E-Discovery: What Increased Data Protection Means for the Global Economy

As our economy and companies become more digital and global, digital information outside the U.S becomes increasingly relevant to resolving civil disputes within our nation.

Digital information will be governed by a set of laws and values many U.S. companies and their lawyers are not familiar with, because the U.S. trades more heavily with nations outside the EU. While most industrialized (e.g., Canada, the United Kingdom and Australia) and newly industrializing (e.g., Singapore and South Africa) nations have developed laws compelling the transfer of relevant electronically stored information (ESI) in civil disputes, none have laws as liberal and far reaching as U.S. civil discovery procedures.

Many nations also impose restrictions on when ESI can be gathered, processed, used and transmitted beyond borders. Indeed, "In many non-U.S. jurisdictions, including the European Union member states, some Asian nations and a few Latin American nations, data privacy is viewed as a fundamental right and ‘personal data’ is afforded greater protections than we are accustomed in the U.S." (Gibson Dunn, "E-Discovery Basics: Cross-Border E-Discovery,” Vol. 1, No. 11). In addition, certain countries have privacy laws designed to protect information about their state-run companies (e.g., China) or even the identity of their banking clients (e.g., Switzerland).

Data protection hits the BRICS

Recently, the world's largest emerging economies, collectively known as "BRICS" (Brazil, Russia, India, China and South Africa), have become more protective of electronic data. Most U.S. litigators have some passing familiarity with the somewhat longstanding and oft-discussed EU Data Protection Directive 94/46/EC, which restricts the processing and transferring of "personal data" about EU member-state citizens. However, they are not generally familiar with the restrictions that emerging economies are placing on data transfer. As recently as July 2011, two BRICS members (Russia and China) passed laws strengthening data protection in their countries.

Every BRICS member nation has stricter data privacy laws than those of the U.S. and none officially authorizes the transfer of "private" data to the U.S. On July 25, 2011, Russia amended its data privacy laws to require written consent to transfer any "personal data" and to grant Russian officials the exclusive authority to determine which sovereignties may receive such data. China also strengthened its protection of "personal information" on July 27, 2011, when it amended the "Provisions on the Administration of Internet Information Services," preventing Internet service providers from collecting and using personal data without individual consent.

Far more important than the particular scope of any of the newly enacted privacy laws is what their enactments say about a growing international consensus on the cross-border transfer of electronic data. In addition to the BRICS and EU nations, Japan, Hong Kong, Argentina, Chile, South Korea, Columbia and Switzerland have data protection laws that are more restrictive than those in the U.S. Some countries have enacted blocking statutes that make it criminal to transfer protected information to the U.S. This, coupled with the fact that China, Russia and Mexico have strengthened their data privacy laws, suggests a trend toward more protection for ESI.

More international e-discovery disputes are likely

Global economic indicators predict that the U.S. will increase trade with emerging economies, including BRICS nations, in the next 10 years. As the U.S. relies more heavily on countries outside the EU to provide raw materials (e.g., Brazil and China), manufactured goods (e.g., China and Singapore), corporate call centers (e.g., India) and energy (e.g., Russia and Brazil), there is a greater potential that data critical to the resolution of a U.S. civil dispute will be housed in a country outside the EU. Because U.S. courts remain resolute in the conviction that they are authorized to compel production of foreign ESI, while much of the world seems to be bent on increased scrutiny of data requests, it's likely disputes over cross-border production of ESI will become more prevalent in the coming years.

As the U.S. increases trade with countries outside the EU and the United Kingdom, the variety and scope of data protection laws U.S. lawyers and their clients will have to contend to should increase substantially in the next decade. The EU Privacy Directive will not be the only data restriction companies will have to navigate and perhaps not even the most important. To best prepare for cross-border e-discovery disputes in EU and non-EU countries, companies should:

  • Determine whether their electronic data is stored in a jurisdiction that restricts their processing or transfer
  • Consult or retain counsel in the jurisdiction where their data or the data they would like to obtain is stored for advice on how the data should be handled

 

This article was originally published in Inside Counsel.

E-Discovery World Wars: The Privacy Menace

Descriptions of the art of litigation are ingrained in ancient history, from Greek scrolls yellowed with age to stone hieroglyphs engraved into the pyramid walls of the Egyptians. But these early insular legal systems did not have to deal with what is becoming one of the more daunting aspects of e-discovery: international boundaries. Today, the overseas offices of many United States corporations have been dragged into the painstaking, and often painful, process of e-discovery. Many more corporations, based entirely in foreign countries, have found themselves subject to e-discovery requests from the United States as well.

When requesting e-discovery internationally, foreign information privacy laws must be respected. The dilemma is that foreign countries have placed restrictions on the international transmission of data that can present high, sometimes insurmountable, barriers to United States e-discovery.  

European nations, having experienced first-hand the horrors related to invasions of privacy and release of personal information in World War II, are more protective of individual privacy than the United States to begin with. To compound matters, United States discovery obligations are more demanding -- by far -- than those in virtually every other jurisdiction in the world.  In response, foreign nations have scrambled to protect their citizens' privacy by placing stringent legislative restrictions on the transmission of electronic data.  French privacy “blocking statutes" (as observed by numerous courts) were designed solely for "frustrating the jurisdiction of the United States" and "provid[ing foreigners] with tactical weapons and bargaining chips" in U.S. courts.  Other countries have enacted similar legislation. 

The resulting differences between U.S. and non-U.S. discovery limits are considerable. For example, when a domestic corporation is required to submit to discovery obligations within the United States, e-mails sent to and received by that corporation's employees can be fair game. But under the European Union Privacy Directive, the privacy of employees is sacred, and electronic transmission of information across international borders can be prohibited without the express consent of the subject of the communication. Because the subordinate nature of the employer-employee relationship may render any such consent inherently coerced, it can be impossible to obtain the required consent of an E.U. corporation's employees in order to produce company e-mails and documents. While the U.S. enjoys a "safe harbor" of sorts with the E.U., this is not a fail-safe solution. The Directive, which has been adopted by numerous countries, is not the only impediment. Recently, China considered similar legislation. At times, U.S. e-discovery has also been threatened by privacy and secrecy laws in Japan, France, Switzerland, Belgium, Germany and Spain.

Surprisingly, there are few court decisions on overseas e-discovery. As a general rule, courts consider a variety of factors in weighing U.S. discovery requests against the stringent privacy requirements of foreign nations. These include: (1) the importance of the documents to the litigation; (2) the respective interests of the United States and the foreign national where the information is located; (3) the degree of specificity in the request; (4) whether the information originated in the United States; (5) the availability of alternate means to obtain the information; (6) the hardship of the foreign party or witness in complying with the discovery requests; and (7) the good faith of the foreign party or witness resisting discovery.

Going forward, corporations and their attorneys should be aware that even an in-depth knowledge of U.S. e-discovery rules is often not enough when requesting e-documents and information from overseas.  As international e-discovery gains traction, a key issue is when and whether the interest of a United States court or litigant is important enough to override the very real foreign state interest presented by foreign privacy legislation.  Courts will have to continue to be mindful of the tension between broad U.S. discovery rules and the restrictive privacy laws of foreign nations.