, it is the time to start putting your new plans into place; strategize today so you are prepared for tomorrow. Luck favors the prepared!