These slides are part of a presentation given at the IAPP Europe Data Protection Congress on November 15, 2012, by, in order of presentation, Monique Altheim, James Daley and Alexander Dix. The panel was moderated by Florian Thoma.
3. Mind the Gap: Bridging U.S.
Cross-border E-discovery and EU
Data Protection Obligations
4. Overview
• The Catch 22 U.S. Discovery –
E.U. Data Protection Conundrum
• Imminent changes of the
proposed EU regulation affecting
cross-border discovery
5. 1. The Catch 22 U.S. Discovery – E.U.
Data Protection Conundrum
• U.S. Discovery Obligations:
1. Duty to disclose (Rule 26, FRCP)
2. Duty to preserve and Legal Hold
3. Sanctions for Non-Compliance
6. • Do US Discovery Obligations Apply to
Companies Established outside the US?
7. YES
Extra-territorial Application of US Discovery
Obligation (Rule 34, FRCP) confirmed by case law
• Rule 34 FRCP:
(a) In General. A party may serve on any other
party a request within the scope of Rule 26(b):
to produce and permit the requesting party or
its representative to inspect, copy, test, or sample
the following items in the responding party's
possession, custody, or control
8. But, what about the Hague Evidence
Convention?
• Request under The Hague Convention on
the Taking of Evidence Abroad in Civil or
Commercial Matters
or
• US Court Order under Rule 34 FRCP?
9. Aérospatiale (Société Nationale Industrielle Aérospatiale v.
United States District Court, 482 U.S. 522, 544 n.28 (1987))
Court has option to order discovery under FRCP,
despite Hague Evidence Convention.
However, “International Comity” demands following balancing test
to decide whether Hague Convention is applicable:
(1) the importance to the litigation of the information requested;
(2) the degree of specificity of request; (3) whether the
information originated in the United States; (4) the availability of
alternative means of securing the information; (5) the extent to
which non-compliance would undermine the interests of the
United States or compliance with the request would undermine
the interests of a foreign sovereign nation.
10. Catch 22 Conflict of Obligations for Companies
Established in the EU and Subject to U.S.
Discovery
• Which obligations to comply with: local data protection
obligations or US discovery obligations?
• Proposed Solutions:
Art. 29 WP 158 on Pre-Trial Discovery for Cross Border Civil
Litigation
The Sedona Conference International Principles on
Discovery, Disclosure & Data Protection
11. 2. Imminent changes of the proposed
EU regulation affecting cross-border
discovery
All changes will affect data controllers/processors involved
in cross-border discovery
12. • Processing
New Rules for Processors (art. 26). Ex. Processors need
consent of controller to appoint sub-processor.
Consent of data subject: from “freely given, specific and
informed” to “freely given, specific, informed and explicit”
Limitation of use of consent as basis for processing when
significant imbalance of power. (employment context)
13. • Transfer to third countries: (art. 40-44)
Adequacy: Commission may designate separate sectors as
adequate.
BCRs expressly mentioned. Includes BCRs for processors.
Standard Data Protection Clauses don’t need authorization.
Non-standard Contractual Clauses with authorization.
14. • Transfer to third countries: (art. 40-44)
Is Safe Harbor safe? Yes.
Legitimate interest: no frequent & massive transfers; data
controllers & processors must provide documentation of
proper safeguards.
Non-Legally Binding Instrument - with authorization (art.
42 (5)).
16. M. James Daley
M. James Daley, Esq., CIPP/US
Daley & Fey LLP
• Partner, Daley & Fey LLP – over 30 years of complex litigation
experience
• Founder and Chair, The Sedona Conference® Working Group on
International Discovery, Disclosure and Data Protection
• Technologist – Masters in Management of Information Systems
• Certified Information Privacy Professional (CIPP/US)
• Senior Editor, The Sedona Conference® International Principles on
Discovery, Disclosure and Data Protection (2011)
• Editor-in-Chief, The Sedona Conference® Framework for Analysis of
Cross-Border Discovery Conflicts (2008)
18. 2011 Sedona International Principles
The Sedona Conference International Principles on
Discovery, Disclosure & Data Protection
Who:
• Created by international experts in Working Group 6
• Addressed to courts, private parties, counsel and
data controllers
What: 6 principles that address discovery of protected data
Where: Worldwide
Why: Provide guidance where multiple jurisdictions impose
conflicting duties to produce and protect data
When: Released December 2011
19. 2011 Sedona Conference Principles
1. With regard to data that is subject to preservation,
disclosure, or discovery, courts and parties should
demonstrate due respect to the Data Protection Laws
of any foreign sovereign and the interests of any
person who is subject to or benefits from such laws.
2. Where full compliance with both Data Protection Laws
and preservation, disclosure, and discovery
obligations presents a conflict, a party’s conduct
should be judged by a court or data protection
authority under a standard of good faith and
reasonableness.
3. Preservation or discovery of Protected Data should be
limited in scope to that which is relevant and
necessary to support any party’s claim or defense in
order to minimize conflicts of law and impact on the
Data Subject.
20. 2011 Sedona Conference Principles
4. Where a conflict exists between Data Protection Laws
and preservation, disclosure, or discovery obligations,
a stipulation or court order should be employed to
protect Protected Data and minimize the conflict.
5. A Data Controller subject to preservation, disclosure,
or discovery obligations should be prepared to
demonstrate that data protection obligations have
been addressed and that appropriate data protection
safeguards have been instituted.
6. Data Controllers should retain Protected Data only as
long as necessary to satisfy legal or business needs.
While a legal action is pending or remains reasonably
anticipated, Data Controllers should preserve relevant
information, including relevant Protected Data, with
appropriate data safeguards.
22. 2013 International Conference
The Fifth Annual Sedona
International Conference®
on Cross-Border
eDiscovery, eDisclosure &
Data Privacy
June 19-21, 2013
Zurich, Switzerland
1. Duty to disclose under Rule 26 FRCP: "parties may obtain discovery regarding any matter, not privileged, that is relevant to any party's claim or defense." The obligation of parties in a litigation to disclose all the information they have in a case, so that they can effectively prepare for trial and won't be caught by surprise by the introduction of new evidence at the trial itself, is a purely common law tradition and does not exist in countries with a civil code tradition. In civil code countries, such as Europe, Latin America and other former European colonies, each party to the litigation submits its own evidence to the court in support of its case. The judge decides whether or not to order additional evidence. Usually, one party can also request the judge to order production of specific documents that it suspects are in the possession of the other party, but the request must be very specific.
2. The Common Law imposes the obligation to preserve evidence from the moment that litigation is reasonably anticipated. Ex. Apple v. Samsung patent infringement case: Apple gave Samsung a live presentation about specific patent infringement claims it had against Samsung in Aug. 2010. They sued in April 2011. Apple claimed the obligation to preserve started in Aug. 2010; Samsung: April 2011. The court agreed with Apple; Samsung could reasonably foresee from this presentation that litigation would follow. Once the preservation duty has been triggered, the Common Law imposes an obligation to implement a "litigation hold" to ensure the preservation of relevant documents.
Companies' retention/deletion policies have to be suspended and no relevant document or email may be deleted or altered.
3. Sanctions: The sanctions for failure to make a required discovery and for spoliation (destruction) of evidence are very real & serious. The judge can order dismissal of the case, can order punitive/compensatory damages & can give the jury an adverse inference instruction. Ex. Apple v. Samsung case: after Apple's presentation to Samsung, Samsung issued a Litigation Hold to a number of key employees with instructions to retain all relevant email. But retention policy: every 2 weeks, email automatically deleted. Despite the litigation hold, all emails continued to be automatically deleted. The court found that Samsung was guilty of willful spoliation of evidence because it had failed to follow up on the litigation hold: did not train employees; did not monitor them; did not perform audits; did not reissue litigation holds regularly. The court ordered an adverse inference instruction, allowing the jury to presume that the lost evidence was relevant and favorable to plaintiffs. The jury ended up awarding Apple $1.049 billion in damages. Sanctions depend on the judge, even within the same district.
What if you are a US plaintiff before a US court in a product liability case? Disabled because of side effects of a medicine. The manufacturer's main branch is based in Germany. Most of the data are there. You sue the co. in the US. You ask the judge to issue an order under Rule 34 FRCP to compel discovery of all possibly relevant documents, so you can prove your that justice can be done? Can the judge issue an extra-territorial order to conduct ediscovery in Germany?
Case law interpretation of Rule 34 FRCP: According to Rule 34 of the FRCP, a party may request another party to produce ESI that is in that party's "possession, custody or control". Control does not require physical control. Contractual right of control is enough. If you have the right to demand your data, you have control. Subsidiaries and affiliates fall under this category, as do 3rd party providers, such as cloud providers. It all depends on the terms of the contract. There is some controversy in US case law whether there has to be a legal right to access the ESI or whether practical access is sufficient. The important principle here is that the fact that the ESI is overseas is irrelevant for this test of "possession, custody or control". If a US employee can access ESI of an affiliate overseas on a shared network, the US company has "possession, custody and control" and the overseas ESI is discoverable on that basis.
Defendant will usually argue that the judge has to apply The Hague Convention; International Treaty; normally would trump Federal Rules. History: The US ratified this treaty, as did many EU member states. The Hague Convention provides a procedure where the court of one country sends a letter of request to a designated authority of another country, requesting assistance from that authority in obtaining relevant information located within its borders. Advantages: There are a couple of advantages in using the Hague Convention: The EU recognizes it as a legal basis for transferring personal data to the US. And it is a way to obtain production of ESI that is NOT under a party's "possession, custody or control". But there are many problems with this procedure. Problems: • not all EU Member States are parties to the Hague Convention (e.g. Belgium). • reservations under Article 23: “a contracting state may at the time of signature, ratification or accession declare that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents.” Many signatory States, including France, Germany, Spain and the Netherlands, have filed such reservations under Article 23. • unduly time consuming; can take more than a year. • discovery request must be very specific. Broad requests are denied. Normally, an international treaty trumps a national law.
Supreme Court resolved this issue in 1987 with the landmark Aérospatiale case. If US court has jurisdiction over the foreign entity (ex. defendant in the case). Case: French blocking statute; must make a case-by-case analysis, balancing many factors. Most courts decide balancing test in favor of US; full discovery is in interest of US justice system; exceptions: Tiffany trademark case (Chinese bank of the defendant; letter from government will cooperate speedily with Hague Convention request. Tiffany (NJ) LLC v. Forbse (S.D.N.Y. May no time to go into details. Court has choice.
Assume defendant German pharmaceutical co. lost its Hague Convention defense. They invoked the strict German data protection laws. Judge applied the Aérospatiale balancing test and decided that the interest of injured parties in the US to pursue justice is more important than German data protection laws. Ediscovery order from a US judge. Meanwhile, varied types of data protection laws: bank secrecy, data privacy, labor laws, blocking statutes. Defendant: sanctions from US judge if they don’t comply with ediscovery request; sanctions if they do not comply with data protection laws? Data privacy laws: Art. 29: prefers Hague Convention, but if not: recognizes discovery obligation as a legitimate interest basis for processing BUT balancing test - data protection directive applies. A little difficult in practice. Sedona Conference: practical solution.
Of course, ALL the changes of the proposed regulation will apply to cross-border discovery. What changes are of specific interest for discovery? One stop shop: BCRs; transfers; makes it easier than applying to 27 or more separate DPAs. RTBF: if an individual requests the DC to delete his data, the data controller is obliged to delete them, unless there is a legitimate reason to retain them. Q: will Litigation Hold be considered a “legitimate reason” to refuse deletion? In case of discovery procedures: there will be a conflict of two obligations for the DC: obligation to delete & obligation to preserve.
Documentation: already now good business practice. Explicit: now: only sensitive data - regulation: all personal data; the opposite of implied; a statement or a clear affirmative action. Article 29 WP Opinion on the definition of consent: “meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.” Ex. Notice to employees that their emails will be subject to ediscovery. If employee does not consent, must call a number. NOT express consent. Express consent = statement of employees: I hereby agree that my personal data will be subject of ediscovery. Online, opt-in as opposed to opt-out. Note: consent never a good legal basis for processing/transfer of data in ediscovery context; difficult to obtain valid consent; data subject has right to withdraw his consent.
Adequacy: Commission's delegated acts? Separate sectors? US health & financial sectors? HIPAA & GLB. Safe Harbor: the Joint Statement issued by EC Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson, March 2012: “In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework”. Dept of Commerce considering expanding SH to non-profit sector. Washington DC conference last March: mixed EU/US panel on Safe Harbor: videotaped. Sanctions: will become important factor in ediscovery risk management. Compare risk of sanctions if don't disclose the data v. if disclose the data.
Hot off the presses! Sedona is also working to provide more guidance on international discovery.