International e discovery ceic 2012d


Published on

2102 CEIC Conference Presentation on International Cross-Border Discovery and Privacy Conflicts

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • DaleyIncumbent upon counsel to ensure US courts are apprised of any foreign law issues re discovery and/or privacy
  • Daley
  • Daley, Jaar, Quentin
  • Quentin
  • Chris
  • Chris
  • Daley
  • Daley
  • Daley
  • Daley with commentary by others
  • Daley, others
  • Daley, Quentin follow up
  • Daley, Quentin
  • Daley, Quentin follow
  • Daley, Quentin
  • Daley, Quentin
  • Quentin
  • Quentin
  • Quentin
  • Daley
  • DaleyIn 2011 we saw many countries establish or re-work existing privacy regimes. In sum, the minefield of international privacy laws grew denser. Mexico – July 2011“sensitive personal data:” data that may reveal information like racial or ethnic origin, health status and religious and moral beliefs—More restrictive than the broad “personal data” definitions seen in other actsSimilar to the directive in many respects, any transfer national or international, hinges on the consent of its data subject.” Exceptions: Some of the exceptions to Mexico’s consent requirement arise when the data transfer is pursuant to a treaty, where the transfer is necessary for health care purposes, where the transfer is made to subsidiaries, affiliates or parent companies of the data controller with the same processes and policies, and when necessary to safeguard public interestRussia – July 2011Russia’s reformed privacy laws still closely align with the strict privacy stance taken by European Union Data Protection Directive 95/46/EC (“the Directive”). Russia’s new statutory scheme permits uninhibited transfer to the EU. Additionally, similar to the need for “adequate” data protection in the Directive, Russia’s law empowers a special agency to determine whether the country’s data security procedures are sufficiently “adequate” to receive personal data from RussiaThe law imparts the Russian Federal Service for Oversight of Communications, Information Technology and Mass Media with the ability to authorize a list of state parties (non-members to the EU) with sufficient personal data protection to qualify to receive personal data.Personal data may be produced pursuant to a treaty or Russian federal law.China“Internet Information Services” defined as “service activities for the provision of information to Internet users over the Internet – it doesn’t operate on “processors” like so many others acts - Service providers must not use personal data without consent,not collect more than the minimum amount of personal information necessary to provide their service,must divulge the method, content and purpose of the collection to the users in express forms without disclosing any information to a third party absent users’ consentIt’s a different approach on protecting personal data. “the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
  • DaleyE-Discovery law in APAC is evolving at the speed of light, in large part due to high numbers of US companies doing business in the region – and needing to produce information in APAC in US litigation. In addition, companies based in APAC are increasingly being drug into US based litigation. Both of these items are influencing APAC discovery law. Much arbitration occurs in the region, and these matters do involve exchange of ESI.
  • U.K. Practice DirectionEnacted in 2010 applies to multi-track claims, or at the discretion of the judgeFor cases that trigger the application of the Practice Direction, more involved e-discovery guidelines applyDirection calls parties to “discuss the use of technology in the management of Electronic Documents” prior to the first Case Management Conference, in addition to the electronic information the parties have in their control, the scope of the search for relevant documents, preservation steps taken, cost-sharing and formats for exchanging documents. Some key features of the direction include: a welcome for parties considering keyboard, or tech-assisted review, provisions on how metadata should be handled, and as we discuss later on, a sample questionnaire designed to facilitate counsel communication, and provisions that emphasize that the reasonable search requirement encompasses notions of proportionality so often discussed in US E-discovery commentaryAims to prevent the need for court intervention and avoid penalties for adopting unreasonable approachesCM is an acronym for “Case Management” that is used to signal a section for case management related practice issues in the Practice Notes issued by the Chief Justice. Practice Note CM 6 refers to specifically refers to “Electronic technology in litigation.” Comment: What is included in CM-6 checklists? Required? Examples?Practice Note CM-6 contains two important checklists for practioners: the pre-discovery conference checklist and the pre-trial checklist. Here are the sections of the pre-discovery conference checklist—the areas upon which parties are to align strategies upon:Introduction (The court places an expectation on counsel that they have “considered the issues identified in this Checklist and to be in a position to inform the Court on how the issues are to be addressed prior to or at the first Directions hearing or case management conference”)Scope of discovery (Assess scope with a mind towards speed, costs, efficiency and relevency)Strategies for conducting a reasonable search Management of Electronic Documents (Strategize key stages of the EDRM: “identification, collection, processing, analysis, review and exchange of Electronic Documents)Preservation of Electronic Documents (What strategy will be implemented for preservation?)Timetable and Estimated Costs for Discovery (How much will it cost? How much time will it take?)Privilege (How will the parties grapple with documents flagged as privileged)Document Management Protocol (default, advanced, other?) Pre-Discovery Conference Attendees Areas of disagreement (Address the areas where parties cannot agree)Comment: Info/requirements of doc mgmt protocolsThe Default Document Management Protocol, triggered by expected discoverable documents between 200 and 5000, imposes very comprehensive default provisions. The Default Document Management Protocol describes specifically how documents should be exchanged between parties and to the court. Some types of information addressed contain: what information should be in document descriptions, default file types and other permissible options, procedures for redacting privileged documents and correcting errors, duties for managing de-duplicates, how to name files, and how to handle attachments.This default protocol can be opted out of pursuant to an advanced agreement, and should be If the expected discoverable documents exceeds 5000.Comment: What is included in UK questionnaire? Required? Examples?The UK Electronic Documents Questionnaire is vehicle designed to get information pertinent to e-disclosure exchanged between parties early on in litigation. While parties should consider employing it in any litigation, as it very well may reduce costs that arise down the road, its use is only required if the size or complexity of a case so mandates. The questionnaire can be found in Direction 31B.Examples of Topics covered, in Q & A format, include: Extent of a reasonable search (questions about custodians, dates, forms of documents and databases);Method of search (does counsel think that keywords should be used? Other automated techniques like concept searches?)
  • Jaar
  • Jaar
  • Jaar
  • Jaar
  • Chris
  • Chris
  • Chris
  • Chris
  • Chris
  • Chris
  • Chris
  • Chris
  • Chris
  • Dominic
  • International e discovery ceic 2012d

    1. 1. International E-Discovery: DataProtection, Privacy, & Cross-Border Issues Quentin Archer, HoganLovells LLP Chris Dale, eDisclosure Information Project M. James Daley, Daley & Fey LLP Dominic Jaar, KPMG-Canada Patrick J. Burke, Guidance Software
    2. 2. Dominic Jaar KPMG Canada• Partner & National Leader, eDiscovery, FTech and Information Management Services•The Sedona Conference  WG7 editorial board member  WG1 and 6 memberPast•CEO, Canadian Centre for Court Technology•Founder, Ledjit Consulting•In-house counsel, Bell Canada•Litigator, Borden Ladner Gervais 2
    3. 3. Chris Dale eDisclosure Information Project chrisdaleoxford@gmail.comCarrying information about e-discovery between courts,lawyers, clients and providers. 3
    4. 4. Quentin Archer Hogan Lovells International LLP quentin.archer@hoganlovells.comImmediate Past Co-Chair, The Sedona Conference® WorkingGroup on International E-DiscoveryPartner in the London office of Hogan Lovells International LLPSpecialist for last 25 years in IT, data privacy and e-commerce,with particular emphasis on international data transfers 4
    5. 5. M. James Daley, Esq., CIPP Daley & Fey LLP jdaley@daleylegal.comCharter Member and Immediate Past Co-Chair, The Sedona Conference®Working Group on International E-Discovery (2005-2011)Technologist – Masters in Management of Information SystemsCertified Information Privacy Professional (CIPP/US) -- IAPPSenior Editor, The Sedona Conference® International Principles on Discovery,Disclosure and Data Protection (2011)Co-Editor-in Chief, The Sedona Conference® Framework for Analysis of Cross-Border Discovery Conflicts (2008) 5
    6. 6. Patrick Burke Senior Director & Assistant General Counsel Guidance Software, Inc.• Patrick performs in-house legal functions and works with corporate law departments of other companies in the U.S., Europe and Canada to advise them with respect to the implementation of defensible in-house e-discovery processes.• He serves on the Sedona Conference® Working Group 6 on International Electronic Information Management, Discovery & Disclosure, and speaks regularly at legal conferences on topics including e-discovery law and best practices, privacy, European data protection, digital evidence and cybersecurity.• He is an Adjunct Professor at Cardozo School of Law in New York City, where he teaches the e-discovery class. 6
    7. 7. Overview of Global Discovery •Discovery of documents and electronic information abroad is an increasingly important part of litigation •Problems with foreign discovery are driven by fundamental differences in legal systems and privacy/data protection laws •U.S. courts are frequently unfamiliar with, or are dismissive of foreign restrictions on cross-border discovery
    8. 8. Differing notions of privacyPrivacy is a fundamental right in much of the world  Definitions of personal data subject to privacy protection outside the U.S. are extremely broadPrivacy protections in the U.S. are industry specific  Personal data subject to protection is limited to specific categories (e.g., Social Security numbers, medical information, banking data)
    9. 9. Differing Notions of Discovery Common law: expansive pre-trial discovery conducted by the parties with judicial supervision as needed to resolve disputes or manage court calendar  U.S.  Canada  U.K.
    10. 10. The concept of discovery• Most EU countries do not have a discovery process in their civil procedure• Cases are decided primarily on the basis of documents submitted by the parties and oral evidence• Often this can lead to a cheaper and quicker result• But it may also lead to a suspicion of "foreign" court orders and document requests Page 10
    11. 11. Data Protection, Privacy, Cross-Border Distinguish between: Common Law countries with a discovery tradition  England and Wales, Northern Ireland, Scotland, Ireland  USA  Australia, Canada, Australia, Singapore, Hong Kong, New Zealand, India, Malaysia Civil Law countries with no discovery tradition  Most of mainland Europe, former USSR, China, Japan, South America, most of Africa Other Mixed Jurisdiction, Sharia, Customary Law Page 11
    12. 12. Data Protection, Privacy, Cross-Border UK, GB, E&W, EU United Kingdom England, Scotland, Wales, Northern Ireland Great Britain England, Scotland, Wales England and Wales Legal Jurisdiction European Union Economic and political partnership between 27 European countries Page 12
    13. 13. The Hague ConventionHague Convention on the Taking of Evidence Abroad(1972)  An attempt at compromise: a uniform procedure for collection of evidence between common law and civil law jurisdictions.  Letters of request (“rogatory”) issue from court in one nation to designated central authority (often a court) in another, requesting assistance in obtaining information
    14. 14. Blocking statutes Intended as shields to protect national sovereignty:  Statutes which restrict cross-border discovery of information intended for use in foreign judicial proceedings  Not limited to civil law jurisdictions (Australia and Canada have blocking statutes)  May be general (France and Venezuela) or industry- specific (e.g., Switzerland re banking information)
    15. 15. Blocking Statutes Contrary to certain U.S. and U.K. judicial decisions, blocking statutes can have severe consequences  Venezuela: In Lynondell-Citgo Refining LP v. Petroleos de Venezuela, defendant accepted an adverse inference instruction rather than turn over board minutes and related documents  France: In re Christopher X: French Supreme Court affirmed a criminal conviction for speaking to a potential witness about a U.S. lawsuit
    16. 16. Cross-Border RegulationsE.U. Data Protection Directive (95/46)  States should implement laws to restrict all manner of “processing” of “personal data”  Prohibits transfer of personal data outside the E.U. ▫ Exception: the country to which it is transferred provides “adequate protection” of personal data (E.U. Directive Article 25)  Countries who meet the E.U. “Adequate Protection” standard ▫ Canada ▫ Argentina ▫ Switzerland ▫ Israel
    17. 17. Personal DataBroad Definition of “Personal Data” under theEU Data Protection Directive: • Any information that can be used directly or indirectly to identify and individual (e.g., the name of the sender or recipient(s) of an email.
    18. 18. Personal DataPotential narrowing of the definition of “Personal Data” inU.K.  Durant v. Financial Services Authority, Court of Appeal (Civil Division), 2003: “Only information that names (the individual) or refers to him” qualifies for protection under the Directives and U.K. enabling laws  Court described its holding as a “a narrow interpretation of personal data” and is not universally followed
    19. 19. Additional EU Directive Terms“Data Subject” is usually an individual and sometimes anemployee of a “Data Controller/Employer. However in Italy,a corporate entity can be a Data Subject as well“Data Processing” is any Handling of Personal Data outsidethe normal use  Preservation (litigation hold) may be considered processing if it involves manipulation of data, such as moving data to a secure server or even preserving in place“Discovery” in U.S. = “Disclosure” in Civil Law Jurisdictions
    20. 20. EU Data Protection DirectiveRule: Any transfer of personal data to a third party requiresjustification and – in case of countries outside EEA –additional safeguardsStatutory Exceptions (Derogations):  “Transfer necessary to safeguard legitimate interests of parties to litigation and no overriding interests of affected individuals”  “Transfer necessary for exercise or defence of legal claims in court”  Transmission may require notification/permission of local Data Protection Agencies
    21. 21. New EU Data Protection Regulation •Adopted by EU Commission on 1/25/12 •Must be ratified by Council of Europe and European Parliament – 2 to 3 year process •Objectives: greater uniformity of data protection efforts among EU member states; and centralization of authority (“one stop shop”) for data protection issues for multinational corporations
    22. 22. New EU Data Protection Regulation •Single data protection authority for multinationals •Significant restriction of employee consent for data processing •Elimination of current processing notification requirements •Data protection officer if more than 250 global employees •“Right to be forgotten” and “Privacy by Design” requirements •Notification of data security breaches to regulators and persons; •Simplified procedures for transferring personal data outside EU •Increased independence and power for DPAs •Data protection violation fines -- up to 2 percent of a company’s global annual income
    23. 23. Attitude of the courts and regulators• Instinctive resort to the "safe" but limited procedures available in instruments such as Hague Convention• But Hague Convention rarely used• Blocking statutes of different kinds exist in several countries• Data protection laws present a more comprehensive block• But there is disagreement within the EU over the scope of protection • Durant – v – FSA, UK Court of Appeal, 2003 Page 23
    24. 24. Article 29 Working Party• Group established by the 1995 Data Protection Directive• Has engaged with Sedona Conference• In 2009 issued Working Document on pre-Trial Discovery (WP158)• Fairly conservative analysis of the subject• But conceded that transfers of personal data to the US for litigation purposes were permissible subject to safeguards including: • Assessment of relevance should be carried out in EU • Only data actually necessary for claims or defences should be transferred Page 24
    25. 25. The Sedona Conference• Framework for Analysis of Cross-border Discovery Conflicts published 2008• International Principles and Best Practices on Discovery, Disclosure & Data Protection published December 2011• Has encouraged a dialogue between EU regulators and the US judiciary, with high-level input on both sides• Fundamental principles are that personal data should be restricted to the level necessary to resolve the issues in the case, and that further disclosure should be subject to the terms of a protective order Page 25
    26. 26. Latin American Privacy Laws Based on Constitutional Right of “Habeas Data” (i.e.,“You have the Data):  Brazil – 1988  Paraguay  Peru  Argentina  Costa Rica  Mexico
    27. 27. Evolution of International Privacy LawRegion Adopted/Considering SummaryMexico Released draft privacy regulations that • Applies to controllers handling “sensitive personal work with existing data protection law data” • Restricts int’l transferRussia Amended privacy law, “On personal • Strict privacy stance data” • Permits uninhibited transfer to EU • Empowers a special agency to determine data security adequacyChina Released “Provisions on the • Framed around “Internet Information Service Administration of Internet Information Providers” (IISPs) Services” • Restricts IISP’s conduct in various ways
    28. 28. Global E-DiscoveryCountry Summary and recent developmentsHong Kong (Common • Special Administrative Region (SAR)Law) • Uses traditional English discovery law • Hong Kong International Arbitration CenterChina • Transferring state secrets out of country is strictly protected(Civil Law)Singapore (Common Law) • Have passed an “opt-in” e-discovery system, but seldom used in litigation • No dedicated data protection or privacy legislation, though some is currently being discussed • Singapore International Arbitration CentreSouth Korea • Blocking Statute that applies to cross-border transfers for purpose of foreign litigationJapan • Japan Privacy Act permits the conditional transfer of personal information from a corporate entity to a(Civil Law) third party; e-discovery still evolving
    29. 29. Global E-DiscoveryCountry Law SummaryCanada Ontario Rules of Civil Procedure • Directly calls counsel to implement discovery plan that incorporates how to handle production of ESI • Makes an explicit call for cooperation and meet and confer • Requires counsel to confer with the Sedona Canada PrinciplesAustralia Practice Note CM 6 • Courts may order electronic format production where “the use of technology… will help facilitate the quick, inexpensive and efficient resolution of the matter” • Pre-discovery and pre-trial checklists; places an expectation on counsel that they have considered the issues in the list, and are in a position to inform the court on how they will be addressed
    30. 30. 30
    31. 31. Privacy acts and blocking statutes Federal QuebecForeign Extraterritorial Measures Act Chapter F-29 Business Concerns Records Act R.S.Q., chapter D-12Personal Information Protection and Electronic Charter of Human Rights and Freedom R.S.Q., chapter C-12Documents Act (PIPEDA) 2000 c.5Privacy Act Civil Code of Quebec L.Q., 1991, c. 64Chapter P-21 Act Respecting the Protection of Personal Information in the Private Sector R.S.Q., chapter P-39.1 Act to Establish a Legal Framework for Information Technology R.S.Q., chapter C-1.1 31
    32. 32. Business Concerns ActR.S.Q., chapter D-122. Subject to section 3, no person shall, pursuant to or under any requirement issued by any legislative, judicial oradministrative authority outside Québec, remove or cause to be removed, or send or cause to be sent, from any place in Québecto a place outside Québec, any document or résumé or digest of any document relating to any concern.Exceptions:3. The prohibition enacted in section 2 shall not apply in the case of the removal or sending of a document out ofQuébec(a) by an agency, branch, company or firm carrying on business in Québec, to a principal, head office, affiliated company or firm,agency or branch situated outside Québec, in the ordinary course of their business; (b) by or on behalf of a company or person, as defined by the Securities Act, (chapter V-1) carrying on business in Québec, to aterritory subject to another political jurisdiction in which the sale of the securities of such company or person has been authorized;(c) by or on behalf of any such company or person carrying on business in Québec as a broker, security issuer or salesmanwithin the meaning of the Securities Act, to a territory subject to another political jurisdiction in which any such company or personhas been registered or is otherwise authorized to carry on business as broker, security issuer or salesman, as the case may be; (d) whenever such removal or sending is authorized by any law of Québec or of the Parliament of Canada, in accordance withtheir respective jurisdictions. 32
    33. 33. Act Respecting the Protection of Personal Information in the Private SectorR.S.Q., chapter P-39.15. Any person collecting personal information to establish a file on another person or to record personal information in such a file may collectonly the information necessary for the object of the file.8. A person who collects personal information from the person concerned must, when establishing a file on that person, inform him 1) of the object of the file; 2) of the use which will be made of the information and the categories of persons who will have access to it within the enterprise; 3) of the place where the file will be kept and of the rights of access and rectification. […]12. Once the object of a file has been achieved, no information contained in it may be used otherwise than with the consent of the personconcerned, subject to the time limit prescribed by law or by a retention schedule established by government regulation.13. No person may communicate to a third person the personal information contained in a file he holds on another person, or use it forpurposes not relevant to the object of the file, unless the person concerned consents thereto or such communication or use is provided for bythis Act.14. Consent to the collection, communication or use of personal information must be manifest, free, and enlightened, and must be given forspecific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested. 33
    34. 34. Data Protection, Privacy, Cross-Border US Contra Mundum • Collision between US Discovery and everyone else • Overbroad even before privacy and data protection considerations • Aérospatiale, Hague Convention v FRCP • Comity analysis supposed to balance competing interests • Good faith and hardship of compliance Page 34
    35. 35. Data Protection, Privacy, Cross-Border Aerospatial Comity Analysis (1) the importance to the . . . litigation of the documents or other information requested (2) the degree of specificity of the request (3) whether the information originated in the United States (4) the availability of alternative means of securing the information (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located Restatement (Third) of Foreign Relations Law of the United States Page 35
    36. 36. Data Protection, Privacy, Cross-Border Collision “There’s going to be a train- wreck” Browning Marean Page 36
    37. 37. Data Protection, Privacy, Cross-Border The Components Article 29 of EU Directive 95/46/EC + Individual State implementations v Restatement (Third) of Foreign Relations Law of the United States + Aerospatiale Page 37
    38. 38. Data Protection, Privacy, Cross-Border The view depends on your vantage-point Page 38
    39. 39. Data Protection, Privacy, Cross-Border Whoever heard of limiting the scope of Discovery? Discovery limited in scope = Intelligent appraisal of issues – what do we really need? + Protective Order + Technology to identify and filter quickly Page 39
    40. 40. Data Protection, Privacy, Cross-Border Assymetry and Compromise • "[m]utual knowledge of all the relevant facts gathered by both parties is essential to proper litigation." Hickman v. Taylor (1947) • Competition on uneven terms if one party subject to less onerous discovery. • If you take advantage of US trade, then you must accept its rules BUT • Compromise is necessary if EU laws are not to be simply ignored Page 40
    41. 41. Data Protection, Privacy, Cross-Border A Changing Climate? • EU Draft General Data Protection Regulation will tighten rules • ABA Report and Resolution 103 • Sedona Conference – International Principles on Discovery, Disclosure & Data Protection • Respect, good faith, reasonableness, protective order, discovery limited in scope, compliance with Data Protection obligations • But…. Trueposition Page 41
    42. 42. Data Protection, Privacy, Cross-Border Trueposition – making a monkey of the cheese-eaters • Trueposition, Inc. v. LM Ericsson Tel. Co • ”Limited Jurisdictional discovery” sought in alleged anti-competitive conduct case • French Blocking Statute makes discovery unlawful • Judge conducts Aérospatiale comity analysis • No reference to ABA or Sedona initiatives • Assumption that French will not enforce Blocking Statute Page 42
    43. 43. 43
    44. 44. 44
    45. 45. Comprenez-vous le français? L’argo? Le québécois? Le verlan? Page 45
    46. 46. Work Visa 46
    47. 47. Page 47
    48. 48. Page 48
    49. 49. REDACTED Page 49
    50. 50. Questions? Page 50