The Georgetown Law Advanced E-Discovery Institute: Cross-Border E-Discovery & International Data

15 November 2009

In June 2009 the Sedona Conference held it’s program Cross-Border eDiscovery and Data Privacy.  The Posse List was there and covered the event (click here).

The Georgetown panel was composed of several Sedona participants: James Daley, Kenneth Rashbaum, Lisa Sotto, Alexander Blumrosen and Christian Zeunert.

The technology and cultural challenges posed by cross-border discovery conflicts are many.  The challenge can be summarized as follows: with the globalization of business and the resultant flow of data across country borders, data sought in litigation, particularly litigation involving multinational corporations, increasingly includes personal information relating to employees, customers and/or clients that is located in foreign countries. A significant amount of that data is in the form of e-mails, which are recognized as personal data in most of the world other than the United States.

The dilemma confronted by corporate counsel involved in such litigation is whether to disclose personal information located in foreign countries with laws severely restrict the processing and transfer of personal data and risk being punished there with civil and/or criminal penalties; or to filter out the personal data and risk being sanctioned in the U.S. for incomplete responses to e-discovery requests.

U.S. courts have generally rejected the interests of countries with strict data privacy laws in shielding data located in their countries from discovery in U.S. proceedings.  Sanctions for failure to comply with a U.S. discovery order can be significant—including large monetary sanctions, witness preclusion and even dismissal.  Similarly, countries hosting personal data that is the subject of litigation in the United States have rejected the interests of the United States in obtaining such personal data as part of its broad discovery process.

This challenge is complicated by linguistic differences as to the scope of certain key terms, such as “personal data”,  “processing”, etc.:

1. In the United States, the category of “personal data” protected from processing would ordinarily be limited to something very unique to a person with a high degree of sensitivity, such as social security numbers or medical records. The EU protects all types of personal data from processing, including emails identifying authors or recipients.

2.  In the United States, the concept of data processing implies a formal, large scale handling and labeling of data. The European Union, however, considers virtually every action relative to personal data to be “processing” of that data, including archiving, searching, and particularly collecting, reviewing and producing such data.

3.  In the United States and other common law countries, documents and data are discoverable if they are reasonably calculated to lead to the discovery of admissible evidence. Parties can be severely sanctioned for failing to preserve or produce relevant materials.

4.  Unlike common law pretrial practice, many civil law jurisdictions prohibit disclosure of evidence beyond what is needed for the scope of trial. In these civil code countries (which vastly outnumber common law countries), discovery is very limited. Privacy laws prohibit the processing of personal data, and individuals or organizations can be penalized for such action.

5.  When seeking to resolve discovery disputes, generally, the law of the country where the “data controller” is established will apply to the question of whether the relevant personal data can be legitimately “processed.” It is possible that within one company, many sets of laws will apply to data residing in different countries.

6.  While data protection regulations differ broadly across the globe, the EU Directive provides somewhat of a model as to the kind of processing and transfer restrictions that are included in most of these regulations. As such, it is a useful example to use in evaluation of common privacy principles underlying these regulations. The European Union Data Protection Directive was published on October 24, 1995. The starting premise under the EU Data Protection Directive is that data transfers are prohibited unless the receiving country provides adequate protection. As a rule of thumb, data transfer is permitted between Member States and prohibited outside of Member States. Each Member State has implemented the data protection directive in different ways—some have given additional layers of protection to personal data.

7.  In addition to the EU Data Protection Directive, several countries have enacted Blocking Statutes. These statutes prohibit the transfer of different types of information across country borders, and were enacted with the goal of protecting sovereignty and commercial interests from interference by foreign states. Violation can result in civil or criminal penalties. For example, in 2008, in a case known as In re Christopher X, the French Supreme Court in publicized the conviction of a French attorney for violating the French blocking statute. The French blocking statute is quite broad, and prohibits the gathering of information of any kind in France if it relates to a foreign judicial or administrative proceeding. In this case, the French attorney had been retained by a U.S. law firm to interview a potential witness in Paris in relation to a case filed in United States federal court. The French attorney was reported to the French authorities, and was ultimately convicted of the French Penal Statute, resulting in a substantial fine.