6 December 2021
Data Protection in US Civil Litigation
Pre-trial discovery is a standard procedure in US civil litigation: The parties to a dispute exchange data and documents – e-mails, files, paper documents, chats, server logs, etc. – that may be relevant to the matter at hand prior to the trial. Time and again, data and documents from Switzerland have to be provided for such purpose, either because a Swiss group company is involved in the dispute or it holds the requested data, or because a Swiss company is directly involved in the US litigation.
We regularly have clients, who find themselves in this situation, asking us whether they are allowed to simply deliver data and documents from Switzerland to their US counsel and ultimately to the opponent. The short answer: In the context of pre-trial discovery, this is usually possible if third-party privacy and trade secrets are respected. We have compiled the most important points that normally have to be considered. Similar rules apply to data deliveries under the GDPR.
Hence, if the following measures have been taken, Swiss law generally permits the collection, storage, review and production of data and documents for the US litigation of a company (or another company):
Art. 271 Swiss Penal Code (SPC) does not permit you to act for a foreign court or authority on Swiss territory, meaning that you either need an authorization from the government or have to go through judicial assistance. The taking of evidence may trigger Art. 271 SPC. However, in the pre-trial discovery phase Art. 271 SPC is usually not an issue, i.e. you do not have to go through judicial assistance. However, should it become necessary to obtain documents or information not already held by your company (e.g., interviews with former employees) or be ordered by the court to produce specific documents or information on Swiss territory, Art. 271 SPC may be violated if you obtain and produce such evidence; in such cases, you should get legal advice from a Swiss law firm with experience in such situations. The violation of Art. 271 SPC can be sanctioned criminally and this is no idle threat (see, for instance, the decision of the Federal Tribunal of November 1, 2021, 6B_216/2020).
You should check whether the production of documents and information would violate any third party business secrets you are required to maintain. This, again, could violate Swiss law, as there is no general exception that permits you to disclose such information in foreign proceedings. Of course, if the confidentiality clauses and NDAs at issue contain implicit or explicit exceptions that permit you to disclose information in such cases, then this is no problem. If not, you should obtain consent from such third parties to disclose the information or redact the documents to an extent sufficient to protect the secrecy interests of the third parties. Failure to do so could be a crime under Swiss law (Art. 162 and 273 SPC, whereas Art. 273 SPC only applies in cases where the third party is considered part of the Swiss economy). If in addition to "normal" business secrets the company is also subject to professional secrecy (e.g., banking secrecy), additional provisions have to be complied with, which we are not elaborating here; the following steps are drafted for companies who are not subject to professional secrecy.
From a Swiss data protection point of view, collecting documents within your company so that they are preserved for the purposes of the (pending) litigation is not an issue. However, you should inform custodians about the fact that their data is being collected and may have to be produced for the purposes of the litigation once this is feasible. This notification can usually be combined, or made, in conjunction with the legal hold notice you may (or have to) issue. Against this background it is advisable to already provide for such activities in the company's policies; this way, employees are already informed about what can happen with regard to their personal data. Note that under Swiss data protection law, not only private data is protected, but also business data and documents that refer to an employee in an identified or identifiable manner.
Before you send the documents and information you have collected to the US, the data protection principle of "proportionality" requires that you remove irrelevant documents and information, so that you only transfer documents and information that are likely relevant with regard to the discovery (as opposed to all documents collected from a particular employee). This means that documents have to be reviewed in order to determine which are actually responsive.
The same principle of proportionality also requires that when discussing the scope of the discovery with the opposing party (meet and confer), you should limit the scope to what is really necessary for the case. Overbroad discovery requests may violate data protection law. Before documents and information are produced, they will have to be reviewed for relevance and private data (i.e. non-business related information of employees). Irrelevant data (in particular involving third parties) and private data will have to be removed or redacted. If there is particularly sensitive personal data (e.g., health data), you may have to consider redacting it as well.
Make sure you have sufficient time for doing the foregoing (e.g., by agreeing on a rolling production). A typical setup is that the documents are collected in Switzerland and hosted with an eDiscovery provider in Switzerland. The review of likely relevant documents and information may be done from the US (e.g., by remote access). Depending on the specific circumstances, either before or after the relevancy review, a Swiss secrecy and privacy review is undertaken for the purpose of redacting the information in the documents that you are not allowed to produce to the opposing party even if you put in place protective measures (in order to satisfy the requirements discussed in the steps 2 and 5 above).
Before transferring documents and information to US counsel, US eDiscovery provider, a US affiliate or other third party, you need to undertake certain steps to ensure that the personal data contained in the documents and information remains adequately protected from a data protection point of view. Data protection law also requires that you, as the Swiss company, maintain control over what will happen with the documents and information provided (including the decision as to when to produce documents to the opposing party) and that there are adequate technical and organizational measures in place to prevent unauthorized use or other processing. Practically speaking, this means that the documents are to be stored securely, remain confidential and are used only for the purpose of the legal dispute. The General Data Protection Regulation (GDPR) has similar requirements.
Usually, the necessary level of protection is achieved by entering into a "data transfer agreement" with US counsel (or other parties who will receive or gain remote access to documents and information). If you transfer (which term includes making available by remote access) documents and information among affiliates, you may already have an intra-group agreement in place that "takes care" of such transfers. Otherwise, in particular vis-à-vis US counsel, you will typically enter into EU Standard Contractual Clauses (EU SCC) with them, which is a set of contractual clauses that has been developed and approved in June 2021 by the European Commission for transfers of personal data to countries that do not provide for an adequate level of data protection. The EU SCC are also recognized under Swiss data protection law, provided they are amended in a certain way; until 2023, their use also needs to be notified to the Swiss data protection authority. The EU SCC are not attractive for recipients of personal data, but they are nevertheless accepted worldwide. Note that the parties are not allowed to modify them (see our extensive and free FAQ on the EU SCC). The conclusion of the EU SCC alone is not sufficient, though. Swiss data protection law (and the GDPR) also requires that the parties perform a "Transfer Impact Assessment" (TIA), which is an analysis of the risk of foreign lawful access (considering only those forms of lawful access that appear problematic from an EU point of view). You may transfer documents and information to the US only if the risk is small enough in the specific case (see our free template for performing such TIAs); in practice, however, this is usually not an issue (we discuss this in our FAQ, too).
In principle, the EU SCC would also have to be concluded with opposing parties to whom documents and information are to be produced as part of a pre-trial discovery. However, in the context of a litigation, this is usually not possible. The same is true if documents are to be provided to a foreign court. In such situations, under Swiss data protection law (and the GDPR), you can rely on a statutory exemption rule that permits you to transfer to countries such as the US any documents and information that are required as evidence in a foreign litigation to defend yourself or prove your claims. This also applies to document productions for pre-trial discovery. That said, you have to make sure that the documents and information produced will not be used for any other purpose than for the litigation, and that they remain confidential. To achieve this, you should prior to producing any documents have a corresponding "protective order" put in place. This legal instrument is well known in the US for protecting business secrets. For the present purposes, it has to be expanded to also cover all personal data contained in the documents and information produced, even if not a business secret. In other words, personal data will be protected as if it were a business secret. The protective order also needs to deal with certain other data protection related aspects. This approach is now well established in the US and should not represent a problem if raised early enough. For more information and a model protective order covering data protection aspects, see the "International Principles on Discovery, Disclosure & Data Protection" published by The Sedona Conference's Working Group 6 on International Electronic Information Management, Discovery and Disclosure. US counsel will usually be familiar with The Sedona Conference.
If the above rules are not complied with, this may have civil, criminal and administrative consequences. Data subjects may assert damages or other claims based on the violation of their personality rights (under Swiss data protection law) by way of civil lawsuits. In addition, the Federal Data Protection and Information Commissioner may intervene, as he did, for example, in the case of the tax dispute between the U.S. and Switzerland (cf. his comments on the transfer of bank employee data from 2013). In regulated industries (e.g., the financial services industry), the regulator (e.g., FINMA) may also intervene. If secrecy obligations are violated, this can lead not only to civil law sanctions but also to the criminal liability of responsible individuals, be it for the violation of business secrets (Art. 162 SPC), due to the violation of professional secrecy obligations (e.g. Art. 321 SPC, Art. 47 Bank Act) or for economic espionage (Art. 273 SPC). Under the revised Data Protection Act (revDPA, expected in 2023), professional secrecy obligations will be extended to all professions (Art. 62 revDPA); the disclosure of personal data abroad in wilful disregard of the requirements of the revDPA on data exports will also be punishable by up to CHF 250,000 (Art. 61 revDPA), as will the outsourcing to a data processor without the necessary contract in place (ibid.). Finally, Art. 271 SPC must be observed: If this provision is violated intentionally, the offender faces up to three years imprisonment or a fine.
This may not only be triggered by producing evidence on Swiss soil for a foreign proceeding under the threat of sanctions, but also in other cases where the production effectively deprives the persons affected of the protection of Swiss law, even where such data is produced voluntarily; according to the most recent case law of the Federal Tribunal, supplying data in violation of Swiss data protection law or of a contractual secrecy obligation may already be sufficient to trigger the provision; according to the Federal Tribunal, only the supply of data that the company can freely dispose of is permitted (cf. Federal Tribunal decision of November 1, 2021, 6B_216/2020). In the case of data of employees, it must be examined, for example, whether the disclosure of their personal data exposes them to a disadvantage.
If you also read German and want to learn more about how to handle internal investigations and eDiscovery, please download a copy of our comprehensive practice manual on the subject or order a printed copy from us (free of charge).
Author: David Rosenthal
Categories: Employment Law, Banking & Finance, Data & Privacy, Investigations & eDiscovery, Litigation and Arbitration