eDiscovery Privacy Concerns in North America and Abroad ALM Counsel Summit October 24, 2013

Upload: lee-chapman

Post on 27-Dec-2015

Data Privacy and e-Discovery

• 90% of the world’s data was created over the last two years.

• As data created and stored online increases, discovery of documents and electronic information is an increasingly important part of litigation and corporate transactions in the United States.

• General rule of thumb: if data relates to an identifiable person, then some privacy law might apply – not limited to custodian information

• Ongoing conflicts between privacy/data protection laws, both domestic and foreign, and discovery requirements

Domestic Privacy Laws

• Increasing number of US data privacy laws and increased focus on privacy issues by regulators

• Approximately 25 federal laws and regulations that involve privacy and employee or customer information

• Overwhelming majority of states have passed regulations related to privacy
  – Social media access in employment

• Key regulations include:
  – HIPAA/HITECH Act (medical information)
  – Stored Communications Act (information stored by third parties, social media)
  – Gramm-Leach-Bliley (financial information)

International Data Protection

• Problems with foreign discovery are driven by fundamental differences in legal systems and privacy/data protection laws
  • Differing notions of “privacy” (fundamental right v. industry specific)
  • Differing notions of “discovery” (common law jurisdictions vs. EU)

• U.S. courts are frequently unfamiliar with, or are dismissive of foreign restrictions on cross-border discovery

Cross-Border Regulations

E.U. Data Protection Directive (95/46)

– States should implement laws to restrict all manner of “processing” of “personal data”

– Prohibits transfer of personal data outside the E.U.
  • Exception: the country to which it is transferred provides “adequate protection” of personal data (E.U. Directive Article 25)

– Countries who meet the E.U. “Adequate Protection” standard
  • Canada
  • Argentina
  • Switzerland
  • Israel

Personal Data

• Broad Definition of “Personal Data” under the EU Data Protection Directive:
  • Any information that can be used directly or indirectly to identify an individual (e.g., the name of the sender or recipient(s) of an email).

Additional EU Directive Terms

• “Data Subject” is usually an individual and sometimes an employee of a “Data Controller”/Employer. However, in Italy, a corporate entity can be a Data Subject as well

• “Data Processing” is any handling of Personal Data outside the normal use
  – Preservation (litigation hold) may be considered processing if it involves manipulation of data, such as moving data to a secure server or even preserving in place

EU Data Protection Directive

Rule: Any transfer of personal data to a third party requires justification and – in case of countries outside EEA – additional safeguards

Statutory Exceptions (Derogations):

– “Transfer necessary to safeguard legitimate interests of parties to litigation and no overriding interests of affected individuals”

– “Transfer necessary for exercise or defence of legal claims in court”

– Transmission may require notification/permission of local Data Protection Agencies

New EU Data Protection Regulation

• Adopted by EU Commission on 1/25/12

• Must be ratified by Council of Europe and European Parliament – 2 to 3 year process

• Objectives: greater uniformity of data protection efforts among EU member states; and centralization of authority (“one stop shop”) for data protection issues for multinational corporations

Article 29 Working Party

• Group established by the 1995 Data Protection Directive

• Has engaged with Sedona Conference

• In 2009 issued Working Document on pre-Trial Discovery (WP158)

• Fairly conservative analysis of the subject

• But conceded that transfers of personal data to the US for litigation purposes were permissible subject to safeguards including:
  • Assessment of relevance should be carried out in EU
  • Only data actually necessary for claims or defenses should be transferred

The Sedona Conference

• Framework for Analysis of Cross-border Discovery Conflicts published 2008

• International Principles and Best Practices on Discovery, Disclosure & Data Protection published December 2011

• Has encouraged a dialogue between EU regulators and the US judiciary, with high-level input on both sides

• Fundamental principles are that personal data should be restricted to the level necessary to resolve the issues in the case, and that further disclosure should be subject to the terms of a protective order

Latin American Privacy Laws

• Based on Constitutional Right of “Habeas Data” (i.e., “You have the Data”):
  – Brazil – 1988
  – Paraguay
  – Peru
  – Argentina
  – Costa Rica
  – Mexico

Evolution of International Privacy Law

Region: Mexico
Adopted/Considering: Released draft privacy regulations that work with existing data protection law
Summary:
• Applies to controllers handling “sensitive personal data”
• Restricts int’l transfer

Region: Russia
Adopted/Considering: Amended privacy law, “On personal data”
Summary:
• Strict privacy stance
• Permits uninhibited transfer to EU
• Empowers a special agency to determine data security adequacy

Region: China
Adopted/Considering: Released “Provisions on the Administration of Internet Information Services”
Summary:
• Framed around “Internet Information Service Providers” (IISPs)
• Restricts IISP’s conduct in various ways

Global E-Discovery

Country: Hong Kong (Common Law)
Summary and recent developments:
• Special Administrative Region (SAR)
• Uses traditional English discovery law
• Hong Kong International Arbitration Center

Country: China (Civil Law)
Summary and recent developments:
• Transferring state secrets out of country is strictly protected

Country: Singapore (Common Law)
Summary and recent developments:
• Have passed an “opt-in” e-discovery system, but seldom used in litigation
• No dedicated data protection or privacy legislation, though some is currently being discussed
• Singapore International Arbitration Centre

Country: South Korea
Summary and recent developments:
• Blocking Statute that applies to cross-border transfers for purpose of foreign litigation

Country: Japan (Civil Law)
Summary and recent developments:
• Japan Privacy Act permits the conditional transfer of personal information from a corporate entity to a third party; e-discovery still evolving

Global E-Discovery

Country: Canada
Law: Ontario Rules of Civil Procedure
Summary:
• Directly calls counsel to implement discovery plan that incorporates how to handle production of ESI
• Makes an explicit call for cooperation and meet and confer
• Requires counsel to confer with the Sedona Canada Principles

Country: Australia
Law: Practice Note CM 6
Summary:
• Courts may order electronic format production where “the use of technology… will help facilitate the quick, inexpensive and efficient resolution of the matter”
• Pre-discovery and pre-trial checklists; places an expectation on counsel that they have considered the issues in the list, and are in a position to inform the court on how they will be addressed

Aerospatiale Comity Analysis

• (1) the importance to the . . . litigation of the documents or other information requested

• (2) the degree of specificity of the request

• (3) whether the information originated in the United States

• (4) the availability of alternative means of securing the information

• (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located

Data Protection, Privacy, Cross-Border Page 16

Restatement (Third) of Foreign Relations Law of the United States

The Components

Restatement (Third) of Foreign Relations Law of the United States + Aerospatiale

v

Article 29 of EU Directive 95/46/EC + Individual State implementations

Whoever heard of limiting the scope of Discovery?

Discovery limited in scope = Intelligent appraisal of issues (what do we really need?) + Protective Order + Technology to identify and filter quickly

A Changing Climate?

• EU Draft General Data Protection Regulation will tighten rules

• ABA Report and Resolution 103

• Sedona Conference – International Principles on Discovery, Disclosure & Data Protection

• Respect, good faith, reasonableness, protective order, discovery limited in scope, compliance with Data Protection obligations

Practice Points

• Loop in counsel/data privacy experts early!

• Know where your data is located.
  • Are any international issues implicated?
  • Can anyone in the US access the data for routine business matters?

• Know what is included in your data.
  • Which databases at your company include potentially private information?
  • Remember your clients’ data as well as your employees’ data.

• Know the applicable privacy laws and/or blocking statutes.

• For international cases, think outside the box.
  • What kind of collection can you do – Forensic? Targeted?
  • Can you process in country?
  • Can you review for responsiveness in country?
  • Can you use a TAR technology to get to the relevant information sooner?

Questions?
