ceic 2010 international panel
TRANSCRIPT
International International eDiscoveryeDiscovery: Data : Data Protection, Protection, Privacy & CrossPrivacy & Cross--Border IssuesBorder Issues
Red Rock ResortSummerlin, Nevada
May 26, 2010y ,
Agenda
The PanelThe PanelModerator: Patrick Burke, Guidance
SoftwareSoftwareM. James Daley, Esq., Daley & Fey LLPDominic Jaar, Ledjit inc.George Rudoy, Shearman & Sterling LLP
P A G E P A G E 11
M. James DaleyM. James Daley
M. James Daley, Esq., CIPPM. James Daley, Esq., CIPPPartner, Daley & Fey LLP
Partners with clients to contain the costs and reduce the risks of global data privacy, e-discovery and data security challengesp y, y y g
Chair of The Sedona Conference® Working Group on International E-Disclosure and Records Management (WG6)
Co-Editor-in-Chief of The Sedona Conference® Framework for Analysis Of Cross-Border Discovery Conflicts (2008)
P A G E P A G E 22
Certified Information Privacy Professional (CIPP) – International Association of Privacy Professionals
Dominic Jaar
Dominic JaarPresident, Ledjit Consulting inc.
CEO, Canadian Centre for Court Technology
Member of the Sedona Conference Editorial board (Sedona Canada) WG1 WG6 WG6
Guidance Software Strategic Advisory Board
P A G E P A G E 33
George RudoyGeorge Rudoy
George RudoyGeorge RudoyShearman & Sterling, LLP
Director, Global Practice, Information & Knowledge Management
Founding member of the E Discovery Training Academy at Georgetown Founding member of the E-Discovery Training Academy at Georgetown Law Center
Chair of the ALM Law & Business’s Legal Tech Educational Board
Vice President of the International Legal Technology Association (ILTA) Practice Management Peer Group
P A G E P A G E 44
Principles of PrivacyPrinciples of PrivacyM. James Daley, Esq., CIPPM. James Daley, Esq., CIPPDaley & Fey LLPDaley & Fey LLP
The Current LandscapeThe Current Landscape
Cross-border ediscovery is a “Catch 22”Cross-border ediscovery is a Catch 22
U.S. Courts require production or relevant information located outside the U Sinformation located outside the U.S.
Many non-U.S. jurisdictions restrict and/or bl k th i d t f f hblock the processing and transfer of such information to the U.S.
P A G E P A G E 66
Differing notions of privacyDiffering notions of privacy
Privacy is a fundamental right in much of the ldworld
Definitions of personal data subject to privacy t ti t id th U S t lprotection outside the U.S. are extremely
broad
Privacy protections in the U.S. are industry specificPersonal data subject to protection is limited to
specific categories (e.g., Social Security b di l i f ti b ki d t )
P A G E P A G E 77
numbers, medical information, banking data)
Differing Notions of PrivacyDiffering Notions of Privacy
Restrictions on disclosure outside the European Economic Area (E.U. member states plus Norway, Iceland, and Liechtenstein)
Generally, personal data cannot be sent to countries with less privacy/data protection p y pthan in the E.U.
Only a handful of jurisdictions meetOnly a handful of jurisdictions meet standards to allow data transfer
P A G E P A G E 88
Transfers outside the EUTransfers outside the EU
Exceptions and derogations to general principleIssues include necessity for the transfer, y
proportionality (how the truly personal data is culled), and specifics in enabling laws of
b t tmember states.Critical to consult local counselTransmission may require
notification/permission of local Data Protection
P A G E P A G E 99
Agencies
Differing Notions of DiscoveryDiffering Notions of Discovery
Common law: expansive pre-trial discovery yconducted by the parties with judicial supervision as needed to resolve disputes or manage court calendarU S t i di itt d fU.S. most expansive: discovery permitted of
documents which may lead to admissible evidenceCanadian “semblance of relevance” test almost asCanadian semblance of relevance test almost as
expansiveU.K.: parties must produce “documents relied upon p p p
and documents that adversely affect or support litigant’s position” but document request must seek specific documents not broad categories
P A G E P A G E 1010
specific documents, not broad categories
Civil Code jurisdictionsCivil Code jurisdictions
Disclosure is limited to admissible evidenceDisclosure is limited to admissible evidence
Court closely supervises disclosure and determines admissibility and relevance ofdetermines admissibility and relevance of proposed evidence
F l i G liti t d lFor example, in Germany, litigants need only produce those documents which will support their claimstheir claims
P A G E P A G E 1111
The Hague ConventionThe Hague Convention
Hague Convention on the Taking of Evidence Ab d (1972)Abroad (1972) An attempt at compromise: a uniform
d f ll ti f id b tprocedure for collection of evidence between common law and civil law jurisdictions.L f (“ ”) i fLetters of request (“rogatory”) issue from court in one nation to designated central authority (often a court) in another requesting(often a court) in another, requesting assistance in obtaining information
P A G E P A G E 1212
The Hague ConventionThe Hague Convention
Aerospatiale: U.S. courts are not required to resort to the Hague Convention procedures over the Federal Rules of Civil Procedure
Fi f t b l i t t Five-factor balancing test: Importance of the evidence to the litigationR ti i t t f th U S d th f iRespective interests of the U.S. and the foreign
nation where the information is locatedSpecificity of the requestSpecificity of the requestWhether the information originated in the U.S.Availability of alternative means to obtain the
P A G E P A G E 1313
Availability of alternative means to obtain the information
Blocking statutesBlocking statutes
Shields for nationally sensitive dataStatutes which restrict cross-border discovery
of information intended for use in foreign j di i l dijudicial proceedingsNot limited to civil law jurisdictions (Australia
d C d h bl ki )and Canada have blocking statutes)May be general (France and Venezuela) or
industry-specific (e.g., Switzerland re banking information)
P A G E P A G E 1414
Blocking StatutesBlocking Statutes
Contrary to certain U.S. and U.K. judicial decisions, blocking statutes can have severe consequencesVenezuela: In Lynondell-Citgo Refining LP v.
Petroleos de Venezuela, defendant accepted d i f i t ti th than adverse inference instruction rather than
turn over board minutes and related documentsFrance: In January, 2008, the French Supreme
Court affirmed a criminal conviction for speaking to a potential witness about a U S
P A G E P A G E 1515
speaking to a potential witness about a U.S. lawsuit
TrendsTrends
The French Supreme Court decision, related t U S f St C dit L ito U.S. case of Straus v. Credit Lyonnais, may tip the balancing test in favor of recognition of the significance of blocking statutes andof the significance of blocking statutes and result in more recourse to the Hague Convention
Some U.S. courts had already required recourse to the Hague Conventionrecourse to the Hague Convention (Connecticut District Court, In Re Perrier Bottled Water Litigation; New Jersey State
P A G E P A G E 1616
Court, Husa v. Labatoires Servier S.A.)
TrendsTrends
Potential narrowing of the definition of “ l d t ” i U K“personal data” in U.K.Durant v. Financial Services Authority, Court of
A l (Ci il Di i i ) 2003 “O lAppeal (Civil Division), 2003: “Only information that names the (the individual) or refers to him” qualifies for protection under therefers to him qualifies for protection under the Directives and U.K. enabling lawsCourt described its holding as a “a narrowCourt described its holding as a a narrow
interpretation of personal data” and is not universally followed
P A G E P A G E 1717
u e sa y o o ed
U.S. Data Privacy & Security: A U.S. Data Privacy & Security: A Patchwork QuiltPatchwork Quilt
18
P A G E P A G E 1818
The Surveillance SocietyThe Surveillance Society
19
P A G E P A G E 1919
TrendsTrends
Increased attention to privacy in the United StatesMedia coverage of compromises of personal data
through loss of laptops and backup tapesSecurity breaches of large public and private
databasesdatabases Increasing incidence of identity theftRecent (and first) HIPAA civil monetary penaltyRecent (and first) HIPAA civil monetary penalty
proceeding to result in penalties, revamped electronic privacy plan and compliance reports
P A G E P A G E 2020
Ways to Mitigate RiskWays to Mitigate Risk
Dialogue with Data Protection Authorities on gcommon interests
In-country collection processing and cullingIn-country collection, processing and culling and possibly review
Development of a uniform confidentialityDevelopment of a uniform confidentiality designation, i.e., “EU Confidential,” for personal data involved inpersonal data involved in discovery/disclosure cross borders
P A G E P A G E 2121
Ways to Mitigate RiskWays to Mitigate Risk
Development of specific E.U. (and perhaps A i P ifi d S th A i ) i iAsia- Pacific and South America) provisions for U.S. court protective orders and case management ordersmanagement ordersAddition of cross-border discovery and
conflicts training to judicial education curriculaconflicts training to judicial education curriculaDevelopment of approved protocols for
processing and pre filtering of personal data inprocessing and pre-filtering of personal data in the host country to assure only relevant personal data is transferred for discovery
P A G E P A G E 2222
pe so a data s t a s e ed o d sco e ypurposes
A way forwardA way forward
Education and Awareness:Legal RestrictionsRecords Management – Cultural DivideRecords Management Cultural DivideTechnology Realities
Ri k B fit A l iRisk Benefit Analysis
Efforts to Mitigate Risk
Continued Communication and Collaboration
P A G E P A G E 2323
Framework for Cross-Border Discovery
P A G E P A G E 2424
Upcoming eventUpcoming event
The Sedona Conference®
I t ti l PInternational Programon Cross-Border eDiscovery, eDisclosure & Data PrivacyeDisclosure & Data Privacy
15-17 September 2010pWashington, D.C.
P A G E P A G E 2525
Think Globally, Act LocallyThink Globally, Act Locally
P A G E P A G E 2626
Principles of ProportionalityPrinciples of ProportionalityDominic Dominic JaarJaarPresident,LedjitPresident,Ledjit Consulting Consulting inc.inc.
CanadaThe State of E-Discovery
Ontario GuidelinesSedona Canada PrinciplesRules of Civil Procedure Nova Scotia Ontario
Practice Directions British Columbia Alberta Alberta
Quebec Code of Civil Procedure
P A G E P A G E 2828
ProcedureFederal
PrivacyCanada as the Safest Harbour
Principles Purpose Purpose Consent Limited
C ll ti— Collection— Use— Disclosure
Retention— Retention
Accuracy
Canadian Charter of Rights and Freedom
Personal Information Protection and Electronic Documents Act (PIPEDA)
P i i l L i l ti
P A G E P A G E 2929
Provincial Legislation
Sedona Canada White Paper on Privacy (To be published)
Blocking StatutesReacting to USA’s Extraterritorial LawsLaws
Cuban Policy
Asbestos
UraniumUranium
National and Provincial Politics and EconomicsPolitics and Economics
FederalForeign Extraterritorial Measures ActForeign Extraterritorial Measures Act
ProvincialQuebec Business Concerns Records Act
P A G E P A G E 3030
Ontario Business Records Protection Act
Privileges (Solicitor-Client and Litigation)Quasi-Constitutional Rights
Canadian Charter of Rights and Freedoms
WaiverExplicitp Implicit
Cross-Border ProductionCross-Border Production
P A G E P A G E 3131
ProportionalityA Reality, not a Mere Principle
Rules of Civil ProcedureNature of the caseValueBurdenAccessibilityRelative RelevanceConfidentiality
—Privacy—Privileges—Intellectual Property
P A G E P A G E 3232
p y—Commercial/Industrial Secrets
International E-DiscoveryPractical Challenges
Language Identification Identification Processing ReviewReview Presentation
Technologicalg Standards Legacy systems Multinational enterprise-
wide content search
Criminal/Penal charges
P A G E P A G E 3333
Criminal/Penal charges Jurisdiction over act
Principles of Language & CulturePrinciples of Language & CultureGeorge RudoyGeorge RudoyShearman & Sterling LLP Shearman & Sterling LLP
Non English Language Documents
ASCII vs. Unicode
l d d• Computers only understand numbers—0’s and 1’s..
ASCII d i d t ll h• ASCII designed to allow humans to communicate with computers.
• Invented for teletypes• Invented for teletypes
• Original ASCII character set limited to 127 characters.limited to 127 characters.
A -> 0100 0001
P A G E P A G E 3535
Non English Language Documents
Printable ASCII Characters
0 1 2 3 4 5 6 7 8 9 a b c d e f g gh I j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
! @ # $ % ^ & * ( ) + ` =~ ! @ # $ % ^ & * ( ) _ + -= [ ] \ { } | ; ’ : ” , . / < > ?
P A G E P A G E 3636
Non English Language Documents
ASCII vs. Unicode
• Other languages needed additional• Other languages needed additional characters.
• Extended ASCII added ramped to• Extended ASCII added ramped to 256 characters.
• Special encoding developed to reachSpecial encoding developed to reach beyond extended ASCII.
• Result: multiple coding sets emerged p g gusing the same byte sequences.
P A G E P A G E 3737
Non English Language Documents
The bottom line…• Chinese language has 65,000+ g g ,
symbols
• Unicode assigns numbers to every possible character set.
• UTF-8 has become defacto Unicode standard to represent multi-byte languages.
E-Discovery processing software must support Unicode!
P A G E P A G E 3838
Non English Language Documents
Non English Language Tokenisation
• Western search based on spaces and punctuation.
P A G E P A G E 3939
Non English Language Documents
Non English Language Tokenisation
l f d• Some languages often don’t use spaces or punctuation.
P A G E P A G E 4040
Non English Language Documents
Non English Language Tokenisation
Thedogatemydinnerbeforeicouldstophimnexttimeiwillputhimoutbeforeieatp
The dog ate my dinner before I could stop him. Next time I will put him out before I eat.
裁判所はどこにありますか?
Next time I will put him out before I eat.
Where is the courthouse?
P A G E P A G E 4141
P A G E P A G E 4242
Non English Language Documents
Non English Language Tokenisation
d i f
Chinese
• Words may consist of one or more symbols中國人
Middle country persony p
中國
China
中國
Middle countryy
P A G E P A G E 4343
P A G E P A G E 4444
Cultural Guide to
Conducting E-Discovery in the International Conducting E Discovery in the International
Settings Selected countries and regions
P A G E P A G E 4545
P A G E P A G E 4646
European Union
P A G E P A G E 4747
P A G E P A G E 4848
EU
Location: Europe between the North Atlantic Ocean in the west and Russia, Belarus, and Ukraine to the east, ,
Legal System: comparable to the legal systems of member states; first supranational law systemP liti l t t h b id i t t l d ti lPolitical structure: a hybrid intergovernmental and supranational organization
Population: 491,018,683Languages: Bulgarian, Czech, Danish, Dutch, English, Estonian,
Finnish, French, Gaelic, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovene, Spanish, Swedish
P A G E P A G E 4949
EU
Be aware of balance and possible conflict of individual country rules vs. EU rulesrules vs. EU rules
Transport and use of data is highly guarded and restricted
Prepare schedule of annual holidays and observancesp y
Polite direct requests Take the time to clarify project purpose and planClarify vernacular for technology (Services v. Share)Establish client-side project liaison
C id l l l b lConsider local labor laws
P A G E P A G E 5050
EU
Minimal experienced local vendor support, most located in UK
I l IT i i i id if l h l Involve IT in interview process to identify relevant technology landscape
Explain discovery process in detail with the support of visual p y p ppdiagrams and documentation Local Counsel IT Personnel IT Personnel Interview process
Translate project requirements and scopeTranslate project requirements and scope
P A G E P A G E 5151
Former USSR
P A G E P A G E 5252
Former USSR
English not widely spoken, even less so in non-capital citiesRemaining xenophobia of foreigners especially AmericansRemaining xenophobia of foreigners, especially AmericansLocal customs are unique and expected to be followedVery little regard for privacyMany layers of authority and managementBorder security varies and customs can be negotiated withNo local vendorsNo local vendorsLimited familiarity with litigation requests “Government secrets” still an issuePersistent refusal to sign any documents (chain of custody
form, privacy waiver, etc)
P A G E P A G E 5353
P A G E P A G E 5454
P A G E P A G E 5555
Collecting ESI in Russia
Privacy Rights in Russia Article 23 of the Constitution of the Russian Federation Article 23 of the Constitution of the Russian Federation
— Everyone has the right to privacy, personal and family secrets, protection of one’s honor and good name.
— Right to privacy of correspondence, telephone communications, mail, cables and other communications.
— Any restriction of these rights require a court order.
Federal law “on information”— Each person has the right to search and receive any information in any forms
and from any sources subject to specific limitations.— Limitations provide only for data related to a state secret, commercial secret,
official or other secret (e.g. tax secret), professional secret, privacy or family ( g ), p , p y ysecrets which are regulated by separate federal laws.
P A G E P A G E 5656
Penalties
Penalties can be disciplinary, civil, administrative or criminal. Specifically criminal liability for violation of the immunity of private life Specifically, criminal liability for violation of the immunity of private life,
violation of secrecy of communications and infringement of home involiability, as well as liability for unauthorized access to legally protected computer information.
Civil liability if an individual suffers physical or moral damages by violation of his or her non-property rights or any other non-material welfare rights. A court can force financial compensation.
P A G E P A G E 5757
Russian law on transferring data through data telecommunications networks
Article 15(5) of the Federal law “On Information” provides that data can be transferred through data telecommunications gnetworks without any limitations subject to the protection of intellectual property except “On personal data” (Article 7) requires the operator ensure for the p ( ) q p
confidentiality of received personal data with two exceptions:— Instances involving depersonalization of personal data, and— Publically available personal data.— Most importantly, the operator can process personal data only with a person’s
consent (Article 6) subject to certain exceptions.— Personal data is broadly defined to include “any information related to an
individual…or information on the basis of which an individual may beindividual…or information on the basis of which an individual may be identified.” Examples include surname, birthdate, address, family status, income and education.
P A G E P A G E 5858
Consent
On the one hand, consent is required “when directed by law” such as collection and transborder transfer of personal data.
On the other hand, in practice, where a company puts employees on written notice by policy or specific notice that their email and documents are company property and can be accessed for business uses at any time, written consent can be made by the company.uses at any time, written consent can be made by the company.
Written consent is prudent – the burden of proof is on the operator and Russian courts usually require documentation. No standard consent form, but lists six criteria to include: ,
— full name of person giving consent including address, passport number, date of issue and issuing authority.
— Name and address of operator to whom consent is given.— List of personal data that may be processed.— List of operations to be performed with personal data, and general description of the
processing methods.— Term of validity of the consent and the procedure for its revocation.
P A G E P A G E 5959
Exceptions to Consent
Personal data process on the basis of federal law (primarily supporting law enforcement).
Personal data processed to perform an agreement to which such individual is a party (e.g. employment agreement).
Personal data processed for scientific or statistical purposes, and it is iti dsanitized.
Personal data processed to protect life, health or important individual interests and it’s not possible to obtain consent.
Personal data processed to deliver mail or telecommunications customer settlements.
Processed for professional activity of a journalist or for scientific literature or creative activityliterature or creative activity.
Data subject to publication in compliance with federal laws such as state officials or candidates to elective posts.
P A G E P A G E 6060
Australia
Land Mass: Slightly smaller than the US contiguous 48 states Legal System: Based on English common law; acceptsLegal System: Based on English common law; accepts
compulsory ICJ jurisdiction, with reservations Population: 21,007,310Ethnicity: Caucasian 92% Asian 7% aboriginal and other 1%Ethnicity: Caucasian 92%, Asian 7%, aboriginal and other 1% Languages: English or strine spoken
P A G E P A G E 6161
Australia – Cultural
Highly regulated environmentLegal compliance is accepted and valuedLegal compliance is accepted and valuedPolite direct requests Informal business environmentHigh use of technology, mobile technology and emailDue to “listing” requirements objective data and metadata
integrity is importantThe Legal Hold concept loosely translatesVigilant customs and securityL l dLocal vendorsFamiliar with litigation requests
P A G E P A G E 6262
China
Land Mass: Slightly smaller than the USLegal System: Based on civil law system; derived from SovietLegal System: Based on civil law system; derived from Soviet
and continental civil code legal principles; legislature retains power to interpret statutes; constitution ambiguous on judicial review of legislation; has not accepted compulsory ICJ jurisdictionjurisdiction
Population: 1,330,044,544Ethnicity: Han Chinese 91.5%, Zhuang, Manchu, Hui, Miao,
Uyghur Tujia Yi Mongol Tibetan Buyi Dong Yao Korean andUyghur, Tujia, Yi, Mongol, Tibetan, Buyi, Dong, Yao, Korean, and other nationalities 8.5%
Languages: Standard Chinese or Mandarin (Putonghua, based on the Beijing dialect), Yue (Cantonese), Wu (Shanghainese),on the Beijing dialect), Yue (Cantonese), Wu (Shanghainese), Minbei (Fuzhou), Minnan (Hokkien-Taiwanese), Xiang, Gan, Hakka dialects, minority languages
P A G E P A G E 6363
China - Cultural
Dispute resolution process not alignedNot familiar with litigation requestsNot familiar with litigation requestsMany layers of authority and management “Party” plays a roleTitles and formality is importantTitles and formality is importantTimeframes may slipCan be difficult getting hardware in and outPayment customs can be misunderstoodExceptions based on relationshipsLabour cost and efficiencyySelf serviceVendor selection and testing
P A G E P A G E 6464
Privacy in China
China lacks comprehensive privacy legislation. A draft Personal Data Protection Law has been submitted to the State A draft Personal Data Protection Law has been submitted to the State
Council, China’s executive branch. It is not unusual for searches to be undertaken on company computers
without an employee’s consent.p y
Nonetheless, obtaining written consent is a prudent practice.
P A G E P A G E 6565
Privacy in Hong Kong
Two sources of privacy protection Personal Data (Privacy) Ordinance Common law (generally applies only to information which has the necessary quality of
confidence, was imparted in confidence, and used without authorization to the detriment of the party communicating it (Coco v AN Clark (Engineers) Ltd. [1969] RPC 41).
Under Personal Data (Privacy Ordinance), “personal data” is defined as any data (a) relating directly or indirectly to a living individual, (b) from which it is practicable for the identity of the individual to be directly or indirectly
ascertained, and (c) in a form in which access to or processing or use of the data is practicable.
The use of personal data (including collection, processing and transfer) must be consistent with the purpose for which the data were originally collected or directly related to it, otherwise the prior consent of the employee must be sought and obtained.
Beware a newly enacted section 33 of the Privacy Ordinance – which may not yet be in force – which prohibits the transfer of personal data outside Hong Kong and unclear if consent overcomes that.
P A G E P A G E 6666