Cross-Border eDiscovery
Clear Law
Webinar
April 23, 2015 © 2015
Robert D. Brownstone, Esq.
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
Outline/ Agenda
I. The Landscape – U.S. is Unique
II. Practical Impacts on U.S. Litigation
III. Key Principles of Complying with European Privacy Laws . . .
IV. Top Ten Tips to Avoid Pitfalls (in chronological order) . . . .
V. CONCLUSION/Q&A
I. The Landscape – U.S. is Unique
FOUR KEY DIFFERENCES IN U.S.
• A. CIVIL DISCOVERY = BROAD
• B. EMPLOYEE PRIVACY = OXYMORON
• C. BREACH NOTICE DUTY = LIMITED
• D. A/C PRIVILEGE = BROADER
TO LEARN MORE:
• E. SOME Key Resources
I. Landscape – The U.S. is Unique (c’t’d)
FOUR KEY DIFFERENCES IN U.S.
A. DISCOVERY in U.S. civil lit. = broad
Contrast, e.g., the UK
proportionality important
But see Pippins v. KPMG, 279 F.R.D. 245 (S.D. N.Y. 2/3/12) and proposed amended FRCP 26 (at p. 104)
third party requests must ID specific documents/information
» See Edmund M. O’Toole and David N. Cinotti, E-Discovery in Cross-Border Lit.: Taking Int’l Comity Seriously, Int’l Dispute Resolution News 21 (Fall 2010), at .pdf pp. 1-2 & n. 19
I(A). Foreign Discovery Much Narrower (c’t’d)
General acknowledgment of difference . . .
Hague CONVENTION ON THE TAKING OF EVIDENCE ABROAD IN CIVIL OR COMMERCIAL MATTERS, Article 23 (3/18/70):
“A Contracting State may at the time of signature, ratification or accession, declare that it will not execute Letters of Request issued for the purpose of obtaining pre-trial discovery of documents as known in Common Law countries.”
See generally O’Toole & Cinotti, supra, slide 4
I(A). Foreign Discovery Much Narrower (c’t’d)
More re: explaining differences:
• Thomas J. Shaw, Esq., AIIM 2-part “Ediscovery in Asia/Pacific” series (last visited 10/19/12):
U.S. Litigation Exposure for Asian Cos.
Litigation Readiness for Asian Cos.
• Hou Man, South Korea litigation guide, Shin & Kim (last visited 10/19/12)
• Houthoff Buruma, US e-discovery in the Netherlands (Nov. 2010) (helpful in general)
• Kap-You (Kevin) Kim, South Korea: Surviving U.S. Civil Litigation: Strategic Advice for Korean Companies, Bae Kim & Lee PC (10/29/06)
I. Landscape – The U.S. is Unique (c’t’d)
FOUR KEY DIFFERENCES IN U.S. (c’t’d)
• B. EMPLOYEE PRIVACY in U.S. can be readily taken away in advance re: all employees, per long-time case-law
Technology-Acceptable-Use-Policy (TAUP) can be, in large part, a No-Employee-Expectation-of-Privacy-Policy (NoEEPP)
Legally defensible as long as in-trenches enforcement consistent with written policy
See generally Robert D. Brownstone, eWorkplace Privacy Materials, Nat’l. Employment Law Institute (NELI) (3/1/15)
I. Landscape – The U.S. is Unique (c’t’d)
FOUR KEY DIFFERENCES IN U.S. (c’t’d)
• B. EMPLOYEE PRIVACY (c’t’d)
In Europe, need individual consent typically (and it is difficult to obtain compliant consent, esp. with huge volumes of data)
Company-wide TAUP deemed coercive
But see In re Employer Access of Worker E-Mail, Berlin Lab. Ct., No. DB 2011, 1281-1282 (June 2011), discussed in Jabeen Bhatti, Scope of Ruling Giving German Firms Access To Worker E-Mail Is Unclear, Attorneys Say, PSLR (BNA 9/5/11) and here at p. 6
Bruno B. v. Giraud & Migot, No. (Cour de Cassation [France] 12/15/09); original/French version is here
I(B). Privacy Stronger Outside U.S. (c’t’d)
Examples
• Europe (EU), incl.: France, Germany, Italy, UK
• Elsewhere: Brazil, Canada, Israel, Switzerland, Ukraine
I. Landscape – The U.S. is Unique (c’t’d)
FOUR KEY DIFFERENCES IN U.S. (c’t’d)
• C. DATA-BREACH NOTIFICATION LAWS in U.S. = more diffused, narrower in scope & often longer/vaguer deadlines
Compare 47+ U.S. States’ statutes with, e.g.,:
Chile
Germany
India
Korea
Mexico
Qatar
Russia
I(C). INTRO – Data Breach Laws (c’t’d)
• D. ATTORNEY-CLIENT PRIVILEGE non-existent or more limited
• Ex: Does NOT apply to in-house counsel in EC investigations . . . .
• E.g., Akzo Nobel Chemicals v. Commission, Case C-550/07 P (ECJ 9/14/10) (in context of competition law investigation, emails to & from co. officials not privileged)
• See generally Philip M. Berkowitz, The Attorney-Client Privilege and Advising Across Borders, NYLJ (11/29/13)
I. INTRO (c’t’d) – E. Some Key Resources
• Verizon, 2015 Data Breach Investigations Report (4/13/15)
• [U.S.] Nat’l Conf. of State Legislators (“NCSL”), Security Breach Notification Laws (1/12/15)
• Sedona Conference®, International Principles on Discovery, Disclosure & Data Protection . . . (European Union Edition) (Dec. 2011) (free registration required)
• Brian Hengesbaugh, Data Privacy and Security Compliance Recent Legal Developments; Int’l Requirements, Strafford Webinar materials, at .pdf pp. 19-29 (11/3/11)
• Huron, Cross-Border Discovery: Evolving Issues and Challenges (8/29/14)
II. Practical Impacts on U.S. Litigation
Common Scenarios
• Responding to discovery requests: Europe custodians (of U.S.-based co.)
• Issuing or responding to subpoenas involving European entities
• Opponent may invoke EU privacy laws to stonewall discovery responses
Potential impacts include increased costs and extra litigation delays
See generally Al Lindsay, U.S. LITIGATORS HIT BRICK WALL WITH EUROPEAN DISCOVERY, ALM DBR (6/2/14)
II. Impacts (c’t’d) – Location, Location, Location . . . .
It’s 2 AM; do you know where your data is?
• Central server/network in EU?
• Central server/network in US?
• Foreign individual’s data on a server in U.S.?
Rock (int’l law) & hard place (ECPA)?
Suzlon Energy Ltd. v. Sridhar [Microsoft], 671 F.3d 726, 2011 WL 4537843 (9th Cir. 10/3/11) (U.S.-stored Hotmail emails of foreign citizen)
IP address(es) from ISPs?
• Different views in EU and US
resources available from presenter on request
• Compare In re Bittorrent Adult Film Order & Copyright Infringement Cases, Nos. 11-3995, 12-1147, et al. (E.D.N.Y. 5/1/12)
II. Impacts (c’t’d)
Potential big repercussions, esp. in France
Blocking statutes impose civil and/or criminal penalties . . .
• In re Avocat “Christopher X,” Decision No. 7168, France Supreme Court (12/12/07)
French attorney working on a U.S. federal lawsuit prosecuted under French blocking statute for attempting to obtain information under false pretenses from member of board of French co. involved in purchase of U.S. insurer
II. Impacts (c’t’d)
More implications and case law . . .
• Pierre Grosdidier, The French blocking statute, the Hague Evidence Convention, and the case law: lessons for French parties responding to American discovery, 50 TEX. INT’L. L. J. F. 11 (9/15/14)
• Now on appeal: In re Warrant to Search... Microsoft, 2014 WL 1661004 (4/25/14) (criminal case; email data in Ireland), aff’d (S.D.N.Y. 8/12/14)
II. Impacts (c’t’d) – U.S. Courts Unsympathetic
AccessData Corp. v. ALSTE Technologies GmbH, 2010 WL 318477 (D. Utah 1/21/10)
Enquip Tech. Group, Inc. v. Tycon Technoglass, S.R.L., 2010 WL 53151 (Ohio App. 2 Dist. 1/8/10)
Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 5/29/07)
Gerling Global Reins. Corp. v. Low, 296 F.3d 832, 847 (9th Cir. 7/15/02)
In re Vitamins Antitrust Litigation, 2001 WL 1049433 (D.D.C. 6/20/01)
II. U.S. Courts (c’t’d) – Five-Factor Balancing Test
E.g., Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 5/25/07) citing . . .
Restatement (3d) of Foreign Relations Law § 442(1)(a) as to . . .
• 1) Importance to litigation
• 2) Degree of specificity of request
• 3) Whether information originated in U.S.
• 4) Availability of alternative means
• 5) Weigh extent to which:
non-compliance would undermine important U.S. interests; AND
compliance would undermine important foreign interest
III. Key Principles of Complying with European Privacy Law
EU, “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”
• Processing of Personal Data
• Transferring of Personal Data
• NOTE: Art. 26(1)(d) exception re: “transfer . . . necessary or legally required . . . for the establishment, exercise or defence of legal claims.”
• But see individual EU countries’ rules
III. Keys re: EU Laws Compliance (c’t’d)
Processing Personal Data
• Personal data -- potentially including email address -- is any data identifying a person
• Processing: any collection, storage, alteration, retrieval, or transmission of data – including copying information from one file to another
• Permitted only under limited circumstances . . . :
Unambiguous written consent of custodian
Necessary to comply with any legal obligation
III. Keys re: EU Laws Compliance (c’t’d)
Transferring Personal Data
• Satisfying “adequacy” requirement
Participation in the U.S. Dept. of Commerce U.S.-EU Safe Harbor Framework program OR . . . .
Model data protection agreements (Standard Contractual Clauses) or Binding Corporate Rules (BCR)
Exemption under Art. 26 (see above)
III. You Say Controller; I Say Processor . . .
Distinction has been murky
Pros/Cons . . .
Note:
• Cannot use an ad hoc contract to definitively designate/classify data recipient’s status as “controller” or “processor”
• “[D]etermining . . . actual status [must] be based on concrete circumstances.” EU Article 29, Opinion 1/2010 on the concepts of “controller” and “processor”, WP 169, 0264/10/EN (2/16/10)
III. You Say Controller; I Say Processor (c’t’d) . . .
What about law firm lawyers?
See WP 169, at p. 28 (.pdf p. 30):
III. EU (and Elsewhere) (c't'd)
Great compilations re: individual countries’ rules
• BakerHostetler, 2015 International Compendium of Data Privacy Laws (2/16/15)
• Baker & McKenzie, Global Privacy Handbook 2014
• DLA PIPER, DATA PROTECTION LAWS OF THE WORLD (incl. clickable map) (last visited 4/20/15)
• EU Agency for Fundamental Rights, Council of Europe & Registry of European Court of Human Rights, Handbook on European data protection law (1/27/14)
• TO LEARN MORE: this video of a live 10/24/12 panel discussion (re: eDiscovery/LIT re: EU, China, etc.)
III(A)(4). Implementation Keys – EU (c't'd)
Revised EU Directive, at p. 40 (.pdf p. 41) “adopted” January ’12 & targeted ’15 rollout
• BUT: still being hashed out
• Maybe final in ’16 & fully effective ’18 or ’19
• To keep abreast of status:
• EU “Data Protection”: Home | “Newsroom”
• Bird & Bird’s “EU Framework Revision” site
• TRUSTe, 2015 Privacy Insight Series, including these Cross-Border Data Transfer Strategies slides (3/26/15)
III. EU Data Protection Reform . . . (c’t’d)
“key changes”, per this ‘12 EU 2-pager:
• EU rules could apply to cos. not established in EU, if offer goods or services in EU or monitor online behavior of EU citizens
• Perhaps:
single set of rules valid across EU (a/k/a “one stop shop” per Mar ‘14 Memo)
single national data protection authority (DPA) w./ which each co. has to deal
III. EU Data Protection Reform . . . (c’t’d)
“key changes” (c’t’d)
• increased responsibility and accountability for those processing personal data.
• removal of unnecessary administrative burdens, such as notification requirements for companies processing personal data
• consent to be specific, not assumed
• right to be forgotten
• right of data portability
• right to refer all cases to home national DPA
See generally Ruth Boardman, Draft EU Data Protection Rules revealed (3/2/12)
III. EU Data Protection Reform . . . (c’t’d)
“Administrative Sanctions”
• maximums for various types of intentional or negligent non-compliance may be 5% of “annual worldwide turnover” (a/k/a “annual gross sales revenue”) or 100M euros (rather than 2% originally proposed)
EU, Mar ‘14 Memo
III. EU Data Protection Reform . . . (c’t’d)
Safe Harbor:
• U.S. lack of enforcement – and overall question of “adequate” protection increasingly slammed in wake of Snowden revelations
• EPIC, European Court of Justice Hears Case Challenging "Safe Harbor" Agreement and NSA Spying (3/24/15) (decision expected by Fall ‘15)
III. EU Overview – Day-to-day “Cloud” (c't'd)
International Issues re: day-to-day data flow from EU (and/or other) countries to U.S.:
• 1) systems’ configuration;
• 2) Data Protection Authorities (DPA’s); and
• 3) Safe Harbor?
See, e.g., Long, McNicholas & Chabinsky, Data Privacy Compliance in Global Transacs., at 32-33, Strafford (3/5/14)
III. Cloud Issues (c't'd)
Centralized vs. ad hoc in, e.g., Dropbox
Bargaining power, including re: LIT holds?
Sync schedules if can [FRCP 37(e)], as to:
active/ live data?
backed-up data?
Possession/custody/control?
Severability?
Mirroring & whether can know location
III. Cloud Issues (c't'd)
For U.S. Cloud decisions, etc. see:
• Brown v. Tellermate Holdings, 2014 WL 2987051 (N.D. Ohio 7/1/14) (party’s obligations re: Salesforce data)
• Robert Keeling, How To Avoid Discovery Problems While Using The Cloud, Law360 (3/7/14)
• FTC v. First Universal Lending, LLC, 2011 WL 673879 (S.D. Fla. 2/7/11) (addressing Salesforce in passing)
IV. Top Ten Tips for Avoiding Pitfalls (in chron. order)
1. Develop general plan/protocol, including flagging issue in checklist(s)
2. Develop plan/protocol for each country
3. Consult foreign counsel
• referrals available from presenter on request
4. Get IT/InfoSec/Cloud house in order
5. If apt, get BCR and/or contracts in place
IV. Top 10 Tips (c’t’d)
6. Start planning as soon as LIT-Hold issue arises (re: incident-response, investigation, gov’t inquiry, suit, etc.)
7. Discuss key issues with client, incl. pre-existing process & getting consent
8. Alert opp. counsel (& judge in 1st CMC)
• Ex: DaSilva Moore v. Publicis, No. 11-cv-1279 (S.D.N.Y.):
Opinion and Order, at 7, 8 (4/8/12)
Hearing Transcript, at 33, 35 (2/8/12)
9. Retain local/foreign counsel?
10. Cull/review/anonymize “in country” and then transfer/handle subset properly (encryption, etc.)
Conclusion/Questions
Let’s be careful out there . . .
Q&A
Robert D. Brownstone
• Blog (“IT Law Today”)
• Bio | Biblio (articles, press & speeches, Oh My!)
• Twitter ("@eDiscoveryGuru") | Facebook | LinkedIn | Google+
• 650.335.7912
Please visit F&W EIM, Privacy & LIT. Groups