International Restrictions on Releasing Personal Information

Similarly, countries hosting personal data that is the subject of litigation in the United States have rejected the interests of the United States in obtaining such personal data as part of its broad discovery process. In January 2008, the French Supreme Court upheld the criminal conviction of a French lawyer for violating a French statute criminalizing discovery within France by private parties for purposes of foreign litigation despite the fact that his actions were taken to comply with a request from a federal court in the United States. In re Advocat “Christopher X,” No. 07-83228 (Cour de Cassation Dec. 12, 2007) (English translation). The attorney was fined 10,000 Euros, or about $15,000 in U.S. dollars. In Lynondell-Citgo Refining, LP v. Petroleos de Venezuela,S.A., 2005 WL 1026461 (S.D.N.Y. 2005), the defendant corporation accepted an adverse inference instruction rather than turning over board minutes and related documents in violation of a Venezuelan blocking statute, which could have resulted in stiff criminal sanctions. Cross-border discovery is already a significant source of international legal conflicts. These conflicts are only expected to grow as electronically-stored information proliferates and the global marketplace expands. So, what can in-house counsel do to proactively address the risks inherent in cross-border discovery?

Ten Practical Steps
Corporations interested in mitigating their risks should consider the following actions:

One. Get the Right People and Policies in Place at the Company

To the extent not already in place, corporations should create a Chief Information Governance Officer position and develop a standing task force to proactively address data challenges. The CIGO and task force should: 1) Institute training programs to ensure that employees in the Legal, IT, Records Management, Corporate Compliance, and Human Resources departments are aware of the risks and complexities inherent in processing or transferring personal information; 2) Develop policies, procedures and processes, including safeguards against the unauthorized retransmission, onward transfer or modification of personal date that is processed and/or transferred, to address the challenges of complex, and varying data privacy and protection laws around the world; and 3) Institute compliance monitoring to confirm that employees are aware of and following those policies, procedures and processes.

Two. Use Knowledge of Relevant Laws and Risks

Corporations should take the data privacy regulations and blocking statutes (or lack thereof) of foreign jurisdictions into account in determining where their electronic information will be stored. In addition, they should ensure that people involved in e-discovery at the company know how their electronic information is created, stored and retrieved. Further, corporations should not retain personal information for any longer than required for legal and business reasons. Shorter retention periods will assist in reducing the amount of personal data in existence at the time any litigation hold is issued.

Three. Balance the Competing Risks

When involved in cases involving cross-border discovery, early in the case, corporations should analyze the risks of failing to produce in violation of a U.S. discovery order with the risks of transferring data out of a foreign country in violation of data privacy regulations and blocking statutes. All decisions concerning discovery of personal data should take this risk analysis into consideration.

Four. Engage in Discussions With Data Protection Officers in Foreign Countries

Data protection officers in the host country should be involved early in the case to provide guidance and to assist the parties in seeking protective orders to comply with EU and the host country's data protection regulations. In addition, early on, corporations should educate their opponents and the U.S. court on the relevant data privacy laws, including the additional time anticipated to work through the process in the foreign country.

Five. Consider Using the Hague Convention

Corporations should consider first resorting to the Hague Convention, through which a court in one nation requests assistance in obtaining relevant information from an authority in another nation. Some U.S. courts have held that parties must first utilize Hague Convention procedures. But it should be noted that the process for getting relief from the Hague Convention typically is very lengthy. In addition, a number of countries will not honor discovery requests through the Hague Convention from common law countries like the U.S., and some U.S. courts have refused to apply the Hague Convention.

Six. Craft Bulletproof Consents And Clear Notices of Usage

If workable, corporations seeking to process and/or transfer personal data should provide data holders with advance notice of the possibility that their personal data may be processed for litigation; and should have data subjects sign specific, unambiguous informed consents prior to the transfer of any personal data. In addition, data subjects should be provided with timely notice of the identity of any recipients of their data, the purposes for the processing, categories of data involved and a reminder of their rights, even where their data is being collected from a third party.

Seven. Hire Counsel and Vendors With Data Privacy Expertise

In cases involving cross-border discovery, the corporation should ensure that its counsel, as well as third parties hired to assist with document collection, review and production, have the expertise and experience necessary to best address the data privacy issues in the case. Corporations should hire vendors that are Safe Harbor-certified. Safe Harbor Certification creates the presumption of adequate data protection standards by signatory corporations. In addition, because specific data privacy laws can vary in significant ways from country to country (even between EU countries), the corporation hire should local counsel with data privacy expertise and good relationships with local data privacy protection officers. Corporations also may want to consider hiring an expert in the host country to independently analyze the relevance of any personal data subject to transfer.

Eight. Take Reasonable Steps to Protect Personal Data

Corporations should take precautions to “preserve the security of the data to protect it from accidental or unlawful destruction, loss and unauthorized disclosure or access.” This requirement applies to any and all parties that may handle the personal data ' from law firms and vendors to experts and court personnel. Corporations should require any third parties hired to assist with the collection, review and production of data to take steps to protect the integrity and security of personal data. Third parties handling personal data should collect and process personal data only for the specific reasons for which it was collected; maintain strict confidentiality; communicate only with specified individuals concerning the data; and comply with retention restrictions. Personal data should be retained only for as long as the action is pending.

Nine. Seek to Reduce the Scope of Personal Data

Disclosure of personal data should be limited to that which is objectively relevant in the case. Try to limit the personal data required to be produced through agreement with opposing counsel or through court order. Protective orders can be utilized to limit the discovery of personal information and/or to protect the privacy of personal information that is processed or transferred.

To the extent possible, redact personal information before it is transferred to the United States. If personal information cannot be redacted, then seek permission to anonymise (or pseudonymise) such information. Collect, process, and filter personal data while it is still in the host country. If possible, review information in the host country as well. Reducing the volume of personal data transferred and produced obviously reduces the risk. In addition, use a uniform confidentiality designation, such as “Confidential EU Data” to mark the personal data that is produced.

Ten. Participate in the Dialogue

Finally, interested corporations should participate in the dialogue with data protection authorities to develop workable global best practices. The Sedona Conference' has taking a strong leadership role in trying to develop a better international framework for resolving cross-border e-discovery issues. The Sedona Conference' International Working Group on Electronic Information Management, Discovery and Disclosure (WG6) has hosted conferences to address international data privacy and cross-border discovery challenges, and has published The Sedona Conference' Cross-Border Discovery Framework.

Other organizations, including the Defense Research Institute (“DRI”); the International Association of Privacy Professionals (“IAPP”); and the International Chamber of Commerce (“ICC”), also are actively involved in seeking a solution. Tremendous opportunities exist now for corporations to take an active role in shaping a solution to the challenges inherent in cross-border discovery.

In-house counsel interested in learning more about how to best protect their corporation from cross-border discovery sanctions should review the Working Document 1/2009 on Pre-Trial Discovery for Cross Border Civil Litigation (Working Paper 158) and The Sedona Conference' Cross-Border Discovery Framework, which provided the inspiration for some of the ideas listed above.

Conclusion

The complexity of cross-border discovery conflicts will increase as the global marketplace continues to expand and electronically stored information continues to proliferate. No solution currently exists to eliminate the risks. But if corporations take proactive steps, including the ones listed above, they can significantly reduce their risks.

M. James Daley and Laura Clark Fey of Daley & Fey LLP help their clients develop and implement solutions to a wide variety of global e-discovery, privacy and data protection challenges. Daley recently chaired The Sedona Conference's' International Programme on Cross-Border eDiscovery and Data Privacy, and was Co-Editor-in-Chief of The Sedona Conference' Cross-Border Discovery Framework. The authors may be reached at jdaley@daleyle gal.com and [email protected].

In June, data privacy experts from around the globe converged in Barcelona, Spain for The Sedona Conference's' International Programme on Cross-Border eDiscovery and Data Privacy. Participants, ranging from academics to data commissioners to judges to in-house and outside counsel from countries throughout North America, South America, Europe, Asia and Australia, gathered to dialogue on the legal, technology and cultural challenges posed by cross-border discovery conflicts. A wide variety of ideas were shared, but participants recognized that this international dilemma is not going to be solved overnight.

The challenge can be summarized as follows: With the globalization of business and the resultant flow of data across country borders, data sought in litigation, particularly litigation involving multinational corporations, increasingly includes personal information relating to employees, customers and/or clients that is located in foreign countries. A significant amount of that data is in the form of e-mails, which are recognized as personal data in most of the world other than the United States. The dilemma confronted by corporate counsel involved in such litigation is whether to disclose personal information located in foreign countries with laws that severely restrict the processing and transfer of personal data and risk being punished there with civil and/or criminal penalties; or to filter out the personal data and risk being sanctioned in the U.S. for incomplete responses to e-discovery requests.

U.S. courts have generally rejected the interests of countries with strict data privacy laws in shielding data located in their countries from discovery in U.S. proceedings. The Sedona Conference' Framework for Analysis of Cross-Border Discovery Conflicts: A Practical Guide to Navigating the Competing Current of International Data Privacy and e-Discovery (2008) (“The Sedona Conference' Cross-Border Discovery Framework”) at 17. For example, in Richmark Corp. v. Timber Falling Consultants , 959 F.2d 1468 (9th Cir. 1992), the Ninth Circuit upheld the lower court's sanction against a Chinese corporation for failure to comply with discovery orders despite the corporation's argument that disclosure of information would have subjected it to criminal prosecution in China under Chinese State Secrecy Laws. Sanctions for failure to comply with a U.S. discovery order can be significant ' including large monetary sanctions, witness preclusion and even dismissal.

Similarly, countries hosting personal data that is the subject of litigation in the United States have rejected the interests of the United States in obtaining such personal data as part of its broad discovery process. In January 2008, the French Supreme Court upheld the criminal conviction of a French lawyer for violating a French statute criminalizing discovery within France by private parties for purposes of foreign litigation despite the fact that his actions were taken to comply with a request from a federal court in the United States. In re Advocat “Christopher X,” No. 07-83228 (Cour de Cassation Dec. 12, 2007) (English translation). The attorney was fined 10,000 Euros, or about $15,000 in U.S. dollars. In Lynondell-Citgo Refining, LP v. Petroleos de Venezuela,S.A., 2005 WL 1026461 (S.D.N.Y. 2005), the defendant corporation accepted an adverse inference instruction rather than turning over board minutes and related documents in violation of a Venezuelan blocking statute, which could have resulted in stiff criminal sanctions. Cross-border discovery is already a significant source of international legal conflicts. These conflicts are only expected to grow as electronically-stored information proliferates and the global marketplace expands. So, what can in-house counsel do to proactively address the risks inherent in cross-border discovery?

Ten Practical Steps
Corporations interested in mitigating their risks should consider the following actions:

One. Get the Right People and Policies in Place at the Company

To the extent not already in place, corporations should create a Chief Information Governance Officer position and develop a standing task force to proactively address data challenges. The CIGO and task force should: 1) Institute training programs to ensure that employees in the Legal, IT, Records Management, Corporate Compliance, and Human Resources departments are aware of the risks and complexities inherent in processing or transferring personal information; 2) Develop policies, procedures and processes, including safeguards against the unauthorized retransmission, onward transfer or modification of personal date that is processed and/or transferred, to address the challenges of complex, and varying data privacy and protection laws around the world; and 3) Institute compliance monitoring to confirm that employees are aware of and following those policies, procedures and processes.

Two. Use Knowledge of Relevant Laws and Risks

Corporations should take the data privacy regulations and blocking statutes (or lack thereof) of foreign jurisdictions into account in determining where their electronic information will be stored. In addition, they should ensure that people involved in e-discovery at the company know how their electronic information is created, stored and retrieved. Further, corporations should not retain personal information for any longer than required for legal and business reasons. Shorter retention periods will assist in reducing the amount of personal data in existence at the time any litigation hold is issued.

Three. Balance the Competing Risks

When involved in cases involving cross-border discovery, early in the case, corporations should analyze the risks of failing to produce in violation of a U.S. discovery order with the risks of transferring data out of a foreign country in violation of data privacy regulations and blocking statutes. All decisions concerning discovery of personal data should take this risk analysis into consideration.

Four. Engage in Discussions With Data Protection Officers in Foreign Countries

Data protection officers in the host country should be involved early in the case to provide guidance and to assist the parties in seeking protective orders to comply with EU and the host country's data protection regulations. In addition, early on, corporations should educate their opponents and the U.S. court on the relevant data privacy laws, including the additional time anticipated to work through the process in the foreign country.

Five. Consider Using the Hague Convention

Corporations should consider first resorting to the Hague Convention, through which a court in one nation requests assistance in obtaining relevant information from an authority in another nation. Some U.S. courts have held that parties must first utilize Hague Convention procedures. But it should be noted that the process for getting relief from the Hague Convention typically is very lengthy. In addition, a number of countries will not honor discovery requests through the Hague Convention from common law countries like the U.S., and some U.S. courts have refused to apply the Hague Convention.

Six. Craft Bulletproof Consents And Clear Notices of Usage

If workable, corporations seeking to process and/or transfer personal data should provide data holders with advance notice of the possibility that their personal data may be processed for litigation; and should have data subjects sign specific, unambiguous informed consents prior to the transfer of any personal data. In addition, data subjects should be provided with timely notice of the identity of any recipients of their data, the purposes for the processing, categories of data involved and a reminder of their rights, even where their data is being collected from a third party.

Seven. Hire Counsel and Vendors With Data Privacy Expertise

In cases involving cross-border discovery, the corporation should ensure that its counsel, as well as third parties hired to assist with document collection, review and production, have the expertise and experience necessary to best address the data privacy issues in the case. Corporations should hire vendors that are Safe Harbor-certified. Safe Harbor Certification creates the presumption of adequate data protection standards by signatory corporations. In addition, because specific data privacy laws can vary in significant ways from country to country (even between EU countries), the corporation hire should local counsel with data privacy expertise and good relationships with local data privacy protection officers. Corporations also may want to consider hiring an expert in the host country to independently analyze the relevance of any personal data subject to transfer.

Eight. Take Reasonable Steps to Protect Personal Data

Corporations should take precautions to “preserve the security of the data to protect it from accidental or unlawful destruction, loss and unauthorized disclosure or access.” This requirement applies to any and all parties that may handle the personal data ' from law firms and vendors to experts and court personnel. Corporations should require any third parties hired to assist with the collection, review and production of data to take steps to protect the integrity and security of personal data. Third parties handling personal data should collect and process personal data only for the specific reasons for which it was collected; maintain strict confidentiality; communicate only with specified individuals concerning the data; and comply with retention restrictions. Personal data should be retained only for as long as the action is pending.

Nine. Seek to Reduce the Scope of Personal Data

Disclosure of personal data should be limited to that which is objectively relevant in the case. Try to limit the personal data required to be produced through agreement with opposing counsel or through court order. Protective orders can be utilized to limit the discovery of personal information and/or to protect the privacy of personal information that is processed or transferred.

To the extent possible, redact personal information before it is transferred to the United States. If personal information cannot be redacted, then seek permission to anonymise (or pseudonymise) such information. Collect, process, and filter personal data while it is still in the host country. If possible, review information in the host country as well. Reducing the volume of personal data transferred and produced obviously reduces the risk. In addition, use a uniform confidentiality designation, such as “Confidential EU Data” to mark the personal data that is produced.

Ten. Participate in the Dialogue

Finally, interested corporations should participate in the dialogue with data protection authorities to develop workable global best practices. The Sedona Conference' has taking a strong leadership role in trying to develop a better international framework for resolving cross-border e-discovery issues. The Sedona Conference' International Working Group on Electronic Information Management, Discovery and Disclosure (WG6) has hosted conferences to address international data privacy and cross-border discovery challenges, and has published The Sedona Conference' Cross-Border Discovery Framework.

Other organizations, including the Defense Research Institute (“DRI”); the International Association of Privacy Professionals (“IAPP”); and the International Chamber of Commerce (“ICC”), also are actively involved in seeking a solution. Tremendous opportunities exist now for corporations to take an active role in shaping a solution to the challenges inherent in cross-border discovery.

In-house counsel interested in learning more about how to best protect their corporation from cross-border discovery sanctions should review the Working Document 1/2009 on Pre-Trial Discovery for Cross Border Civil Litigation (Working Paper 158) and The Sedona Conference' Cross-Border Discovery Framework, which provided the inspiration for some of the ideas listed above.

Conclusion

The complexity of cross-border discovery conflicts will increase as the global marketplace continues to expand and electronically stored information continues to proliferate. No solution currently exists to eliminate the risks. But if corporations take proactive steps, including the ones listed above, they can significantly reduce their risks.

M. James Daley and Laura Clark Fey of Daley & Fey LLP help their clients develop and implement solutions to a wide variety of global e-discovery, privacy and data protection challenges. Daley recently chaired The Sedona Conference's' International Programme on Cross-Border eDiscovery and Data Privacy, and was Co-Editor-in-Chief of The Sedona Conference' Cross-Border Discovery Framework. The authors may be reached at jdaley@daleyle gal.com and [email protected].