As with so many subjects, cross-border discovery has many aspects to cover, and it is sometimes helpful to pull out a sub-set and look at it on its own.
A helpful page on the European Commission Justice website called “Collecting and Processing of Personal data: What is legal?” focuses narrowly on the circumstances in Article 7 of the 1995 Data Protection Directive in which the collection and processing of personal data of individuals is legitimate. For those who want the full version, the text of the relevant parts of the Directive is here.
The ones which cause trouble are the third and sixth in this summary list, that is, c) and f) in the actual Directive.
c) If processing is required by a legal obligation
f) If the data controller or a third party has a legitimate interest in [the collection and processing]
The last one carries its own restrictions by making it clear that the “legitimate interest” referred to must be balanced against the interests of the individual – the precise words are “except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject”.
The third one, compliance with a legal obligation, gives rise to the hope that the “legal obligation” to comply with a US discovery request is enough to legitimise any data processing. It does not. For one thing, the legal obligation must be one to which the data controller is subject, and not all discovery demands impose such an obligation on the data controller.
More importantly, these criteria for making data processing legitimate are not exceptions to the general protection given by Article 6 of the Data Protection Directive (though they are sometimes described as such). Even where the discovery demand appears to impose an obligation on the data controller, it does not oust his obligations under Article 6 which, for example, refers three times to “the purposes for which the data were collected”, providing expressly that data must not be “further processed” in a way “incompatible with the original purpose”.
That refers to the original collection, whose purpose will rarely have been for compliance with the present discovery demand. The “legal obligation” clause does not entitle companies to ignore for discovery purposes the basic principles which apply to all data processing.
I will stick to my expressed intention to keep this simple. If you want a fuller explanation of the inter-relation between Article 6 and Article 7, CyberMatron’s article called “Curbing unwholesome desires” spells it out. The context is the information which can be obtained from ISPs rather than eDiscovery, but paragraphs 8 and 9 are worth reading for their wider implications.