May 28th, 2008 by Andrew Jenks
Discovery Mining has been operating in the EU for just about 2 years. This experience has given us a clear understanding of Directive 95/46 EC. This rule, adopted in October of 1995, lays out with great specificity the ways in which corporations handle the right to privacy for their employees. Many vendors in the E-Discovery market claim that being Safe Harbor certified will keep them in order with Directive 95. However, this article recently posted at Law.com provides the bigger picture and makes me glad we have a full processing and hosting center in the EU.
I’m not aware of any precedent set for bringing data to the US under the guise of E-Discovery and having the Safe Harbor certification ‘tested’, but I sure wouldn’t want to be the first. As the article goes on to say:
The Safe Harbor is not a practical solution for the discovery process because it only permits the export of the data, not any further processing. The prohibition on further processing would make the data unusable for discovery, since any document production and review activities that take place in the United States are likely to fall within the scope of the “processing.”
Just to point out another catch when following the directive… if you are issued a subpoena, you’re stuck violating either EU or US law. As the article goes onto say, there are other ways to get around this, but they are typically time consuming and costly. If you violate the Directive, there are real penalties to pay. The French data protection authority levied a €30,000 fine against Tyco Healthcare France. So what’s an International Firm or Multi-National Corporation to do when trying to comply with a discovery request?
The answer is to find someone who can fulfill your request on both sides of the Atlantic. If you want to guarantee that you are following the US best practices and complying with EU privacy rules, you’ll need someone who has operated on both continents with full facilities for some time. Discovery Mining has been involved in many cases where the US based company needs to fulfill a discovery request, but has data in the EU as well as the US. It allows the corporation to contract with one company and know they are following Directive 95/46 EC. If you have international clients that do business in Europe and Canada, don’t rely on a vendor being Safe Harbor certified. You may find yourself stranded on a legal island.
