On Feb. 6, 2018, the Article 29 Working Party (Working Party 29) published Working Paper 261 (WP 261), which provided guidance on the provisions of Article 49 of the European Union’s (EU) General Data Protection Regulation (GDPR). This guidance was especially interesting to data privacy attorneys and litigators (primarily e-discovery practitioners) in the United States who had been considering the operation of GDPR Article 49 as it relates to cross-border data transfers undertaken in the context of litigation or regulatory investigations and had been looking at the derogations in Article 49 as a means to continue data transfers in those instances. Many of those attorneys had already been cautious when determining how to best protect the privacy of citizens of EU Member States when responding to litigation or regulatory requests that originated in the United States, which does not specifically recognize the same types of privacy protections and does often require the production of information that raises EU privacy concerns, and they were especially concerned with how the GDPR would further modify that calculus.

WP 261, with its consideration of Article 49, focuses specifically on GDPR derogations, which are exceptions to the broader holdings or requirements the GDPR otherwise provides. But these derogations are not clear exceptions (and are certainly not the proverbial get-out-of-jail-free card), and WP 261 begins with exactly that admonition. The use of Article 49 is a last resort; specifically, “data exporters should first endeavor possibilities [sic] to frame the transfer with one of the mechanisms included in Articles 45 and 46 GDPR, and only in their absence use the derogations provided in Article 49 (1).”

Article 49 derogations are a sort of last-resort measure for data transfer under certain circumstances when the data’s use is demanded but where adequate levels of protection or appropriate safeguards for the data may not be available. Because these circumstances are viewed as exceptional in WP 261, the guidance allows for only occasional, not repetitive, transfers. This is not an exception that becomes a rule for an organization, and simply because it worked once, there is no guarantee that a second, a fifth or a 10th similar transfer would not be the proverbial siren that ultimately brings it to the attention of the data protection authorities.

In addition to a limited use requirement, WP 261 reinforced that Article 49 use requires a test for necessity, or an evaluation of whether the transfer of personal data is necessary for the purpose for which the derogation is employed, which requires a “close and substantial connection between the data in question and the specific establishment, exercise or defense of the legal position.” Also, WP 261 seems to directly consider the e-discovery context when relating Article 49 of the GDPR to Article 48. There, WP 261 states clearly that “Article 48 and the corresponding recital 115 provide that decisions from third country authorities, courts or tribunals are not in themselves legitimate grounds for data transfers to third countries. Therefore, a transfer in response to a decision from third country authorities is in any case only lawful, if in line with the conditions set out in Chapter V.” WP 261 then notes that such data transfer considerations often come up where “there is an international agreement, such as a mutual legal assistance treaty (MLAT),” and states that “EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”

WP 261 provides some additional, practical advice for the provision of personal data in the context of (now) traditional e-discovery and investigatory practices and transfer. Revisiting certain elements of older Working Party 29 guidance interpreting the Data Protection Directive, WP 261 clarifies that data transfers deemed necessary for the “establishment, exercise or defense of legal claims,” a derogation listed in Article 49, may include “data transfers for the purpose of formal pre-trial discovery procedures in civil litigation” as well as activities such as commencing litigation, seeking approval for a merger, and criminal or administrative investigations. However, Working Party 29 warns that this derogation “cannot be used to justify the transfer of personal data on the grounds of a mere possibility that legal proceedings or formal procedures may be brought in the future.” The procedure necessitating the transfer must have a “basis in law,” and there must be a close relationship between the data transfer and the procedure requiring it. Practitioners should note that this derogation does not create a loophole to avoid national blocking statutes, which can still validly restrict the transfer of data for foreign proceedings.

Further, the Working Party 29 guidance states that “in relation to litigation proceedings the WP29 has already set out a layered approach to the question of whether the personal data should be transferred, including the application of this principle,” which comports with the GDPR’s general data minimization principle.  That guidance provides a set of steps:

  • If it is necessary to send personal data to a third country, its relevance to the particular matter should be assessed before the transfer occurs.
  • After assessing relevance, only a set of personal data that is actually necessary should be transferred and disclosed.
  • There should be a careful assessment of whether anonymized data would be sufficient in the matter considered to address the request or demand.
  • If anonymized data is insufficient, then the producing or collecting party should consider the sufficiency of a transfer of pseudonymized data.

Finally, in addition to that list of considerations, WP 261 stresses another limit; it’s not just the number of times the derogation is employed, it’s also the number of data subjects it applies to. And while WP 261 notes that no absolute threshold has been set (as this will depend on the context), “the number must be appropriately small taking into consideration the type of transfer in question.”