Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

US eDiscovery v UK eDisclosure

1,371 views

Published on

  • Be the first to comment

  • Be the first to like this

US eDiscovery v UK eDisclosure

  1. 1. 1© Copyright 2010 EMC Corporation. All rights reserved. Be st Practice We binar eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws e Disco ve ry series sponsored by EMC SourceOne eDiscovery - Kazeon
  2. 2. 2© Copyright 2010 EMC Corporation. All rights reserved. eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws Panelists Quentin Archer – Partner at Hogan Lovells, London and Co-Chair of Sedona Conference Working Group 6. James D. Shook – Director, EMC eDiscovery and Compliance Legal Group; member Sedona Conference WG1 and WG6. J. David Morris - webinar moderator
  3. 3. 3© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
  4. 4. 4© Copyright 2010 EMC Corporation. All rights reserved. Information Today – The Big Picture 1.8ZbLots of It Mostly Unstructured 95% Mostly Unmanaged 85% Becoming More Regulated ▲ Created by Organizations 85% Information
  5. 5. 5© Copyright 2010 EMC Corporation. All rights reserved. Average US eDiscovery Costs 10x increased costs to outsource $1.5M average cost per incident $34M average annual legal costs 89% of companies face litigation $18M+ cost to review 1 TB of info
  6. 6. 6© Copyright 2010 EMC Corporation. All rights reserved. 67% of eDiscovery Cases Awarded Sanctions in 1H2010 (31 Cases Requested Sanctions; 21 Cases Awarded Sanctions) Source: DIGITAL DISCOVERY & E-EVIDENCE REPORT ISSN 1941-3882
  7. 7. 7© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
  8. 8. 8© Copyright 2010 EMC Corporation. All rights reserved. World Litigation Overview US Common law Broad, expansive discovery “E-discovery” Generally bear fees & costs UK Common law Reasonable discovery “E-disclosure” Loser pays CN Common Law Broad, includes e-data Civil Code Limited disclosure
  9. 9. 9© Copyright 2010 EMC Corporation. All rights reserved. Worlds Apart? US UK/CN EU Privacy Very little in the workplace Strong protection for employees Very strong Data Ownership Employer-focused Employee-focused Employee-focused eDiscovery Broad, expensive UK: Growing but < US Typically very limited
  10. 10. 10© Copyright 2010 EMC Corporation. All rights reserved. Privacy Concerns Source: Fulbright and Jaworski, 7th Annual Litigation Trends Survey Report
  11. 11. 11© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
  12. 12. 12© Copyright 2010 EMC Corporation. All rights reserved. UK Data Protection Act 1998 • Implements EU Data Protection Directive 1995 • Regulates the activities of "data controllers", who control the purposes for which data is processed • "Processing" covers just about any activity relating to data • "Personal data" is data relating to an identifiable living individual • Data in manual unstructured filing systems is not included eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  13. 13. 13© Copyright 2010 EMC Corporation. All rights reserved. The Data Protection Principles • Personal data must be processed in accordance with eight data protection principles • Breach of the principles can lead to enforcement action by the Information Commissioner, or a private action for damages • Deliberate or reckless breaches can result in penalties of up to £500,000 • Breaches in the financial services field can also attract the attention (and fines) of the Financial Services Authority eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  14. 14. 14© Copyright 2010 EMC Corporation. All rights reserved. Principles 1 to 4 • Personal data must be processed fairly and lawfully • Personal data must be obtained for specified purposes and not processed in a manner incompatible with those purposes • Personal data must be adequate, relevant and not excessive • Personal data shall be accurate and (where necessary) kept up to date eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  15. 15. 15© Copyright 2010 EMC Corporation. All rights reserved. Principles 5 to 8 • Personal data must not be kept longer than necessary • Personal data must be processed in accordance with the rights of data subjects • Appropriate technical and organisational measures must be taken against unauthorised processing, and against loss or destruction • Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to personal data eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  16. 16. 16© Copyright 2010 EMC Corporation. All rights reserved. Controllers and processors • An entity which processes personal data on behalf of a data controller is a "data processor" • There must always be a written contract between the data controller and the data processor • Contracts must require the processor to act only on the instructions of the controller, and to comply with the security conditions in the seventh principle • The security conditions require: • The implementation of appropriate technical and organisational measures to protect against unauthorised or unlawful processing, taking into account the harm that might result • Taking steps to ensure reliability of employees eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  17. 17. 17© Copyright 2010 EMC Corporation. All rights reserved. Exporting personal data • No transfer of personal data outside the EEA unless the destination territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data • “Transfer” and “adequate level of protection” are important concepts • Several cases where the general rule does not apply eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  18. 18. 18© Copyright 2010 EMC Corporation. All rights reserved. What is a transfer? • No transfer merely by placing material on the Web (Lindqvist case, November 2003) • But placing material on an intranet, where the intention is to make it available to people in different countries, may be subject to different criteria • Mere transit (e.g. routing emails through a third country) unlikely to amount to a "transfer" eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  19. 19. 19© Copyright 2010 EMC Corporation. All rights reserved. Who determines adequacy? • Exporting data controller must assess adequacy • If there is a Community finding of adequacy, the controller can rely on that • In the case of a controller-processor transfer, the Commissioner may presume adequacy: • Data controller remains liable • Must be a written contract in place • Must be no particular risks in destination country eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  20. 20. 20© Copyright 2010 EMC Corporation. All rights reserved. EU findings of adequacy for non-EEA countries • Andorra • Argentina • Canada (but only to activities covered by the Personal Information Protection and Electronic Documents Act) • Faeroe Islands • Guernsey • Isle of Man • Israel • Jersey • Switzerland • USA (Safe Harbor and passenger data only) eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  21. 21. 21© Copyright 2010 EMC Corporation. All rights reserved. Where export is possible, even if no adequate protection • If the data subject has given consent • If the transfer is necessary for the performance of a contract with the data subject • If the transfer is necessary for the purposes of: • Legal proceedings • Obtaining legal advice • Establishing, exercising or defending legal rights • Use of model contract clauses • Binding corporate rules eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  22. 22. 22© Copyright 2010 EMC Corporation. All rights reserved. Differences within the EU • Concept of personal data is narrower in the UK than in the rest of the EU (Durant case) which has caused difficulties • Many EU regulators exercise greater supervision, including a requirement to approve contracts for the export of personal data • Fines can be larger than the UK eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  23. 23. 23© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
  24. 24. 24© Copyright 2010 EMC Corporation. All rights reserved. Between A Rock and A Hard Place • Claim for unpaid invoices – AccessData sued ALSTE, a German company • ALSTE objected to discovery requests – Claimed violation of GDPA and German Constitution • Court disagreed, ordered production "[i]t is well settled that such [blocking] statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute." See Societe Nationale Industrielle Aerospatiale, 482 U.S. 522, 544 (1987). AccessData Corp. v. ALSTE Technologies GmbH, 2010 WL 318477 (D. Utah Jan. 21, 2010)
  25. 25. 25© Copyright 2010 EMC Corporation. All rights reserved. Some Practical Issues Inter-country data transfers - Backup strategies - Email Archiving / Management - HR Systems - The Cloud US Litigation eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  26. 26. 26© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
  27. 27. 27© Copyright 2010 EMC Corporation. All rights reserved. The Sedona Conference • A non-profit educational and research institute dedicated to the advanced study of law and policy • Promotes dialogue (rather than debate) as the best means of promoting developments in the law in a reasoned and just fashion • Concentrates on antitrust law, intellectual property and complex litigation • Seven Working Groups focussing on different aspects of the law eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  28. 28. 28© Copyright 2010 EMC Corporation. All rights reserved. Sedona Conference WG6 • Mission of Sedona Working Group 6 is to address issues that arise in the context of e-information management and e- disclosure for organizations subject to litigation and regulatory oversight in multiple jurisdictions with potentially conflicting internal laws. • Framework for Analysis of Cross-Border Conflicts was released in 2008 and cited shortly thereafter by the European Commission's Article 29 Working Party • Continuing dialogue with EU Commission, Article 29 Working Party, regulators and US judiciary on proper approach to resolving conflicts between disclosure and data protection laws eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
  29. 29. 29© Copyright 2010 EMC Corporation. All rights reserved. Question and Answers Quentin Archer - quentin.archer@hoganlovells.com James D. Shook, Esq. – jim.shook@emc.com J. David Morris – david.morris@emc.com Hogan Lovells - www.hoganlovells.com Discover More! www.kazeon.com/discover www.kazeon.com/blog - case coverage and eDiscovery topics eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws

×