On May 25, 2018, at the effective date of the General Data Protection Regulation (“GDPR”), the European Data Protection Board (“EDPB”) adopted its “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679” (“Derogation Guidelines”). Therein, the EDPB clarified that the “legal defense” derogation in Article 49(1)(e) also applies, among other things, to criminal, administrative, and pre-trial discovery procedures. This guidance brings legal certainty to companies engaged in U.S. document productions.
The EDPB was established as new EU body by the GDPR and replaces the previous Article 29 Working Party, which ceased to exist (and also stopped updating its web presence) as of May 25, 2018. The EDPB is composed of representatives of the national data protection authorities and the European Data Protection Supervisor. Its main task is to ensure the consistent application of data protection rules throughout the EU, by, among other things, adopting general guidelines on the interpretation of GDPR terms. Also, it can issue binding decisions towards national supervisory authorities to ensure a consistent application.
With its Derogation Guidelines, the EDPB clarified the scope of the derogations for international data transfers in Article 49 GDPR. Parties must rely on such derogations if the laws in the recipient’s state do not provide for an adequate level of data protection and other appropriate safeguards (such an EU standard contractual clauses or Binding Corporate Rules) likewise do not apply. European-based companies often find themselves in this situation if they have to respond to U.S. discovery requests, e.g., in the context of a U.S. litigation or an investigation. In this situation, typically no contractual safeguards are available vis-à-vis the opposing party, the court or a U.S. agency.
To justify data transfers to the U.S. for discovery purposes, parties therefore typically rely on the defense derogation in Article 49(1)(e), because it allows data transfers to a party in a third state even in the absence of an adequacy decision or contractual safeguards if “the transfer is necessary for the establishment, exercise or defense of legal claims.” This derogation was taken over from the previous data protection directive. Under the old regime, there was always some debate, however, in particular among authorities from civil law jurisdictions such as Germany, about the exact scope of this derogation: Is pre-trial discovery considered a “legal claim”? Does the derogation apply only to civil claims or also to administrative or criminal proceedings? Is a voluntary self-disclosure considered a “defense” in the meaning of this derogation?
A previous guidance of the Article 29 Working Party from February 2009 only touched the issue, but left room for interpretation. The EDPB’s guidance is short, but unambiguous and on the point. With reference to Recital 111, wherein it is stated that the defense derogation also applies “to administrative or any out-of-court procedure, including procedures before regulatory bodies,” the EDPB clarified that the defense derogation likewise applies in civil, criminal and administrative procedures and even if the purpose of the procedure is to obtain a reduction or waiver of a fine.
In the EDPB’s reading, Article 49(1)(e):
“[C]overs a range of activities for example, in the context of a criminal or administrative investigation in a third country (e.g. anti-trust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen e.g. in anti-trust investigations. As well, data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country for example commencing litigation or seeking approval for a merger.”
This does not mean, however, that parties can rely on the defense derogation in order to produce unlimited volumes of unredacted personal data to U.S. recipients, such as opposing parties, courts and authorities. The EDPB confirmed in this respect that the respective transfer must still meet the “necessity test” and comply with the GDPR’s general principles of proportionality and data minimization. Therefore, some level of coercion should be involved: The mere interest of third party authorities or possible “good will” to be obtained from the third country as such does not meet the necessity test in the EDPB’s view.
