Sedona Conference Issues International Principles On Discovery And Data Protection

Tuesday, February 14, 2012 - 16:38

Multinational companies based in the United States (or with significant operations in the United States) may be subject both to the civil procedure discovery rules of the United States as well as the privacy laws of the European Union and other countries in which they operate. Complying with these potentially conflicting bodies of law may pose difficult challenges for such companies.

Recently, Working Group 6 of the Sedona Conference issued a draft document aimed at addressing this conflict entitled  “International Principles on Discovery, Disclosure & Data Protection: Best Practices, Recommendations & Principles for Addressing the Preservation and Discovery of Protected Data in U.S. Litigation,” text available at www.thesedonaconference.org [the “Sedona International Principles”]. The International Principles are the product of nearly six years of work, involving representatives from the legal profession, judges, privacy and compliance leaders, academics and discovery service vendors from around the globe.[1] The Principles represent one of the most comprehensive of efforts to reconcile (to the extent possible) conflicting notions of data privacy and norms for disclosure in litigation.

Nature Of The Conflict

The International Principles aim principally at a potential conflict between U.S. and EU law.[2] Companies operating in the EU must abide by the laws of individual EU member countries as well as the EU Data Protection Directive (the “Directive”), 95/46/EC. The Directive, which took effect in 1998, required each member of the EU to pass data protection laws that comply with the Directive’s minimum standards. These standards require, among other things, that companies give data subjects (such as consumers and employees) access to correct their data, that they use personal data only for the purpose for which it was obtained, and that they not transfer personal data to countries (such as the United States) found to lack adequate data protection laws. If a company violates these data privacy laws, the Directive allows EU member governments to seek civil fines, injunctions and even criminal sanctions. In addition, some countries (notably, France in its Penal Law No. 80-538) have adopted “blocking” statutes, which are specifically designed to protect their citizens from compelled discovery of information in court proceedings outside their borders.

The U.S., unlike the EU, embraces broad discovery in civil litigation. Under Rule 26 of the Federal Rules of Civil Procedure, parties may obtain disclosure of any matter not privileged that is relevant to a claim or defense in an action. Materials disclosed need not be admissible as evidence, so long as they “may lead to the discovery of admissible evidence.” Parties responding to discovery requests may obtain protection from unreasonably burdensome or expensive requests.

When a U.S. court exercises jurisdiction over a European party (or a U.S. party that maintains some data in Europe), conflicts may result between U.S. civil discovery rules and European data protection rules. In the case of “Christopher X,” the Criminal Chamber of the French Supreme Court upheld the criminal conviction and fine of a French lawyer for violating the French blocking statute.[3]  Yet, in a similar case in the United States, an American court rejected the French blocking statute as a basis to preclude discovery in a U.S. proceeding,[4] and American courts have remained skeptical of claims that foreign privacy and blocking statutes are vigorously enforced.[5] As these and several other recent cases illustrate, however, the conflict in rules is quite real.[6]

The U.S. is a signatory to the Hague Evidence Convention,[7] yet, in the Aérospatiale case,[8] the U.S. Supreme Court held that courts in the United States were not bound to use the Hague Convention and that the convention did not preempt the Federal Rules of Civil Procedure with respect to discovery from foreign litigants. The Court described Hague Convention procedures as optional supplementary measures that need not be used where they would be “unduly time consuming and expensive, as well as less certain to produce needed evidence than direct use of the [Federal Rules].” To determine whether to use the Federal Rules or the Convention, the Court in Aérospatiale considered: “(1) the intrusiveness of the discovery requests given the facts of the particular case, (2) the sovereign interests involved and, (3) the likelihood that resort to the Convention would be an effective discovery device.”[9] The Sedona International Principles build on this analysis of relevant concerns.

The International Principles

The new Sedona International Principles identify six essential principles for reconciliation of the potential conflict between privacy and disclosure in the context of U.S. litigation:

  1. With regard to data that is subject to preservation, disclosure or discovery, courts and parties should demonstrate due respect for the data protection laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws.
  2. Where full compliance with both data protection laws and preservation, disclosure, and discovery obligations presents a conflict, a party’s conduct should be judged by a court or data protection authority under a standard of good faith and reasonableness.
  3. Preservation, disclosure and discovery of protected data should be limited in scope to that which is relevant and necessary to support any party’s claim or defense in order to minimize conflicts of law and impact on the data subject.[10]
  4. Where a conflict exists between data protection laws and preservation, disclosure, or discovery obligations, a stipulation or court order should be employed to protect protected data and minimize the conflict.
  5. A data controller subject to preservation, disclosure or discovery obligations should be prepared to demonstrate that data protection obligations have been addressed and that appropriate data protection safeguards have been instituted.
  6. Data controllers should retain protected data only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, data controllers should preserve relevant information, including relevant protected data, with appropriate data safeguards.

The Sedona International Principles offer a model protective order and a “Transfer Protocol” (identifying important issues to consider in implementing data transfers in the context of disclosure for litigation). The Principles, moreover, are labeled “draft,” with the expectation that interested parties and groups will provide comments on the Principles, for inclusion in revised versions.[11]

Conclusion

The conflict between European data protection law and U.S. discovery rules may eventually be resolved by treaty or other diplomatic efforts. The U.S. Department of Commerce, for example, has negotiated safe harbor standards with European authorities, which permit U.S. companies to obtain certainty as to the data protection rules they must follow when doing business in Europe.[12] Similar standards could be developed for purposes of U.S. litigation. For now, however, dialogue between U.S. and European groups, such as the Sedona Conference and the E.U. Article 29 Working Party, both advisory groups, may offer the best hope of improving understanding and developing “best practices” to manage the conflict.[13]

 

[1] [1] Working Group 6 previously issued a “Framework for Analysis of Cross-Border Discovery Conflicts” (2008) and an “International Overview of Discovery, Data Privacy & Disclosure Requirements” (2009), as well as a host of related papers published in the Sedona Conference Journal. In October 2009, moreover, Working Group 6 provided a detailed response to the Article 29 Data Protection Working Party’s “Working Document 1/2009 on pre-trial discovery for cross border civil litigation.” 

[2]  The Principles are subtitled: “European Union Edition.” Working Group 6 plans to issue additional versions of the Principles to address data protection concerns in other regions of the world. 

[3]  See In re Advocat “Christopher X”, Cour de Cassation, Appeal No. 07-83228 (Dec. 12, 2007).  

[4]  See Straus v. Credit Lyonnais, S.A., 242 F.R.D. 199 (E.D.N.Y. 2007). 

[5]  See In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a "realistic risk of prosecution"); Minpeco S.A. v. Conticommodity Servs. Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. Nov. 16, 1987) ("this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure"); see also MeadWestvaco Corp. v. Rexam PLC, No.1:10CV511 (GBL/TRJ), 2010 WL 5574325, at *2, n.1 (E.D. Va. Dec. 14, 2010); aff'd sub nom. MeadWestvaco Corp. v. Rexam PLC, No.1:10CV511, 2011 WL 102675 (E.D. Va. Jan. 10, 2011) ("The court is not convinced that the circumstances surrounding Christopher X are comparable to those present in this case"); In re Air Cargo Shipping Servs. Antitrust Litig., No. 06-MD-1775, 2010 WL 1189341, at *3 (E.D.N.Y. Mar. 29, 2010) (holding that Christopher X ... would be prosecuted for complying with a court order compelling disclosure of the documents at issue"); In re Global Power Equip. Grp. Inc., 418 B.R. 833, 849-50 (Bankr. D. Del. 2009) (holding that Christopher X does not change the court's analysis because "it does not appear that the attorney who was sanctioned in that case was pursuing discovery in a manner that was ordered or approved by a United States court").

[6]  See, e.g., AstraZeneca LP v. Breath Ltd., Civil No. 08-1512 (RMB/AMD), 2011 WL 1421800 (D.N.J. Mar. 31, 2011) (Donio, Mag. J.) (ordering production of communications between Swedish in-house counsel and employees because documents were not privileged under U.S. or Swedish law, and U.S. discovery rules, permitting disclosure of trade secrets pursuant to a protective order, outweighed Sweden's interest in protecting trade secrets pursuant to the Swedish Trade Secret Protection Act); In re § 2703(d) Order, 2011 WL 900120, at *3 (E.D. Va. Mar. 11, 2011) (Buchanan, Mag. J.) (rejecting argument that requiring Twitter to disclose a member of the Icelandic Parliament's subscriber information to the U.S. threatens international comity); In re TFT-LCD (Flat Panel) Antitrust Litig., No. M 07-1827 SI, 2011 WL 723571, at *3 (N.D. Cal. Feb. 22, 2011) (ordering in-camera review of documents pertaining to the European Commission and Japan Fair Trade Commission investigations of Hitachi despite objections that review would violate European and Japanese laws because of failure to support assertions that review would impair the effectiveness of current and future investigations); Gucci America, Inc. v. Curveal Fashion, 2010 WL 808639 (S.D.N.Y. Mar. 8, 2010) (ordering third-party bank to produce documents regarding the defendant's Malaysian bank accounts despite argument that production would violate Malaysian banking secrecy laws); In re Air Cargo Shipping Services Antitrust Litig., 2010 WL 1189341 (E.D.N.Y Mar. 29, 2010) (holding that the U.S. interest in enforcing its antitrust laws outweighed France's interest in controlling access to information within its borders). 

[7]  The Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (otherwise known as the “Hague Evidence Convention”) is a multilateral treaty issued for signature in 1970, text available at www.hcch.net.

[8]  See Société Nationale Industrielle Aérospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522 (1987). 

[9]  These concerns largely derive from the RESTATEMENT (THIRD) OF FOREIGN RELATIONS § 442 (1987).

[10]  The Principles suggest limitations on the scope of requests, specificity in discovery, phased discovery, minimization of production of protected data, substitution of data and limitations on production format as means to reduce the scope of the problem. 

[11]  Comments may be submitted via the Sedona Conference website, or by email at info@thesedonaconference.org.  Working Group 6 will meet in June 2012, in Toronto, to discuss comments on the Principles and plans for the Working Group’s further activities.

[13]   Additional suggestions regarding methods to resolve (or at least minimize) the conflict between privacy and discovery rules appear at Steven C. Bennett, Practical Responses To the E.U. Privacy Versus U.S. Discovery Conflict, 2/12 Practical Lawyer 31 (Feb. 2012).

 

Steven C. Bennett is a Partner at Jones Day in New York and Chair of the firm’s Ediscovery Committee. He is also a founding member of the Sedona Conference Working Group 6.  The views expressed are solely those of the author and should not be attributed to the author’s firm or its clients, or to the Sedona Conference.  

Please email the author at scbennett@jonesday.com with questions about this article.