eDiscovery Privacy Concerns in North America and Abroad ALM Counsel Summit October 24, 2013
90% of the world’s data was created over the last two years. As data created and stored online increases, discovery of documents and electronic information is an increasingly important part of litigation and corporate transactions in the United States. General rule of thumb: if data relates to an identifiable person, then some privacy law might apply – not limited to custodian information Ongoing conflicts between privacy/data protection laws, both domestic and foreign, and discovery requirements Data Privacy and e-Discovery
Domestic Privacy Laws Increasing number of US data privacy laws and increased focus on privacy issues by regulators Approximately 25 federal laws and regulations that involve privacy and employee or customer information Overwhelming majority of states have passed regulations related to privacy – Social media access in employment Key regulations include: – HIPAA/High Tech Act (medical information) – Stored Communications Act (information stored by third parties, social media) – Gramm-Leach-Bliley (financial information)
Problems with foreign discovery are driven by fundamental differences in legal systems and privacy/data protection laws Differing notions of “privacy” (fundamental right v. industry specific) Differing notions of “discovery” (common law jurisdictions vs. EU) U.S. courts are frequently unfamiliar with, or are dismissive of foreign restrictions on cross-border discovery International Data Protection
Cross-Border Regulations E.U. Data Protection Directive (95/46) – States should implement laws to restrict all manner of “processing” of “personal data” – Prohibits transfer of personal data outside the E.U. Exception: the country to which it is transferred provides “adequate protection” of personal data (E.U. Directive Article 25) – Countries who meet the E.U. “Adequate Protection” standard Canada Argentina Switzerland Israel
Personal Data Broad Definition of “Personal Data” under the EU Data Protection Directive: Any information that can be used directly or indirectly to identify and individual (e.g., the name of the sender or recipient(s) of an .
Additional EU Directive Terms “Data Subject” is usually an individual and sometimes an employee of a “Data Controller/Employer. However in Italy, a corporate entity can be a Data Subject as well “Data Processing” is any Handling of Personal Data outside the normal use – Preservation (litigation hold) may be considered processing if it involves manipulation of data, such as moving data to a secure server or even preserving in place
EU Data Protection Directive Rule: Any transfer of personal data to a third party requires justification and – in case of countries outside EEA – additional safeguards Statutory Exceptions (Derogations): – “Transfer necessary to safeguard legitimate interests of parties to litigation and no overriding interests of affected individuals” – “Transfer necessary for exercise or defence of legal claims in court” – Transmission may require notification/permission of local Data Protection Agencies
New EU Data Protection Regulation Adopted by EU Commission on 1/25/12 Must be ratified by Council of Europe and European Parliament – 2 to 3 year process Objectives: greater uniformity of data protection efforts among EU member states; and centralization of authority (“one stop shop”) for data protection issues for multinational corporations
Article 29 Working Party Group established by the 1995 Data Protection Directive Has engaged with Sedona Conference In 2009 issued Working Document on pre-Trial Discovery (WP158) Fairly conservative analysis of the subject But conceded that transfers of personal data to the US for litigation purposes were permissible subject to safeguards including: Assessment of relevance should be carried out in EU Only data actually necessary for claims or defenses should be transferred Pa ge 10
The Sedona Conference Framework for Analysis of Cross-border Discovery Conflicts published 2008 International Principles and Best Practices on Discovery, Disclosure & Data Protection published December 2011 Has encouraged a dialogue between EU regulators and the US judiciary, with high-level input on both sides Fundamental principles are that personal data should be restricted to the level necessary to resolve the issues in the case, and that further disclosure should be subject to the terms of a protective order Pa ge 11
Latin American Privacy Laws Based on Constitutional Right of “Habeas Data” (i.e.,“You have the Data”): – Brazil – 1988 – Paraguay – Peru – Argentina – Costa Rica – Mexico
Evolution of International Privacy Law RegionAdopted/ConsideringSummary MexicoReleased draft privacy regulations that work with existing data protection law Applies to controllers handling “sensitive personal data” Restricts int’l transfer RussiaAmended privacy law, “On personal data” Strict privacy stance Permits uninhibited transfer to EU Empowers a special agency to determine data security adequacy ChinaReleased “Provisions on the Administration of Internet Information Services” Framed around “Internet Information Service Providers” (IISPs) Restricts IISP’s conduct in various ways
Global E-Discovery CountrySummary and recent developments Hong Kong (Common Law) Special Administrative Region (SAR) Uses traditional English discovery law Hong Kong International Arbitration Center China (Civil Law) Transferring state secrets out of country is strictly protected Singapore (Common Law) Have passed an “opt-in” e-discovery system, but seldom used in litigation No dedicated data protection or privacy legislation, though some is currently being discussed Singapore International Arbitration Centre South Korea Blocking Statute that applies to cross-border transfers for purpose of foreign litigation Japan (Civil Law) Japan Privacy Act permits the conditional transfer of personal information from a corporate entity to a third party; e-discovery still evolving
Global E-Discovery CountryLawSummary CanadaOntario Rules of Civil Procedure Directly calls counsel to implement discovery plan that incorporates how to handle production of ESI Makes an explicit call for cooperation and meet and confer Requires counsel to confer with the Sedona Canada Principles AustraliaPractice Note CM 6 Courts may order electronic format production where “the use of technology… will help facilitate the quick, inexpensive and efficient resolution of the matter” Pre-discovery and pre-trial checklists; p laces an expectation on counsel that they have considered the issues in the list, and are in a position to inform the court on how they will be addressed
Aerospatial Comity Analysis (1) the importance to the... litigation of the documents or other information requested (2) the degree of specificity of the request (3) whether the information originated in the United States (4) the availability of alternative means of securing the information (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located Data Protection, Privacy, Cross-Border Pa ge 16 Restatement (Third) of Foreign Relations Law of the United States
The Components Data Protection, Privacy, Cross-Border Pa ge 17 v Restatement (Third) of Foreign Relations Law of the United States + Aerospatiale Article 29 of EU Directive 95/46/EC + Individual State implementations
Whoever heard of limiting the scope of Discovery? Data Protection, Privacy, Cross-Border Pa ge 18 Discovery limited in scope = Intelligent appraisal of issues – what do we really need? + Protective Order + Technology to identify and filter quickly
A Changing Climate? Data Protection, Privacy, Cross-Border Pa ge 19 EU Draft General Data Protection Regulation will tighten rules ABA Report and Resolution 103 Sedona Conference – International Principles on Discovery, Disclosure & Data Protection Respect, good faith, reasonableness, protective order, discovery limited in scope, compliance with Data Protection obligations
Practice Points Loop in counsel/data privacy experts early! Know where is your data is located. Are any international issues implicated? Can anyone in the US access the data for routine business matters? Know what is included in your data. Which databases at your company include potentially private information? Remember your clients’ data as well as your employees’ data. Know the the applicable privacy laws and/or blocking statutes. For international cases, think outside the box. What kind of collection can you do – Forensic? Targeted? Can you process in country? Can you review for responsiveness in country? Can you use a TAR technology to get to the relevant information sooner? Data Protection, Privacy, Cross-Border Pa ge 20
Questions? Pa ge 21