2014: Winter Issue

Home – U.S. E-Discovery Concepts Collide With International Privacy Policies

U.S. E-Discovery Concepts Collide With International Privacy Policies

It's not unusual for a company to be involved in litigation where it is based in one country, its servers are in another country, the relevant subsidiary is in yet another, and its employees--all of whom are collaborating on that server--are in 10 other countries. As global companies work with data across borders, and therefore across various sets of privacy laws, electronic discovery has become an expensive, complex and evolving area of the law internationally.


This was the subject of a May 1, 2012, Webinar titled International eDiscovery: When Cyber Workspaces Collide with U.S. Litigation, produced by Fulbright & Jaworski, featuring one of the firm's partners Lana K. Varney and Bayer Corporation Senior Counsel John G. Unice. The program, moderated by Fulbright & Jaworski partner Ronn B. Kreps was part of the "Fulbright Forum" series.

Paradigm shift

Varney called out the "significant paradigm shift" of companies increasingly migrating to global IT architectures. No longer is there a focus on the physical location of servers, she said, a decision which is based on business considerations.  Global companies are moving toward a single IT department that can be in any country, which also means other business processes--such as auditing, payroll, HR, benefits management and supply chain management--can be outsourced to anywhere in the world and linked via these networks, Varney said.


Bayer Corporation's Unice added that with the growth of international data structures, as well as the volume of electronically stored information, or ESI, that is being generated with new forms of social media and collaborative tools, "We have seen increasingly complex strategies for data storage, data retention and also production of data throughout the world in U.S. litigation." Unice said there is a growing prevalence of discovery requests for ESI physically located on servers outside the U.S., or for data created by employees who work for U.S. companies but reside outside the country. 


Cost is a big factor

Collecting all of this data is expensive, a fact not lost on plaintiff attorneys. "In U.S. litigation the plaintiffs' bar is expected to frequently seek this type of information, using it as a means to secure evidence production. Often, companies are forced to invest a lot of time, resources and cost on data collection, retention and production," Unice said. "This can be a very costly tool for companies involved in U.S. litigation."


Kreps posed the question: Although there is new regulatory guidance on international collaborative platforms, how are courts dealing with "custody and control"--viewed by some as an antiquated concept--and does that collide with data protection laws around the world?


Varney explained that U.S. courts have the authority to order the production of data even if it is located outside the U.S. and subject to rules of other countries, when the proper proof of need is made by the requestor. The U.S. Supreme Court has held that both the Federal Rule of Civil Procedure 26 and The Hague Convention are tools that can be used in this process, together or separately, citing Societe Nationale Aerospatiale v. U.S. Dist. Court for the S. Dist. of Iowa, 482 U.S. 522 (1987). Courts look to which will be most successful in each case, Varney said. 


Who is in control?

Most existing case law focuses on the custody and control issue, she continued.  Courts examine who actually has the data and their ability to bring it to the United States, Varney said, a question that often centers on whether the parent company has the most control over subsidiaries or affiliates.  


Although the landscape is changing, Kreps said judges still look at custody and control as one of the main factors. Varney added that these evaluations are case specific, and parties trying to protect data must provide evidence proving the data are not within their reach.  Some courts and commentators say custody and control are really passé concepts, and that the real issue is privacy--a subject where the policies of the U.S. are "diametrically opposed" to those in the rest of the world, Varney explained. 


She said U.S. laws developed through statutes and case law essentially hold that employees have no expectation of privacy in the workplace--their information is discoverable when it is deemed relevant. The opposite is true in the rest of the world where information--and privacy--belongs to its creator, she said, and in some countries that includes email. All of this is based on the belief in many countries that the right to control personal data is a human right.


Most countries now have data protection laws and as data become more public the definition of personal data has broadened. Now we see it applying to all data created in the workplace on company gadgets, Varney said, and these laws apply to that data internationally.


Privacy in Europe

Varney said that in 1997 the European Union adopted seven principles whereby the creator of user-generated content, or UGC, has a right to receive notice of a data request, that the request must have a purpose, that the user must give consent, that security protections must be in place, that disclosure has limits, that the user has access to the data in order to make any corrections, and that there is accountability.  E.U. member states were required to pass laws to ensure privacy protections, and all 27 countries did it differently. Most said you cannot transfer data out of their country to another country unless there are adequate protections, Varney explained. 


In most of the E.U. states there are only three countries found to have adequate protections, and the U.S. is not one of them, Varney said. Most countries created safe harbors, she explained, whereby a company can certify or pledge that they will follow these principals in the U.S., activity that is coordinated through the U.S. Federal Trade Commission. When that happens, Varney said a safe harbor is established and the data can be transferred.


In other parts of world, Bayer Corporation's Unice said countries have variations on the same theme. India, for example, requires that the generator of the information must know it is being provided, that the purpose for the data must be lawful, that the provider must give consent, that the provider must be allow to review data and correct inaccuracies, and that the data may be retained only as long as required.


Varney noted that in the case of countries like those in Asia that are not signatories to The Hague Convention, many courts are focusing their opinions on the use of Federal Rules of Civil Procedure Rule 26.


From directives to regulations

The E.U. is moving from a directive to a more regulatory landscape to gain consistency, Kreps said. The proposed regulation is very broad and would have extraterritorial application. For example, he said, if the ESI is generated in a member country and transferred out, the law will still apply even if the data are outside of the E.U. The rules would apply to companies with as few as 250 employees and would require appointing a data protection officer in the country of data origination, Kreps said, calling this a significant shift.


Varney said one of the goals of shifting to a regulation is to bring uniformity and clarity to the rules across the EU. The proposed regulations provide a broader definition of "personal data" and provide users a right to a copy of any of their personal data that is subject to production. Data processors would be subject to regulations and, maybe, it would make international transfer of data easier, she said. An important change, she pointed out, would be an increase in fines and sanctions when non-compliance with the regulations is found. Violators would be subject to fines of up to two percent of "global turnover." While "turnover" is commonly considered to be the European term for "revenue," the precise definition is this context is not yet clear.


Practice tips


1. Start now. Varney said the time to think about these issues is today, before litigation begins, to minimize the impact of e-discovery requests later on. Now is the time to develop a plan for litigation holds, data collection, review and production of ESI in the cross-border context.


2. Develop a data map. Pointing to a global initiative at Bayer, Unice favors the development of a company data map, a document that identifies where employees can create UCG and outlines the appropriate record systems. This must be a cross-department effort, involving a company's IT department, its records storage team, its legal department and business units. This type of organization will enable employees to store records properly--in compliance with corporate retention policies--so information can live out its life of disposition, perhaps with automatic retention and deletion when appropriate, Unice said. The more we push content toward these types of systems the easier it will be to collect information from them when future matters arise, he said.


3. Check for unnecessary transfers. At global organizations employees transfer within a company to countries with different ESI policies, Unice noted. Employees may not realize they cannot take everything with them, so companies must establish transfer policies, and balance what is required by law with what enables employees to work effectively, he said.


4.  Know the law of the land. Varney said that when moving to a global IT department, it is important to check the law of the land where the data are going to reside. For example, she cautioned, make sure the data can come back. 


5. Connect with the authorities. Maintain open communication channels with the local data privacy authority, Varney said.


6.  Work with adversaries. Think about how you structure discovery with opposing counsel so the initial wave of discovery is on U.S.-based ESI. Then, if warranted, work out how global ESI is addressed, said Kreps, an advocate of reaching agreements with adversaries in the discovery of international ESI. "If we start very early to control the process through agreements, through limited discovery that the other side might agree to," Kreps said, "we can control both the cost and, ultimately, the damage that might be done by these broad ESI discovery requests."


7. The Sedona Conference. Varney encourages companies to turn to The Sedona Conference for best practices, international principles of disclosure and data protection.  Recommendations for addressing the preservation discovery of protected data, model orders, white papers and more can be found at www.thesedaonaconference.org.


Companies and social media

Kreps said many companies do not have restrictions on social media. In fact, he said restrictions on the use of social media on company- provided computers are decreasing in many companies because social media has become an accepted form of communication. This will become a major issue in litigation and discovery, he predicted.


Unice noted the proliferation of international collaboration sites being used by global companies. Some are platforms that reside behind firewalls on company servers (e.g., IBM Connections), others are company-hosted external websites (e.g., company Facebook® sites), and a third category comprises social media platforms hosted by third-parties on third-party servers (e.g., Yammer and Xing).  Unice said the goals are to connect employees, creating workspaces and establishing communities. Some companies are allowing more employee bloggers to discuss products, while others retain third-parties to write about their products and services.


Important questions need to be answered. Where will you host the data? Where will the server sit? If you have a social media platform in a country with stricter laws, U.S. courts may say "just go get it," no matter where the company might sit, Unice said. 


Day-to-day control

Kreps said courts will assess whether you had access to information on a day-to-day basis. Even if the data reside with an affiliate or sister company, whether you have access on a daily basis will be the court's focus in discovery of ESI, Kreps said. 


When adopting a collaborative system, it is important for a company to first learn what features exist for the retention and collection of data. For example, will the system allow for a litigation hold to be implemented efficiently? 


In the case of third-party sites, like Yammer and Xing, understand where the data are located and what happens to the data when your relationship ends, Unice said. Know who owns the data and who has authority to delete it.  Understand how open the sites are. For example, can employees invite people from outside the business to comment on the site? And do not forget the various countries' data protection laws when making these decisions, Varney added.


Risk mitigation strategies

Anticipate that discovery requests for data hosted on third-party platforms are going to come in, Varney advised. Have a data map so you know where the data are and flag any challenges you might face in collecting data.


All of this raises a new level of cost.  For example, in the international context you have additional translation expenses, Varney said, and there are not a lot of opinions on shifting the burden of the cost onto the requestor. "Courts are reluctant to go there," she said.  


Kreps said one way to reduce cost is to reduce the amount of data you are dealing with. For example, Unice said companies would be well served by helping employees understand what a corporate record actually is.  Employees need to know that while social media sites can be where corporate records are created, that is usually not where such records should be retained. Most of what employees create on these sites likely will not lead to the creation of corporate records, but if a document does become a corporate record it should be moved to the appropriate record storage location, Unice said. In the context of a litigation hold, he recommended that companies consider their social media tools and the related content because employees may not realize that there may be litigation-related data created on a social media platform, such as a wiki or blog.


To listen to the complete Webinar and download the presentation, visit the Fulbright & Jaworski website at http://www.fulbright.com/index.cfm?fuseaction=publications.detail&pub_id=5469&site_id=494&detail=yes.


 For more information about LexisNexis products and solutions, connect with us through our corporate site