This is a useful piece to read, especially if you are interested in GDPR compliance. I’ll let you take a read of the piece yourself, but below are just a few key points I wanted to highlight after reading it.
The GDPR does contain provisions which enable the use of personal data in the context of disclosures to third parties, including those subject to a court order, in particular where this is necessary for compliance with a legal obligation, or where it is necessary for the performance of a task carried out in the public interest or in the exercise of official duty of the data controller. However, it is important to bear in mind that these legal conditions only apply to the extent that the obligations are subject to EU or Member State law, which will not be the case in the context of court orders from other jurisdictions, such as the United States.
Many organisations based in, or with a presence in, the EU face a difficult quandary when they receive a subpoena from a foreign court, particularly in the United States, where the subpoena may be issued against the parent company. Whilst organisations are generally keen to co-operate with such requests, many are reluctant to do so, mainly because doing so may compromise compliance with laws such as the GDPR, which can result (albeit in a worst-case scenario) in the imposition of monetary penalties of up to 4% of annual global turnover. It is also important to mention that EU Member States have specific approaches to managing disclosure and discovery matters, and therefore careful consideration should be given to how these approaches may impact pan-EU cases.
Much to the frustration of US attorneys, EU attorneys in US organisations with an EU presence may refuse to disclose personal information being sought or seek to negotiate the terms of a subpoena (a futile effort), both of which can result in long delays. Conversely, EU attorneys often are frustrated by the refusal of US authorities to enter into data transfer agreements incorporating the Standard Contractual Clauses (also a futile effort).
Typically, US-headquartered organisations with EU affiliates will be more familiar with this type of scenario and may have implemented compromise measures or otherwise engage, albeit on an ad-hoc basis, in protracted negotiations between EU and US legal counsel. It has been known for organisations in the Financial Services sector to channel such requests via a regulatory body based in the EU which would act as an intermediary, such as the Financial Conduct Authority; this provides the EU entity with a surer footing that it is making a disclosure pursuant to Member State law, although it is by no means a clear-cut solution.
Whilst there is no avoiding the reality that most organisations will find themselves between a rock and a hard place here, there are still some practical measures that can be taken to minimise the risk of falling foul of GDPR rules when making such disclosures. These consist of:
Carefully consider the scope of the request and whether there is a specified date range or timescale to help narrow down the scope of the data searches required;
Give due consideration to obtaining the consent of impacted individuals to the disclosure of their personal data, taking great care to ensure this is not on a forced or coerced basis, and ensuring alternative measures can be taken in the event consent is not given or is withdrawn;
Evaluate whether the number of individuals whose personal data could be disclosed can be narrowed down, or whether certain identifying datasets could be redacted or pseudonymised;
Conduct a Privacy Impact Assessment with a focus on the purpose, necessity and balancing of risks between those of the organisation and those to the impacted individuals, to systematically walk through the risk considerations and to identify whether other data-specific control mitigants could be applied prior to sharing any personal data;
Consult external legal counsel in the EU to identify any Member State-specific approaches which may need to be adopted on pan-EU discovery matters.
Although there are few reported decisions addressing the interplay between Section 1782 and the GDPR, the decisions to date hold important lessons. US courts have uniformly held that entities responding to a Section 1782 subpoena must produce documents regardless of whether those documents are subject to the GDPR. Where courts differ is how they attempt to minimize the burden on the responding party—if at all.