Anonymisation, the Hague Convention and US judicial notice of EU privacy protection

I expressed puzzlement recently at the high proportion of page views from the US over a period when most of my focus has been on the UK draft practice direction. I know, of course, that there is much US interest in developments in other jurisdictions, particularly the UK, and there is an obvious connection between Judge Scheindlin’s Pension Committee Opinion with its huge potential to drive litigation costs upwards, and the focus of the Jackson Report on Litigation Costs which is to drive them down.

It is more likely, in fact, that the recent US interest is based on two of my recent posts which concern the collision between US data demands and EU privacy restrictions. The two articles were Sedona Conference WG6 presentation to Article 29 Working Party in Brussels and The extent of the right to privacy in French employee’s e-mails. Both of these have been picked up by US commentators, and it is likely that the high proportion of US-derived page views come, in part at least, from these articles.

If the gist of my posts (and the comment on them) is that US lawyers are slow to identify, still less understand, the EU privacy problem, it is fair to say that that lack of understanding passes the other way as well (and I say that with full recognition that the EU’s Article 29 Data Protection Working Party is sincere in its wish to find a way through the problems). My original post about the Sedona Conference presentation had no higher ambition than to pass on the brief report from Sedona’s Jim Daley, and I now take the opportunity to expand on the central part of that. The main paragraph of Jim’s report reads as follows:

We received very spirited questions from the several Working Party members regarding why anonymisation was such a burden for companies responding to cross border discovery, and why recourse to the Hague convention posed practical issues.   We were also asked whether we believed there is really any hope that the U.S. federal judiciary will consider data protection and privacy and blocking statutes in balancing the privacy interests of Data Subjects with the disclosure obligations of multinational corporations.

The emphasis is mine, and identifies three separate points which I will take in turn (and if you do not like the words “anonymised” and “pseudonymised”, whether with an English “s” or an American “z”, don’t blame me – that is how they appear in WP 158):

Why is anonymisation such a burden?

Anonymisation came up in the discussion because it was raised in the Article 29 Working Party’s paper known as WP 158. It is, perhaps, worth pulling out the section in WP 158 in which this subject comes up (making no observation as I do so on the fact that the section is headed “Proportionality”)

There is a duty upon the data controllers involved in litigation to take such steps as are appropriate (in view of the sensitivity of the data in question and of alternative sources of the information) to limit the discovery of personal data to that which is objectively relevant to the issues being litigated. There are various stages to this filtering activity including determining the information that is relevant to the case, then moving on to assessing the extent to which this includes personal data. Once personal data has been identified, the data controller would need to consider whether it is necessary for all of the personal data to be processed, or for example, could it be produced in a more anonymised or redacted form. Where the identity of the individual data subjects is not relevant to the cause of action in the litigation, there is no need to provide such information in the first instance. However, at a later stage it may be required by the court which may give rise to another “filtering” process. In most cases it will be sufficient to provide the personal data in a pseudonymised form with individual identifiers other than the data subject’s name.

When personal data are needed the “filtering” activity should be carried out locally in the country in which the personal data is found before the personal data that is deemed to be relevant to the litigation is transferred to another jurisdiction outside the EU.

Whilst I am sure that this was is not true of those who drafted WP 158, I think it possible that others in the EU camp genuinely cannot see the problem here. It is easy, they might say – just collect all the data, identify personal data and then “the data controller would need to consider whether it is necessary for all the personal data to be processed, or for example could it be produced in a more anonymised or redacted form”. It sounds easy does it not? Even if, however, you ignore (as you should not) the idea that this anonymisation or redaction should be done before processing (that is what the paragraph says) and ignore also the fact that the word “processing” has a very much wider meaning within the EU regulations than it does in US terms, anonymisation is neither trivial as a technical matter nor likely to appeal to a US judge for whom ” anonymisation ” and “spoliation” mean much the same thing.

I do not purport to provide an answer to this; my sole purpose in drawing attention to the section is to show that anonymisation is not the cure-all which some in the EU might think it is. My aim is not, of course, to be unhelpful, merely to make sure that everyone starts on the same page. If, as Jim Daley’s report implies, some in the EU camp think it a trivial exercise to replace every instance of a name and every reference which might identify a person (whether before or as part of any processing) then perhaps their perception of US difficulties might be based in part on a false premise.

The Hague Convention

The second point which the Article 29 Working Party members raised with the Sedona Conference representatives was “why recourse to the Hague Convention posed practical issues”. The Hague Convention on the Taking of Evidence Abroad in Civil and Commercial Matters, to give it its full name, is a multi-lateral treaty whose signatories allow, in varying degrees, the taking of evidence and discovery of documents by way of a Letter of Request from a foreign court to the designated Central Authority of the country where the evidence exists. I see no point in writing my own essay on the subject when Proskauer on International Litigation and Dispute Resolution has done so with clarity here (there is a mass of other relevant material accessible from this page which you will find helpful).

The Hague Convention has become a kind of bogeyman in US international jurisprudence. It is referred to in both the Global Power and AccessData cases in terms which suggest that it is seen as a deep black hole into which the legitimate demands of American litigants and courts disappear without trace for months if not years. It therefore sits nicely alongside anonymisation as a subject on which those from the US and those from the EU suffer deep mutual incomprehension, with the one side seeing the other as having deliberately closed minds on the subject.

Senior Master Whitaker is the Central Authority for the Hague Convention in England & Wales. The Letters of Request are therefore sent to him, and he spoke about it at the LegalTech international panels for Trilantic (for which I was a co-panelist) and for Epiq Systems (which I moderated). His message was that the Hague Convention route is both under-used and misused. As a matter of practice, there is no point in just sticking a Letter of Request in an envelope and posting it to the Central Authority. It will arrive in due course and will be dealt with but, in the absence of a locally appointed lawyer, it will be dealt with by the Treasury Solicitor who has no great commercial imperative to give it any higher priority than all the other things which the Treasury Solicitor does (see the helpful booklet produced by the Treasury Solicitors called TSol’s Guide to Letters of Request and Part 6 V CPR). It is essential to appoint local (in this case London, but the principles apply elsewhere) lawyers and have them deal with it. It helps, of course, to initiate the process as early as possible – the mother country of early case assessment is curiously dilatory when it comes to the assessment of this aspect of a case (I sometimes wonder, incidentally, if some lawyers use early case assessment as a means of picking off the easy things which show maximum billable progress in the minimum time rather than the aspects with the longest time-frames).

The Requests must also be narrowly defined to identifiable ranges of documents. The standard US style request (“gimme everything you’ve got which might possibly have any bearing on anything which might conceivably come up at some point in the litigation”) does not cut much ice outside the US. That again, is perhaps something on which local advice might be sought. The third element which might make a difference is to bring the US Court on-side as early as possible. In non-legal terms, this is called “managing expectations”; in everyday court terms, it may involve seeking a Protective Order under Rule 26(c) FRCP on the basis of an early and informed application to the court. The Aerospatiale case 788 F2d 1408 Societe Nationale Industrielle Aerospatiale v. United States District Court for District of Alaska D does not, as one might suppose from some of the references to it, say that US courts may spit on the courts of other countries. It says We agree that resort to the Convention should be considered in each case, but not that it must be utilized first in every case. This implies that a number of factors must be weighed in deciding what is appropriate. Informed submissions to the court would help avoid future decisions which, whether made rightly or wrongly by their own lights, have the potential to inflame passions and provoke adverse reactions in the EU.

The attitude of US judges

This shades into the third point reported by Jim Daley – the Article 29 Working Party question whether there is really any hope that the US Federal judiciary will consider data protection and privacy and blocking statutes in balancing the privacy interests of data subjects with the disclosure obligations of multinational corporations.

Of course they will “consider” these things, and it is unlikely that any US court would today describe a blocking statute as a “sham law” as one apparently did in 1987. Much turns, as I have suggested above, on whether the disclosing party troubled to explain the position, and at an early stage, to the judge. There is a deep cultural divide here, and not just because the US has no tradition of having its neighbours pour over its boundaries and march people off to camps on the strength of their religion, philosophical convictions or whatever else about them was recorded on a list. It is not for us to condemn the way US lawyers demand and give discovery of documents (we do, of course, but it is not really any of our business as long as they do it at home, as it were). I entirely buy the idea (again, discussed in Aerospatiale) that a company which takes the benefit of US law and trade must take also some of the burdens, else foreign litigants would have an extraordinary advantage in American courts as the Aerospatiale court put it. The privacy which the EU protects, however, is not that of the company but of its employees and other individuals with whom it deals. Besides, the comity of nations has a place in here somewhere, as well as the fact that EU fines are becoming no less trivial than the sanctions which the parties seek to avoid at home.

That does not answer the question as to whether US judges will consider data protection and privacy and blocking statutes. It may not be right to conclude from Global Power and AccessData that judges are simply trampling on foreign laws, foreign courts and foreign rights in appearing to disdain them. We need a case in which the parties do things by the book and in good time and still get thrown out on their ear. Then we will know whether US lawyers and judges are ignoring the foreign implications or are merely ignorant of them.

Home

About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere
This entry was posted in Data privacy, Data Protection, Discovery, eDisclosure, Electronic disclosure, EU. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s