International E-Discovery Compliance- Privacy First

The US isn’t like the rest of the world. In America, we play football, other countries they play soccer (which they call football). It’s not just a game, either. In other parts of the world, soccer is life. It’s an obsession. America is different. Fans are disinterested, and boring. While the rest of the world thinks it a bit barbaric, Americans have stuck steadfast with obscure measurements that the rest of the world long eschewed. We measure in feet and inches while they measure in centimeters and meters. The US is different. It’s just the way we do things. So it should come as no surprise that our privacy legislation is different from that of the rest of the world. If you have a strong grasp on international privacy law, then you will be able to send private information anywhere in the world.

Those places to which our data can be sent, though, hardly reciprocate in the burgeoning arena of data transfer. The subject is important to study and understand, especially for businesses that move large amounts of data across borders. International data transfer is mired by its incredible complexity: the issue is so complex and convoluted that it has been known to perplex even the most astute federal judges. They frequently default to U.S. procedural rules, placing the non-U.S. company in the unenviable position of dividing whether to risk criminal sanctions here for violating a U.S. judge’s order to produce data outside the U.S., or to chance a jail sentence for violation of privacy laws in his or her home country.

Outside of the United States, international data transfer laws are governed by regional, local privacy, and data protection laws. Multinational businesses must understand the implications such laws have on e-discovery. First, one must again draw distinctions between the U.S. and other nations. For example, when we are discussing “personal data” in the US, we are referring to such things as financial and medical data. Within the EU, however, personal data refers to such things as electronic mail. Privacy Directives and member state enabling legislation as data which can be traced to an identifiable individual (the “sender,” or “from” line).

The US is fairly lax in what it allows outside of its borders, boasting very little in the way of statutes preventing the transportation of data. Yet, the E.U. Privacy Directives and enabling legislation hold that personal data (again, all email), may not be sent outside the European Economic Area (the E.U. member states plus Switzerland, Liechtenstein and Norway to any country with lesser data protection than the E.U. There are only a few nations that meet the EU’s standards for data transfer: Canada, Switzerland and Argentina. And this scheme is not limited to the E.U.; Chile and Venezuela have similar restrictions, and Japan requires consent of the data subject for email to be sent outside the country.

Counsel attempting to put together a collaborative across enterprise, which will oftentimes depend on individuals sending emails across borders, can be a perplexing problem. An attorney’s first instinct will probably be to put into place a global litigation hold as is common place with regards to dealing with e-discovery law within the US. Yet, the European Union’s Privacy Directives again broaden terms U.S. lawyers use commonly, in order to maximize privacy protection. “Processing” of data includes any manipulation of data, including steps taken to protect it from deletion. The Directives also hold that “processing” may only be performed for a permitted purpose, and European Commission opinions have held that U.S. litigation is not a purpose for which processing may be performed.

It might be even worse than all that, however, as action can be mired by Blocking Statutes. These laws oftentimes prohibit the exportation of any data, personal or otherwise, that is to be used in a judicial proceeding in a foreign country. France is a country with such blocking statutes. Violating these statutes can carry criminal sanctions.

In lieu of these problems, how can a corporation that does collaborative work with international companies deal with these problems on a regular basis? One method, for data from the European Union, is enrollment in the U.S. Department of Commerce Safe Harbor Program. The program requires the U.S. company to file a Privacy Statement summarizing how it will protect personal data from the E.U., and in which it agrees to adhere to seven principles of confidentiality and data protection. There are also some contractual agreements that can be put together to deal with potential problems with regard to data transfer. Recently, many companies have implemented Binding Corporate Rules, in effect corporate codes of conduct for personal data protection. In Asia, Canada, South America and elsewhere, data transfers require compliance with local data protection laws, or permission from or notification to local data protection authorities. The assistance of U.S. counsel for preparation of these agreements is essential and that counsel must have some relationship with local counsel in the data host country.

It’s too bad that an attorney who regularly deals with international e-discovery issues has little in the way of recourse. These methods do not allow the onward transfer of personal data. Unfortunately, for those who are faced with the prospect of obtaining private information for proceedings, it is oftentimes required that that information be obtained under the laws of local protection authorities. Failing both, counsel may seek a Protective Order, citing the “Hobson’s Choice” of violating a US. order or local privacy laws. U.S. courts, though, have shown little sympathy for this plight. One solution, then, is to educate the adversary to the issues and negotiate time extensions of other agreements as to the non-U.S. data, perhaps in exchange for e-discovery concessions form the adversary if the litigation is symmetrical. Failing that, education of the judge as to these stringent privacy and data protection provisions is required so that the client company won’t have to decide whose law to violate.