Cross-Border E-discovery: Navigating Rules and Regulations Across Multiple Jurisdictions

Cross-Border E-Discovery: Navigating Rules and Regulations Across Multiple Jurisdictions.Kenneth N. Rashbaum, Esq.

Session AgendaPrivacy and data protection concepts beyond the U.S.How they affect ability to gather electronic evidence for U.S. litigation, regulatory proceedings and business processesRecent developments in privacy and data protection: Tightening (Spain and France) and loosening (U.K.) of barriers to transfer personal data outside the E.U.Practical suggestions for collection, review and disclosure or discovery of offshore data

CaveatsInconsistencies between countries: Privacy and data protection laws vs. need to expedite global business; historical antecedents that inform privacy and data protectionMany gray areas:Protections can differ between countries and even provincesLaw is evolving(2/11/09 Article 29 Working Party Document; Christopher X (France); Digicel (U.K.); the Sedona Conference® Framework for Analysis, cited by European Commission); Cloud issues

Data Transfer and DisclosuresData retention and disclosure rules vary by:Region (EU), Country (enabling legislation), and Sometimes province or state within a country (German Lander, for example)Key Concept: “Personal Data” is protected. Emails are personal data, as they can be traced to an identifiable individual

Cross Border Laws: The E.U. Privacy FloorEU Data Protection Directive (95/46) - Member nations must implement laws to restrict all manner of “processing” of “personal data” meaning “any information relating to an identified or identifiable natural person” (see EU Directive Article 2)Prohibits transfer of personal data outside the EU unless the country to which it is transferred provides “adequate protection” of personal data (EU Directive Article 25)Only Canada, Argentina, Switzerland and Israel meet E.U. “adequate protection” standard

E.U. Data ProtectionRule: Any transfer of personal data to a third party requires a justification and – in case of countries outside EEA – additional safeguardsThe concept of “pre-trial discovery” is unfamiliar to most EU countries (except UK)Rule: Each party may use only own documents as evidenceThese legal and cultural differences are relevant in the data protection assessmentConsent may be of doubtful validity in some countriesStatutory exemptions“Transfer necessary to safeguard legitimate interests of parties to litigation and no overriding interests of affected individuals”“Transfer necessary for exercise or defence of legal claims in court”

Don’t Assume U.S. Terms Have Same Definitions Elsewhere“Privacy Law” in U.S. = “Data Protection” in EU“Data Subject” is usually an individual but can also be a legal entity (Italy)“Data Processing” can be storage or mere accessing of data. Preservation (litigation hold) may be considered processing if it involves manipulation of data, such as moving data to a secure server or even preserving in place “Discovery” in U.S. = “Disclosure” in civil law jurisdictionsE-Mail in U.S. is “Personal Data” in EU and elsewhere

Discovery vs. DisclosureCommon Law Jurisdictions: wide-open pre-trial exchange of informationUS: Fed. R. Civ. Proc. 26(b): “discoveryreasonably calculated to lead to admissible evidence”

Discovery vs. Disclosure (cont’d.)Civil Law Countries: Disclosure limited to trial evidenceGermany:Litigants not required to produce documents Need only produce to court that which supports its litigant’s caseJudge decides whether to order document produced to adversaryFrance: Must disclose but only those documents that are admissibleJudge decides relevance and admissibility

Privacy Laws With Criminal LiabilityBlocking statues prohibit transfer of economic, commercial or technical data for use in foreign judicial proceedings.Personal nature of the data not relevantFrance and Venezuela (general); Switzerland (banking); limited blocking statutes in Canada, U.K., South Africa, RussiaPrivacy statutes have criminal penalties in Switzerland, Italy (recent Google conviction) and Venezuela

South America: Habeas DataConcept of Habeas DataA constitutional right first embodied in Brazil’s new constitution, 1988. Followed by Paraguay (1992), Peru (1993), Ecuador (1996), and Colombia (1997)Individual can obtain information on what data are kept on him/her, and request corrections, amendments or destructionArgentina and Chile have EU-style data protection Argentina is one of four countries EU considers equivalent in privacy protection

South America: Habeas Data (cont’d.)Be aware of local variations in this concept and data protection

Example: Not all countries permit request for destruction (in effect, precluding disclosure in litigation or investigation)

Real-World Consequences: Adverse inference instruction accepted rather than violate privacy provisions with criminal sanctions

Lyondell-Citgo Refining LP v. Petroleos de Venezuela, S.A., 2005 WL 1026461 (S.D.N.Y. 2005)JapanJapan’s Personal Information Protection Act of 2003:Rule: Consent required for transfers of “personal information” to third-parties (Art. 23, Par. 1)Data subject may request his/her personal data and must be provided an opportunity to correct, supplement or delete it (Art. 26)Entity holding personal data must specify the purposes of its use (Art. 15, Par. 1)Data subject may request cessation of use of the data f the data is used beyond the purposes in the Notice (Art. 27)

Disclosure and Discovery in AsiaKorea: Rule: Data to be deleted when no longer needed for intended purpose of processing (APPII Art. 17 (3).Data needed later for U.S. litigation may no longer exist, resulting in sanctions (cf., Adams v. Dell, re Taiwan)Australia: Practice Note 17 (meet and confer)Hong Kong: Practice Direction 5.2 (exchange of documents)Singapore: Direction No. 3 (discovery of electronic documents)

Hague Convention vs. FRCPThe five factor test in The Restatement (Third) of Foreign Relations Law Section 442(2)(a) is :“Relevant to any comity analysis . . . .” In determining whether federal courts should utilize Hague procedures rather than the Federal RulesSociete Nationale Industrielle Aerospatiale v. Iowa U.S. District Court, 53 U.S. 522, 556 (1987).

Five-Factor TestSignificance of the discovery/disclosure to issues in the caseDegree of specificity of requestWhether the information originated in the jurisdiction from which it is being requestedAvailability of alternative means of securing the information sought in the discovery/disclosure requestExtent to which noncompliance would undermine the foreign sovereign’s interest in the information requested

FRCP Presumption May Be Changing – Or NotUntil 2008: Most U.S. courts held that the Federal Rules were to be followed, in the face of Protective Order motions citing Blocking Statutes, on the ground that these provisions were rarely enforced. See, Straus v. Credit Lyonaisse, 242 F.R.D. 199 (E.D.N.Y. 2007)January, 2008:In re Avocat Christopher X: French Supreme Court affirms criminal conviction arising from California Executive Life litigationBut see, In re Global Power (2009):Delaware court holds no real threat of Blocking Statute enforcement (without citing Christopher X). Contra: In re Payment Card (EDNY)

Hope for Common Ground?European Commission Working Party 29 “1/2009 Working Document” On Pre-Trial Discovery For Cross-Border Civil Litigation” (WP158):Acknowledges need for understanding between common law and civil law jurisdictionsCNIL Opinion August 2009 on data transferWorking Document 158 cites, in several places, The Sedona Conference® Framework for Analysis of Cross-Border Discovery Conflicts (available at www.thesedonaconference.org)Sedona International e-Discovery Best Practices Commentary is in draft

WP 158: Minimizing the Intrusion?Filtering activities before disclosure in U.S. is to be carried out in Europe (p. 11)Separate infrastructure required (hardware + software)Filtering carried out by independent trustee instead of other parties (p. 11)Redaction of “sensitive” personal data and irrelevant material (requires input of U.S. counsel)Anonymizing personal data in a first step if practicableEarly involvement of internal data protection officers (p. 11)See Also, CNIL (France) Opinion August 2009 by same author

U.S. - Form Legal Hold in Europe? Not So Fast“There may however be a further difficulty where the information is required for additional pending litigation or where future litigation is reasonably foreseeable. The mere or unsubstantiated possibility that an action may be brought before the US courts is not sufficient.” (WP 158 at 8; emphasis supplied)

There’s MoreMany countries (i.e. Brazil, Korea, Japan) require deletion of personal data after the purpose for which it was collected has been completedConcept of “Discovery” does not exist in Civil-Law jurisdictions. Preservation for discovery, then, is an alien conceptBroad US-style legal hold notice offends Civil-Law concept of narrowly-tailored disclosureTracking legal holds, where names of custodians and their responses are forwarded to US, may violate local E.C. privacy directive enabling legislation

Best Practices: Path Through the ThicketAssemble the legal hold team: Local counselExperienced US counselLocal IT/records management resources and counselTailor the legal hold notice and scope to local requirements

Further Along the Path Through the ThicketFor Defensibility: Assess how tracking hold notices may be accomplished in compliance with privacy laws while meeting Pension Committee, ER. AL., standardsBe Proactive: Raise preservation issues with adversaries and court earlyRemember the Left Side of the EDRM: Design information governance protocols with potential for US discovery Obtain interdisciplinary assistance in drafting these protocols

What are Permissible Cross-Border Transfer Methods?Consent of Data Subject/Notice (where permissible) U.S. Safe Harbor:Certification that entity will abide by certain privacy principlesApproved by all EEA statesYearly re-certification requiredModel Contract Clause Agreements: EC Privacy Protocol ClausesBinding Corporate Rules: Global code of conduct (recently approved as “toolkit”) by EC*Caveat: May not suffice for personal data used in litigation (i.e., Blocking Statutes)

The CloudNIST Definition: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of three service models, four deployment models, and five essential characteristics.”

Cloud: English DefinitionComputing services available from anywhereApplications are accessed from the Internet; use can be meteredApplications and/or storage reside outside the four corners of the machine

Cloud: Whose Law Applies?Answer: UnknownIn cloud, server locations are not known; servers may be in many locationsData is often in many places simultaneously; many countries may claim their laws applyeBay Canada and eBay CS Vancouver, Inc. and Minister of National Revenue, 2007 FC 930.“The data may be both here, and there.”

Discovery of Cloud Data Originating Outside USPrivacy laws, data protection laws and blocking statues may impede discoveryServer locations may be an issue.See, Columbia Pictures v. Bunnell (data with company in Netherlands but servers in U.S.)Germany:DPA of Schleswig-Holstein announced sending data to cloud violates German Data Privacy Act unless servers are within borders of Germany

Collection and ReviewHow collect data from the provider?Does the SLA provide for collection methods and timing? Examples: Format (Native vs. TIFF), metadata preservationIdentification of data and search modalitiesWhere will the review be conducted? Restrictions apply to unfiltered personal data in the European Union and elsewhereEvidentiary Issues: Foundation for ESI

Additional ConcernsComplex pre-trial discovery slows down the caseJudges frequently have outdated equipment, reduced staff and little real-world experience with ESI“The technology of the digital revolution is forbidding to most lawyers, who after all went to law school because they could not do math or science.” Goode, Steven, The Admissibility of Electronic Evidence, 29 Rev. Litig. 1 (2009)Most lawyers as a result, DO NOT ADEQUATELY EDUCATE THE COURT; they do not give the court the basis for favorable rulings

So Now What? Plan Before CollectionWhat is needed? Where is it (Cloud? Servers? Laptops?)Is it protected?Are there data protection agreements?What are the language issues?Permissions/notifications needed?Is it here already and, if so, is onward transfer permitted?Where should data room be established?What are the protocols needed for on-site initial review?

So Now What?Assemble the Collection TeamClient representatives in U.S. and host countryLocal counselExperienced cross-border discovery U.S. outside counselThird-party consultantMake the process defensible here and in the host countryLocal counsel should advise whether local data protection authority requires permission, notice, or neitherThere will usually be some risk but, with adequate protocols and documentation of process, it can be reduced to an acceptable level

Cross-Border E-discovery: Navigating Rules and Regulations Across Multiple Jurisdictions

More Related Content

Viewers also liked (20)

Similar to Cross-Border E-discovery: Navigating Rules and Regulations Across Multiple Jurisdictions (20)

Recently uploaded (20)

Cross-Border E-discovery: Navigating Rules and Regulations Across Multiple Jurisdictions