The expression “grasping at straws” has seafaring origins – a drowning man grasps at straws in the absence of anything more solid to cling to. It comes to mind whenever the subject of EU data privacy comes up in the context of US litigation where US lawyers, already drowning in electronic documents, an unrelenting timetable, and the fear of sanctions, will grab hopefully at anything which may save them from the additional difficulties posed by EU privacy rules. They read, for example, of what appears to be a “litigation exemption” and hope that it gets them clear of the whole data privacy problem.
This attitude follows from the feeling that the whole privacy regime is an anti-US device, something invented by Europeans (mainly the French and the Germans) to impede the due process of US law. This perception inevitably generates a backlash, and the language of many US courts implies not merely a defence but counter-attack. I have only just discovered, for example, that a 1987 case called Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987 referred expressly to a “sham law such as a blocking statute”. More recently, the cases of In re Global Power Equipment Group Inc., and Accessdata v Alste appear, to European eyes at least, to imply contempt for the whole privacy business.
It is helpful, therefore, to be reminded that EU privacy requirements bite as hard on EU-based parties to national EU litigation as on EU parties to US litigation. The conflict arises not because US parties are treated differently, but because the same rules apply to them as to everyone else. US litigants find it hard to comply with the data export provisions not because they are anti-American but because the US discovery rules, to say nothing of the Patriot Act, are inherently inimicable to EU notions of privacy. The export provisions are not an exemption from the rules but a means of ensuring that exported data is treated no worse, in privacy terms, than it would be if not exported.
The headline which caught my eye was New French Case Removes Automatic Privacy Shield From Employee E-Mails, Making Them More Amenable to US discovery. It appeared in an article by Washington and national law firm Hogan & Hartson who are, so far as I can see, the first to have picked up the possible implications of a case called Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 (I urge caution on anyone searching for “Bruno B” because there is a site out there which, from its page description, may involve young ladies wholly unconcerned about any kind of privacy). Bruno B is an employment case: the employer relied on e-mails criticising the employer sent by the employee to a regulator; the employee tried to bar their use on the grounds that the employer had no right to search his files, and the court rejected this proposition. There is no point in my paraphrasing the Hogan & Hartson report (it is also the source of the “sham” quotation above) which you can read for yourself. Despite its headline, the article is careful not to attach more weight to this decision than it is fit to bear.
There is no doubt, however, that many will use it as a reason to ignore everything they have heard about EU privacy. The case may well have implications for US litigants, but I do not think that a single Labour Court case in which an employee neglected to mark private e-mails as such will open the floodgates to FRCP discovery. It’s most likely consequence, I suspect, is that all French employees will start marking the e-mails” Private”, making it harder rather than easier to discriminate between those which are and those which are not genuinely private.
Hogan & Hartson pitched it right, I think, with their studiedly vague conclusion that the Bruno P ruling “is still a far cry from the absolute presumption that any data with an employee’s name is private” which has obtained hitherto. This decision represents no more than a tiny step toward resolution of the problems. Its importance, as I have said above, is that it helps illustrate to US lawyers that there is nothing anti-American in the existence and use of EU privacy laws.
We are where we are partly because the two regimes have independently developed in opposite directions – Germany has implemented, and the UK has announced, increased penalties for certain privacy breaches at the same time as US courts have racked up the penalties for allegedly inadequate disclosure. At the same time, the language of some of the US cases appears contentious, although probably in fact borne out of judicial frustration at the way the particular cases have been run – both Global Power and Accessdata leave the strong impression that the result might have been different if the problem had been gripped by the non-disclosing parties at the outset instead of appearing as a last ditch defence.
It may seem trite to describe this as a risk management exercise, since all litigation involves weighing cost against risk, but it is helpful to know what the risks are. The Bruno P case, if it does nothing else, will at least draw attention to the fact that EU privacy laws are not, as many of them may think, a cunning device invented deliberately to confound unwary Americans, but a dense thicket for local litigators as well, into which US lawyers must inevitably stray.
My knowledge of French jurisprudence is limited, but I suspect that this case affects only a limited range of circumstances, almost none of which will be relevant to a US litigant clutching an order of a US court against an EU company. For one thing, Bruno P was himself a party, not merely an employee of a party, and without reading the French judgment, it is not possible to say whether this played any part in the decision. For another, there is nothing particularly private about the subject-matter of the emails in question. Still, it opens a chink in what has hitherto been seen as the impregnable principle that mere mention of an employee’s name is enough to brand a document as “private”.
Like “grasping at straws”, the expression “any port in a storm” has nautical origins, and we can be sure that someone will seek to rely on the Bruno P case when trying to get access to the e-mails of a French employee. At the least, they will factor it into their risk assessment before ransacking the servers of their French subsidiaries for anything not marked “Private”. Whether it actually deserves that weight we will not know until they get caught doing it.