New EU Privacy Legislation Clashes with US Discovery Obligations: Forewarning for companies with employees on both sides of the Atlantic
The European Union is launching new privacy and data protection rules in May 2018. This new regulatory framework, known as the General Data Protection Regulation (GDPR) is known to have a substantial extra territorial reach (also likely to apply to every US organization processing personal information of even a single individual in the EU) and boast sanctions of up to € 20 million in fines or, in the case of an undertaking, 4 percent of the annual worldwide turnover.
The GDPR prohibits the transfer of any personal data processed in the European Union to a country whose privacy laws are considered inadequate, as is the case for the US. This may create a problem when an employer needs to comply with US discovery obligations.
It is Article 48 of the GDPR which explicitly states that a judgment by a non-EU court or administrative authority is not a valid basis for transferring data. Such orders or judgments will only be recognized if based on an international agreement, convention or treaty between the third country and the EU or member state, such as e.g. mutual legal assistance treaties or the Hague Convention.
After May 2018, disclosures to opponents in response to U.S. civil discovery requests involving data protected under GDPR will either need to rely on an appropriate international agreement or find other acceptable bases in the GDPR for transferring data out of the EU.
Preparation and coordination of all data transfers will be key in reconciling US discovery obligations and EU privacy legislation. The stakes, both on the US and EU side, have never been higher. The Kelley Drye Labor and Employment team stand ready to assist clients prepare for and navigate this complex new process.