Editor: Why is collecting information outside the U.S. for a discovery obligation inside the U.S. even an issue?
Knouff: Generally speaking, this is an issue because of two fundamental differences between the U.S. and most all other countries. The first is the common law tradition as it has developed in the U.S. and the other legal systems throughout the world, namely civil law regimes where pre-trial discovery doesn’t even exist. Because of FRCP 26, the U.S. has the broadest discovery regime of any country on the planet. Thus, at all stages, from preservation, to collection, and through production, counsel experiences different issues when relevant evidence is located within the U.S. versus elsewhere. The second is the vastly divergent notions regarding individual privacy and data protection that exist between the U.S. and most all other countries around the world, especially between the U.S. and the EU.
Editor: Is the clash between data privacy and broad discovery only an issue between the U.S. and the EU?
Knouff: No, practitioners often focus on the EU Data Protection Directive and the laws of individual member states regarding the processing of personal data. Aside from the obvious reasons that the Directive is the most comprehensive data protection regime in the world, covering many of our most prominent commercial allies, there are explicit restrictions on data processing, and the EU does not recognize the U.S. as meeting the “adequacy” standards for data protection that would otherwise facilitate relatively unobstructed transfer. However, this conundrum is a much broader issue that applies to Canada, Latin America, the non-EU EEA countries that follow the Directive, Switzerland, European countries outside the EEA, countries throughout Asia both inside and outside of APEC, as well as countries throughout the Middle East and Africa. It would be more apt to identify this issue as being between the U.S. and the rest of the world. Also, even outside of the privacy context, it is important to consider blocking statues that may apply to certain categories of data, as well as countries such as China that, although they provide for a right to privacy in their Constitution, have yet to develop any type of regulatory framework for the processing of personal data.
Editor: Are there laws or regulations that help facilitate data transfers to the U.S.?
Knouff: Yes. In the civil context, as an alternative to the Federal Rules, discovery can be sought pursuant to the Hague Evidence Convention, which was specifically intended to help reconcile the conflicting interests that manifest in the discovery procedures of civil and common law countries. The mechanism for e-discovery under the Hague Evidence Convention is the Letter of Request. A Letter of Request can be used to request testimony as well as documents, and it is issued from the U.S. court to the Central Authority of that member state where target evidence is located. Also, under the Hague umbrella, parties can streamline the process of certifying certain public documents for use in legal proceedings in member nations pursuant to the Apostille Convention. However, both of these mechanisms have significant limitations that can make them ineffectual in practice. The largest limitation on the Evidence Convention is that member states can selectively reject various provisions, which has resulted in a lack of uniformity in its application. For example, both France and Germany declared under Article 23 that they would refuse to execute Letters of Request. Obtaining evidence under the Hague Convention can be a lengthy and expensive process in comparison to the Federal Rules, which often makes it a less attractive option. One limitation of the Apostille Convention is that it does not provide a mechanism for a competent authority to look beyond the Apostille itself. In a system where sufficient indicia of reliability and authenticity of evidence are predicates to admissibility, the fact that an Apostille may lend an air of authority to an otherwise fraudulent document causes significant concern.
To add to the Hague Convention’s limitations, in its landmark Aerospatiale decision, the Supreme Court held that the application of the Evidence Convention’s provisions are neither mandatory nor exclusive, but are merely optional. Instead, the Aerospatiale court highlighted five factors set forth in the Restatement of Foreign Relations law that courts should balance when resolving discovery issues involving parties outside the U.S. These include the importance of the documents or other information requested to the litigation, the degree of specificity of the request, whether the information originated in the U.S., the ability to obtain the information via alternate means, and the extent to which the interests of the U.S. or the foreign nation where the evidence is located would be undermined by either noncompliance or compliance, respectively. Some jurisdictions have truncated or expanded the comity analysis, so it is important to be aware of the precedent in your particular jurisdiction regarding such rulings. I would also encourage counsel to review the recent ABA Resolution 103 urging U.S. courts to consider and respect the data protection and privacy laws of foreign nations.
With regard to transfers between the EU and the U.S. specifically, parties may also utilize the U.S.-EU Safe Harbor framework (there is a separate framework applicable to transfers between the U.S. and Switzerland), Model Contracts, or Binding Corporate Rules. As with any method of transfer, it is important to understand their mechanics and limitations. One of the major limitations of the Safe Harbor regime was that it was designed for business-to-business transfers and not necessarily with discovery obligations in mind. Therefore, limitations under the principle of onward transfer can thwart its effectiveness for such purposes. While it may be possible to transfer data from the EU to a firm, service provider, or domestic office that self-certifies with Safe Harbor, that entity may then be prevented from making productions to other parties that do not have the requisite level of protection. Also, data can only be used for those purposes to which a data subject provided consent and for which the data was collected. Parties must be very careful when considering the use of data collected for a business or HR purpose to satisfy a discovery obligation. Model Contracts have significant limitations with regards to cross-border e-discovery in that they are not applicable to internal transfers, and data subjects can easily block transfer. Parties using Model Contracts still need to ensure compliance with any local privacy regulations as well. Binding Corporate Rules can be very difficult to implement, can require significant interaction with EU Data Protection Authorities that can be time consuming, and also have the same onward transfer limitations present with the Safe Harbor frameworks. The takeaway is that no matter what approach you take to facilitate data transfer to the U.S., do so thoughtfully and strategically.
Editor: How do U.S. courts respond to claims that foreign data is not accessible?
Knouff: Although the Supreme Court in Aerospatiale does encourage lower courts to respect the interests of other nations, U.S. courts have generally ruled in favor of production with regard to data located abroad. This is especially true when the only obstacle to discovery is a foreign blocking statute. In one particular case, In Re Vivendi Universal Securities Litigation, the court dismissed a non-party’s argument that complying with a discovery order would violate French blocking statutes by ruling that the U.S.’s interests in compelling discovery “dwarfed” France’s interests in preventing production. In many of the cases where a U.S. court ordered production despite the competing interests of a foreign nation, the objecting party has failed to supply the court with adequate information to support tipping the scales in their favor. Where relevant data located abroad is clearly in the objecting party’s possession, custody or control, they must be prepared to explain the foreign law and the hardship that would be endured, and to provide support for their interests in comparison with those of the opposing parties and the U.S. interest in broad discovery.
Editor: So, how can parties satisfy their preservation duty with respect to data located outside the U.S.? I imagine that inconsistent judicial treatment creates a real problem.
Knouff: It definitely does. Parties subject to a U.S. discovery obligation face significant difficulty with regard to preservation because of the absence of concrete rules in both the domestic and international spheres. Before a multinational litigant faces the task of crafting a process for preserving data that may be relevant to U.S. litigation, a more general question presents itself: does the attempt to satisfy the U.S. common law duty to preserve by implementing a legal hold itself cause a violation of privacy laws outside the U.S. to which compliance is equally expected? The legal hold is a creature of U.S. common law and there is still little direction regarding its practical aspects – i.e., triggering events, the scope of a hold, and what constitutes adequate implementation. This is the case even where cross-border data transfer isn’t even an issue, so it only becomes more complex when the multinational layer is added. Counsel often faces a significant conundrum: Do I violate my duty to preserve under U.S. discovery obligations, or do I fulfill those obligations and potentially violate foreign law?
Although the European Commission Article 29 Data Protection Working Party (WP) has opined that preservation of data is a form of “processing,” they have acknowledged the bind in which U.S. companies and companies with facilities within the EU falling under U.S. jurisdiction may find themselves. The WP 158 document attempts to reconcile these conflicts through suggestions for a balanced approach to e-discovery and data retention in particular. WP 158 was followed by a similar set of opinions and guidelines by the data protection authority in France, the Commission Nationale de L’Informatique et des Libertes (CNIL). Both WP 158 and the 2009 CNIL opinion are great starting points for counsel to develop preservation protocols that would respect the important data protection values of legitimacy, proportionality, and notice in the EU, while accommodating the interests of the U.S. litigation system.
There are many practical steps that you can take to address preservation in the cross-border context. First, you don’t necessarily need to worry about data that already resides in the U.S., as long as it was stored here before the preservation duty was triggered. Second, certain laws can provide pockets of certainty for preservation. One example is Article 49 of Mexico’s Commercial Code, which mandates a minimum 10-year preservation period for any communication related to a contract or other agreement that creates legal rights or obligations. Understanding these laws can help you identify large categories of information that may be preserved already. Third, try to classify data that is subject to protection pursuant either to privacy laws or to some form of blocking statute. Privacy protections apply to personally identifiable information (PII). Drawing a line between what is considered “personal” and what might be considered “non-personal” information can be difficult but is critical to determining what your obligations are with regard to a certain piece of information. Finally, as with all e-discovery issues, early knowledge, good-faith cooperation, and open communication are your best allies. Notify opposing counsel and the court as soon as possible when you know that you are facing cross-border issues.
Editor: How does CDS Legal address cross-border e-discovery?
Knouff: We utilize a vast array of personnel and technological resources that allow us to effectively address the competing domestic and foreign interests present in cross-border matters. We localize as much of the effort as possible through our proprietary Digital Customs offering. We can parachute in a device containing a collection of portable servers and other collection, processing, review, and production applications behind the corporate firewall, essentially setting up a secure, on-demand, private cloud. This allows us to perform any culling, filtering, redaction, anonymization, or other process in-country with involvement from a DPA, Works Council, or other applicable body by individuals in the relevant native language.