The Different eDiscovery Borders
The Sedona Conference's public comment period for its Practical In-House Approaches for Cross-Border Discovery & Data Protection ends tomorrow. The report discusses the different approach to personal data in the EU which not only encompasses data generated at work but also puts medical, banking, and social services data in a category of heightened protection called 'personal sensitive information'. In the EU the term 'processing' may refer simply to the recording or collection of data. It does not have the same meaning as it does in the context of the EDRM, when we talk about processing data to filter, de-dedupe, and convert it to another format . There are different boundaries for discovery in Europe - in Germany a party does not disclose non-beneficial documents to the opposing side; France criminalizes releasing discovery for use in litigation outside of its borders.
The preliminary version of this document puts foward six principles for international discovery, disclosure, and data protection.
1. For data that is subject to preservation, disclosure or discovery, courts and parties should pay due respect should be paid to the Data Protection Laws of any country for any person who benefits from those laws. When dealing with the preservation of data to be preserved for a case that is stored in both the U.S. and Europe, Sedona suggest issuing two legal hold notices, instead of one, to give extra time to address Data Protection issues in Europe.
2. A standard of good faith and reasonableness should be exercised where there is a conflict between compliance with the Data Protection Laws and discovery, disclosure and preservation. Sedona recommends using a template case management form as documentation can be used to prove good faith and reasonableness in the event of a challenge.
3. Preservation or discovery should be limited in scope to what is relevant and necessary to support a claim or defense. It's necessary to identify key IT contacts in targeted locations - you want to ascertain if several independent companies share the same file servers.
4. Where a conflict exists, a stipulation or court order should be issued to protect the data and reduce the conflict. It is necessary to raise data protection issues in early discussions so it can be established with the Court that complying with non-U.S. Data Protection Laws is expensive and may outweigh the value of the data in a matter.
5. A Data Controller should show that data protection obligations have been addressed and appropriate safeguards have been instituted. In order to accomplish this, the search process nees to be iterative and the results have to be revised as necessary, and the selection of keywords needs to be documented. Culing before transferring data across borders may help demonstrate respect for Data Protection laws. Document review guidelines (DRGs) should be prepared by counsel to direct the tagging of documents with protected data. Not only redaction, but anonymization, pseudonymization, and aggregation should be considered when dealing with CPI. U.S. productions should be reviewed first, since it is possible that parties may agree that it is sufficient by itself.
6. Protected Data should be retained only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, Data Controllers should preserve relevant information, including relevant Protected Data, with appropriate data safeguards. Transparency is a big part of the process of data collection in the EU, and in addition to providing transparency documentation (including graphics or diagrams and a detailed collection script), a company may want to give employees a chance to conduct their own privacy review before the production of data. The EU Directive provides that Protected Data should be retained only as long as necessary to satisfy legal or business needs.