ediscovery privacy concerns in north america and abroad alm counsel summit october 24, 2013
TRANSCRIPT
eDiscovery Privacy Concerns in North
America and Abroad
ALM Counsel SummitOctober 24, 2013
• 90% of the world’s data was created over the last two years.• As data created and stored online increases, discovery of
documents and electronic information is an increasingly important part of litigation and corporate transactions in the United States.
• General rule of thumb: if data relates to an identifiable person, then some privacy law might apply – not limited to custodian information
• Ongoing conflicts between privacy/data protection laws, both domestic and foreign, and discovery requirements
Data Privacy and e-Discovery
Domestic Privacy Laws
• Increasing number of US data privacy laws and increased focus on privacy issues by regulators
• Approximately 25 federal laws and regulations that involve privacy and employee or customer information
• Overwhelming majority of states have passed regulations related to privacy– Social media access in employment
• Key regulations include:– HIPAA/High Tech Act (medical information)– Stored Communications Act (information stored by third
parties, social media)– Gramm-Leach-Bliley (financial information)
• Problems with foreign discovery are driven by fundamental differences in legal systems and privacy/data protection laws• Differing notions of “privacy” (fundamental right v.
industry specific)• Differing notions of “discovery” (common law jurisdictions
vs. EU)
• U.S. courts are frequently unfamiliar with, or are dismissive of foreign restrictions on cross-border discovery
International Data Protection
Cross-Border Regulations
E.U. Data Protection Directive (95/46) – States should implement laws to restrict all manner of
“processing” of “personal data” – Prohibits transfer of personal data outside the E.U.
• Exception: the country to which it is transferred provides “adequate protection” of personal data (E.U. Directive Article 25)
– Countries who meet the E.U. “Adequate Protection” standard
• Canada• Argentina• Switzerland • Israel
Personal Data
• Broad Definition of “Personal Data” under the EU Data Protection Directive: • Any information that can be used directly or
indirectly to identify and individual (e.g., the name of the sender or recipient(s) of an email.
Additional EU Directive Terms
• “Data Subject” is usually an individual and sometimes an employee of a “Data Controller/Employer. However in Italy, a corporate entity can be a Data Subject as well
• “Data Processing” is any Handling of Personal Data outside the normal use– Preservation (litigation hold) may be considered
processing if it involves manipulation of data, such as moving data to a secure server or even preserving in place
EU Data Protection Directive
Rule: Any transfer of personal data to a third party requires justification and – in case of countries outside EEA – additional safeguards
Statutory Exceptions (Derogations):– “Transfer necessary to safeguard legitimate interests of
parties to litigation and no overriding interests of affected individuals”
– “Transfer necessary for exercise or defence of legal claims in court”
– Transmission may require notification/permission of local Data Protection Agencies
New EU Data Protection Regulation
• Adopted by EU Commission on 1/25/12• Must be ratified by Council of Europe and European
Parliament – 2 to 3 year process• Objectives: greater uniformity of data protection
efforts among EU member states; and centralization of authority (“one stop shop”) for data protection issues for multinational corporations
Article 29 Working Party
• Group established by the 1995 Data Protection Directive
• Has engaged with Sedona Conference• In 2009 issued Working Document on pre-Trial
Discovery (WP158)• Fairly conservative analysis of the subject• But conceded that transfers of personal data to the US
for litigation purposes were permissible subject to safeguards including:• Assessment of relevance should be carried out in EU• Only data actually necessary for claims or defenses should
be transferred Page 10
The Sedona Conference
• Framework for Analysis of Cross-border Discovery Conflicts published 2008
• International Principles and Best Practices on Discovery, Disclosure & Data Protection published December 2011
• Has encouraged a dialogue between EU regulators and the US judiciary, with high-level input on both sides
• Fundamental principles are that personal data should be restricted to the level necessary to resolve the issues in the case, and that further disclosure should be subject to the terms of a protective order
Page 11
Latin American Privacy Laws
• Based on Constitutional Right of “Habeas Data” (i.e.,“You have the Data”):– Brazil – 1988– Paraguay– Peru– Argentina– Costa Rica– Mexico
Evolution of International Privacy Law
Region Adopted/Considering Summary
Mexico Released draft privacy regulations that work with existing data protection law
• Applies to controllers handling “sensitive personal data”
• Restricts int’l transfer
Russia Amended privacy law, “On personal data”
• Strict privacy stance • Permits uninhibited transfer to EU• Empowers a special agency to
determine data security adequacy
China Released “Provisions on the Administration of Internet Information Services”
• Framed around “Internet Information Service Providers” (IISPs)
• Restricts IISP’s conduct in various ways
Global E-Discovery
Country Summary and recent developments
Hong Kong (Common Law)
• Special Administrative Region (SAR) • Uses traditional English discovery law• Hong Kong International Arbitration Center
China (Civil Law)
• Transferring state secrets out of country is strictly protected
Singapore (Common Law)
• Have passed an “opt-in” e-discovery system, but seldom used in litigation• No dedicated data protection or privacy legislation, though some is currently
being discussed• Singapore International Arbitration Centre
South Korea • Blocking Statute that applies to cross-border transfers for purpose of foreign litigation
Japan (Civil Law)
• Japan Privacy Act permits the conditional transfer of personal information from a corporate entity to a third party; e-discovery still evolving
Global E-Discovery
Country Law SummaryCanada Ontario Rules of Civil
Procedure• Directly calls counsel to implement
discovery plan that incorporates how to handle production of ESI
• Makes an explicit call for cooperation and meet and confer
• Requires counsel to confer with the Sedona Canada Principles
Australia Practice Note CM 6 • Courts may order electronic format production where “the use of technology… will help facilitate the quick, inexpensive and efficient resolution of the matter”
• Pre-discovery and pre-trial checklists; places an expectation on counsel that they have considered the issues in the list, and are in a position to inform the court on how they will be addressed
Aerospatial Comity Analysis
• (1) the importance to the . . . litigation of the documents or other information requested
• (2) the degree of specificity of the request• (3) whether the information originated in the United States• (4) the availability of alternative means of securing the
information• (5) the extent to which noncompliance with the request
would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located
Data Protection, Privacy, Cross-Border Page 16
Restatement (Third) of Foreign Relations Law of the United States
The Components
Data Protection, Privacy, Cross-Border Page 17
v
Restatement (Third) of Foreign Relations Law of the United States
+
Aerospatiale
Article 29 of EU Directive 95/46/EC
+
Individual State implementations
Whoever heard of limiting the scope of Discovery?
Data Protection, Privacy, Cross-Border Page 18
Discovery limited in scope=
Intelligent appraisal of issues – what do we really need?+
Protective Order+
Technology to identify and filter quickly
A Changing Climate?
Data Protection, Privacy, Cross-Border Page 19
• EU Draft General Data Protection Regulation will tighten rules
• ABA Report and Resolution 103
• Sedona Conference – International Principles on Discovery, Disclosure & Data Protection
• Respect, good faith, reasonableness, protective order, discovery limited in scope, compliance with Data Protection obligations
Practice Points
• Loop in counsel/data privacy experts early!• Know where is your data is located.
• Are any international issues implicated? • Can anyone in the US access the data for routine business matters?
• Know what is included in your data. • Which databases at your company include potentially private information?• Remember your clients’ data as well as your employees’ data.
• Know the the applicable privacy laws and/or blocking statutes.• For international cases, think outside the box.
• What kind of collection can you do – Forensic? Targeted?• Can you process in country?• Can you review for responsiveness in country?• Can you use a TAR technology to get to the relevant information sooner?
Data Protection, Privacy, Cross-Border Page 20
Questions?
Page 21