The UK Information Commissioner’s Office (ICO) has produced a guide in plain English which aims to make it easier for the non-expert to understand what is involved. That is all to the good, but this is not one of these situations where tout comprendre c’est tout pardonner.
I thought you wouldn’t mind a bit of French in the circumstances. Those trying to get data from France (or anywhere else in the EU, but France more than most) for use in US proceedings rarely forgive what they learn about the restrictive nature of EU data protection, even when they understand it – perhaps especially when they understand it. Indeed, the expression “Pardon my French”, used by the English to exculpate themselves after using some vile swear word, might well be helpful to those who have just discovered what those implications are – the language which results is often unsuitable for what used to be called “mixed company”.
It is a good start, however, to find out in reasonably plain English what is involved, and that is what the ICO’s Guide to Data Protection aims to do. It is worth a small digression to explain how I came across it. The first intermediate source was Pinsent Masons‘ excellent Out-Law.com, the best source known to me of current law and practice in accessible form. I do not scan Out-Law daily for updates any more than I do the ICO site – what I rely on for current information in the e-Disclosure / e-Discovery field is Twitter. I am not going to look back to see which of the quick-off-the-mark Tweeters first got hold of this yesterday, but it will have been Ron Friedmann and/or Integreon, The Posse List or Rob Robinson, all of whom are quick to spot interesting things, only a fraction of which I can expand on here.
Back to the ICO’s Data Protection Guide, which begins with the promising assurance that it “explains the purpose and effect of each principle, and gives practical examples to illustrate how the principles apply in practice”. My quick scan of it suggests that it largely lives up to that promise. There is no escaping, however, that this is a complex area, not helped by the fact that each country has its own implementation of the EU Directive (a point to bear in mind – this is the UK’s version only which, whilst having the obvious merit of being in English, does not entirely help you in Spain save to the extent that the core obligations are universal).
It is, of course a guide to what exists, not a magic doorway to solutions. Don’t get too excited as you scroll through the myriad exemptions and exclusions relating to data transfer – they all bring you up against the same brick walls eventually: Principle 8 relating to transfer outside the EU is not a free-standing exemption but one which runs in parallel with the other seven; a data subject’s consent must still be obtained and can be withdrawn; other methods of obtaining information (e.g. the Hague Convention) must be explored; and so on. In addition, those who think that all this dull stuff can be avoided by just quietly getting on with it might care to bear in mind waiver of privilege, the implications of onward transfer (e.g. by production to opponents), and the effect of e.g. the PATRIOT Act.
Two quotations may help you – no, they will not help you, but they will help you understand what kind of a problem this is. The ICO section on international transfers includes a quotation from the Article 29 Working Party’s Working document on a common interpretation of Article 26(1) of Directive 95/46/EC (2093/05/EN – WP114) which, at page 11, says “Relying on consent may therefore prove to be a “false good solution”, simple at first glance but in reality complex and cumbersome”. Get the idea?
The other comes from an article by Shannon Capone Kirk, Emily Cobb and Michael Robotti in Law Technology News of 22 December 2008. They say:
one might start by researching the level of enforcement of EU privacy laws. This is no easy task, as there does not appear to be any organized reporting mechanism for enforcement actions. Consequently, U.S. lawyers are forced to rely upon a hodgepodge of court cases, news and journal articles, anecdotal accounts of enforcement and speculation.
Welcome to the world of non-American law reporting, chaps. This is the real heart of the problem: you may think that you have steered yourself round the rocks of rules and directives and through the shoals of exemptions and exclusions, but you fetch up every time against the lack of any precedent which fits your circumstances.
The ICO’s Guide contains links and references which make it a good spring-board for further research. It lives up to its billing as a plain English guide, within the obvious boundaries that its subject-matter is complex, voluminous and lacking in precision. Apart from the very biggest London law firms (which presumably know all there is to know on the subject), Lovells, White & Case, DLA Piper and Pinsent Masons are firms known to have expertise in this area. I am not setting myself up as an unofficial guide to law firm expertise, but these are firms which I have come across with practical knowledge on the subject. There are doubtless others; there are many who would have no clue what you were talking about if you hit them over the head with the Directive.