Bloomberg Law

Balancing Cross-Border Discovery and Data Protection

Aug. 24, 2015, 4:04 PM

Editor’s Note: The author of this post works at Xerox Litigation Services, an eDiscovery company.

By Gabriela P. Baron, Xerox Litigation Services

Navigating the murky waters of cross-border discovery can be challenging given the myriad of data privacy laws that organizations must adhere to — none of which consider the U.S. rules of civil procedure or demands for compliance within the investigative mandates of regulatory agencies. Therefore, entities that store data abroad must balance their discovery obligations against the risk of penalties for violating foreign data protection statutes.

Recent overseas developments in the data privacy arena make achieving this balance even more complicated.

  • EU: This summer, negotiations commenced between the Council of the European Union, the European Parliament, and the European Commission over the proposed EU General Data Protection Regulation. If approved, the law will supplant an inconsistent patchwork of laws among the 28 EU nations and require U.S. organizations doing business abroad to obtain consent before collecting or processing data; it may also obligate them to appoint a data protection officer.

  • France: Earlier in 2015, the French data protection authority (CNIL) simplified its data transfer policy. Now, instead of having to seek approval for every transfer of data outside the EU, organizations that adopt binding corporate rules — policies that establish a requisite level of data protection — can submit a “compliance commitment” on the CNIL website.

  • Australia: Australia limits the transfer, without consent, of personal information or opinions that make someone’s identity apparent or reasonably ascertainable. Data recipients must also have a law or contract that mimics Australia’s data privacy rules.

  • Hong Kong: Although Hong Kong is one of Asia’s earliest adopters of data privacy regulation with the Personal Data (Privacy) Ordinance that came into force in 1996, enforcement activity was marginal until recent data privacy incidents led to a revamp of the regulatory regime in 2012 and a subsequent increase in enforcement actions. In late 2014, Hong Kong published a guidance note which would restrict the exports of personal data from Hong Kong. The ordinance requires organizations to inform data subjects (i.e., custodians) about the purpose of data collection and to adopt sufficient measures to protect that data.

  • China: China’s already restrictive data transfer regime was further restricted in March 2015, when Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers went into effect. The law requires organizations to safeguard consumer personal information, defined as “name, gender, occupation, date of birth, identification card number, address, contact information, status of income and assets, health status, and consumption habits.” China also has a series of data protection and secrecy laws that operate like blocking statutes, forbidding the cross-border transfer of documents that contain “state secrets” as well as confidential commercial information.

To mitigate the risk of violating these laws while collecting, processing, and reviewing data for use in discovery, U.S. organizations should take several precautions before litigation or investigations arise.

  1. Know your data.

Create a comprehensive data map that identifies the organization’s data types and their locations. Not only will this expedite searches for pertinent information, but it can also demonstrate a need to invest in special processing or review tools to handle data that is stored in unusual software formats, that includes unusual or non-standard metadata fields, or that will require specialized password-cracking or decryption capabilities.

  2. Make inroads with the local data protection authority.

Depending on where your data resides, you may be able to establish a protocol that demonstrates compliance with the country’s data privacy regime. For example, organizations with data in France should establish binding corporate rules. Companies doing business in Asia should apply to the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System. It is well worth researching the rules specific to each geographic region and determining ways to establish broad compliance across various business units.

  3. Choose state-of-the-art review tools.

The better the review tool, the more efficient and defensible the results. If your review platform includes predictive analytics, such as technology-assisted review and conceptual analysis, you can streamline review and isolate telling linguistic and behavioral patterns. Foreign documents may require specialized functionality to handle foreign language alphabets, spacing and character idiosyncrasies that otherwise render it difficult to index or review documents.

  4. Think global, but act local.

To avoid triggering data privacy laws, keep data projects on-site. Retain an eDiscovery vendor with regulatory experience, language fluency, and industry expertise. Vendors that offer “backpack” discovery models provide on-site support for collection, processing, review preparation, production, and project management.

Given the increasing rate of globalization and risk of regulatory action, the likelihood that organizations will have to contend with cross-border eDiscovery has never been greater. Organizations that adopt a proactive posture will be well positioned to meet their discovery obligations as well as avoid costly compliance errors.