German companies increasingly find themselves involved in litigation in the United States in which they are suddenly faced with alien concepts, such as “E-Discovery.” Pressured to deliver large quantities of documents and amounts of information – while restricted by German and European Data Protection Laws in providing such information (to the extent it contains personal data) – often creates very difficult situations. German companies need to be aware that every transfer of personal data to recipients outside of the European Union (or the European Economic Area) requires a two-step test:
- Is there a legitimate reason for every processing step (for example: the collection, storage, transfer, processing in the United States, potential for onward transfer, etc.)?
- Is there an adequate level of data protection at the recipient?
The legitimate interest for the transfer of data to the U.S. court or the opposing party depends on the individual circumstances. If the German company is itself the plaintiff or defendant in the litigation, it may very well have a legitimate interest, whereas if it is only required to provide information because its parent company in the United States is involved, the case will certainly be different.
There are usually three ways of creating an adequate level of data protection:
The recipient self-certifies compliance with the so-called “safe harbour program” (which is highly unlikely in cases of receiving law firms or U.S. courts).
- The involved parties conclude the so-called model clauses that have been approved by the European Commission as providing an adequate level of data protection between the involved parties. Again, it does not seem likely that the U.S. court (or the receiving law firms) would be willing to enter into said model clauses.
- The third option, Binding Corporate Rules, is only a theoretical option in this scenario, as they can only be agreed upon within a group of companies.
Since none of these options seems to be possible in the scenario of an e-discovery request, exceptions must be found. One exception can be a works council agreement that would at least cover employee data of the German company. Another option is to obtain consent of the data subjects whose data shall be transferred. Depending on the number of individuals, this may or may not be possible.
As you can see, questions about the transfer of personal data to comply with an e-discovery request can only be answered on an individual basis. German companies should be prepared for these situations and have mechanisms in place to deal with document production requests.
To view this article in German, download the .PDF below.