In 2001 prior to the e-discovery explosion I had the opportunity to take an international law class covering the law of the sea, piracy, Antarctica and other global legal considerations with Professor Chris Joyner, Director of International Law and Politics at Georgetown University. Professor Joyner's final exam included an essay question that asked the class to compare and contrast domestic law and international law in the context of wrestling. Domestic law with its executive powers of enforcement was most similar to Olympic wrestling. The rules are well defined, clearly adopted and those who break the rules understand the punishment. Alternatively, professional wrestling with its lack of centralized power and weak enforcement often leads participants to loosely partner until the rules no longer suit them. When the battle at hand becomes a test of survival or victory, the laws, treaties and loose agreements tend to crumble. Similar situations are occurring with regard to international data protection, privacy and disclosure worldwide, especially when U.S. litigants are involved.
Nowhere is this example more prominent than in the case of In re Advocat "Christopher X." As has been well documented by The Sedona Conference® and others, the defendant in the case, Credit Lyonnais, argued that it would be in violation of French law to execute a discovery request. The U.S. courts found French courts had historically not enforced blocking statutes and chose to order the discovery assuming that the French would not enforce their laws. Christopher X entered the ring of international e-discovery and quickly became the center of an elaborate spectacle that put U.S. discovery laws at odds with French data privacy and protection laws. Suddenly legal wrangling about data privacy and protection had become more than just a show. Real criminal charges had been filed, and the reality that a workable and practical way forward was necessary became ever more apparent.
The Sedona Conference® recently endeavored to help clarify this ongoing international conflict by hosting an event focused on Cross-Border e-Discovery, e-Disclosure and Data Privacy Conflicts in Barcelona, Spain. This conference featured two days of blue-ribbon panel discussions and dialogue that included a number of international data privacy commissioners, judges and attorneys. In addition, this event saw the launch of the latest Sedona publication. The Sedona International Overview on E-Discovery, Data Privacy and Disclosure Requirements was released to the Sedona membership and will be available for public comment in July.
The Sedona Overview of International E-Discovery, Data Privacy and Disclosure Requirements is a project of The Sedona Conference® Working Group on International Electronic Information Management, Discovery and Disclosure (WG6). Sedona's working groups are designed to bring together some of the world's leading attorneys, privacy and compliance officers, technical consultants, records managers, academics and jurists to address current problems in the areas of law. Over 60 of the world's leading experts in e-disclosure, data privacy and discovery collaborated to complete The International Overview over the course of the past two years.
This International Overview takes the form of a survey response with 21 questions organized by jurisdiction to provide a quick reference for legal and IT professionals seeking to understand the complex balance between data privacy and disclosure. For each of the 13 jurisdictions a primary contributor and one to two secondary contributors worked to deliver an overview of the current state of affairs within their home country.
A hallmark of Sedona Conference events is dialogue. Sedona founder Richard Brahman typically opens each event with a call for dialogue rather than debate. To further this effort The International Overview will also be available in wiki format. The entire survey will be available online and as a hard copy document for the public comment phase of the project. Through the wiki, which will be open to the public in July, anyone in the world will be able to add their voice to the dialogue that is occurring around international e-discovery. Refer to www.thesedonaconference.net for launch details.
This global dialogue needs to occur and this project combined with the work of The Article 29 Working Party and others will help move the discussion forward in a just and practical way. Our collective worldwide ability to create information has outpaced the current ability of the legal system to address the issues of cross-border data protection, disclosure and privacy. As a result, multinational organizations operating in all corners of the globe are being forced to deal with these issues on a case-by-case, country-by-country basis. These organizations, like Christopher X, have stepped into the metaphorical wrestling ring unsure if they are playing by Olympic rules or if they are entering the arena of professional wrestling where almost anything goes and just enforcement is rare.
Symantec took a leadership role in The International Overview Project and sponsored the Working Group Six conference in Barcelona because the issues this group seeks to address are the same issues facing technology leaders worldwide. For example, the technology exists to make data stored in France easily searchable from the U.S. As a result, corporate IT leaders are forced to make practical, day-to-day decisions about where data is stored, for how long, and who has access to it without clear legal guidance. While clear guidance on cross-border discovery for multinationals may be years away, legal departments have an obligation to work closely with IT to understand the technology currently in place and available to them. Resources available today that help frame this discussion include The European Union Article 29 Data Protection Working Party, Working Document and The Sedona Conference® publication titled Framework for Analysis of Cross-Border Discovery Conflicts.
Some technologies exist that make managing the information in question more efficient. Archiving technologies have been deployed worldwide to reduce the cost of storing content such as email, files, SharePoint data, instant messages and other types of unstructured information. Through de-duplication, compression and storage management functions organizations can lower the costs of long-term information management and, if necessary, disclosure. Archiving technologies may also help organizations navigate the difficult terrain of cross-border discovery even though there are many questions still left unanswered. The Working Party's opinion paper offers practical suggestions that organizations can incorporate into their information management, internal investigation and discovery processes. For example, using an archiving platform such as Symantec's Enterprise Vault, organizations may set data retention schedules in compliance with local laws to ensure that information is not kept longer than reasonably necessary. The industry term "archiving" naturally conjures up thoughts of retention, preservation and long-term data storage. While true, it is important to note that archiving technology also includes the ability to delete or expire information according to policy. This capability is critical when working to support European data privacy and protection policies that require data expiration.
Where a legal hold is triggered by U.S. litigation and complies with the Data Protection Directive, information can quickly and easily be put on hold in the country in which it is located without copying or moving that data. Later the organization can then filter only the information most relevant to the litigation from a larger data set. This filtering process may be carried out in the country in which the data is located by a local reviewer. In addition, personal data may be identified in-country for purposes of redaction. All of this results in the ability to provide a narrowly tailored set of data, balancing the interests of the parties as suggested by the Working Party's recent guidance.
Classification is another technology that IT and legal professionals can investigate to help address immediate data retention, privacy and disclosure concerns. Users or administrators can create classification policies or retention folders that allow end-users to segregate personal information from business information. Information that has been categorized can then be retained according to the appropriate policy. Later, if there is a collection, disclosure or legal hold requirement, organizations can leverage their archive repository as the centralized source for discovery and disclosure. Rather than subject individual data custodians to overly broad collection methodologies such as .pst collection or hard disk imaging, the classification policies can be leveraged as part of a targeted search functionality.
The challenge is not whether technologies exist that can support European data privacy and protection directives but rather whether that legislation is clear and understood by the IT and legal organizations. Regardless of the jurisdiction and regardless of the current state of the law, communication between these two departments must include a discussion related to:
• Development of retention and expiration policies that are appropriate from a legal and business perspective.
• Clear guidance on using corporate email infrastructure for personal email.
• Clear guidance on using personal email infrastructure for business email.
• End-user education and training related to individual responsibility for managing email.
• Disposal of email that is inappropriate, unnecessary or no longer required.
• Inclusion of email into the overall records management framework.
Although the frameworks from The Sedona Conference® and guidance from the Working Party do not address or resolve all the issues arising from U.S. discovery obligations in the EU, they do provide a framework for how these issues may be addressed going forward. In addition, the Working Party offers some practical guidance as to how parties may work within the structure of the EU data protection regime, and it provides a set of issues to consider when dealing with international discovery concerns.
Perhaps, with the help of these organizations, cross-border discovery, privacy and disclosure issues will be resolved in a way that balances the desire for privacy with the level of transparency necessary to enable the legal system. Only then can we return to the U.S.-European dialogue about the true definition of football, or is it soccer?
Sean Regan is E-Discovery Product Marketing Manager at Symantec Enterprise Vault focused on content archiving as it relates to E-Discovery and recently served as editor-in-chief of The Sedona Conference® International Overview on E-Discovery, Data Privacy and Disclosure Requirements. He can be reached at (781) 487-3526 or (cell) (508) 801-4589.