Electronic Discovery Institute Course - Class 15 - International eDiscovery
Here's a continuation of my postings about the Electronic Discovery Institute's online e-discovery certification program, which you can subscribe to for just $1. I last blogged about this program on December 2, 2017. Go to https://www.lawinstitute.org/ to sign up for it.
This course is taught by Rose Jones, the head of electronic discovery and project management for King & Spalding; Wayne Matus, the head of eDiscovery for UBS; and David Shonka, a principal deputy general counsel at the Federal Trade Commission.
Cross border discovery is the discovery of data in a jurisdiction other than that of the United States.
International Data Privacy & Discovery Laws
Much of the world does not have any laws governing discovery, and no country has the wide range of law governing civil discovery that exists in the United States. International privacy laws often limit discovery to requests for specific documents.
Jones noted that in many other countries it's not possible to get data as easily as it can be obtained in the United States. The United States has very broad discovery. Sometimes jurisdiction can be obtained over a foreign corporation because it has an office in the United States. European citizens are often less inclined to disclose personal information because of their experience with totalitarian regimes.
Shonka noted that the EU privacy directive has been implemented by each member nation differently. The directive states that data can only go to countries that have sufficient privacy safeguards.
The Safe Harbor
A company used to be able to self-certify that they adequately protected the privacy of data, under an arrangement the United States Department of Commerce negotiated with the EU.
The Schrems Decision
An action was brought against Facebook in Ireland by Schrems alleging that his collected data was not adequately protected in the United States. The decision by the EU courts in this case invalidated the safe harbor arrangement the EU had with the United States for the transfer of personal data.
The New EU Data Protection Directive
The General Data Privacy Directive will become fully effective in 2018. The directive will be binding on all countries in the EU, and there will be less latitude for the countries to implement the provisions of the directive differently.
The movement of data between the United States and Europe was strongly affected by the Schrems decision. Corporations have to submit themselves to the jurisdiction of European courts if they want to use the data of EU citizens. There is a higher possibility that sanctions can be imposed. There may be a greater lag in time for the production of international data.
Cross-Border Discovery with China
State secrets cannot be included in data produced from China. Monetary sanctions and prison sentences can be imposed for a violation of this rule. Shonka recommends hiring specialists in the local Chinese laws before moving data out of the PRC. Matus described the penalties for the illegal removal of data from China as draconian, and the guidelines for how data could be legally removed as nebulous. This leads to many people being very timid about conducting production of Chinese data.
Many blocking statutes were implemented in the 1970s in response to American antitrust laws. Blocking statutes are intended to prevent information from flowing; they do not require that specific procedures be followed.
Corporate Binding Rules
Corporate binding rules provide a means for companies to follow European regulations without having to prepare a model contract each time data is transferred.
Cross-Border Considerations for Law Enforcement
U.S. government agencies, when involved in law enforcement, have agreements with their counterparts in other countries that allow for the sharing of data. The Schrems decision found that there are adequate protections in place in U.S. investigations.
Mutual Legal Assistance Treaty
MLATs are negotiated by the U.S. State Department and deal with the transfer of data in criminal investigations. American regulators such as the SEC contact their foreign counterparts when making requests for data.
Data Privacy Officers
Data privacy officers monitor compliance with regulations and also serve as a point of contact for answering employees' questions about data privacy.
Cross-Border Challenges Related to the Cloud
Information in the 'cloud' is in fact located on a server, and the data is subject to the rules of the jurisdiction in which the server is located. The cloud is intended to provide access to the data without any restrictions. Microsoft, Google, and others have developed hybrid clouds that only allow access in certain jurisdictions.
Managing Cases Involving Cross-Border Transactions
Attorneys should try to limit the scope of discovery, and bring up problems with cross border discovery at the Rule 26(f) conference.
A global scheme for the multi-jurisdictional transfer of data will require review of the laws of each concerned country and how they affect the movement of data. Several jurisdictions will not allow vendors from other countries to process data.
Shonka recommends having local counsel readily available to help with cross border discovery, and also reviewing the guidelines developed by the Sedona Conference for the transfer of data.
Jones suggests conducting extensive employee training to make workers aware of the implications of not producing documents, and of the steps a company is taking to protect their data. A company should have a memorandum that provides for the documentation of steps that are taken to protect personal data. Another best practice is investment in advanced technologies. Software can automatically recognize credit numbers and personal ID numbers.
Potential Ramifications of Failure to Comply with Data Privacy & Protection Laws
When the GDPR becomes fully effective it will allow companies to be fined up to 4% of their global revenue for violations. There will also be the potential for liability to the individuals whose data has been transferred.
Data collected from EU citizens can only be used for the purpose for which it was collected.
Failure to comply with data protection rules in China may lead to incarceration; in the EU it may lead to imposition of increasingly high monetary fines.
Local counsel should be engaged to provide guidance on the restrictions that exist for the international transfer of data. Opposing counsel should be notified of any limitations at the Rule 26(f) meet and confer.
Many EU companies have a Works Council which can provide guidance on data privacy regulations.