How data delivery from Switzerland works

Data Protection in US Civil Litigation

• Voluntary data deliveries from Switzerland are generally permissible
• Data protection requires a “Protective Order” in the USA
• Private data and trade secrets of third parties must be blackened

“Pre-trial discovery” is a standard procedure in US civil litigation: The parties exchange data and documents that may concern the case – i.e. e-mails, files, paper documents, chats, server logs, etc. – with each other before the trial. Again and again, it happens that data and documents from Switzerland must also be supplied, whether because a Swiss group company is involved in the dispute or it keeps the data or because a Swiss company is directly involved in the US legal dispute.

In this situation, we repeatedly have clients who ask us whether they are allowed to provide data and documents from Switzerland to their US lawyers and the other side. The short answer is: In the context of a pre-trial discovery, this is usually possible, as long as the data protection and trade secrets of third parties are observed. We have compiled the most important points that normally need to be considered. The same applies to data deliveries within the framework of the GDPR.

If the following measures have been taken, Swiss law generally allows data and documents to be collected, stored, viewed, and released for the US civil proceedings of a company (and for other companies):

1.To put it simply, Article 271 of the Swiss Criminal Code (StGB) prohibits working for a foreign court or authority on Swiss soil. In such cases, either a permit from the federal authorities must be obtained or legal or administrative assistance must be claimed. A taking of evidence for foreign court proceedings can be a case of Art. 271 SCC. In the “pre-trial discovery” phase, however, Art. 271 SCC usually does not pose a problem, which is why legal assistance can be dispensed with. However, should it become necessary to obtain documents or information that are not already in the possession of the company concerned (e.B interviews with former employees) or if the foreign court orders that certain documents or information must be submitted on Swiss territory (in particular under threat of criminal or quasi-criminal sanctions), Art. 271 SCC may be violated by a delivery of evidence and there are other precautions necessary; for this purpose, legal advice should be sought from a Swiss law firm with experience in this field. A violation of Art. 271 SCC can be sanctioned under criminal law. Such cases occur (see, for example, the decision of the Federal Supreme Court of 1 November 2021, 6B_216/2020).

2.It should be examined whether the disclosure of documents and information would infringe trade secrets of third parties which the company is obliged to protect. Otherwise, this may also violate Swiss law, as Swiss law does not provide for a generally applicable exception in favour of the submission of evidence in foreign civil proceedings. There is no problem where the relevant confidentiality agreements and NDAs explicitly or implicitly provide for exceptions that allow disclosure of information in legal proceedings. In the absence of such exceptions, the consent of the third parties concerned should be obtained before the documents are disclosed or the information in question must be blacked out accordingly, provided that the confidentiality interests of the third parties are sufficiently safeguarded. If this is not done, those responsible can in turn be prosecuted (Art. 162 and 273 SCC, whereby Art. 273 SCC is only relevant if the third party concerned is regarded as part of the Swiss economy). If, in addition to “normal” trade secrets, professional secrets are also affected (e.B. banking secrecy), additional rules must be observed, which we will not discuss further at this point; the following explanations apply to companies where this is not the case.

3.From the point of view of Swiss data protection, it is unproblematic if documents are collected within a company and kept available for a (possibly) legal dispute. However, employees should be informed as soon as possible that their data has been collected and may need to be disclosed as part of a legal dispute. This information can usually be provided as part of the “legal hold notice”, which is also part of the standard procedure of a dispute under US law. Against this background, it also makes sense to provide for this case in the company’s internal instructions; in this way, employees are already informed about what can happen to their personal data. Swiss data protection law protects not only private data, but also business data in which the identity of the employees concerned can be determined or determined.

4.Before the collected documents and information are transferred to the United States, irrelevant documents and information must be removed according to the principle of proportionality, so that only documents and information that are suspected to be relevant to the investigation are transmitted (as opposed to all documents seized in the company, for example, of an employee). This means that the documents must be viewed and the relevant documents sorted out.

5.The same principle of proportionality also requires that if the scope of the documents to be supplied is discussed and determined with the other party (so-called “meet and confer” meetings), this is limited to what is really necessary for the case. Excessively far-reaching demands for restitution can violate data protection law. Before documents and information are released, they must be checked for relevance and private data (i.e. non-business-related information of employees). Irrelevant data (especially concerning third parties) and private data must be removed or blacked out. In the case of particularly sensitive personal data (e.B. health data), it may also have to be blacked out.

6.It must be ensured that sufficient time is planned for the implementation of the aforementioned measures (e.B. by agreeing on a “rolling” release). As a rule, the documents are collected in Switzerland and hosted by an eDiscovery provider in Switzerland. The verification of the presumably relevant documents and information can be carried out from the USA (e.B. by remote access). Depending on the case constellation, a review is carried out before or after the documents are reviewed with regard to their relevance in order to protect secrecy and data protection in Switzerland. This aims to blacken the information in the documents that may not be released to the other party regardless of further protective measures (so that the requirements listed above from points 2 and 5 are met).

7.Before documents and information are transferred to a U.S. attorney, u.S. eDiscovery provider, U.S. subsidiary, or other third party, certain additional steps must be taken to ensure that the personal data contained in the documents and information remains adequately protected from a privacy perspective. Data protection requires that a Swiss company retains as far as possible control over the documents and information issued (including the decision as to when documents of the other party are issued) and that appropriate technical and organizational measures are taken to prevent unauthorized use or other processing. In practice, this means ensuring that the documents are kept secure, kept confidential and used only for litigation. The General Data Protection Regulation (GDPR) has comparable requirements.

8.Typically, the required level of protection is achieved by entering into a data transfer agreement with its own U.S. attorneys (or other parties to whom documents and information are to be given or who are to be given remote access). If it is intended to pass on documents and information within a group (even remote provision would be one), it may be possible to use an existing intra-group agreement for such data flows. Otherwise, the EU Standard Contractual Clauses (EU SCC) must be concluded, in particular with US lawyers. This is a set of contractual clauses drafted and approved by the European Commission in June 2021 to allow the transfer of personal data to countries that do not provide an adequate level of data protection. The EU SCCs are also recognised under Swiss data protection law if they are amended in a certain way; their use must be reported to the Swiss Data Protection Authority by 2023. Although most recipients of personal data will not find the EU SCC attractive, they are accepted worldwide. It should be noted that the parties are not allowed to change them.  However, it is not enough just to conclude the EU SCC. Swiss data protection law (and the GDPR) also requires the parties to carry out a “Transfer Impact Assessment” (TIA). The risk is assessed that the data will be tapped abroad by a foreign authority and that this “lawful access” does not meet the requirements for access to authorities under European law. Documents and information may only be transferred to the U.S. if the risk is low enough in individual cases. In practice, this is usually unproblematic; we also comment on this in our FAQ.

9.In principle, the EU SCCs would also have to be concluded with the counterparties, which are to be provided with documents and information as part of a “pre-trial discovery”. In the context of a legal dispute, however, this is usually not possible. The same applies if documents have to be transmitted to a foreign court. In such a situation, under Swiss data protection law (and under the GDPR), it is possible to invoke a legal exception that allows documents and information to be transferred to countries such as the USA as evidence for the purpose of defending or asserting legal claims. This also applies to the transmission of documents as part of a pre-trial discovery. However, it must be ensured that the documents and information issued are not used for purposes other than the dispute in question and that they remain confidential. To achieve this, a “protective order” should be obtained before the release of documents. This legal instrument is well known in the USA for the protection of trade secrets. For the purposes at hand, it must be adapted to cover all personal data in the documents in question, even if they are not considered to be trade secrets. Personal data is therefore protected in the same way as trade secrets. The Protective Order must also address certain other privacy-related aspects. This approach is now well established in the USA and should be easy to implement if it is addressed at an early stage. Further information and a model protection order covering data protection aspects can be found in the“International Principles on Discovery, Disclosure & Data Protection” published by the “Sedona Conference’s Working Group 6 on International Electronic Information Management, Discovery and Disclosure”. U.S. attorneys tend to be familiar with The Sedona Conference.

By David Rosenthal, Vischer, Switzerland, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact switzerland@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.