How To Approach The Conflict Between Data Privacy Laws And Cross-Border E-Discovery

Cross-Border Discovery Is on the Rise, and So Are Violations of Data Privacy

In today’s expanding global economy characterized by the rapid advancement of technology, information is increasingly shared more easily and readily across international borders. While there are innumerable advantages to such advancement, it simultaneously poses certain legal challenges. The simple act of sharing information across national borders, even when shared unwittingly, can violate data protection laws in any number of countries in which an organization operates.

When a multinational organization is responding to discovery requests as a result of litigation, government inquiries, or performing internal compliance audits, there is substantial risk of violating data protection laws as data is moved back and forth across borders. Understanding data protection in the context of a cross-border investigation, and in particular the process of electronic discovery, can help organizations contain an investigation and prevent criminal violations.

Discovery is the act of gathering evidence in response to a document production request in civil and criminal litigation or government driven investigations. It is a common law related process that is alien to many originating and operating in a civil law jurisdiction. Most commonly initiated through subpoena or a discovery request for document production by opposing counsel, discovery involves the process of securing and sifting through potentially relevant information to identify the pertinent pieces and submitting it to the other side.

Electronic discovery, or e-discovery, is the same process of discovery applied to electronic data, often referred to as electronically stored information, or ESI. Typically, an independent third party advisor or vendor is required to perform the steps necessary for collecting and processing data during the e-discovery process. In recent years, as technology has played an increasing role in the day-to-day operations of international corporations, the focus of discovery has largely turned towards ESI and typically involves voluminous amounts of data. Not surprisingly, e-discovery has become a central component of cross-border investigations.

E-discovery’s emergence occurred during the last 10 to 15 years as electronic documentation, e-mail, and use of the internet became increasingly central to business operations. In the United States, further growth can be attributed to the amendment of the Federal Rules of Civil Procedure in 2006, which made it easier for courts and litigating parties to manage electronic records.

Worldwide, e-discovery is now a multi-billion dollar industry, resulting in an explosion in companies specializing in providing e-discovery support services. The United States, whose government has arguably the greatest influence over the industry, is also home to the single largest portion of this market, last measured in 2008 as a 90 percent market share.¹ The U.S. field has matured considerably over this time, and other nations have followed suit in their use of ESI as evidence in investigations. Yet, while e-discovery has seen tremendous growth in the United States and in other common law countries (such as Australia, Canada, South Africa and the United Kingdom), and has implicated European companies where common law disputes and enforcement have gained traction, the data privacy laws and regulations in these jurisdictions have remained divergent.

As an example of an investigation where the globalization of cross-border enforcement has complicated matters and multiple jurisdictions come into play, consider the case of BAE Systems, the United Kingdom’s largest defense contractor, which faced accusations of bribery in 2009. The allegations were investigated by the UK Serious Fraud Office, whose investigation encompassed BAE’s operations in multiple countries, including the Czech Republic, South Africa, Romania, and Tanzania. Because the allegation stated that some of the bribery payments had been funneled through U.S. banks, the U.S. Department of Justice (DOJ) also initiated an investigation of BAE. Under investigation by two governments, and subject to discovery in the additional countries encompassed by the proceedings, BAE was forced to navigate the highly divergent and complex data protection laws of a large number of jurisdictions. While the matter was ultimately settled for an amount exceeding U.S.$450 million, the case serves as a good example of how an investigation can be complicated by cross-border discovery.

U.S., EU Laws Often in Conflict

In the United States, with the exception of the constitutionally guaranteed reasonable expectation of privacy (provided by the Fourth Amendment to the U.S. Constitution), there are scant privacy and data protection laws. In contrast, this area is strongly regulated in Europe (by both the European Union and individual countries), as well as in South America and other regions.

Regulation and enforcement of data protection differs from country to country, but most follow the same basic principles: 1) there must be a valid purpose of accessing private information of individuals; 2) proper notice must be given to those individuals; 3) appropriate security must be provided to the potentially private information obtained; 4) individuals whose private data has been obtained must have access to ascertain what has been done with the information; and 5) an effective enforcement policy must exist for any violations to individual privacy. Since, in many cases, the laws prohibit the cross-border transfer of data, the implications for transatlantic e-discovery (and cross-border e-discovery more generally) can be significant.

For example, the EU Data Protection Directive of 1995 restricts the transfer of personal data to countries that have not implemented “adequate” safeguards to protect the information at hand. The European Union is particularly sensitive to the possibility of data being moved to the United States (which could occur for something as routine as processing or review), because, upon entry into the United States, the data would be subject to U.S. legal jurisdiction, where there is no single data protection law comparable to that of the European Union. In fact, many countries have blocking statutes that contain even more stringent laws concerning the transmission of data in response to foreign government and other enquiry. France, for example, has such a statute, which imposes criminal liability for exporting data requested during the course of foreign legal proceedings. In the United States, laws such as the PATRIOT Act or the “third party exception” rule, which limit an individual’s expectation of privacy under certain circumstances, are in direct conflict with these directives and statutes.

Numerous cases involving French organizations and U.S. law illustrate the stark contrast between various countries’ laws, as well as the complexity of cross-border e-discovery. In the 2007 case Strauss v. Credit Lyonnais
,
² the U.S. court ordered Credit Lyonnais to produce certain documents during discovery, despite knowing that the transfer of this data to the United States would violate French data protection laws. Regardless of clear and strict French and EU law, Credit Lyonnais’s French counsel ignored the Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (the Hague Evidence Convention), which provides formal procedures for data requests during foreign legal proceedings, and produced the documents without receiving approval from the French government (or consent from the French individuals whose data was in question). As a result of his actions, the attorney responsible was subsequently criminally prosecuted by French authorities for violating the country’s data protection laws, the French blocking statute, and French banking secrecy laws.

Other countries that employ data protection directives have also demonstrated the seriousness of their laws by issuing criminal sanctions or levying heavy fines when they are breached. In one example,³ Zurich Insurance in the United Kingdom outsourced data processing to a subsidiary in South Africa, which lost an unencrypted back-up tape containing the data. Zurich Insurance was fined £2.275 million (U.S.$3.62 million) by the UK Financial Services Authority (FSA) for data security failings, specifically having failed to adequately protect the data.⁴

In the United States, the Federal Rules of Civil Procedure give the courts the authority to demand information from other countries. However, they do not offer protection from penalties for violating laws in foreign jurisdictions. In some cases, the penalties have been effective in preventing the transfer of data, particularly when the penalties involve the possibility of imprisonment. Consider the 2005 case Petroleos de Venezuela, S.A. v.
Lynondell-Citgo Refining LP,
⁵ which provides a strong example of a defendant corporation declining to produce documents to avoid violating the Venezuelan blocking statute. The result of not producing this information was that the U.S. court inferred that the evidence would have been adverse to the defendant’s case (adverse inference). Yet, the defense chose not to violate the Venezuelan blocking statute, which would have resulted in fines and imprisonment had they produced the evidence.

It is common to outsource e-discovery work to an independent vendor that has the requisite technology, and it is assumed that these vendors comply with all data protection requirements. However, many vendors are not aware of data protection laws or simply ignore them and freely transfer data across borders without concern for the legal ramifications of their actions. This has resulted in fines. For example, in France, the authority for monitoring data protection, the Commission nationale de l’informatique et des libertés (CNIL), has investigated and fined several companies for violations of data privacy. Some relevant examples of CNIL activity include the following:

• in August 2011, CNIL launched an investigation into the Apple iPhone’s ability to collect users’ location data without their knowledge;

• in March 2011, CNIL fined Google Inc. €100,000 (U.S.$131,346) for having implemented its Google Maps, Street View, and Latitude services on the French territory; and

• in December 2006, CNIL fined Tyco Healthcare France €30,000 (U.S.$39,401) for improperly transferring employee personal data to Tyco’s headquarters in the United States.

Common Approaches to Managing the Conflict Between Data Privacy and E-Discovery

Organizations or e-discovery vendors that take into consideration data privacy and data protection laws typically respond to e-discovery requirements that span international borders by transferring data cross-border through one of several methods.

One method is to allow for data transfer under a “safe harbor” program. The only such programs developed to date are the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks. These frameworks were developed by the U.S. Department of Commerce in consultation with the European Commission and the Federal Data Protection and Information Commissioner of Switzerland. The purpose for creating the frameworks was to help facilitate the transfer of personal information across borders and, in particular, from the European Union and Switzerland to the United States. The frameworks include the Safe Harbor certification, which is a “self-certification” policy that requires the certified organization (which could be a multinational itself or a vendor) to adhere to a set of Safe Harbor privacy principles, including notice, choice, onward transfer, security, data integrity, access and enforcement.⁶

While the Safe Harbor program is promising in that it makes an important attempt to ease some of the legal burdens of cross-border data transfer, the use of Safe Harbor certification as an approach is problematic for several reasons.

The first is that Safe Harbor status is incredibly easy to obtain, because it is a self-certification process that requires no proof of program compliance and no mandatory due diligence or compliance assessments by independent third parties.

Second, the current Safe Harbor program pertains to data sharing only between either the European Union or Switzerland and the United States. Presently, there is no other Safe Harbor framework that addresses possible data transfer among other countries.

Third, the Safe Harbor frameworks are intended solely for companies that need to transfer internal data across borders for the specific purpose of storing customer information (that might pertain to a subscription or license). The certification does not address the various processing actions required during e-discovery, let alone in responding to a U.S. discovery request by a government body or opposing counsel in U.S. litigation.

Many companies might be under the false impression that simply signing up with a Safe Harbor framework will protect them against data privacy violations during an e-discovery exercise, when in fact it does not. Further, from a risk management perspective, it does not take into consideration that, once data is transmitted into the United States, it may become available for future litigation or investigation of unrelated litigation and investigation. In the 2010 Ninth Circuit case In re Grand Jury Subpoenas, the court held that a grand jury subpoena in a criminal proceeding has priority over a protective order in a civil case, and consequently the DOJ was entitled to pursue a criminal case against foreign liquid crystal display manufacturers using non-U.S. data produced in response to a discovery request in a civil antitrust litigation.⁷

Another method for data transfer is the Hague Evidence Convention. This convention provides formal procedures for responding to data requests during foreign legal proceedings. In essence, the convention designates how a member nation of the Hague Convention (or a contracting state) should request information and to whom the request should be made. The process requires that one contracting state must submit a “Letter of Request” (LOR) to another contracting state. Obtaining an approved LOR permits the transfer and processing of data.

However, courts are often reluctant to grant this type of request, and even if the request is granted, the process can take an impractical amount of time (often more than a year), which in most situations renders this solution inapplicable to e-discovery requests that have strict deadlines. For example, in the 2007 case Enron v. J.P. Morgan,⁸ the U.S. court held that the threat of the French blocking statute did not excuse a party from its discovery obligation nor did it warrant the invocation of the Hague Convention. The defendant was ordered to comply with its discovery obligations without delay (which the Hague Convention would have certainly created).

Other less common methods used for transferring data across borders include: 1) obtaining consent from all possible individuals who are the subjects of the data being transferred; 2) implementing “model contracts” that set out strict obligations between two organizations transferring data across borders; and 3) creating Binding Corporate Rules, which allow one organization to transfer data cross-border internally within the organization. These methods are problematic because they are either impractical, time-consuming or too restrictive for a proper e-discovery exercise. They are also very expensive for companies to implement, so that only the largest corporations can contemplate developing them.

A Local E-Discovery Advisor with International Experience May Be the Best Approach

It is clear that none of the current methods used to perform a cross-border e-discovery exercise provides a viable solution when one considers the risks associated with data privacy. As a result, the recommended approach should be to conduct e-discovery in the country where the data resides.

This process would require that the party responsible for identifying relevant data (or the party responding to a discovery request) perform this function within the relevant country whereby local counsel would use e-discovery tools to review and segregate the data. Once the relevant data has been segregated, there are several options available to accommodate the discovery request. Coordinating with the country’s local data protection authority would ultimately yield the appropriate method, for example, redacting any sensitive information on the segregated relevant data so that it can be transported out of the country or providing restricted access via the internet (but ensuring the physical location of the data remains in the country). This would allow organizations to avoid restrictions on the collection, processing, review, and transfer of electronic data. The company in question would then be able to maintain greater control of its data and e-discovery response and satisfy the local data protection authority.

Seeking assistance from an e-discovery advisor with international experience is also highly recommended.

In the event that a company would require assistance from an e-discovery advisor, the company should be diligent in the selection process, seeking out those who will provide considered, nuanced advice which results in efficient processing while adhering to data protection laws and blocking statutes. As such, companies should ensure that their chosen e-discovery advisor either has data processing facilities within the relevant country or offers a mobile solution that allows for data to be processed in its country of origin.

Further, to ensure that an e-discovery advisor is able to comply with the full scope of a data request, the e-discovery solution offered should meet the following technical requirements:

• be an automated and electronic solution, as opposed to an outdated manual method such as paper review;

• allow for rapid deployment (i.e., have the capability to be up and running within a few days);

• be capable of processing large amounts of data at an acceptable rate to allow early case assessment and review to begin as soon as possible;

• offer advanced search and analysis capabilities for early case assessment, initial data review and filtering and removal of irrelevant data;

• be Unicode compliant to handle multiple character sets (and, in particular, address more complex language character sets such as Arabic, Chinese, or Cyrillic );

• present language identification options to assist in segregating data for language appropriate reviewers; and

• provide a review interface that is intuitive and requires minimal or no additional software, an example of which is a browser-based solution.

Conclusion

Companies face particular challenges in complying with discovery requests and data protection laws, the violations of which could have monetary, reputational, business, and criminal consequences. Nonetheless, if organizations seek the best advice from sophisticated and experienced e-discovery advisors and implement the best acceptable practices and sound approaches, appropriate responses can be developed that balance the risks posed by conflicting legal requirements. An e-discovery advisor, expert in advising on and managing the discovery response to cross-border investigation and litigation, can make a profound difference to the success of a litigation, and help avoid any legal pitfalls related to data protection.

Greg Mason is a Partner and a Co-Founder of Forensic Risk Alliance, a litigation consulting firm that provides international e-discovery solutions, data protection advice, and forensic accounting services. He may be contacted at gmason@forensicrisk.com.