Ceic 2010 international panel slide deck



  1. International eDiscovery: Data Protection, Privacy & Cross-Border Issues
       Red Rock Resort, Summerlin, Nevada, May 26, 2010
  2. Agenda: The Panel
       • Moderator: Patrick Burke, Guidance Software
       • M. James Daley, Esq., Daley & Fey LLP
       • Dominic Jaar, Ledjit inc.
       • George Rudoy, Shearman & Sterling LLP
  3. M. James Daley
       M. James Daley, Esq., CIPP, Partner, Daley & Fey LLP; jdaley@daleylegal.com; (913) 522-8901; www.daleylegal.com
       • Partners with clients to contain the costs and reduce the risks of global data privacy, e-discovery and data security challenges
       • Chair of The Sedona Conference® Working Group on International E-Disclosure and Records Management (WG6)
       • Co-Editor-in-Chief of The Sedona Conference® Framework for Analysis Of Cross-Border Discovery Conflicts (2008)
       • Certified Information Privacy Professional (CIPP) – International Association of Privacy Professionals
  4. Dominic Jaar
       Dominic Jaar, President, Ledjit Consulting inc.
       • CEO, Canadian Centre for Court Technology
       • Member of the Sedona Conference
       • Editorial board (Sedona Canada)
       • WG1
       • WG6
       • Guidance Software Strategic Advisory Board
  5. George Rudoy
       George Rudoy, Shearman & Sterling, LLP
       • Director, Global Practice, Information & Knowledge Management
       • Founding member of the E-Discovery Training Academy at Georgetown Law Center
       • Chair of the ALM Law & Business’s Legal Tech Educational Board
       • Vice President of the International Legal Technology Association (ILTA) Practice Management Peer Group
  6. Principles of Privacy
       M. James Daley, Esq., CIPP, Daley & Fey LLP
  7. The Current Landscape
       • Cross-border ediscovery is a “Catch 22”
       • U.S. Courts require production of relevant information located outside the U.S.
       • Many non-U.S. jurisdictions restrict and/or block the processing and transfer of such information to the U.S.
  8. Differing notions of privacy
       • Privacy is a fundamental right in much of the world
       • Definitions of personal data subject to privacy protection outside the U.S. are extremely broad
       • Privacy protections in the U.S. are industry specific
       • Personal data subject to protection is limited to specific categories (e.g., Social Security numbers, medical information, banking data)
  9. Differing Notions of Privacy
       • Restrictions on disclosure outside the European Economic Area (E.U. member states plus Norway, Iceland, and Liechtenstein)
       • Generally, personal data cannot be sent to countries with less privacy/data protection than in the E.U.
       • Only a handful of jurisdictions meet standards to allow data transfer
  10. Latin American Privacy Laws
       Based on Constitutional Right of “Habeas Data” or “the right to your data”
       • Brazil – 1988
       • Paraguay
       • Peru
       • Argentina
       • Costa Rica
       • Mexico
  11. Transfers outside the EU
       • Exceptions and derogations to general principle
       • Issues include necessity for the transfer, proportionality (how the truly personal data is culled), and specifics in enabling laws of member states.
       • Critical to consult local counsel
       • Transmission may require notification/permission of local Data Protection Agencies
  12. Differing Notions of Discovery
       • Common law: expansive pre-trial discovery conducted by the parties with judicial supervision as needed to resolve disputes or manage court calendar
       • U.S. most expansive: discovery permitted of documents which may lead to admissible evidence
       • Canadian “semblance of relevance” test almost as expansive
       • U.K.: parties must produce “documents relied upon and documents that adversely affect or support litigant’s position” but document request must seek specific documents, not broad categories
  13. Civil Code jurisdictions
       • Disclosure is limited to admissible evidence
       • Court closely supervises disclosure and determines admissibility and relevance of proposed evidence
       • For example, in Germany, litigants need only produce those documents which will support their claims
  14. The Hague Convention
       • Hague Convention on the Taking of Evidence Abroad (1972)
       • An attempt at compromise: a uniform procedure for collection of evidence between common law and civil law jurisdictions.
       • Letters of request (“rogatory”) issue from court in one nation to designated central authority (often a court) in another, requesting assistance in obtaining information
  15. The Hague Convention
       • Aerospatiale: U.S. courts are not required to resort to the Hague Convention procedures over the Federal Rules of Civil Procedure
       • Five-factor balancing test:
           • Importance of the evidence to the litigation
           • Respective interests of the U.S. and the foreign nation where the information is located
           • Specificity of the request
           • Whether the information originated in the U.S.
           • Availability of alternative means to obtain the information
  16. Blocking statutes: Shields for nationally sensitive data
       • Statutes which restrict cross-border discovery of information intended for use in foreign judicial proceedings
       • Not limited to civil law jurisdictions (Australia and Canada have blocking statutes)
       • May be general (France and Venezuela) or industry-specific (e.g., Switzerland re banking information)
  17. Blocking Statutes
       • Contrary to certain U.S. and U.K. judicial decisions, blocking statutes can have severe consequences
       • Venezuela: In Lyondell-Citgo Refining LP v. Petroleos de Venezuela, defendant accepted an adverse inference instruction rather than turn over board minutes and related documents
       • France: In January, 2008, the French Supreme Court affirmed a criminal conviction for speaking to a potential witness about a U.S. lawsuit
  18. Trends
       • The French Supreme Court decision, in re Christopher X, may tip the balancing test in favor of recognition of the significance of blocking statutes and result in more recourse to the Hague Convention
       • Some U.S. courts had already required recourse to the Hague Convention (Connecticut District Court, In Re Perrier Bottled Water Litigation; New Jersey State Court, Husa v. Laboratoires Servier S.A.)
  19. Trends
       • Potential narrowing of the definition of “personal data” in U.K.
       • Durant v. Financial Services Authority, Court of Appeal (Civil Division), 2003: “Only information that names the (the individual) or refers to him” qualifies for protection under the Directives and U.K. enabling laws
       • Court described its holding as “a narrow interpretation of personal data” and is not universally followed
  20. EU Article 29 Working Party
       • Comprised of all 27 EU Member State Data Protection Authorities (DPAs) and interprets provisions of EU Data Protection Directive 95/46/EC: http://ec.europa.eu/justice_home/fsj/privacy/
       • Notice: subjects whose data is being collected should be given notice of such collection.
       • Purpose: data collected should be used only for stated purpose(s) and for no other purposes.
       • Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
       • Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
       • Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
       • Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.
       • Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
  21. WP 158
       • Issued February 2009 as a “work in progress”
       • Attempt by Article 29 Working Party to address cross-border discovery issues
       • Relies on August 2008 Sedona Framework on Cross-Border Transfers
       • Opens way for further U.S. – EU dialogue on Cross-Border issues
  22. CNIL Declaration
       • CNIL is the French National Data Protection Authority (Commission nationale de l'informatique et des libertés)
       • On August 19, 2009, CNIL issued Deliberation No.: 2009-474, articulating its recommendations on responses to U.S. discovery requests for civil litigation discovery.
       • Main Provisions: In country culling of personal data; limitations on scope of processing, without review; adherence to approved methods for transfer of personal data in civil litigation and regulatory context
  23. WP 168
       • Working Party “The Future of Privacy” opinion adopted on 01 December 2009
       • A Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data
       • Clarify the application of some key rules and principles of data protection (such as consent and transparency).
       • Innovate the framework by introducing additional principles (such as ‘privacy by design’ and ‘accountability’).
       • Include the fundamental principles of data protection into one comprehensive legal framework, which also applies to police and judicial cooperation in criminal matters.
  24. U.S. Data Privacy & Security: A Patchwork Quilt
  25. The Surveillance Society
  26. Trends
       Increased attention to privacy in the United States
       • Media coverage of compromises of personal data through loss of laptops and backup tapes
       • Security breaches of large public and private databases
       • Increasing incidence of identity theft
       • Recent (and first) HIPAA civil monetary penalty proceeding to result in penalties, revamped electronic privacy plan and compliance reports
  27. Ways to Mitigate Risk
       • Dialogue with Data Protection Authorities on common interests
       • In-country collection, processing and culling, and possibly review
       • Development of a uniform confidentiality designation, i.e., “EU Confidential,” for personal data involved in discovery/disclosure across borders
  28. Ways to Mitigate Risk
       • Development of specific E.U. (and perhaps Asia-Pacific and South America) provisions for U.S. court protective orders and case management orders
       • Addition of cross-border discovery and conflicts training to judicial education curricula
       • Development of approved protocols for processing and pre-filtering of personal data in the host country to assure only relevant personal data is transferred for discovery purposes
  29. A way forward
       Education and Awareness: Legal Restrictions Records Management – Cultural Divide Records Technology Realities Risk Benefit Analysis; Efforts to Mitigate Risk; Continued Communication and Collaboration
  30. Framework for Cross-Border Discovery
  31. Upcoming event
       The Sedona Conference® International Program on Cross-Border eDiscovery, eDisclosure & Data Privacy, 15-17 September 2010, Washington, D.C.
  32. Think Globally, Act Locally
  33. Principles of Proportionality
       Dominic Jaar, President, Ledjit Consulting inc.
  34. Canada: The State of E-Discovery
       • Ontario Guidelines
       • Sedona Canada Principles
       • Rules of Civil Procedure
       • Nova Scotia
       • Ontario
       • Practice Directions
       • British Columbia
       • Alberta
       • Quebec Code of Civil Procedure
       • Federal
  35. Privacy: Canada as the Safest Harbour
       • Principles
       • Purpose
       • Consent
       • Limited: Collection, Use, Disclosure, Retention
       • Accuracy
       • Canadian Charter of Rights and Freedoms
       • Personal Information Protection and Electronic Documents Act (PIPEDA)
       • Provincial Legislation
       • Sedona Canada White Paper on Privacy (To be published)
  36. Blocking Statutes: Reacting to USA’s Extraterritorial Laws
       • Cuban Policy
       • Asbestos
       • Uranium
       • National and Provincial Politics and Economics
       • Federal: Foreign Extraterritorial Measures Act
       • Provincial: Quebec Business Concerns Records Act; Ontario Business Records Protection Act
  37. Privileges (Solicitor-Client and Litigation)
       • Quasi-Constitutional Rights
       • Canadian Charter of Rights and Freedoms
       • Waiver: Explicit, Implicit
       • Cross-Border Production
  38. Proportionality: A Reality, not a Mere Principle
       • Rules of Civil Procedure
       • Nature of the case
       • Value
       • Burden
       • Accessibility
       • Relative Relevance
       • Confidentiality: Privacy, Privileges, Intellectual Property, Commercial/Industrial Secrets
  39. International E-Discovery: Practical Challenges
       • Language
       • Identification
       • Processing
       • Review
       • Presentation
       • Technological
       • Standards
       • Legacy systems
       • Multinational enterprise-wide content search
       • Criminal/Penal charges
       • Jurisdiction over act
  40. Principles of Language & Culture
       George Rudoy, Shearman & Sterling LLP
  41. Non English Language Documents: ASCII vs. Unicode
       • Computers only understand numbers—0’s and 1’s.
       • ASCII designed to allow humans to communicate with computers.
       • Invented for teletypes
       • Original ASCII character set limited to 127 characters.
       • A -> 0100 0001
  42. Non English Language Documents: Printable ASCII Characters
       0123456789
       abcdefghijklmnopqrstuvwxyz
       ABCDEFGHIJKLMNOPQRSTUVWXYZ
       ~ ! @ # $ % ^ & * ( ) _ + ` - = [ ] { } | ; ' : " , . / < > ?
  43. Non English Language Documents: ASCII vs. Unicode
       • Other languages needed additional characters.
       • Extended ASCII added, ramped to 256 characters.
       • Special encoding developed to reach beyond extended ASCII.
       • Result: multiple coding sets emerged using the same byte sequences.
  44. Non English Language Documents: The bottom line…
       • Chinese language has 65,000+ symbols
       • Unicode assigns numbers to every possible character set.
       • UTF-8 has become de facto Unicode standard to represent multi-byte languages.
       E-Discovery processing software must support Unicode!
  45. Non English Language Documents: Non English Language Tokenisation
       • Western search based on spaces and punctuation.
  46. Non English Language Documents: Non English Language Tokenisation
       • Some languages often don’t use spaces or punctuation.
  47. Non English Language Documents: Non English Language Tokenisation
       Thedogatemydinnerbeforeicouldstophimnexttimeiwillputhimoutbeforeieat
       The dog ate my dinner before I could stop him. Next time I will put him out before I eat.
       裁判所はどこにありますか?
       Where is the courthouse?
  49. Non English Language Documents: Non English Language Chinese Tokenisation
       • Words may consist of one or more symbols
       • 中國人 (Middle country person)
       • China: 中國 (Middle country)
  51. Cultural Guide to Conducting E-Discovery in the International Settings: Selected countries and regions
  53. European Union
  55. EU
       • Location: Europe between the North Atlantic Ocean in the west and Russia, Belarus, and Ukraine to the east
       • Legal System: comparable to the legal systems of member states; first supranational law system
       • Political structure: a hybrid intergovernmental and supranational organization
       • Population: 491,018,683
       • Languages: Bulgarian, Czech, Danish, Dutch, English, Estonian, Finnish, French, Gaelic, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovene, Spanish, Swedish
  56. EU
       • Be aware of balance and possible conflict of individual country rules vs. EU rules
       • Transport and use of data is highly guarded and restricted
       • Prepare schedule of annual holidays and observances
       • Polite direct requests
       • Take the time to clarify project purpose and plan
       • Clarify vernacular for technology (Services v. Share)
       • Establish client-side project liaison
       • Consider local labor laws
  57. EU
       • Minimal experienced local vendor support, most located in UK
       • Involve IT in interview process to identify relevant technology landscape
       • Explain discovery process in detail with the support of visual diagrams and documentation
       • Local Counsel
       • IT Personnel
       • Interview process
       • Translate project requirements and scope
  58. Former USSR
  59. Former USSR
       • English not widely spoken, even less so in non-capital cities
       • Remaining xenophobia of foreigners, especially Americans
       • Local customs are unique and expected to be followed
       • Very little regard for privacy
       • Many layers of authority and management
       • Border security varies and customs can be negotiated with
       • No local vendors
       • Limited familiarity with litigation requests
       • “Government secrets” still an issue
       • Persistent refusal to sign any documents (chain of custody form, privacy waiver, etc)
  62. Collecting ESI in Russia
       • Privacy Rights in Russia
       • Article 23 of the Constitution of the Russian Federation
           • Everyone has the right to privacy, personal and family secrets, protection of one’s honor and good name.
           • Right to privacy of correspondence, telephone communications, mail, cables and other communications.
           • Any restriction of these rights requires a court order.
       • Federal law “on information”
           • Each person has the right to search and receive any information in any forms and from any sources subject to specific limitations.
           • Limitations provide only for data related to a state secret, commercial secret, official or other secret (e.g. tax secret), professional secret, privacy or family secrets which are regulated by separate federal laws.
  63. Penalties
       • Penalties can be disciplinary, civil, administrative or criminal.
       • Specifically, criminal liability for violation of the immunity of private life, violation of secrecy of communications and infringement of home inviolability, as well as liability for unauthorized access to legally protected computer information.
       • Civil liability if an individual suffers physical or moral damages by violation of his or her non-property rights or any other non-material welfare rights. A court can force financial compensation.
  64. Russian law on transferring data through data telecommunications networks
       • Article 15(5) of the Federal law “On Information” provides that data can be transferred through data telecommunications networks without any limitations subject to the protection of intellectual property except
       • “On personal data” (Article 7) requires the operator to ensure the confidentiality of received personal data with two exceptions:
           • Instances involving depersonalization of personal data, and
           • Publicly available personal data.
           • Most importantly, the operator can process personal data only with a person’s consent (Article 6) subject to certain exceptions.
           • Personal data is broadly defined to include “any information related to an individual…or information on the basis of which an individual may be identified.” Examples include surname, birthdate, address, family status, income and education.
  65. Consent
       • On the one hand, consent is required “when directed by law” such as collection and transborder transfer of personal data.
       • On the other hand, in practice, where a company puts employees on written notice by policy or specific notice that their email and documents are company property and can be accessed for business uses at any time, written consent can be made by the company.
       • Written consent is prudent – the burden of proof is on the operator and Russian courts usually require documentation.
       • No standard consent form, but lists six criteria to include:
           • Full name of person giving consent including address, passport number, date of issue and issuing authority.
           • Name and address of operator to whom consent is given.
           • List of personal data that may be processed.
           • List of operations to be performed with personal data, and general description of the processing methods.
           • Term of validity of the consent and the procedure for its revocation.
  66. Exceptions to Consent
       • Personal data processed on the basis of federal law (primarily supporting law enforcement).
       • Personal data processed to perform an agreement to which such individual is a party (e.g. employment agreement).
       • Personal data processed for scientific or statistical purposes, and it is sanitized.
       • Personal data processed to protect life, health or important individual interests and it’s not possible to obtain consent.
       • Personal data processed to deliver mail or telecommunications customer settlements.
       • Processed for professional activity of a journalist or for scientific literature or creative activity.
       • Data subject to publication in compliance with federal laws such as state officials or candidates to elective posts.
  67. Australia
       • Land Mass: Slightly smaller than the US contiguous 48 states
       • Legal System: Based on English common law; accepts compulsory ICJ jurisdiction, with reservations
       • Population: 21,007,310
       • Ethnicity: Caucasian 92%, Asian 7%, aboriginal and other 1%
       • Languages: English or strine spoken
  68. Australia – Cultural
       • Highly regulated environment
       • Legal compliance is accepted and valued
       • Polite direct requests
       • Informal business environment
       • High use of technology, mobile technology and email
       • Due to “listing” requirements objective data and metadata integrity is important
       • The Legal Hold concept loosely translates
       • Vigilant customs and security
       • Local vendors
       • Familiar with litigation requests
  69. China
       • Land Mass: Slightly smaller than the US
       • Legal System: Based on civil law system; derived from Soviet and continental civil code legal principles; legislature retains power to interpret statutes; constitution ambiguous on judicial review of legislation; has not accepted compulsory ICJ jurisdiction
       • Population: 1,330,044,544
       • Ethnicity: Han Chinese 91.5%, Zhuang, Manchu, Hui, Miao, Uyghur, Tujia, Yi, Mongol, Tibetan, Buyi, Dong, Yao, Korean, and other nationalities 8.5%
       • Languages: Standard Chinese or Mandarin (Putonghua, based on the Beijing dialect), Yue (Cantonese), Wu (Shanghainese), Minbei (Fuzhou), Minnan (Hokkien-Taiwanese), Xiang, Gan, Hakka dialects, minority languages
  70. China - Cultural
       • Dispute resolution process not aligned
       • Not familiar with litigation requests
       • Many layers of authority and management
       • “Party” plays a role
       • Titles and formality are important
       • Timeframes may slip
       • Can be difficult getting hardware in and out
       • Payment customs can be misunderstood
       • Exceptions based on relationships
       • Labour cost and efficiency
       • Self service
       • Vendor selection and testing
  71. Privacy in China
       • China lacks comprehensive privacy legislation.
       • A draft Personal Data Protection Law has been submitted to the State Council, China’s executive branch.
       • It is not unusual for searches to be undertaken on company computers without an employee’s consent.
       • Nonetheless, obtaining written consent is a prudent practice.
  72. Privacy in Hong Kong
       • Two sources of privacy protection
           • Personal Data (Privacy) Ordinance
           • Common law (generally applies only to information which has the necessary quality of confidence, was imparted in confidence, and used without authorization to the detriment of the party communicating it (Coco v AN Clark (Engineers) Ltd. [1969] RPC 41)).
       • Under the Personal Data (Privacy) Ordinance, “personal data” is defined as any data
           • (a) relating directly or indirectly to a living individual,
           • (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and
           • (c) in a form in which access to or processing or use of the data is practicable.
       • The use of personal data (including collection, processing and transfer) must be consistent with the purpose for which the data were originally collected or directly related to it, otherwise the prior consent of the employee must be sought and obtained.
       • Beware a newly enacted section 33 of the Privacy Ordinance – which may not yet be in force – which prohibits the transfer of personal data outside Hong Kong, and it is unclear if consent overcomes that.
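
Slides 43 to 49 make two processing claims: the same byte sequence means different text under different legacy code sets, and search that splits on spaces and punctuation cannot find words in Chinese or Japanese text. The following Python sketch is an added example, not part of the original deck. The function names and the sample byte string are constructed for illustration, and overlapping character bigrams are one common indexing approach chosen here, not something the slides prescribe.

```python
import re
import unicodedata

# Constructed sample: four bytes that are valid text in several legacy code sets.
AMBIGUOUS = bytes([0xC4, 0xE3, 0xBA, 0xC3])
EN = "Where is the courthouse?"
JP = "裁判所はどこにありますか?"  # sample sentence from slide 47


def decode_candidates(raw, encodings=("utf-8", "gb2312", "cp1252", "cp1251")):
    """Return {encoding: text} for every encoding that decodes raw without error."""
    out = {}
    for enc in encodings:
        try:
            out[enc] = raw.decode(enc)
        except UnicodeDecodeError:
            pass  # strict decoding rejects byte sequences invalid in this encoding
    return out


def is_cjk(ch):
    """True for Han ideographs and Japanese kana, which are written without spaces."""
    name = unicodedata.name(ch, "")
    return name.startswith(("CJK UNIFIED", "HIRAGANA", "KATAKANA"))


def naive_hit(query, document):
    """Space/punctuation search: the query must equal a whole delimited token."""
    return query.lower() in re.findall(r"\w+", document.lower())


def tokenize(text):
    """Words for spaced scripts, overlapping character bigrams for CJK runs."""
    tokens, word, run = [], "", ""

    def flush():
        nonlocal word, run
        if word:
            tokens.append(word.lower())
        if len(run) == 1:
            tokens.append(run)
        tokens.extend(run[i:i + 2] for i in range(len(run) - 1))
        word, run = "", ""

    # NFKC folds full-width punctuation and letters to their ASCII forms.
    for ch in unicodedata.normalize("NFKC", text):
        if is_cjk(ch):
            if word:
                flush()
            run += ch
        elif ch.isalnum():
            if run:
                flush()
            word += ch
        else:
            flush()
    flush()
    return tokens


def phrase_hit(query, document):
    """True if the query's tokens occur as a contiguous run in the document's tokens."""
    q, d = tokenize(query), tokenize(document)
    return bool(q) and any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))


if __name__ == "__main__":
    for enc, text in decode_candidates(AMBIGUOUS).items():
        print(f"{enc:8} -> {text}")
    for q, doc in (("courthouse", EN), ("裁判所", JP), ("中國", "中國人")):
        print(q, "naive:", naive_hit(q, doc), "bigram:", phrase_hit(q, doc))
```

A processing tool that guesses the wrong code set still decodes the bytes without raising an error, so mis-decoded collections tend to surface only as missed search hits; recording the encoding used for each document makes that failure auditable.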