Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Shruti J. Shah
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

EU/US Cross Border Data Discovery – Mission Impossible?

by Joe Looby

Complicated, yes, but impossible? No, according to a report just out from RAND Europe.

With the widely reported increase in FCPA enforcement by the U.S. DOJ and SEC, and a new U.K. Bribery Act taking effect in April of 2011, corporations are increasingly required to conduct anti-bribery due diligence and investigations across the globe. In many instances, this may require the collection of email and documents from one country and the review and production of such documents in another country.

However, EU data privacy laws often seem to be in direct conflict with U.S. regulatory requirements to produce documents for FCPA investigations. To comply with a DOJ request for documents from certain countries—say, Germany or Italy—a company cannot simply rely on “U.S. notions” of employee consent and then gather those documents and bring them to the U.S. for review and production to the DOJ.

For example, if an EU employee were to consent upon hiring to the employer’s unrestricted use of his or her email (a common practice in the U.S.) – a later transfer to the U.S. on this basis alone would violate EU data privacy. To further complicate matters, each EU country, and certain local jurisdictions within those countries, can implement their own data privacy rules differently.

The RAND Europe report, sponsored by FTI Technology, outlines options that can be considered by companies and counsel, and the report incorporates guidance from the European Directive’s Article 29 Working Party, the Sedona Conference, as well as national data privacy regulators and experts from five European countries (France, Germany, Spain, Switzerland and the United Kingdom).

Some of these recommendations include processing and redacting documents in country, use of a privacy log, or assigning a third party to adhere to the European legal framework. In addition, the report includes country-specific requirements for the five countries mentioned above.

The full report is available for download here.

Joe Looby is a senior managing director of FTI Technology and can be contacted here.

Share this post


Comments are closed for this article!