
Data Protection in the Financial Services Sector Dealing with - PowerPoint PPT Presentation



  1. Data Protection in the Financial Services Sector – Dealing with Discovery and Regulatory Investigations
     William Long
     18 November 2010
     BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

  2. EU Data Protection and Document Discovery
     • Approach to document discovery varies between Member States, particularly in civil law countries
     • November 2006: Article 29 Working Party expressed and adopted its opinion on the SWIFT case - fundamental rights of citizens must be guaranteed
     • French Blocking Statute prohibiting communication to foreign authorities. Aerospatiale/ MAFF-Executive Life
     • Swiss Penal Code restricts gathering of evidence in Switzerland for use in foreign proceedings unless done through judicial assistance

  3. EU Data Protection and Document Discovery
     • Rules on privilege also vary between Member States. The Akzo Nobel (2007) case confirmed principles in relation to privilege in the context of EU Commission investigations
     • In February 2009, the Article 29 Data Protection Working Party published Guidelines on pre-trial discovery for cross-border civil litigation (WP 158)
     • Requests for information may also be made through the Hague Convention on taking of evidence abroad in civil and commercial matters – but not all Member States are parties while some have filed reservations for discovery in relation to foreign legal proceedings

  4. Article 29 Working Party Paper on Discovery
     • The Article 29 Data Protection Working Party Paper provides guidance to EU data controllers on data protection requirements as applied to discovery in civil litigation
     • Data Retention
     • Legitimacy of Processing
       – Consent
       – Compliance with a Legal Obligation
       – Pursuit of a Legitimate Interest
     • Proportionality
     • Notice to data subjects and rights of access, rectification and erasure
     • Data Security and Controls over External Service Providers
     • Transfers to third countries

  5. Article 29 Working Party Paper on Discovery
     • Companies must consider the Guidelines in each phase of data processing for litigation purposes
       - Phase 1: Retention
       - Phase 2: Disclosure
       - Phase 3: Onward transfer
       - Phase 4: Secondary use
     • Personal data should only be kept for the period of time necessary for the purposes for which it is collected
     • Contrast with requirement to retain documents under local law and regulatory requirements or possible future litigation
     • Specific or imminent litigation - EU Commission accept data can be retained until conclusion of proceedings

  6. Article 29 Working Party Paper on Discovery
     • Processing of data for litigation purposes - justified when in the legitimate interests of the data controller but provided rights of the individual are not overridden
     • Individuals must be provided with fair processing information unless limited exceptions apply
     • A balancing test must be applied in considering the relevance of the personal data to the litigation and the consequences for the individual
     • Must act in a proportionate and fair way
       - determining if the information is relevant to the case
       - assessing the extent to which personal data is included
       - considering whether the personal data can be produced in a more anonymised or redacted form
       - perform filtering exercise locally

  7. Article 29 Working Paper on Discovery: Guidelines for an EU data production
     Steps to consider with EU discovery exercises
     • Consider guidelines during each phase: retention, disclosure, onward transfer, and secondary use
     • Provide clear and advance notice
     • Inform data subjects of data protection rights such as rights of access, rectification and erasure
     • Consider grounds for legitimate processing; apply balance of interests test
     • Consider measures to minimise information collection and dissemination, specify security and confidentiality procedures
     • Devise specific security measures and controls over third party service providers

  8. Article 29 Working Paper on Discovery: Guidelines for an EU data production
     Steps to consider with EU discovery exercises
     • Ensure active oversight role for data protection officers
     • Establish pre-transfer data review and filtering procedures including review of documents in the EU
     • Adopt restrictive data retention policies consistent with applicable law
     • Ensure data transfers are permitted under Article 25 and 26 of the Data Protection Directive and local law requirements
     • Check position with local counsel in each relevant Member State due to local law differences – for example need to make data protection filings with local DPA and consult with workers council

  9. Dealing with Cross-border Data Transfers
     • Articles 25 and 26 of the Data Protection Directive prohibit transfer of personal data to countries outside EEA that do not ensure an adequate level of protection
     • Possible means for dealing with data transfers outside the EU include:
       – Consent – but consent must be informed and freely given
       – Model Contracts – EU’s standard clauses for the transfer of personal data between a data exporter and a data importer
       – US Safe Harbor – US company that subscribes to US Safe Harbor Scheme and data protection principles
       – Binding Corporate Rules – EU approved internal data protection rules which are binding on parties
       – Art 26(1)(d) – transfer necessary or legally required on important public interest grounds or for establishment, exercise or defence of legal claims
       – Art 29 Working Party have commented that where the transfer for litigation purposes is a single transfer of all relevant information then Article 26(1)(d) is a possible ground but other options should be considered
       – Hague Convention – compliance with a request under the Hague Convention does provide a formal basis for the transfer of personal data but some EU Member States have not signed the Convention or signed with reservations

  10. Comments/Questions

  11. Sidley Austin provides services to meet the needs of clients on three continents. Our London Financial Services Regulatory Practice represents a broad range of financial institutions and related businesses. We act for clients with extensive UK, European and international operations, as well as for clients based in the United States or elsewhere and looking to do business in the UK and the EU.

      Banking & Financial Services Regulation
      John Casanova, jcasanova@sidley.com
      William Long, wlong@sidley.com

      Sidley Austin LLP
      Woolgate Exchange
      25 Basinghall Street
      London, EC2V 5HA
      United Kingdom
      T: +44 (0) 20 7360 3600
      F: +44 (0) 20 7626 7937
      www.sidley.com

      Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results described herein do not guarantee a similar outcome.
