Can you obtain personal data (particularly social media account information) from an EU citizen who is a party to your client’s lawsuit for eDiscovery purposes?

Can You Get Personal Data Contained Within a Social Media Account of an EU Citizen for eDiscovery Purposes? It Depends.

Author: Sarah E. Hsu Wilbur
Case Citation: Data Prot. Comm’r v. Facebook Ir. Ltd. & Schrems, [2017] 2016 No. 4809 P. (H.Ct.)
Employee/Personnel/Employer Implicated: Facebook; Social Media Providers
eLesson Learned: Whether for eDiscovery purposes or otherwise, you should not attempt to obtain or transfer (or have your client transfer) personal data (including data from a social media account) of any EU citizens into or within the US without first checking to see whether obtaining or transferring such data would violate any EU privacy laws and expose you or your client to being sued.
Tweet This: Don’t try to get or send personal data of EU citizens before first checking to see if it violates any EU privacy laws!

In this case, Facebook subscriber Maximilian Schrems sued Facebook Ireland because he said Facebook Ireland transferred his personal data to Facebook Inc. in the US in violation of EU privacy laws. As brief background relevant to this case, in 2013, former NSA employee Edward Snowden went rogue and disclosed documents that showed the NSA operated the Internet and telecommunications systems of some major global tech companies including Facebook, thereby allowing the NSA to conduct surveillance on said companies. Schrems thus argued that in light of Snowden’s disclosures, Facebook Ireland transferring “his personal data to its US parent, Facebook Inc., for processing was unlawful both under national and EU law.” He argued that Facebook Inc. is subject to a number of laws and other orders that require it to disclose personal data of individuals to US authorities, which in and of itself violates the EU’s privacy laws, even if the US government never accessed his personal data.

Facebook Ireland did not deny that it transferred Schrems’s personal data and in fact continued during litigation to transfer Schrems’s and other EU-resident Facebook subscribers’ personal data to the EU. Facebook Ireland argued, however, that it had the right to do this because of its data transfer and processing agreement with Facebook Inc. and because it had language that resembled the “standard contractual clauses” that basically operated as a safe harbor for companies transferring such personal data of EU citizens to other countries. “Standard contractual clauses” (SCCs) are an EU-approved mechanism to transfer personal data between US (or other non-EU countries) and EU countries. These clauses essentially guarantee that personal data of EU citizens transferred to a non-EU country pursuant to those clauses enjoys the same amount of protection that the EU provides for that data. In other words, they ensure “adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals,” including EU resident Facebook subscribers, and are approved under current EU data privacy laws. Schrems argued that a company such as Facebook using the SCCs and transferring his personal data and that of other EU citizens to the US does not provide the same privacy protections as the EU offers and therefore violates EU law. The Data Protection Commissioner investigated the case and agreed with Schrems.

The High Court of Ireland decided in favor of Schrems, concluding that the laws and practices of the United States “do not respect the essence of the right to an effective remedy before an independent tribunal as guaranteed by [EU law], which applies to the data of all EU data subjects transferred to the United States.” The Court reasoned that the validity of SCCs “cannot depend on the automatic exercise of a discretionary power,” noting that the EU recognizes a right to data privacy as a “fundamental right and freedom,” unlike in the United States. Thus, following this decision, it is unclear whether SCCs continue to be a valid way to transfer personal data to third countries.

This decision impacts eDiscovery in the US for cases that involve parties who are EU citizens because of the strict EU data privacy laws that apply to those parties. When you need eDiscovery from parties who are EU citizens, or eDiscovery that includes the transfer of personal data of EU citizens or personal data that is stored in the EU (particularly personal data found on a social media site), you should always check the current EU privacy laws and recent decisions involving personal data of EU citizens to make sure you are requesting the information in a lawful way. Be careful in framing the requests for this information and in requesting this information in the first instance so as not to expose yourself or your client to the risk of being sued for violating EU data privacy laws. Keep in mind you may not be able to obtain this information unless an exception like consent or national security applies.

Sarah is a Seton Hall University School of Law student (Class of 2018), pursuing an Intellectual Property concentration through the Privacy and Security Law Track. After graduating, she will begin working as a Litigation Associate in a large Manhattan law firm. Sarah graduated from the University of Florida in 2009 with a B.S. in Journalism, and she worked as both a multimedia journalist and a legal assistant before attending law school.
