As a result of an increase in U.S. lawsuits requiring the transfer of personal data from France to the United States, the French Data Protection Agency (CNIL) published a recommendation in August 2009, which is designed to offer guidance on data transfers in connection with U.S. civil discovery proceedings.[FOOTNOTE 1] The CNIL's recommendation expands on the guidelines adopted by the body of European data protection agencies (the Article 29 Data Protection Working Party) in February 2009.[FOOTNOTE 2]
EU member states increasingly enforce their data protection laws. For instance, in 2008, the Spanish data protection agency imposed fines amounting in total to €22.6 million. In France and other EU countries, companies are under pressure to comply with U.S. discovery requests, which frequently call for the production of personal data about employees, clients, or customers. The CNIL's recommendation reflects a tension between a company's obligation to respond to U.S. discovery requests and its obligation to comply with EU data protection laws. Because data protection laws pursue a legitimate interest and are increasingly enforced in Europe, courts and litigants in the U.S. should take them into account when ordering discovery abroad.
The CNIL acknowledges that the parties to a U.S. lawsuit have a legitimate need for documents, and that European and French data protection laws do not prohibit the transfer of personal data to the U.S. for litigation purposes. Such transfers, however, should be subject to certain requirements to comply with data protection laws. The CNIL's recommendation states, among other things, the following:
To Continue Reading: Click Here
By: Daniel Schimmel