French Data Protection Authority (CNIL) Issues Opinion On Personal Data Transfer To The United States For Civil Litigation Discovery

The French Data Protection Authority, the CNIL (“Commission nationale de l’informatique et des libertes”) issued Deliberation No.: 2009-474, articulating its recommendations on responses to U.S. discovery requests for civil litigation discovery.  The Deliberation was published on August 19, 2009. The Deliberation concerned the transfer of “personal data,” a category which, in France as in the rest of the European Union, includes email. Thus, the Deliberation is critical reading for multinationals with a presence in France, and those who represent them. No official English translation is yet available, though one should be forthcoming shortly. The French version (which can be translated with the use of Google and other services, is available at http://www.cnil.fr/en-savoir-plus/deliberations.

While the CNIL recommended that all U.S. discovery requests be made through the procedures outlined in the Hague Evidence Convention of 1970, as required by France’s Blocking Statute, it took pains to emphasize that the transfer, even if authorized by a French judicial authority, must comply with the requirements of France’s Data Protection Act, Law No.: 78-17 of January 6, 1978.  These requirements include notice to the data subject; the data subject’s right of access to the data, with an opportunity to modify the data or object to its transfer (the CNIL did not discuss the consequences of such an objection); and measures to ensure the security of the data when it is in the U.S.  On this last point, the CNIL recommends the use of a Stipulated Protective Order.

The CNIL strongly emphasizes, by virtue of the amount of text spent on the subject, that the need for the data request to be “proportional,” and here is where U.S. practitioners may have the most difficulty. The Deliberation points out that France has issued an “exception” to the Hague Evidence Convention, pursuant to its Article 23, that the authorization for the transfer will be granted only “when the requested documents are enumerated limitatively in the Request, and have a direct and precise link with the object of the procedure” (Declaration of France pursuant to Article 23 of the Hague Evidence Convention of 1970; emphasis supplied).

This proportionality requirement is inconsistent with American practice of demanding “Any and All” documents, even within a defined category.  Further, the language of the Deliberation implies that a French judge, in ruling on the Hague Convention Letter of Request, will be making a determination on relevance.  Practitioners should be prepared to indicate, in the Hague Convention Letter of Request submitted to a U.S. judge for transmittal to a French judicial authority, precisely why the now-circumscribed list of documents (including electronic documents) are relevant.

Once the authorization is granted, the Deliberation continues, the processing of the data requires culling and filtering to further ensure that only the relevant data is obtained and transferred. This is consistent with the Working Document 1/2009 (“WP158”) issued by the Article 29 Working Party of the European Commission, published in February, 2009.   Both documents note the need to “cull and filter” the data at the time of collection, and both recommend that this process be done in the country where the data is located.

The CNIL, like the Article 29 Working Party, recommends the use of a third party to assess the relevance (proportionality) of the data in the context of the underlying case.  This will require retention of counsel outside the proceedings (counsel of record are excluded in both documents) to guide the process of culling and filtering (which should be done by a third-party vendor) and provide a legal determination of relevance.

Data already within the United States pursuant, for example, poses a thorny problem for non-U.S. data protection agencies.    The CNIL approaches it with a bit of a shrug, recommending that personal data from France be subject to a Protective Order stipulated between the parties to the U.S. litigation.

We will continue to watch for updates to this Deliberation, but it clearly indicates that the CNIL will be carefully watching transfers of emails to the U.S. for civil litigation, and will be prepared to take action in the event of violations of French privacy and data protection laws.