CD: How does the current data privacy landscape present challenges for cross-border confidentiality?

Lubbock: Within the European Union (EU), the data privacy landscape is governed by the General Data Protection Regulation (GDPR), whereas rights of confidence in information, which may or may not be personal data, are governed by the laws of Member States which have or will be, to some extent, harmonised by the requirements placed on Member States by the Trade Secrets Directive. Confidential information may include personal data and some personal data may be confidential. A challenge which many organisations face has been caused by the failure to appreciate the important distinctions between the two and the rights and obligations associated with each. This can be exacerbated in cross-border transfers where the transfer of personal data is heavily regulated, whereas the transfer of confidential information, which is not personal data, is generally not.

Ridgway: The increased focus on data privacy poses a significant challenge to the bounds of cross-border transfers in US litigation and in other jurisdictions. Emerging data privacy regimes in the EU, Asia, Latin America and even some US states, complicate and in some circumstances bar, the transfer of data across borders in connection with a legal proceeding. The prospect of conflicting obligations is heightened, moreover, with passage of new extraterritorial production laws, such as the US’s Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the UK’s Crime (Overseas Production Orders) Act (COPO Act). Courts in the US and elsewhere will continue to wrestle with these overlapping legal regimes, balancing the need to facilitate data transfers against the need to protect personal privacy.

Jul-Sep 2019 issue

Brown Rudnick LLP

Freshfields Bruckhaus Deringer

FTI Consulting

Skadden, Arps, Slate, Meagher & Flom LLP