The panel discussed international eDiscovery issues including differing privacy standards and blocking statutes across jurisdictions, trends toward increased privacy protections in the US and Europe, and practical challenges of cross-border eDiscovery such as dealing with non-English languages and legacy IT systems. Proportionality, risk mitigation strategies, and continued communication were presented as ways to address these challenges.

1. International eDiscovery: Data Protection,
eDiscovery:
Privacy & Cross-Border Issues
Cross-
Red Rock Resort
Summerlin, Nevada
May 26, 2010
y ,

2. Agenda
The Panel
Moderator: Patrick Burke, Guidance
Software
M. James Daley, Esq., Daley & Fey LLP
Dominic Jaar, Ledjit inc.
George Rudoy, Shearman & Sterling LLP
P A G E 1

3. M. James Daley
M. James Daley, Esq., CIPP
Partner, Daley & Fey LLP
 Partners with clients to contain the costs and reduce the risks of global
data privacy, e-discovery and data security challenges
p y, y y g
 Chair of The Sedona Conference® Working Group on International E-
Disclosure and Records Management (WG6)
 Co-Editor-in-Chief of The Sedona Conference® Framework for Analysis
Of Cross-Border Discovery Conflicts (2008)
 Certified Information Privacy Professional (CIPP) – International
Association of Privacy Professionals
P A G E 2

4. Dominic Jaar
Dominic Jaar
President, Ledjit Consulting inc.
 CEO, Canadian Centre for Court Technology
 Member of the Sedona Conference
 Editorial board (Sedona Canada)
 WG1
 WG6
 Guidance Software Strategic Advisory Board
P A G E 3

5. George Rudoy
George Rudoy
Shearman & Sterling, LLP
 Director, Global Practice, Information & Knowledge Management
 Founding member of the E-Discovery Training Academy at Georgetown
E Discovery
Law Center
 Chair of the ALM Law & Business’s Legal Tech Educational Board
 Vice President of the International Legal Technology Association (ILTA)
Practice Management Peer Group
P A G E 4

6. Principles of Privacy
M. James Daley, Esq., CIPP
Daley & Fey LLP

7. The Current Landscape
Cross-border ediscovery is a “Catch 22”
Catch 22
U.S. Courts require production or relevant
information located outside the U.S.
US
Many non-U.S. jurisdictions restrict and/or
block th
bl k the processing and transfer of such
i dt f f h
information to the U.S.
P A G E 6

8. Differing notions of privacy
Privacy is a fundamental right in much of the
world
ld
Definitions of personal data subject to privacy
protection outside th U S are extremely
t ti t id the U.S. t l
broad
Privacy protections in the U.S. are industry
specific
Personal data subject to protection is limited to
specific categories (e.g., Social Security
numbers, medical i f
b di l information, b ki d t )
ti banking data)
P A G E 7

9. Differing Notions of Privacy
Restrictions on disclosure outside the
European Economic Area (E.U. member states
plus Norway, Iceland, and Liechtenstein)
Generally, personal data cannot be sent to
countries with less privacy/data protection
p y p
than in the E.U.
Only a handful of jurisdictions meet
standards to allow data transfer
P A G E 8

10. Transfers outside the EU
Exceptions and derogations to general
principle
Issues include necessity for the transfer,
y
proportionality (how the truly personal data is
culled), and specifics in enabling laws of
member states.
b t t
Critical to consult local counsel
Transmission may require
notification/permission of local Data Protection
Agencies
P A G E 9

11. Differing Notions of Discovery
 Common law: expansive pre-trial discovery y
conducted by the parties with judicial supervision as
needed to resolve disputes or manage court calendar
 U S most expansive: di
U.S. t i discovery permitted of
itt d f
documents which may lead to admissible evidence
 Canadian “semblance of relevance test almost as
semblance relevance”
expansive
 U.K.: parties must p
p produce “documents relied upon
p
and documents that adversely affect or support
litigant’s position” but document request must seek
specific documents not broad categories
documents,
P A G E 10

12. Civil Code jurisdictions
Disclosure is limited to admissible evidence
Court closely supervises disclosure and
determines admissibility and relevance of
proposed evidence
For example, in Germany, litigants need only
F l i G liti t d l
produce those documents which will support
their claims
P A G E 11

13. The Hague Convention
Hague Convention on the Taking of Evidence
Abroad (1972)
Ab d
An attempt at compromise: a uniform
procedure f collection of evidence b t
d for ll ti f id between
common law and civil law jurisdictions.
Letters of request (“
L f (“rogatory”) i
”) issue f
from court
in one nation to designated central authority
(often a court) in another requesting
another,
assistance in obtaining information
P A G E 12

14. The Hague Convention
 Aerospatiale: U.S. courts are not required to resort
to the Hague Convention procedures over the
Federal Rules of Civil Procedure
 Fi f t b l
Five-factor balancing test:
i t t
 Importance of the evidence to the litigation
R
Respective i t
ti interests of the U.S. and th f i
t f th U S d the foreign
nation where the information is located
 Specificity of the request
 Whether the information originated in the U.S.
 Availability of alternative means to obtain the
information
P A G E 13

15. Blocking statutes
Shields for nationally sensitive data
Statutes which restrict cross-border discovery
of information intended for use in foreign
judicial
j di i l proceedings
di
Not limited to civil law jurisdictions (Australia
and C
d Canada h
d have bl ki statutes)
blocking )
May be general (France and Venezuela) or
industry-specific (e.g., Switzerland re banking
information)
P A G E 14

16. Blocking Statutes
Contrary to certain U.S. and U.K. judicial
decisions, blocking statutes can have severe
consequences
Venezuela: In Lynondell-Citgo Refining LP v.
Petroleos de Venezuela, defendant accepted
an adverse i f
d inference i t ti rather th
instruction th than
turn over board minutes and related documents
France: In January, 2008, the French Supreme
Court affirmed a criminal conviction for
speaking to a potential witness about a U S
U.S.
lawsuit
P A G E 15

17. Trends
The French Supreme Court decision, related
to U.S.
t U S case of St
f Straus v. Credit Lyonnais, may
C dit L i
tip the balancing test in favor of recognition
of the significance of blocking statutes and
result in more recourse to the Hague
Convention
Some U.S. courts had already required
recourse to the Hague Convention
(Connecticut District Court, In Re Perrier
Bottled Water Litigation; New Jersey State
Court, Husa v. Labatoires Servier S.A.)
P A G E 16

18. Trends
Potential narrowing of the definition of
“personal data” in U.K.
“ ld t ”i UK
Durant v. Financial Services Authority, Court of
Appeal (Ci il Di i i ) 2003 “O l
A l (Civil Division), 2003: “Only
information that names the (the individual) or
refers to him” qualifies for protection under the
him
Directives and U.K. enabling laws
Court described its holding as a “a narrow
a
interpretation of personal data” and is not
u e sa y o o ed
universally followed
P A G E 17

19. U.S. Data Privacy & Security: A
Patchwork Quilt
18
P A G E 18

20. The Surveillance Society
19
P A G E 19

21. Trends
Increased attention to privacy in the United
States
 Media coverage of compromises of personal data
through loss of laptops and backup tapes
 Security breaches of large public and private
databases
 Increasing incidence of identity theft
 Recent (and first) HIPAA civil monetary penalty
proceeding to result in penalties, revamped electronic
privacy plan and compliance reports
P A G E 20

22. Ways to Mitigate Risk
Dialogue with Data Protection Authorities on
g
common interests
In-country collection, processing and culling
collection
and possibly review
Development of a uniform confidentiality
designation, i.e., “EU Confidential,” for
personal data involved in
discovery/disclosure cross borders
P A G E 21

23. Ways to Mitigate Risk
Development of specific E.U. (and perhaps
Asia- Pacific d S th A
A i P ifi and South America) provisions
i ) i i
for U.S. court protective orders and case
management orders
Addition of cross-border discovery and
conflicts training to judicial education curricula
Development of approved protocols for
processing and pre filtering of personal data in
pre-filtering
the host country to assure only relevant
pe so a
personal data is t a s e ed for d sco e y
s transferred o discovery
purposes
P A G E 22

24. A way forward
Education and Awareness:
Legal Restrictions
Records Management – Cultural Divide
Records
Technology Realities
Risk Benefit A l i
Ri k B fit Analysis
Efforts to Mitigate Risk
Continued Communication and Collaboration
P A G E 23

25. Framework for Cross-Border
Discovery
P A G E 24

26. Upcoming event
The Sedona Conference®
International Program
I t ti lP
on Cross-Border eDiscovery,
eDisclosure & Data Privacy
15-17 September 2010
p
Washington, D.C.
P A G E 25

27. Think Globally, Act Locally
P A G E 26

28. Principles of Proportionality
Dominic Jaar
President,Ledjit Consulting inc.

29. Canada
The State of E-Discovery
 Ontario Guidelines
 Sedona Canada Principles
 Rules of Civil Procedure
 Nova Scotia
 Ontario
 Practice Directions
 British Columbia
 Alberta
 Quebec Code of Civil
Procedure
 Federal
P A G E 28

30. Privacy
Canada as the Safest Harbour
 Principles
 Purpose
 Consent
 Limited
— Collection
C ll ti
— Use
— Disclosure
— Retention
 Accuracy
 Canadian Charter of Rights and Freedom
 Personal Information Protection and Electronic Documents Act
(PIPEDA)
P
Provincial Legislation
i i l L i l ti
 Sedona Canada White Paper on Privacy (To be published)
P A G E 29

31. Blocking Statutes
Reacting to USA’s Extraterritorial
Laws
Cuban Policy
Asbestos
Uranium
National and Provincial
Politics and Economics
Federal
Foreign Extraterritorial Measures Act
Provincial
Quebec Business Concerns Records Act
Ontario Business Records Protection Act
P A G E 30

32. Privileges (Solicitor-Client and Litigation)
Quasi-Constitutional Rights
Canadian Charter of Rights and Freedoms
Waiver
 Explicit
p
 Implicit
Cross-Border Production
P A G E 31

33. Proportionality
A Reality, not a Mere Principle
Rules of Civil Procedure
 Nature of the case
 Value
 Burden
 Accessibility
 Relative Relevance
 Confidentiality
— Privacy
— Privileges
— Intellectual Property
p y
— Commercial/Industrial Secrets
P A G E 32

34. International E-Discovery
Practical Challenges
 Language
 Identification
 Processing
 Review
 Presentation
 Technological
g
 Standards
 Legacy systems
 Multinational enterprise-
wide content search
 Criminal/Penal charges
 Jurisdiction over act
P A G E 33

35. Principles of Language & Culture
George Rudoy
Shearman & Sterling LLP

36. Non English Language Documents
ASCII vs. Unicode
• Computers only understand
l d d
numbers—0’s and 1’s..
• ASCII d i d t allow humans
designed to ll h
to communicate with computers.
• Invented for teletypes
• Original ASCII character set
limited to 127 characters.
A -> 0100 0001
P A G E 35

37. Non English Language Documents
Printable ASCII Characters
0123456789abcdefg
hIjklmnopqrstuvwx
yz
ABCDEFGHIJKLM
NOPQRSTUVWXYZ
~ ! @ # $ % ^ & * ( ) _ + ` -= =
[ ] { } | ; ’: ” , . / < > ?
P A G E 36

38. Non English Language Documents
ASCII vs. Unicode
• Other languages needed additional
characters.
• Extended ASCII added ramped to
256 characters.
• Special encoding developed to reach
beyond extended ASCII.
• Result: multiple coding sets emerged
p g g
using the same byte sequences.
P A G E 37

39. Non English Language Documents
The bottom line…
• Chinese language has 65,000+
g g ,
symbols
• Unicode assigns numbers to every
possible character set.
• UTF-8 has become defacto
Unicode standard to represent
multi-byte languages.
E-Discovery processing software must support Unicode!
P A G E 38

40. Non English Language Documents
Non English Language Tokenisation
• Western search based on spaces
and punctuation.
P A G E 39

41. Non English Language Documents
Non English Language Tokenisation
• Some llanguages often don’t use
f d
spaces or punctuation.
P A G E 40

42. Non English Language Documents
Non English Language Tokenisation
Thedogatemydinnerbeforeicouldstophimnexttimeiwill
p
puthimoutbeforeieat
The dog ate my dinner before I could stop him.
Next time I will put him out before I eat.
裁判所はどこにありますか?
Where is the courthouse?
P A G E 41

43. P A G E 42

44. Non English Language Documents
Non English Language
Chinese
Tokenisation
中國人
• Words may consist of one or
d
more symbols
i f
Middle country person
yp
China
中國
Middle country
y
P A G E 43

45. P A G E 44

46. Cultural Guide to
Conducting E-Discovery in the International
E Discovery
Settings Selected countries and regions
P A G E 45

47. P A G E 46

48. European Union
P A G E 47

49. P A G E 48

50. EU
 Location: Europe between the North Atlantic Ocean in the west
and Russia, Belarus, and Ukraine to the east
, ,
 Legal System: comparable to the legal systems of member
states; first supranational law system
 P liti l structure: a h b id intergovernmental and supranational
Political t t hybrid i t t l d ti l
organization
 Population: 491,018,683
 Languages: Bulgarian, Czech, Danish, Dutch, English, Estonian,
Finnish, French, Gaelic, German, Greek, Hungarian, Italian,
Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian,
Slovak, Slovene, Spanish, Swedish
P A G E 49

51. EU
 Be aware of balance and possible conflict of individual country
rules vs. EU rules
 Transport and use of data is highly guarded and restricted
 Prepare schedule of annual holidays and observances
p y
 Polite direct requests
 Take the time to clarify project purpose and plan
 Clarify vernacular for technology (Services v. Share)
 Establish client-side project liaison
C
Consider local labor laws
id l ll b l
P A G E 50

52. EU
 Minimal experienced local vendor support, most located in UK
I
Involve IT in interview process to identify relevant technology
l i i i id if l h l
landscape
 Explain discovery process in detail with the support of visual
p yp pp
diagrams and documentation
 Local Counsel
 IT Personnel
 Interview process
 Translate project requirements and scope
P A G E 51

53. Former USSR
P A G E 52

54. Former USSR
 English not widely spoken, even less so in non-capital cities
 Remaining xenophobia of foreigners, especially Americans
foreigners
 Local customs are unique and expected to be followed
 Very little regard for privacy
 Many layers of authority and management
 Border security varies and customs can be negotiated with
 No local vendors
 Limited familiarity with litigation requests
 “Government secrets” still an issue
 Persistent refusal to sign any documents (chain of custody
form, privacy waiver, etc)
P A G E 53

55. P A G E 54

56. P A G E 55

57. Collecting ESI in Russia
 Privacy Rights in Russia
 Article 23 of the Constitution of the Russian Federation
— Everyone has the right to privacy, personal and family secrets, protection of
one’s honor and good name.
— Right to privacy of correspondence, telephone communications, mail, cables
and other communications.
— Any restriction of these rights require a court order.
 Federal law “on information”
— Each person has the right to search and receive any information in any forms
and from any sources subject to specific limitations.
— Limitations provide only for data related to a state secret, commercial secret,
official or other secret (e.g. tax secret), professional secret, privacy or family
( g ), p ,p y y
secrets which are regulated by separate federal laws.
P A G E 56

58. Penalties
 Penalties can be disciplinary, civil, administrative or criminal.
 Specifically criminal liability for violation of the immunity of private life
Specifically, life,
violation of secrecy of communications and infringement of home
involiability, as well as liability for unauthorized access to legally
protected computer information.
 Civil liability if an individual suffers physical or moral damages by violation
of his or her non-property rights or any other non-material welfare rights.
A court can force financial compensation.
P A G E 57

59. Russian law on transferring data through data
telecommunications networks
 Article 15(5) of the Federal law “On Information” provides that
data can be transferred through data telecommunications
g
networks without any limitations subject to the protection of
intellectual property except
 “On personal data” (
p (Article 7) requires the operator ensure for the
) q p
confidentiality of received personal data with two exceptions:
— Instances involving depersonalization of personal data, and
— Publically available personal data.
— Most importantly, the operator can process personal data only with a person’s
consent (Article 6) subject to certain exceptions.
— Personal data is broadly defined to include “any information related to an
individual…or information on the basis of which an individual may be
identified.” Examples include surname, birthdate, address, family status,
income and education.
P A G E 58

60. Consent
 On the one hand, consent is required “when directed by law” such as
collection and transborder transfer of personal data.
 On the other hand, in practice, where a company puts employees on
written notice by policy or specific notice that their email and
documents are company property and can be accessed for business
uses at any time, written consent can be made by the company.
 Written consent is prudent – the burden of proof is on the operator and
Russian courts usually require documentation.
 No standard consent form, but lists six criteria to include:
,
— full name of person giving consent including address, passport number, date of issue and
issuing authority.
— Name and address of operator to whom consent is given.
— List of personal data that may be processed.
— List of operations to be performed with personal data, and general description of the
processing methods.
— Term of validity of the consent and the procedure for its revocation.
P A G E 59

61. Exceptions to Consent
 Personal data process on the basis of federal law (primarily supporting
law enforcement).
 Personal data processed to perform an agreement to which such
individual is a party (e.g. employment agreement).
 Personal data processed for scientific or statistical purposes, and it is
sanitized.
iti d
 Personal data processed to protect life, health or important individual
interests and it’s not possible to obtain consent.
 Personal data processed to deliver mail or telecommunications
customer settlements.
 Processed for professional activity of a journalist or for scientific
literature or creative activity
activity.
 Data subject to publication in compliance with federal laws such as
state officials or candidates to elective posts.
P A G E 60

62. Australia
 Land Mass: Slightly smaller than the US contiguous 48 states
 Legal System: Based on English common law; accepts
compulsory ICJ jurisdiction, with reservations
 Population: 21,007,310
 Ethnicity: Caucasian 92% Asian 7% aboriginal and other 1%
92%, 7%,
 Languages: English or strine spoken
P A G E 61

63. Australia – Cultural
 Highly regulated environment
 Legal compliance is accepted and valued
 Polite direct requests
 Informal business environment
 High use of technology, mobile technology and email
 Due to “listing” requirements objective data and metadata
integrity is important
 The Legal Hold concept loosely translates
 Vigilant customs and security
L
Local vendors
l d
 Familiar with litigation requests
P A G E 62

64. China
 Land Mass: Slightly smaller than the US
 Legal System: Based on civil law system; derived from Soviet
and continental civil code legal principles; legislature retains
power to interpret statutes; constitution ambiguous on judicial
review of legislation; has not accepted compulsory ICJ
jurisdiction
 Population: 1,330,044,544
 Ethnicity: Han Chinese 91.5%, Zhuang, Manchu, Hui, Miao,
Uyghur, Tujia Yi, Mongol, Tibetan Buyi Dong Yao Korean
Uyghur Tujia, Yi Mongol Tibetan, Buyi, Dong, Yao, Korean, and
other nationalities 8.5%
 Languages: Standard Chinese or Mandarin (Putonghua, based
on the Beijing dialect), Yue (Cantonese), Wu (Shanghainese),
Minbei (Fuzhou), Minnan (Hokkien-Taiwanese), Xiang, Gan,
Hakka dialects, minority languages
P A G E 63

65. China - Cultural
 Dispute resolution process not aligned
 Not familiar with litigation requests
 Many layers of authority and management
 “Party” plays a role
 Titles and formality is important
 Timeframes may slip
 Can be difficult getting hardware in and out
 Payment customs can be misunderstood
 Exceptions based on relationships
 Labour cost and efficiency y
 Self service
 Vendor selection and testing
P A G E 64

66. Privacy in China
 China lacks comprehensive privacy legislation.
 A draft Personal Data Protection Law has been submitted to the State
Council, China’s executive branch.
 It is not unusual for searches to be undertaken on company computers
without an employee’s consent.
p y
 Nonetheless, obtaining written consent is a prudent practice.
P A G E 65

67. Privacy in Hong Kong
 Two sources of privacy protection
 Personal Data (Privacy) Ordinance
 Common law (generally applies only to information which has the necessary quality of
confidence, was imparted in confidence, and used without authorization to the detriment of the
party communicating it (Coco v AN Clark (Engineers) Ltd. [1969] RPC 41).
 Under Personal Data (Privacy Ordinance), “personal data” is defined as any data
 (a) relating directly or indirectly to a living individual,
 (b) from which it is practicable for the identity of the individual to be directly or indirectly
ascertained, and
 (c) in a form in which access to or processing or use of the data is practicable.
 The use of personal data (including collection, processing and transfer) must be
consistent with the purpose for which the data were originally collected or
directly related to it, otherwise the prior consent of the employee must be sought
and obtained.
 Beware a newly enacted section 33 of the Privacy Ordinance – which may not yet
be in force – which prohibits the transfer of personal data outside Hong Kong
and unclear if consent overcomes that.
P A G E 66