Cross-Border eDiscovery

Clear Law

Webinar

April 23, 2015 © 2015

Robert D. Brownstone, Esq.

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.

THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.

THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.

EIM

GR

OU

P

© 2

Outline/ Agenda

I. The Landscape – U.S. is Unique

II. Practical Impacts on U.S. Litigation

III. Key Principles of Complying with European Privacy Laws . . .

IV. Top Ten Tips to Avoid Pitfalls (in chronological order) . . . .

V. CONCLUSION/Q&A

EIM

GR

OU

P

© 3

I. The Landscape – U.S. is Unique

FOUR KEY DIFFERENCES IN U.S.

• A. CIVIL DISCOVERY = BROAD

• B. EMPLOYEE PRIVACY = OXYMORON

• C. BREACH NOTICE DUTY = LIMITED

• D. A/C PRIVILEGE = BROADER

TO LEARN MORE:

• E. SOME Key Resources

EIM

GR

OU

P

© 4

I. Landscape – The U.S. is Unique (c’t’d)

FOUR KEY DIFFERENCES IN U.S.

A. DISCOVERY in U.S. civil lit. = broad

Contrast, e.g., the UK

proportionality important

But see Pippins v. KPMG, 279 F.R.D. 245 (S.D. N.Y. 2/3/12) and proposed amended FRCP 26 (at p. 104)

third party requests must ID specific documents/information

» See Edmund M. O’Toole and David N. Cinotti, E-Discovery in Cross-Border Lit.: Taking Int’l Comity Seriously, Int’l Dispute Resolution News 21 (Fall 2010), at .pdf pp. 1-2 & n. 19

EIM

GR

OU

P

© 5

I(A). Foreign Discovery Much Narrower (c’t’d)

General acknowledgment of difference . . .

Hague CONVENTION ON THE TAKING OF EVIDENCE ABROAD IN CIVIL OR COMMERCIAL MATTERS, Article 23 (3/18/70):

“A Contracting State may at the time of signature, ratification or accession, declare that it will not execute Letters of Request issued for the purpose of obtaining pre-trial discovery of documents as known in Common Law countries.”

See generally O’Toole & Cinotti, supra, slide 4

EIM

GR

OU

P

© 6

I(A). Foreign Discovery Much Narrower (c’t’d)

More re: explaining differences: • Thomas J, Shaw, Esq., aiim 2-part “Ediscovery in

Asia/Pacific” series (last visited 10/19/12):

U.S. Litigation Exposure for Asian Cos.

Litigation Readiness for Asian Cos.

• Hou Man, South Korea litigation guide, Shin & Kim (last visited 10/19/12)

• Houthoff Buruma, US e-discovery in the Netherlands (Nov. 2010) (helpful in general)

• Kap-You (Kevin) Kim, South Korea: Surviving U.S. Civil Litigation: Strategic Advice for Korean Companies, Bae Kim & Lee PC (10/29/06)

EIM

GR

OU

P

© 7

FOUR KEY DIFFERENCES IN U.S. (c’t’d)

• B. EMPLOYEE PRIVACY in U.S. can be readily taken away in advance re: all employees, per long-time case-law

Technology-Acceptable-Use-Policy (TAUP) can be, in large part a No-Employee-Expectation-of-Privacy-Policy (NoEEPP)

Legally defensible as long as in-trenches enforcement consistent with written policy

See generally Robert D. Brownstone, eWorkplace Privacy Materials, Nat’l. Employment Law Institute (NELI) (3/1/15)

I. Landscape – The U.S. is Unique (c’t’d)

EIM

GR

OU

P

© 8

FOUR KEY DIFFERENCES IN U.S. (c’t’d)

• B. EMPLOYEE PRIVACY (c’t’d)

In Europe, need individual consent typically (and it is difficult to obtain compliant consent, esp. with huge volumes of data)

Company-wide TAUP deemed coercive

But see In re Employer Access of Worker E-Mail, Berlin Lab. Ct.,

No. DB 2011, 1281-1282 (June 2011), discussed in Jabeen Bhatti, Scope of Ruling Giving German Firms Access To Worker E-Mail Is Unclear, Attorneys Say, PSLR (BNA 9/5/11) and here at p. 6

Bruno B. v. Giraud & Migot, No. (Cour de Cassation [France] 12/15/09); original/French version is here

I. Landscape – The U.S. is Unique (c’t’d)

EIM

GR

OU

P

© 9

I(B). Privacy Stronger Outside U.S. (c’t’d)

Examples • Europe (EU), incl.:

France Germany Italy UK

• Elsewhere: Brazil Canada Israel Switzerland Ukraine

EIM

GR

OU

P

© 10

FOUR KEY DIFFERENCES IN U.S. (c’t’d)

• C. DATA-BREACH NOTIFICATION LAWS in U.S. = more diffused, narrower in scope & often longer/vaguer deadlines

Compare 47+ U.S. States’ statutes with, e.g.,:

Chile

Germany

India

Korea

Mexico

Qatar

Russia

I. Landscape – The U.S. is Unique (c’t’d)

EIM

GR

OU

P

© 11

• D. ATTORNEY-CLIENT PRIVILEGE non-existent or more limited

• Ex: Does NOT apply to in-house counsel in EC investigations . . . .

• E.g., Akso Nobel Chemicals v. Commission, Case C-550/07 P (ECJ 9/14/10) (in context of competition law investigation, emails to & from co. officials not privileged)

• See generally Philip M. Berkowitz, The Attorney-Client Privilege and Advising Across Borders, NYLJ (11/29/13)

____________________________________________

I(C). INTRO – Data Breach Laws (c’t’d)

EIM

GR

OU

P

© 12

• Verizon, 2015 Data Breach Investigations Report (4/13/15)

• [U.S.] Nat’l Conf. of State Legislators (“NCSL”), Security Breach Notification Laws (1/12/15)

Sedona Conference®, International Principles on Discovery, Disclosure & Data Protection . . . (European Union Edition) Dec. 2011) (free registration required)

Brian Hengesbaugh, Data Privacy and Security Compliance Recent Legal Developments; Int’l Requirements, Strafford Webinar materials, at .pdf pp. 19-29 (11/3/11)

Huron, Cross-Border Discovery: Evolving Issues and Challenges (8/29/14)

I. INTRO (c’t’d) – E. Some Key Resources

EIM

GR

OU

P

©

II. Practical Impacts on U.S. Litigation

Common Scenarios

• Responding to discovery requests: Europe custodians (of U.S.-based co.)

• Issuing or responding to subpoenas involving European entities

• Opponent may invoke EU privacy laws to stonewall discovery responses

Potential impacts include increased costs and extra litigation delays

See generally Al Lindsay, U.S. LITIGATORS HIT BRICK WALL WITH EUROPEAN DISCOVERY, ALM DBR (6/2/14)

13

EIM

GR

OU

P

© 14

II. Impacts (c’t’d) – Location, Location, Location . . . .

It’s 2 AM; do you know where your data is? • Central server/network in EU? • Central server/network in US? • Foreign individual’s data on a server in

U.S.? Rock (int’l law) & hard place (ECPA)? Suzlon Energy Ltd. v. Sridhar [Microsoft], 671

F.3d 726, 2011 WL 4537843 (9th Cir. 10/3/11) (U.S.-stored Hotmail emails of foreign citizen)

IP address(es) from ISP’s? • Different views in EU and US

resources available from presenter on request • Compare In re Bittorrent Adult Film Order & Copyright Infringe-

ment Cases, Nos. 11-3995, 12-1147, et al. (E.D.N.Y. 5/1/12)

EIM

GR

OU

P

©

Potential big repercussions, esp. in France

Blocking statutes impose civil and/or criminal penalties . . .

• In re Avocat “Christopher X,” , Decision No. 7168, France Supreme Court (12/12/07)

French attorney working on a U.S. federal lawsuit prosecuted under French blocking statute for attempting to obtain information under false pretenses from member of board of French co. involved in purchase of U.S. insurer

II. Impacts (c’t’d)

15

EIM

GR

OU

P

©

More implications and case law . . .

• Pierre Grosdidier, The French blocking statute, the Hague Evidence Convention, and the case law: lessons for French parties responding to American discovery, 50 TEX. INT’L. L. J. F. 11 (9/15/14)

• Now on appeal: In re Warrant to Search... Microsoft, 2014 WL 1661004 (4/25/14) (criminal case; email data in Ireland), aff’d (S.D.N.Y. 8/12/14)

II. Impacts (c’t’d)

16

EIM

GR

OU

P

©

II. Impacts (c’t’d) – U.S. Courts Unsympathetic

AccessData Corp. v. ALSTE Techno-logies GmbH, 2010 WL 318477 (D. Utah 1/21/10)

Enquip Tech. Group, Inc. v. Tycon Technoglass, S.R.L., 2010 WL 53151 (Ohio App. 2 Dist. 1/8/10)

Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 5/29/07)

Gerling Global Reins. Corp. v. Low, 296 F.3d 832, 847 (9th Cir. 7/15/02)

In re Vitamins Antitrust Litigation, 2001 WL 1049433 (D.D.C. 6/20/01)

17

EIM

GR

OU

P

©

II. U.S. Courts (c’t’d) – Five- Factor Balancing Test

E.g., Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 5/25/07) citing . . .

Restatement (3d) of Foreign Relations Law § 442(1)(a) as to . . .

• 1) Importance to litigation

• 2) Degree of specificity of request

• 3) Whether information originated in U.S.

• 4) Availability of alternative means

• 5) Weigh extent to which:

non-compliance would undermine important U.S. interests; AND

compliance would undermine important foreign interest

18

EIM

GR

OU

P

©

III. Key Principles of Complying with European Privacy Law

EU, “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” • Processing of Personal Data

• Transferring of Personal Data

• NOTE: Art. 26(1)(d) exception re: “transfer . . . necessary or legally required . . . for the establishment, exercise or defence of legal claims.”

• But see individual EU countries’ rules 19

EIM

GR

OU

P

©

III. Keys re: EU Laws Compliance (c’t’d)

Processing Personal Data

• Personal data -- potentially including email address -- is any data identifying a person

• Processing: any collection, storage, alteration, retrieval, or transmission of data – including copying information from one file to another

• Permitted only under limited circumstances . . . :

Unambiguous written consent of custodian

Necessary to comply with any legal obligation 20

EIM

GR

OU

P

©

Transferring Personal Data

• Satisfying “adequacy” requirement

Participation in the U.S. Dept. of Commerce U.S.-EU Safe Harbor Framework program OR . . . .

Model data protection agreements (Standard Contractual Clauses) or Binding Corporate Rules (BCR)

Exemption under Art. 26 (see above)

III. Keys re: EU Laws Compliance (c’t’d)

21

EIM

GR

OU

P

©

III. You Say Controller; I Say Processor . . .

Distinction has been murky

Pros/Cons . . .

Note: • Cannot use an ad hoc contract to definitively

designate/classify data recipient’s status as “controller” or “processor”

• “[D]etermining . . . actual status [must] be based on concrete circumstances.” EU Article 29, Opinion 1/2010 on the

concepts of “controller” and “processor”, WP 169, 0264/10/EN (2/16/10)

22

EIM

GR

OU

P

©

III. You Say Controller; I Say Processor (c’t’d) . . .

What about law firm lawyers?

See WP 169, at p. 28 (.pdf p. 30):

23

EIM

GR

OU

P

©

Great compilations re: individual countries’ rules

• BakerHostetler, 2015 International Compendium of Data Privacy Laws (2/16/15)

• Baker & McKenzie, Global Privacy Handbook 2014

• DLA PIPER, DATA PROTECTION LAWS OF THE WORLD (incl. clickable map) (last visited 4/20/15)

• EU Agency for Fundamental Rights, Council of Europe & Registry of European Court of Human Rights, Handbook on European data protection law (1/27/14)

• TO LEARN MORE: this video of a live 10/24/12 panel discussion (re: eDiscovery/LIT re: EU, China, etc.)

III. EU (and Elsewhere) (c't'd)

24

EIM

GR

OU

P

©

Revised EU Directive, at p. 40 (.pdf p. 41) “adopted” January ’12 & targeted ’15 rollout

• BUT: still being hashed out

• Maybe final in ’16 & fully effective ’18 or ’19

• To keep abreast of status:

• EU “Data Protection”: Home | “Newsroom”

• Bird & Bird’s “EU Framework Revision” site

• TRUSTe, 2015 Privacy Insight Series, including these Cross-Border Data Transfer Strategies slides (3/26/15)

III(A)(4). Implementation Keys – EU (c't'd)

25

EIM

GR

OU

P

©

“key changes”, per this ‘12 EU 2-pager:

• EU rules could apply to cos. not established in EU, if offer goods or services in EU or monitor online behavior of EU citizens

• Perhaps:

single set of rules valid across EU (a/k/a “one stop shop” per Mar ‘14 Memo)

single national data protection authority (DPA) w./ which each co. has to deal

III. EU Data Protection Reform . . . (c’t’d)

26

EIM

GR

OU

P

©

III. EU Data Protection Reform . . . (c’t’d)

“key changes” (c’t’d)

• increased responsibility and accountability for those processing personal data.

• removal of unnecessary administrative burdens, such as notification requirements for companies processing personal data

• consent to be specific, not assumed

• right to be forgotten

• right of data portability

• right to refer all cases to home national DPA

See generally Ruth Boardman, Draft EU Data Protection Rules revealed (3/2/12)

27

EIM

GR

OU

P

©

III. EU Data Protection Reform . . . (c’t’d)

“Administrative Sanctions”

• maximums for various types of intentional or negligent non-compliance may be 5% of “annual worldwide turnover” (a/k/a “annual gross sales revenue”) or 100M euros rather than 2% originally proposed)

EU, Mar ‘14 Memo

28

EIM

GR

OU

P

©

III. EU Data Protection Reform . . . (c’t’d)

Safe Harbor:

• U.S. lack of enforcement – and overall question of “adequate” protection increasingly slammed in wake of Snowden revelations

• EPIC, European Court of Justice Hears Case Challenging "Safe Harbor" Agreement and NSA Spying (3/24/15) (decision expected by Fall ‘15)

29

EIM

GR

OU

P

©

International Issues re: day-to-day data flow

from EU (and/or other) countries to U.S.:

• 1) systems’ configuration;

• 2) Data Protection Authorities (DPA’s); and

• 3) Safe Harbor?

See, e.g., Long, McNicholas & Chabinsky, Data Privacy

Compliance in Global Transacs., at 32-33, Strafford (3/5/14)

III. EU Overview – Day-to-day “Cloud” (c't'd)

30

EIM

GR

OU

P

© 31

III. Cloud Issues (c't'd)

Centralized vs. ad hoc in, e.g., Dropbox

Bargaining power, including re: LIT holds?

Sync schedules if can [FRCP 37(e)], as to:

active/ live data?

backed-up data?

Possession/custody/control?

Severability?

Mirroring & whether can know location

EIM

GR

OU

P

© 32

For U.S. Cloud decisions, etc. see:

• Brown v. Tellermate Holdings, 2014 WL 2987051 (N.D. Ohio 7/1/14) (party’s obligations re: Salesforce data)

• Robert Keeling, How To Avoid Discovery Problems While Using The Cloud, Law360 (3/7/14)

• FTC v. First Universal Lending, LLC, 2011 WL 673879 (S.D. Fla. 2/7/11) (addressing Salesforce in passing)

III. Cloud Issues (c't'd)

EIM

GR

OU

P

©

IV. Top Ten Tips for Avoiding Pitfalls (in chron. order)

1. Develop general plan/protocol, including flagging issue in checklist(s)

2. Develop plan/protocol for each country

3. Consult foreign counsel

• referrals available from presenter on request

4. Get IT/InfoSec/Cloud house in order

5. If apt, get BCR and/or contracts in place

33

EIM

GR

OU

P

©

IV. Top 10 Tips (c’t’d)

6. Start planning as soon as LIT-Hold issue arises (re: incident-response, investigation, gov’t inquiry, suit, etc.)

7. Discuss key issues with client, incl. pre-existing process & getting consent

8. Alert opp. counsel (& judge in 1st CMC) • Ex: DaSilva Moore v. Publicis, No. 11-cv-1279 (S.D.N.Y.):

Opinion and Order, at 7, 8 (4/8/12) Hearing Transcript, at 33, 35 (2/8/12)

9. Retain local/foreign counsel? 10. Cull/review/anonymize “in country”

and then transfer/handle subset properly (encryption, etc.)

34

EIM

GR

OU

P

© 35

Conclusion/Questions Let’s be careful out there . . .

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.

THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.

THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.

Q&A

Robert D. Brownstone • Blog (“IT Law Today”)

• Bio | Biblio (articles, press & speeches, Oh My!)

• Twitter ("@eDiscoveryGuru") | Facebook | LinkedIn | Google+

• 650.335.7912 or rbrownstone@fenwick.com

Please visit F&W EIM, Privacy & LIT. Groups