U.S. multinationals that are making efforts to comply with data protection and e-discovery laws, rules and regulations in both the U.S. as well as other international jurisdictions face a multitude of challenges. If they are not in compliance, multinationals also bear the additional risk of significant sanctions, including monetary penalties. By identifying the appropriate experts within an organization and through proper planning, multinational organizations can ensure that they are in compliance.
Collecting and processing their own data in the U.S. when the data resides internationally is among the more challenging issues facing U.S. multinationals. Two of the more common situations they confront are dealing with discovery orders in a U.S. based litigation that involves data from their own E.U. based employees, and conducting an extremely sensitive and highly confidential internal investigation that relates to employees located in the E.U.
The Federal Rules of Civil Procedure, amended in December 2006, have cemented the significance of electronic discovery for the foreseeable future. As a result of these amendments, corporate counsel are not merely concerned with the costs, but also with the risks and potential sanctions associated with non-compliance with a discovery order. Counsel is challenged not only with how to develop the right approach to U.S. based discovery, but also with the multitude of data protection laws that exist in the U.S., E.U. and other jurisdictions.
With the costs of compliance with data privacy skyrocketing to approximately $21 billion by 2011[1], companies are taking proactive measures to deal with data privacy concerns. More and more often, U.S. multinationals are creating Chief Privacy Officer positions and hiring a worldwide support staff to manage the risks and liabilities associated with compliance as well as the wide-ranging issues currently facing their companies.
Data protection laws have existed for a number of years and the E.U. has taken a strong stance in this area. The E.U. Data Protection Directive, which serves as a framework from which the 27 E.U. member states operate, is a primary example of the E.U.'s commitment to data privacy.
The E.U. Data Protection Directive is not the only requirement that should be of concern to U.S. multinationals. Because each E.U. member state is able to develop its own data protection legislation, organizations need to be sure that they can comply with every member state's requirements, which at times makes compliance by U.S. multinationals challenging. The U.S. and E.U. have maintained constant communication over the years to ensure cooperation and compliance with both U.S. and E.U. laws, as well as the laws of the E.U. member states.
At a recent U.S. Department of Commerce program, "Conference on Cross Border Data Flows, Data Protection and Privacy," held in Washington, D.C. in October 2007, representatives from the E.U. as well as many U.S. multinationals and law firms clearly demonstrated that the appropriate data privacy issues are being raised. A number of ideas to help U.S. multinationals comply with E.U. data protection laws were discussed extensively at the conference. The recommendations for compliance included: Binding Corporate Rules; the issuance of protective orders by U.S. courts that specifically address E.U. data protection concerns; the use of an E.U. Model Contract by all parties in a litigation; and joining the U.S.-E.U. Safe Harbor Framework.
The Data Protection Authorities (DPAs) of the E.U. member states have the ability to promulgate legally binding principles and guidelines regarding data privacy protection for U.S. multinationals that have operations in their jurisdictions. Companies are expected to adhere to the requirements set forth by the different DPAs since they also have the ability to sanction those companies determined to be non-compliant.
Underlying the data protection laws is a strong belief by the E.U. member states that they must avoid the abuses of individual privacy rights that occurred under the fascist and communist regimes that existed in Europe during World War II. Certain DPAs, such as those of France, Spain, Germany and Italy, have been very active in their enforcement efforts. For example, on April 12, 2007, the French DPA announced its decision to fine Tyco Healthcare 30,000 for improperly transferring employee data to its worldwide headquarters in the U.S. When such situations arise, multinationals not only incur substantial monetary sanctions, but also face the cost of investigations and of defending the company. The damage often goes beyond monetary loss and frequently involves enduring negative publicity that can affect the company's reputation.
Both the E.U. Directive and the legislation from the individual E.U. member states address the transfer of personal data as well as its collection and processing. The term "personal data," according to the E.U. Directive, is very broadly defined to include any information relating to an identified or identifiable natural person. In situations where a U.S. multinational is involved in either an internal corporate investigation involving an E.U. based employee or a U.S. based litigation where one or more of its employees is based in the E.U., there are specific measures that should be taken to ensure compliance with U.S. laws and those of the E.U. and its member states.
Given that corporate e-mail often identifies the names of the sender and recipients in the e-mail address itself, the transfer, collection and processing of any data associated with that e-mail address falls under the broad definition of "personal data" and must be treated accordingly. Both the U.S. and E.U. have put in place, through the U.S.-E.U. Safe Harbor Framework, an approach by which U.S. multinationals can receive added protection for compliance with the E.U. Directive. As of October 2007, approximately 1,300 U.S. entities had joined the Safe Harbor Framework.
Dealing with the complexities of data transfer, collection and processing between the E.U. and U.S. requires a team effort involving a company's corporate counsel, compliance and privacy officers, IT staff as well as experienced outside counsel and electronic discovery providers that can provide expert forensic collection and processing capabilities. It is also highly recommended that companies join the Safe Harbor Framework as there are many evident benefits to doing so.
The complexities and risks related to privacy laws have never been greater, and they require constant diligence by counsel to stay well informed and current on the various ways to best protect their companies. Although the ultimate responsibility for compliance with the data protection laws rests with the U.S. multinational, when dealing with the personal data of its E.U. based employees an extra layer of protection can be achieved by retaining only those electronic discovery service providers that have also joined the Safe Harbor Framework.
[1] IDC, Worldwide Legal Discovery and Litigation Support Infrastructure 2007-2011 Forecast: Legal Matter and Compliance Records Repositories Are the Early Use Cases of the Active Archiving Architecture, June 2007.
Jerry F. Barbanel is the Executive Vice President in charge of IT Risk and Litigation Consulting for the Financial Advisory and Litigation Consulting Services practice at Aon Consulting. Mr. Barbanel can be reached at (201) 966-3494. Daryk Rowland is a Managing Director of the IT Risk Group at Aon Consulting. Mr. Rowland can be reached at (213) 798-6508.