Sedona Conference Report on Cross Border Discovery
Just his month, the Sedona Conference published a new report entitled, Practical In-House Approaches for Cross-Border Discovery & Data Protection. The new report can be downloaded here. The report promotes Sedona's International Litigation Principles as a means to minimize problems in international discovery and in the protection of personal data. There are six principles:
1. Court and parties have to show deference to the data protection laws of all countries.
2. Where there is a conflict between compliance with data protection laws and full compliance with discovery obligations, a party's conduct should be judged on a standard of good faith and reasonableness.
3. Preservation and discovery should be limited to evidence of claims and defenses in order to minimize problems with complying with laws and reduce the impact on individuals.
4. Court orders should be issued to protect personal data and minimize conflicts between data protection laws and discovery / preservation obligations.
5. A data controller needs to demonstrate that data protection obligations are met and safeguards are implemented.
6. Protected data should only be retained as long as necessary to meet business needs or legal obligations.
The Sedona report recommends issuing different legal holds to American and European employees. It notes that snapshots of data preserved as back-ups will likely fall under the EU definition of processing and require the protection of personal data. It promotes the use of its template case management form to support claims of good faith and reasonableness in complying to legal obligations. The form is contained in Appendix B to the report.
It encourages counsel to discuss data protection issues very early in order to lay a basis that compliance with data protection requirements can be costly. Being transparent about its steps to collect potentially personal data may include the disclosure by company of diagrams or detailed collection scripts. Sedona recommends that employees be given the opportunity to conduct their own privacy reviews.