Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations
•Download as PPT, PDF•
3 likes•1,446 views
These slides are part of a presentation given at the IAPP Europe Data Protection Congress on November 15, 2012, by, in order of presentation, Monique Altheim, James Daley and Alexander Dix. The panel was moderated by Florian Thoma.
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Viewers also liked (20)
Similar to Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations
Similar to Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations (20)
More from AltheimPrivacy
More from AltheimPrivacy (7)
Recently uploaded
Recently uploaded (20)
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obligations
- 2. New York, USA monique@altheimlaw.com www.altheimlaw.com
- 3. Mind the Gap: Bridging U.S. Cross-border E-discovery and EU Data Protection Obligations
- 4. Overview • The Catch 22 U.S. Discovery – E.U. Data Protection Conundrum • Imminent changes of the proposed EU regulation affecting cross-border discovery
- 5. 1. The Catch 22 U.S. Discovery – E.U. Data Protection Conundrum • U.S. Discovery Obligations: 1.Duty to disclose (Rule 26, FRCP) 2.Duty to preserve and Legal Hold 3.Sanctions for Non-Compliance
- 6. • Do US Discovery Obligations Apply to Companies Established outside the US?
- 7. YES Extra-territorial Application of US Discovery Obligation (Rule 34, FRCP) confirmed by case law • Rule 34 FRCP: (a) In General. A party may serve on any other party a request within the scope of Rule 26(b): to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party's possession, custody, or control
- 8. But, what about the Hague Evidence Convention? • Request under The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters or • US Court Order under Rule 34 FRCP?
- 9. Aérospatiale (Société Nationale Industrielle Aérospatiale v United States District Court, 482 U.S. 522, 544 n.28 )(1987) Court has option to order discovery under FRCP, despite Hague Evidence Convention. However, “International Comity” demands following balancing test to decide whether Hague Convention is applicable: 1) the importance to the litigation of the information requested; 2) the degree of specificity of request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; (5) the extent to which non-compliance would undermine the interests of the United States or compliance with the request would undermine the interests of a foreign sovereign nation. •
- 10. Catch 22 Conflict of Obligations for Companies Established in the EU and Subject to U.S. Discovery • Which obligations to comply with: local data protection obligations or US discovery obligations? • Proposed Solutions: Art. 29 WP 158 on Pre-Trial Discovery for Cross Border Civil Litigation The Sedona Conference International Principles on Discovery, Disclosure & Data Protection
- 11. 2. Imminent changes of the proposed EU regulation affecting cross-border discovery All changes will affect data controllers/processors involved in cross-border discovery
- 12. • Processing New Rules for Processors (art. 26). Ex. Processors need consent of controller to appoint sub-processor. Consent of data subject: from “freely given, specific and informed” to “freely given, specific, informed and explicit” Limitation of use of consent as basis for processing when significant imbalance of power. (employment context)
- 13. • Transfer to third countries: (art. 40-44) Adequacy: Commission may design separate sectors as adequate. BCRs expressly mentioned. Includes BCRs for processors. Standard Data Protection Clauses don’t need authorization. Non-standard Contractual Clauses with authorization.
- 14. • Transfer to third countries: (art. 40-44) Is Safe Harbor safe? Yes. Legitimate interest : no frequent & massive transfers; data controllers & processors must provide documentation of proper safeguards. Non-Legally Binding Instrument- with authorization. (art. 42 (5))
- 16. M. James Daley M. James Daley, Esq., CIPP/US Daley & Fey LLP • Partner, Daley & Fey LLP – over 30 years of complex litigation experience • Founder and Chair, The Sedona Conference® Working Group on International Discovery, Disclosure and Data Protection • Technologist – Masters in Management of Information Systems • Certified Information Privacy Professional (CIPP/US) • Senior Editor, The Sedona Conference® International Principles on Discovery, Disclosure and Data Protection (2011) • Editor-in Chief, The Sedona Conference® Framework for Analysis of Cross-Border Discovery Conflicts (2008) 16
- 18. 4 2011 Sedona International Principles The Sedona Conference International Principles on Discovery, Disclosure & Data Protection Who • Created by international experts in Working Group 6 • Addressed to courts, private parties, counsel and data controllers What 6 principles that address discovery of protected data Where Worldwide Why Provide guidance where multiple jurisdictions impose conflicting duties to produce and protect data When Released December 2011
- 19. 2011 Sedona Conference Principles 1. With regard to data that is subject to preservation, disclosure, or discovery, courts and parties should demonstrate due respect to the Data Protection Laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws. 2. Where full compliance with both Data Protection Laws and preservation, disclosure, and discovery obligations presents a conflict, a party’s conduct should be judged by a court or data protection authority under a standard of good faith and reasonableness. 3. Preservation or discovery of Protected Data should be limited in scope to that which is relevant and necessary to support any party’s claim or defense in order to minimize conflicts of law and impact on the Data Subject.
- 20. 2011 Sedona Conference Principles 4. Where a conflict exists between Data Protection Laws and preservation, disclosure, or discovery obligations, a stipulation or court order should be employed to protect Protected Data and minimize the conflict. 5. A Data Controller subject to preservation, disclosure, or discovery obligations should be prepared to demonstrate that data protection obligations have been addressed and that appropriate data protection safeguards have been instituted. 6. Data Controllers should retain Protected Data only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, Data Controllers should preserve relevant information, including relevant Protected Data, with appropriate data safeguards.
- 21. Framework for Cross-Border Discovery
- 22. 2013 International Conference The Fifth Annual Sedona International Conference® on Cross-Border eDiscovery, eDisclosure & Data Privacy June 19-21, 2013 Zurich, Switzerland
- 23. E-Discovery – the EU Data Protection Authorities‘ approach Breakout Session Mind the Gap: Bridging U.S. Cross-border E- discovery and EU Data Protection Obligations Dr. Alexander Dix, LL.M. Berlin Commissioner for Data Protection and Freedom of Information IAPP Europe Data Protection Congress 2012 15.11.2012 Brussels 16.11.12 ©Alexander Dix 23
- 24. Overview • Focus on transatlantic civil law suits • Dialogue between Sedona and Art. 29 WP • The latest response from Europe • Draft General Data Protection Regulation – any new ideas on transnational discovery ? 16.11.12 ©Alexander Dix 24
- 25. Focus on transatlantic civil law suits • Discovery requests by LEAs (e.g. DoJ) and administrative bodies (SEC) covered by mutual legal assistance treaties (e.g. EU- US) • Procedures of MLA-treaties should be observed, no direct requests to controllers in the EU • Focus here: transatlantic pre-trial discovery in civil law suits 16.11.12 ©Alexander Dix 25
- 26. Dialogue between The Sedona Conference and Art. 29 Working Party • The Sedona Conference (TSC) Framework for Analysis of Cross-Border Discovery Conflicts (2008) • Art. 29 Working Party WP 158 on pre-trial dicovery for cross-border civil litigation (2009) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/ 2009/wp158_en.pdf • TSC International Principles on Discovery, Disclosure and Data Protection (2011) 16.11.12 ©Alexander Dix 26
- 27. The latest response from Europe • Art. 29 Working Party has welcomed the International Principles, especially their emphasis on - necessity, proportionality and a phased approach to discovery (Principle 3), - the need to minimize the disclosure of personal data (Principle 3), - encouraging organizations to implement privacy by design (Principle 6). 16.11.12 ©Alexander Dix 27
- 28. Quotes from the TSC International Principles • Highlighting the importance of a restrictive data retention policy in vow of the fact that „many organizations worldwide have become data hoarders“ • Pointing to serious legal risks which may arise from the „over-retention of information“ 16.11.12 ©Alexander Dix 28
- 29. Remaining issues • Independence of EU DPAs (COM ./. Germany, Austria) and the US courts • International Principles without binding effect • HR and customer data • Telecommunications secrecy 16.11.12 ©Alexander Dix 29
- 30. Cloud Computing • Discovery in the Cloud (p. v TSC Principles) • Cf. Sopot-Memorandum of the International Working Group on Data Protection in Telecommunications („Berlin Group“) 2012 www.datenschutz-berlin.de/content/europa- international/international-working-group-on-data- protection-in-telecommunications-iwgdpt/working- papers-and-common-positions-adopted-by-the-working- group 16.11.12 ©Alexander Dix 30
- 31. EU Draft General Data Protection Regulation • „Leaked version“ v. 29.11.2011 contained restrictive rule on discovery (Art. 42) • Apparently deleted at the request of US Government • Patriot Act-issue is addressed in recital 90 of the current draft (public interest) • Legal situation would remain unchanged should the Draft become law (cf. Art. 44 Abs. 1 e) of the Draft Regulation and Art. 26 Abs. 1 d) of Directive 95/46) 16.11.12 ©Alexander Dix 31
- 32. Summing up (1) • Despite basic differences between legal cultures on both sides of the Atlantic practical ways and means to bridge the gap between European data protection law and US discovery are available • European companies should make use of all possibilities of US procedural law to comply with their obligations under EU data protection law • Restrictive retention policies are key 16.11.12 ©Alexander Dix 32
- 33. Summing up (2) • Get the company‘s Data Protection Officer involved as early as possible • Point to restrictions under Data Protection Laws as early as possible (even prior to the meet and confer stage) • Highlight the risk of criminal prosecution when processing data falling under telecommunications secrecy or patients‘ confidentiality • Phased culling in the country of origin • Check the requirements for exporting data to third countries • Apply for a protective court order 16.11.12 ©Alexander Dix 33
- 34. Thank you – any questions ? dix@privacy.de 16.11.12 ©Alexander Dix 34
Editor's Notes
- 1. Duty to disclose under Rule 26?FRCP: "parties may obtain discovery regarding any matter, not privileged, that is relevant to any party's claim or defense." The obligation of parties in a litigation to disclose all the information they have in a case so that they can effectively prepare for trial and won,t be caught by surprise by the introduction of new evidence at the trial itself, is a purely common law tradition and does not exist in countries with a civil code tradition. The obligation of parties in a litigation to disclose all the information they have in a case so that they can effectively prepare for trial and won,t be caught by surprise by the introduction of new evidence at the trial itself, is a purely common law tradition and does not exist in countries with a civil code tradition. In civil code countries, such as Europe, Latin America and other former European colonies, each party to the litigation submits its own evidence to the court in support of its case. The Judge decides whether or not to order additional evidence. Usually, one party can also request from the judge to order production of specific documents, that it suspects is in the possession of the other party, but the request must be very specific. 2. The Common Law imposes the obligation to preserve evidence from the moment that litigation is reasonably anticipated. Ex. Apple v. Samsung patent infringement case: Apple: gave Samsung a live presentation about specific patent infringement claims it had against Samsung in Aug. 2010. They sued in April 2011. Apple claimed obligation to preserve started in Aug.2010; Samsung April 2011; Crt agreed with Apple; Samsung could reasonably foresee from this presentation that litigation would follow Once the preservation duty has been triggered, the Common Law imposes an obligation to implement a "litigation hold" to insure the preservation of relevant documents. Companies' retention/ deletion policies have to be suspended and no relevant document or email may be deleted or altered. 3. Sanctions The sanctions for failure to make a required discovery and for spoliation ( destruction) of evidence are very real & serious. Judge can order dismissal of the case, can order punitive/ compensatory damages & can instruct the jury adverse inference. Ex. Apple v. Samsung case: after Apple's presentation to Samsung, Samsung issued a Litigation Hold to a number of key employees with instructions to retain all relevant email. But retention policy:,every 2 weeks, email,automatically deleted. Despite litigation hold, all emails continued to be automatically deleted. Crt found that Samsung was guilty of willful spoliation of evidence because it has failed to follow up on the litigation hold: did not train employees; did not monitor them; did not perform audits; did not reissue litigation holds regularly.the Crt ordered an adverse inference instruction, allowing the jury to presume that the lost evidence was relevant and favorable to plaintiffs. The jury ended up awarding Apple $1.049 billion in damages. Sanctions depends on judge, even within same district.
- What if you are a US plaintiff before a US crt product liability. Disabled bcause of side effects of a medicine. The manufactures main branch is based in Germany. Most of the data are there. You sue the co. in the US. you ask judge to issue order under Rule 34 FRCP.to compel discovery of all possibly relevant documents, so you can prove your that justice can be done? Can judge issue extra territorial order to conduct ediscovery in Germany?
- Case law interpretation art. 34 FRCP According to Rule 34 of the FRCP, a party may request another party to produce ESI that are in that party,s " possession, custody or control". Control does not require physical control. Contractual right of control is enough. If you have the right to demand your data, you have control. Subsidiaries, affiliates, fall under this category, as do 3rd party providers, such as cloud providers. I t all depends on the terms of the contract. There is some controversy in US case law whether there has to be a legal right to access the ESI or whether practical access is sufficient. The important principle here is that the fact that the ESI is overseas is irrelevant for this test of " possession, custody or control" . If a US employee can access ESI of an affiliate overseas on a shared network, the US company has " possession, custody and control" and the overseas ESI is discoverable on that basis
- Defendant will usually argue that the judge has to apply The Hague Convention; International Treaty; normally would trump Federal Rules History; The US ratified this treaty, as did many EU member states. The Hague Convention provides a procedure, where the Court of one country sends a letter of request to a designated authority of another country, requesting assistance from that authority in obtaining relevan information located within its borders. Advantages: There are a couple of advantages in using the Hague Convention: The EU recognizes it as a legal basis for transferring personal,data to the US. And it is a way to obtain production of ESI that is NOT under a party,s " possession, custody or control". But there are many problems with this procedure: Problems: • not all EU Member States are parties to the Hague Convention. (e.g. Belgium) • reservations under Article 23:“a contracting state may at the time of signature, ratification or accession declare that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents. Many signatory States, including France, Germany, Spain and the Netherlands have filed such reservations under Article 23. • unduly time consuming; can take more than a year. • discovery request must be very specific. Broad requests are denied. Normally, an international treaty trumps a national law.
- Supreme Court resolved this issue in 1987 with the landmark Aerospatiale case.. If US Crt has jurisdiction over the foreign entity (ex. Defendant in the case)..Case;Frech blocking statute; must make a case by case analysis, balancing many factors. most courts decide balancing test in favor of US; full discovery is in interest of US justice system ; exceptions: Tiffany trademark case (chinese bank of the defendant; letter from government will cooperate speedily with Hague Convention request . Tiffany (NJ) LLC v. Forbse (S.D.N.Y. May no time to go into details. Crt has choice.
- Assume defendant German pharmaceutical co. lost its Hague Convention defense. They invoked the strict german data protection laws. Judge applied the aerospatiale balancing test and decided that interest of injured parties in US to pursue justice is more important then German data protection laws. Ediscovery order from a US judge. mEanwhile, Varied types of data protection laws: Bank secrecy, data privacy, labor laws, blocking statutes. Defendant : Sanctions from US judge if don’t comply with ediscovery request; sanctions if do not comply with data protection laws? ..Data Privacy Laws: Laws:Art.29; prefers hague convention, but if not: recognizes discovery obligation as a legitimate interest basis for processing BUT balancing test - data protection directive applies. Little difficult in practice. Sedona Conference: practical solution.
- Of course, ALL the changes of proposed regulation will apply to crosssborder discovery. what changes are of specific interest for discovery one stop shop: BCRs; transfers; makes it easier than to apply to 27 or more separate DPAs rtbf: if individual requets DC to delete his data, data controller tis obliged to o delete them, unless there is a legitimate reason to retain it: Q: will Litigation Hold be considered a “legitimate reason” to refuse deletion? In case of discovery procedures: Will be Conflict of two obligations for DC: obligation to delete & obligation to preserve.
- Documentation: already now good business practice Explicit: now: only sensitive data- regulation: all personal data; the opposite of implied; a statement or a clear affirmative action. Article 29 WP Opinion on the definition of consent: “meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.” Ex. Notice to employees that their emails will be subject to ediscovery. If employee does not consent, must call a number. NOT express consent. Express Consent= Statement of employees: I hereby agree that my personal data will be subject of ediscovery. Online, opt-in as opposed to opt-put. Note: consent never a good legal basis for processing/transfer of data in ediscovery context; difficult to obtain valid consent; data subject has right to withdraw his consent.
- Adequacy: Commissions delegated acts ?seperate sectors? US health & financial sectors? Hipaa & glb Safe Harbor: the Joint Statement issued by EC Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson. March 2012 “In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework”./DEpt of Commerce considering expanding SH to non-profit sector. Washington DC conference last March: mixed EU/Us panel on Safe Harbor: videotaped . Sanctions:will become important factor in ediscovery risk management. Compare risk of sanctions if dont disclose the data v if disclose the data.
- Adequacy: Commissions delegated acts ?seperate sectors? US health & financial sectors? Hipaa & glb Safe Harbor: the Joint Statement issued by EC Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson. March 2012 “In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework”./DEpt of Commerce considering expanding SH to non-profit sector. Washington DC conference last March: mixed EU/Us panel on Safe Harbor: videotaped . Sanctions:will become important factor in ediscovery risk management. Compare risk of sanctions if dont disclose the data v if disclose the data.
- Hot off the presses! Sedona is also working to provide more guidance on international discovery.
- 16.11.12