Karl Geercken/Kelly Holden/Michael Rath/ Mark Surguy ... · Karl Geercken/Kelly Holden/Michael...

Offprint

Karl Geercken/Kelly Holden/Michael Rath/Mark Surguy/Tracey Stretton

Irreconcilable Differences?Navigating Cross-BorderE-DiscoveryHow best to understand and deal with the conflictbetween e-discovery and data protection principles

Karl Geercken/Kelly Holden/Michael Rath/Mark Surguy/Tracey Stretton

Irreconcilable Differences? Navigating Cross-Border E-DiscoveryHow best to understand and deal with the conflictbetween e-discovery and data protection principles

¸ Karl Geercken and Kelly Holden are U.S. attorneys at Alston & BirdLLP, New York; Dr. Michael Rath is a German attorney, certified expertlawyer on information technology and partner at Luther, Cologne, Ger-many; Mark Surguy is a solicitor and partner at Eversheds, London,U.K.; and Tracey Stretton is a legal consultant at Kroll Ontrack, Lon-don, U.K. Further information abaout the authors at p. 63.

Electronically stored information (‘ESI’) such as emailshave become the corporate memory and central to fact-finding in lawsuits and investigations, providing anaccurate and detailed record of what happened or whatwas said at any point in time. This also means that com-panies involved in litigation now have to disclose andproduce these electronic communications and docu-ments on short notice to comply with the rules of courtgoverning pre-trial discovery. At the same time, theinformation stored in mailboxes or on company or evenprivately owned devices may well contain or be co-min-gled with the personal and private data of companyemployees or other third parties. Europe has a long his-tory of preserving the individual’s right to privacy andhas a complex network of legal rules designed to protectit including the restriction against transferring personaldata across borders unless special conditions are met.This immediately causes difficulties in international liti-gation which relies on evidence scattered across jurisdic-tions. A conflict inevitably arises between the discoverylaws of one country and the data protection laws ofanother. This article examines the challenges that arisewhen the discovery laws of another country clash withthe data protection laws of another and how companiesare addressing these challenges by relying on legal mech-anisms and technology solutions.

In section I. the article provides an overview of the dataprotection framework in Europe and the discovery rulesin the U.K. and U.S. and sets out the legal conflict whicharises due to conflicting rights and obligations in thesetwo legal regimes. The article examines in particular theimpact of the U.K. Data Protection Act on disclosurerules in civil litigation conducted under the rules of courtin England. In Section II., the article discusses the Ger-man data protection regime as a prominent example ofcivil law jurisdictions in the European Union and how itimpacts on requests for e-discovery. The article high-lights some of the data protection issues that arise andexplores the enforceability of e-discovery requests inEurope. Finally, in Section III., the article explores howthe conflict between e-discovery and data protectionprinciples can be addressed in practice, especially whenit comes to overcoming the prohibition or restrictions oncross-border data transfers. In doing so, the article looksat official guidance from data protection authorities andThe Sedona Conference and at legal mechanisms such asobtaining the consent of individuals concerned, relianceon legal exemptions, binding corporate rules and datatransfer agreements. The article also considers how tech-nology can be used to facilitate international discoveryand reduce the risk of contravening data protectionlaws.

I. The Conflict Between Discovery and DataProtection Laws

Because discovery obligations cross territorial bound-aries, a company in the U.S. engaged in litigation thatneeds to comply with the U.S. rules of court must dis-close documents stored at its facilities or subsidiaries inother locations around the world. Similarly, a companyin the U.K. involved in litigation must disclose docu-ments stored on foreign countries. The European DataProtection Directive (95/46/EC) on the protection ofindividuals in relation to the automatic processing andfree movement of personal data (the ‘European DataProtection Directive’) has been adopted into local law inthe member states of the EU and sets out eight basic dataprotection principles which strictly control how ‘per-sonal data’ is obtained, kept, processed and data trans-fers. Despite these laws many courts, especially those inthe U.S. will still expect global discovery from parties toU.S. litigation that have international operations. Law-yers face the often difficult task of ensuring that discov-ery obligations are met while at the same time not violat-ing the local laws of the place in which discovery issought.

1. The European Data Protection FrameworkThe purpose of the European Data Protection Directive– until replaced by the European Data Protection Regu-lation a draft of which is currently being discussed1

1 The draft of the General Data Protection Regulation can be found athttp://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

– isto harmonise the regulation of personal data in the Euro-pean Union. The Directive essentially regulates the wayorganisations collect and use information about individ-uals and seeks to harmonise the position in Europe bydirecting how Member States should introduce nationaldata protection legislation. The key premise is that theEuropean Data Protection Directive regulates ‘personaldata’ which is defined as ‘any information relating to anidentified or identifiable natural person’ (‘data subject’).An identifiable person is one who can be identified,directly or indirectly, in particular by reference to anidentification number or to one or more factors specificto his physical, physiological, mental, economic, cul-tural or social identity.’2

2 Directive (95/46/EC), Art 2(a).

This broad definition meansthat even names, birthdays, addresses, telephone num-bers, fax numbers and email addresses are considered tobe personal data. In the context of litigation, therefore,personal data is likely to be contained in any email orother document that is disclosed in the process of pretrial discovery. The Data Protection Directive also regu-lates ‘processing’3

3 Directive (95/46/EC), Art 2(b): ‘... processing of personal data (‘process-ing’) shall mean any operation or set of operations which is performedupon personal data, whether or not by automatic means, such as collec-tion, recording, organization, storage, adaptation or alteration,

, which is essentially any type of activ-

44 CRi 2/2013

retrieval, consultation, use, disclosure by transmission, dissemination orotherwise making available, alignment or combination, blocking, era-sure or destruction.’

ity one can contemplate with personal data. This meanscertain rules must be observed in all cases when data iscollected from EU member states and then processedand reviewed for production in U.S. legal proceedingsfor discovery purposes.

The key provisions of the Data Protection Directiveinclude:

¸ Lawfulness and Fairness: This requires that certainconditions must be satisfied in order to lawfully pro-cess personal data, with special controls in relationto ‘sensitive’ personal data;

¸ Purpose Limitation: This requires, for example, thatdata subjects are provided with a ‘fair processingnotice’ and then the personal data is only processedas described in the notice;

¸ Proportionality: There must be limits to the process-ing of personal data that is undertaken, and this pro-vision requires that user data is only processed if andto the extent that such processing is proportional inrelation to the applicable circumstances;

¸ Data Accuracy: There is an obligation on those com-panies that are responsible for the personal data toensure the accuracy of the personal data;

¸ Data Retention: Personal data, once collected, mayonly be retained in identifiable form for so long as isnecessary in the circumstances;

¸ Data Security: All companies that handle personaldata must implement appropriate technical andorganizational measures to guard against unautho-rized or unlawful processing of personal data and/oragainst loss or destruction of, or damage to, personaldata;

¸ Data Subject Rights: This requires that data control-lers respond to ‘subject access requests’ from datasubjects, to provide information about the natureand scope of processing undertaken or to stop pro-cessing data in a way they can object to;

¸ Data Transfers: This requires, in summary, that thecompany may not transfer data outside the Euro-pean Economic Area4

4 The EEA includes all countries in the European Union, together with Ice-land, Liechtenstein and Norway.

(‘EEA’) to jurisdictions whichdo not ensure an adequate level of protection of per-sonal data, without taking certain steps (e.g., imple-mentation of model contractual clauses, obtainingdata subject consent, obtaining the U.S. Departmentof Commerce Safe Habor certification or obtainingBinding Corporate Rules accreditation); and

¸ Notification: Most companies in Europe arerequired to register/notify as a ‘data controller’, ifprocessing personal data in the context of an estab-lishment in a member state. They may also need tonotify if they seek to transfer personal data abroad.

Despite attempts to harmonise how personal data is reg-ulated in the EU there are still a number of importantlocal variances. These arise because of more stringentnational data protection legislation in some countries,differing enforcement powers granted to national data

protection authorities, variations in the way in whichnational courts approach data protection issues andfinally by considerable differences in the way that dataprotection authorities approach infringement.

2. The Disclosure/Discovery Framework inCivil Litigation in Common Law Jurisdictions

The terms ‘discovery’ and ‘disclosure’ are commonlyused in both England and the U.S. to describe the processof pre-trial evidence collection and production. In boththe rules governing civil litigation in England and Wales(the Civil Rules of Procedure, ‘CPR’) and in the FederalRules of Civil Procedure (‘FRCP’), the term ‘disclosure’refers to each party’s duty to provide other parties withcertain categories of information. In the U.S., ‘disclo-sure’ is followed by ‘discovery’ (FRCP 34), whereby par-ties have an opportunity to seek additional information,from each other and other sources, through several ave-nues, including specific document requests, depositions,interrogatories, and on-site inspections. Where informa-tion is properly requested by one party during U.S. dis-covery, the responding party is generally under a duty toproduce them, unless the producing party can raise con-vincing arguments to the contrary.

3. E-Discovery in the U.S.E-discovery occurs in the context of American ‘pre-trial-discovery’ or comparable procedures initiated in com-mon law jurisdictions. The purpose of this judicial pre-liminary process is the finding of facts and/or discoveryof the relevant evidence and is, to a large extent, con-ducted by the parties without the participation of judges.During this process, the parties can demand from theiradversaries’ comprehensive information concerning allfacts and evidence which could be ‘relevant’ to thealleged claim or defence (FRCP 26).5

5 See Fed. R. Civ. P. 26(b)(6)(1) (‘Unless otherwise limited by court order,the scope of discovery is as follows: Parties may obtain discovery regard-ing any non privileged matter that is relevant to any party’s claim ordefense including the existence, description, nature, custody, condition,and location of any documents or other tangible things and the identityand location of persons who know of any discoverable matter.’).

The definition of‘relevant’ is broad; evidence may be relevant, for exam-ple, if it can lead to the discovery of useful evidence.6

6 See Fed. R. Civ. P. 26(b)(1) (‘Relevant information need not be admissi-ble at the trial if the discovery appears reasonably calculated to lead tothe discovery of admissible evidence.’).

Extensive and detailed pleadings are generally not neces-sary under U.S. notice pleading rules, in part because ofthe liberal and expansive pre-trial-discovery tools,which are available to U.S. litigants and allow them toidentify relevant facts and witnesses. In practice,requests for information are carried out by written inter-rogatories (i.e. written questions to the opposite party),judicial discovery orders, or requests for the productionof documents (i.e. a request brought to a litigant byanother party’s lawyer to prepare and present relevantdocuments). Significantly, according to Rule 34 of theFRCP, ESI is governed by pre-trial-discovery regulationsin the same manner as documentary evidence.7

7 See Fed. R. Civ. P. 34, Producing Documents, Electronically StoredInformation, and Tangible Things, or Entering onto Land, for Inspec-tion and Other Purposes.

Thismeans that a company’s electronic information system(its servers, hard drives, backup systems, software docu-ment management systems and third party document

Geercken/Holden/Rath/Surguy/Stretton

Irreconcilable Differences? Navigating Cross-Border E-DiscoveryCRi 2/2013 45

retention systems) is subject to discovery.8

8 For example, a party to a lawsuit may rightfully request access to anopponent’s emails relating to a certain time period or for documentscontaining certain key words. See Coleman Holdings, Inc. v. MorganStanley, No. 502003CA005045XXOCAI, 2005 WL 679071, at *1 (Fla.Cir. Ct. Mar. 1, 2005).

However, theFRCP offers little flexibility to limit the inclusion of suchpersonal information.9

9 The FRCP does not directly address redactions in the context of docu-ment discovery. It does, however, offers guidelines regarding the redac-tion of certain personal information from documents filed with court,and law firms often mirror these guidelines in making decision to redactinformation from documents produced to opposing counsel.

FRCP Rule 5.2, for example,permits a party to redact10

10 To ‘redact’ a document means to remove part of the text of a document,typically by blacking it out and inserting the word ‘Redacted’. Parties,for example, may redact certain words, numbers or sentences of a docu-ment. Redactions are most often done to prevent privileged materialfrom being produced to an adversary.

only the following: an indi-vidual’s social-security number, taxpayer-identificationnumber, or birth date, the name of an individual knownto be a minor, or a financial-account number.

4. Sanctions in U.S. Courts for Infringement ofthe Discovery Obligation

A foreign company’s failure to comply with U.S. discov-ery obligations due to data protection concerns couldlead to considerable sanctions. U.S. courts are not unfa-miliar with the differing data protection laws of manyEuropean countries and, as discussed in Section 4.1below, U.S. courts employ a balancing test to determinewhether a foreign entity must produce documents in aU.S. litigation case. Failure to comply with the court’sdecision could lead to sanctions such as striking plead-ings, taking certain matters as proven, holding a party incontempt, preventing the party in breach from relyingon its evidence on a specific issue (which could have theeffect of reversing the initial burden of proof), entering ajudgment against the party in breach, permitting use ofan adverse inference instruction to the jury, or ultimatelydismissal.11

11 Fed. R. Civ. P. 37, Failure to make Disclosures or to Co-operate in Dis-covery Sanctions. See also Zubulake Revisited, 2010 U.S. Dist. LEXIS1839, at *24 (S.D.N.Y. Jan. 11, 2010) (noting that a Court shouldalways impose the least harsh sanction that can still provide an adequateremedy, and noting that possible sanctions from ‘least harsh’ to ‘mostharsh’ include: ‘further discovery, cost-shifting, fines, special juryinstructions, preclusion, and the entry of default judgment or dismissal’)(internal citations omitted).

Additionally, the party in breach may beordered to pay considerable fines.

5. Disclosure in EnglandIn England, each party must disclose documents onwhich it relies and which support or adversely affecteither its case or another party’s case.12

12 Civil Procedure Rule 31.6.

This thereforeincludes adverse and damaging documents. This isknown as ‘standard disclosure’ and replaces the former(and wider) definition of ‘relevance’ as the basis of dis-closure. In almost every case, each party must make this‘standard disclosure’ by way of a list which identifiesdocuments which are in existence (or once existed in thepast but which have since been lost or destroyed) andwhich fall within the definition of ‘standard disclosure’.A party is required to disclose only those documents(i) on which it relies; (ii) which adversely affect its case;(iii) which adversely affect the other party’s case;(iv) which support the other party’s case; or (v) whichare required to be disclosed in specific circumstances by

particular court rules. The scope of this disclosure is nar-rower than under the previous rule and was therebyintended to reduce the costs associated with disclosure.In assessing what is disclosable material, a party has aduty to make a ‘reasonable search’, in proportion to thesums in issue and the costs of carrying out the search13

13 Civil Procedure Rule 31.7. Practice Direction 31 and Revised PracticeDirection 31B set out various factors to be taken into account whenassessing ‘reasonableness’.

and to make a disclosure statement, verifying the extentof the searches that have been carried out. The legal rep-resentative has the duty to ensure that the person makingthe statement understands the duty of disclosure appli-cable. If a party believes that another party has any spe-cific documents which he has failed to disclose, he maymake an application for ‘specific disclosure’. In both‘standard disclosure’ and ‘specific disclosure’, the dutyof disclosure is limited to documents that are, or havebeen, in a party’s control. Therefore, documents whichhave been lost or destroyed need to be considered as dodocuments held by third parties in respect of whom thereis a right to compel documents to be handed over. It ispermissible, subject to the discretion of the court onchallenge by an opponent to redact parts of a disclosabledocument which are irrelevant or confidential. Strictlyspeaking if the document as a whole is within the scopeof the disclosure obligation, confidentiality and irrele-vance (unlike legal professional privilege) are not abso-lute objections to the obligation to disclose. Whilst it isnot unheard of for personal information or sensitiveinformation to be redacted in the context of litigation, itis an expensive process and would only be carried out forvery good reason. The disclosing party would in mostcases be entitled to rely on the protection of the court’sorder obliging disclosure to be given. It is worth notingthat under the former system of civil litigation the rulesobliged the parties to give automatic disclosure at a cer-tain state of the proceedings whereas under the newregime the obligation only arises when the court makesan order. This enables the court to more strictly controlthe process.

A natural consequence of the existing approach to stan-dard disclosure has been that a lawyer is required toreview all documents gathered in the reasonable searchbefore handing them over, a process which is costly giventhe large volume of documents now available and oftendisproportionate to the value of the case. A new CivilProcedure Rule CPR 31.5, introduced on 1 April 2013makes provision for a menu of disclosure orders and dis-closure directions, to allow for a more tailored approachin substantial cases. There will no longer be a presump-tion in favour of standard disclosure. Instead, thecourt must decide which of a range of orders to makeranging from dispensing with disclosure, to issue-basedto disclosure and also full-blown “train of enquirybased” disclosure in appropriate cases. In selecting anappropriate order the court will take into account theoverriding objective of the rules and the need to limit dis-closure to that which is necessary to deal with the casejustly. In the amendments to the CPR implemented on 1April 2013, the overriding objective has been amendedto include a reference to the need to deal with cases at aproportionate cost.

These amendments are being introduced in conjunctionwith a package of amendments including new cost man-


Irreconcilable Differences? Navigating Cross-Border E-Discovery46 CRi 2/2013

agement rules and together they are designed to keep thecosts of litigation under control in line with the reformssuggested by Lord Justice Jackson following his reviewof the costs of civil litigation in the UK. The new costmanagement rules set out in proposed new rules CPRrules 3.12 to 3.18 and Practice Direction 3E will requireparties to file and exchange budgets before the first casemanagement conference for approval by the court.Costs will thereafter be actively managed by the courtwithin the boundaries of those approved budget. At theend of a case the successful party will be able to recoverthe reasonable costs of the case and when these areassessed the court will take into account the approvedbudget.

6. How the U.K. Data Protection Act Impactson Disclosure Obligations

The Data Protection Act 1998 in the U.K. implementsthe European Data Protection Directive. The Informa-tion Commissioner is the supervisory authority for thepurposes of the Directive and Act. His duty is to promotebest practice and the observance of the Act. Thisincludes the production of codes of practice. The Act’s‘protection’ enables citizens to rely on the civil and polit-ical rights contained in the European Convention onHuman Rights. The privacy of individuals with respectto the processing of relevant data is protected and thefree flow of personal data in the interests of promotingtrade is permitted. A balance therefore is requiredbetween these competing interests. The nature of theregulation was intended to be proportionate and not abox-ticking procedure.

When it comes to understanding the meaning of the Actit has to be interpreted in line with the policy of theDirective.

a) Compliance Duty on Data ProtectionPrinciples

The scheme of the legislation is that the ‘Data Control-ler’ is under a duty to comply with the ‘Data ProtectionPrinciples’. The Data Controller is the person whodecides how ‘personal data’ (i.e. data which relates to aliving individual who can be identified) are to be ‘pro-cessed’. Processing is a very wide term and effectivelycovers any activity to which the data might be subject(for example obtaining, recording, holding, retrievingdata, as well as the use, adaptation, alteration, organiza-tion, disclosure, dissemination of data and making itavailable, consulting it erasing and destroying it). Anyform of pre-trial disclosure to a party in litigation andeven the collection and review work required in prepar-ing to make disclosure constitute ‘processing’. Impor-tantly, the Act applies to any Data Controller who isestablished in the U.K. (ordinarily resident in or incorpo-rated in any part of the U.K.). It also applies to a DataController that is established neither in the U.K. norother EEA state, where equipment which is in the U.K. isused to process the data otherwise than for transitionthrough the U.K.

b) Exceptions to Compliance DutyCollecting and reviewing data in the U.K. for pre-actiondisclosure can generally be carried out within the con-

fines of these exceptions without too much difficulty.The correct approach is therefore first to ask whether theprocessing in question is exempt from the duty to com-ply with the eight Principles. In order to understand theexceptions it is important to understand the distinctionbetween the so called ‘non-disclosure’ provisions of theAct (broadly those of the eight Principles which restrictlawful data processing and which if not complied withmay make the processing unlawful) and the ‘subjectinformation’ provisions (those which confer the right onthe data subject to ask for or to be notified about why hispersonal data is being processed). The way the excep-tions apply depends on which of these two sets of provi-sions apply. Both sets of provisions would generallyapply to disclosure in the context of litigation. Examplesof the non-disclosure provisions are the requirements forthe data processing to be proportionate and for the dataprocessing to be for a specified purpose which is a lawfulpurpose. An example of the subject information provi-sions is the right of the data subject to be notified that hispersonal data is being processed. The conditions givingrise to the exceptions must then be satisfied. An exampleof an exception to the non-disclosure provisions wouldbe where the disclosure is to prevent crime or to detectcrime or to prosecute offenders. An example of anexception to the subject information provisions is wherenotification would prejudice the security of the health,safety or welfare of workers.

aa) Corollary Conditions

Where the exceptions do not apply, a number of alterna-tive conditions have to be met before the data can be saidto be ‘fairly and lawfully’ processed in line with the Prin-ciples. In the present context, those conditions are thatthe ‘data subject’ has given consent or where it is neces-sary for the Data Controller to comply with a non-con-tractual legal obligation or where it is necessary for thelegitimate interests pursued by the Data Controller.Given a relatively high threshold to satisfy the concept of‘necessary’ then the ‘consent’ condition is most com-monly encountered in practice. Further, processing willnot be ‘fair and lawful’ unless the Data Subject is notifiedthat the processing is taking place. There is no need togive notification if it would either be disproportionate ordisclosure is necessary to comply with a legal obligationof the Data Controller. In addition to these consider-ations, the processing has to be for one or more specifiedand lawful purposes and the processing must not be‘excessive’. The principles also make it clear that techni-cal and organisational steps must be taken to safeguardagainst the loss, destruction or unlawful processing ofdata and that the data shall not be transferred to a coun-try outside the EEA unless equivalent levels of protectionare provided as those conferred by the Act. Consider-ation therefore has to be given to the use of appropriatetechnology and technology providers.

bb) Scope of the Exceptions

As mentioned, there are exceptions to the duty to com-ply with the ‘non-disclosure’ provisions where the datais being processed for the detection or prevention ofcrime. There is also an exemption to the ‘subject infor-mation’ provisions where the processing would preju-dice the discharge of the Data Controller’s functions toprotect the public against dishonesty, improper conductor financial loss. These exceptions do not have general



application to routine commercial litigation but maycover some contexts. The exception under s. 35 of theAct only extends to the ‘non-disclosure’ provisions. Thecircumstances in which this exception arises are the mostapposite to the present context. They are where the dis-closure is required by a court order, enactment or rule oflaw or where disclosure is ‘necessary’ in connection withprospective of actual legal proceedings or for obtaininglegal advice or otherwise where it is necessary to estab-lish, exercise, or defend legal rights. It can be seen fromthis complex interplay of principles and exceptions thatin the absence of ‘consent’ and in most cases notifica-tion, the collecting, reviewing and disclosing data in thecontext of litigation could amount to a breach of a dutyto comply with principles or at least there would be min-imal certainty as to whether the principles have beencomplied with or not.

c) Concept of ConsentConsent is a concept that has generally caused little diffi-culty in the U.K. but issues related to the “quality” ofconsent and its vulnerability to withdrawal have createdmore difficulty in other parts of the EU, notably France.Whilst in the context of disclosure in litigation a combi-nation of the s. 35 exception and the derogation from therequirement to give notice where disclosure is necessaryto comply with a legal obligation may mean that noticeis not required, it is nevertheless common practice fororganisations to attempt to satisfy the notificationrequirement through generic notices in employment pol-icies and on other official documentation. Whilst techni-cally these attempts may not achieve strict compliance,for the reasons stated earlier this is unlikely to give rise toany problems with admitting the evidence in court. Ifdata is processed otherwise than in accordance with theterms of the Act the Data Controller may be censured,but in most civil cases (and probably in most criminalcases) the judicial discretion to exclude unlawfullyobtained evidence is very unlikely to mean that the per-sonal data will not be admissible in the litigation itself.

7. Sanctions in EnglandWhere there are English proceedings and the personaldata is located in the U.K., it is very unlikely that theduties imposed by the U.K. Data Protection Act will pre-vent the data from being tendered in evidence in the pro-ceedings. If the Act is not complied with, the data is stilllikely to admissible. Suppose in a U.K. litigation casewhere the U.K. Data Protection Act applies, some of thedata to be disclosed is controlled by a party to the litiga-tion in Germany. What happens if because of the appli-cation of the German data protection rules, the litigantcannot produce the data it controls? The approach of theEnglish courts is illustrated in the case of CMCS Com-mon Market Commercial Services AVV v. Taylor [2011]EWHC 324 (Ch). In this case there was an issue as to theownership of a company that was claiming possession ofa property. The alleged ultimate owner of the companywas joined as a party to the proceedings and was orderedto disclose documents relating to his ownership. Thealleged ultimate owner was based in Switzerland and didnot give full disclosure on the basis that Swiss secrecylaws obliged him not to. The alleged ultimate owner’srefusal to comply with a court order for full disclosureled to him being barred from continuing to take part in

the case. Whilst the case is directly about wasted costsand solicitors’ misconduct, it is a useful example of thefact that a litigant who is unable to give full disclosuredue to the application of non-U.K. laws (including forexample because the data is in Germany and Germanlaw will not release it), could ultimately be barred fromcontinuing his case. The remedy of debarring a litigant isone of last resort and is only appropriate where the fail-ure to give disclosure cannot be dealt with either by thedrawing of adverse inferences against the non-compliantparty or otherwise where justice cannot be done.

Where the documents are needed for U.K. proceedingsbut located outside the U.K. in a country that will not,for data protection reasons, permit the lawful disclosureof the personal data, the Data Controller will have toweigh up the relative merits and demerits of sanctions inthe U.K. proceedings vs. sanctions under the law of thecountry where the data protection rules do not permitthe release of the data. The power to impose sanctionsfor non-disclosure may include the striking out ofclaims, costs awards, the drawing of adverse inferencesor a contempt of court. The penalties for non-compli-ance with data protection laws may include heavy finesor imprisonment in some countries. When it comes topenalties and enforcement in the U.K., from 6 April2010 the Information Commissioner’s Office has beenable to impose penalties of up to £500,000 for seriousbreaches of the Data Protection Act14

14 Data Protection (Monetary Penalties) (Maximum Penalty and Notices)Regulations 2010. See www.ico.gov.uk.

.

II. E-Discovery in Germany – An Example ofthe Position in Europe

In comparison to the U.S. or U.K. most European coun-tries do not have discovery procedures in place. Never-theless it may be the case that a discovery or disclosureobligation that initiates in the U.S. or the U.K. includesdocuments that are in the possession and control of com-panies located in one of these European countries.Hence, companies based in Germany or in other parts ofEurope15

15 See The Sedona Conference, International Overview of Discovery, DataPrivacy and Disclosure Requirements, September 2009, for an overviewof other jurisdictions.

might be faced with such e-discovery requeststo produce ESI.16

16 See Burianski/Reindl, SchiedsVZ 2010, 187 et seq. on E-Discovery inInternational Arbitration.

This is especially the case if, for exam-ple, such companies operate in the U.S. or Englandthemselves (for example, by ‘doing business’ or estab-lishing ‘minimum contacts’) or if they are subsidiaries ofAmerican corporate groups due to the ‘alter ego theory’.According to the ‘alter ego theory’ a plaintiff seeking topierce the veil of limited liability must prove that the sub-sidiary in question and the corporate group do not act asif they were a separate legal entity. Without such sepa-rateness a court may rule that the subsidiary and thegroup are one and the same. As a result the subsidiarywill have unlimited liability for all of the group’s disclo-sure requirements.

1. Enforceability of E-Discovery Requests underthe Hague Convention

It is the common belief of many U.S. lawyers and judgesthat foreign courts may be competent to impose discov-



ery obligations on companies located in European coun-tries like Germany or France directly. It is not, however,clear whether such formal e-discovery productionrequests will in fact be successful due to proceduralobstacles such as those set out in the Hague Conventionon the Taking of Evidence Abroad.17

17 Convention on the Taking of Evidence Abroad in Civil or CommercialMatters, Mar. 18, 1970, 23 U.S.T. 2555, T.I.A.S. No. 7444, 847U.N.T.S. 231 (1972).

The Hague Con-vention is a treaty signed in 1970 by e.g. the U.S. and anumber of other nations. Article 23 of the Hague Con-vention sets forth a uniform procedure for the issuanceof letters of request.18

18 The letters of request are petitions from a court in one nation to a desig-nated central authority in another country requesting assistance fromthat authority in obtaining information that is located within the centralauthority’s borders. An approved letter of request permits the transferand processing of data.

However, among other states inthe European Union, Germany has raised a reservationunder Article 23 of the Hague Convention not to dealwith requests for legal assistance to be given in the con-text of pre-trial discovery taking place in Common Lawcountries.19

19 It is not clearly established whether this reservation would also apply inthe context of e-discovery, as ‘documents’ and ESI are not treated asbeing equivalent under the FRCP. It is also important to note that e-dis-covery was not known in Germany at the time the Hague Conventionbecame applicable and when the German reservation was made.

Hence, litigants from the U.S. or Englandcould not impose any direct enforceable obligation ofassistance on German companies under the Hague Con-vention.

American courts and attorneys, however, do not alwaysseem to regard the stipulations contained in the HagueConvention as authoritative. For example, in the breachof contract case Accessdata Corp. v. Alste Techs.GmbH20

20 Accessdata Corp. v. Alste Techs. GmbH, 2010 U.S. Dist. LEXIS 4566(D. Utah Jan. 21, 2010).

, the defendants objected to disclosure of ESIrelated to the case since disclosure would be blocked byGerman law and the Hague Convention rules. The basisof their objection was that it would be a ‘huge breach offundamental privacy laws in Germany’ and subject thedefendants to ‘civil and criminal penalties for violatingthe German data protection law and the German Consti-tution.’ The Court explicitly disagreed and ordered dis-closure of ESI even assuming that the German privacylaw prohibited disclosure of personal third-party infor-mation. It argued that the United States Supreme Courthad addressed this issue in Societe Nationale IndustrielleAerospatiale v. United States District Court where itheld that ‘it is well settled that such [blocking] statutesdo not deprive an American court of the power to ordera party subject to its jurisdiction to produce evidenceeven though the act of production may violate that stat-ute.’21

21 Id. at 544 n. 29.

In a U.S. case involving a French litigant, Straussv. Credit Lyonnais, S.A.22

22 249 F.R.D. 429 (E.D.N.Y. 2008).

, a magistrate judge for theEastern District of New York upheld a previous orderwhich ordered disclosure of documents from a Frenchbank in relation to a terrorist attack in Israel. The defen-dant sought a protective order against sanctions for fail-ing to discover documents using as justification a letterreceived from the French Ministry of Justice whichstated that discovery not in compliance with the HagueConvention would result in a ‘violation of the sover-eignty of the French State.’ Disregarding the defendant’scontention that violation of the Hague Convention

would result in criminal sanctions, the Court cited theRestatement (Third) of Foreign Relations Law of theUnited States, § 442, which sets out five factors to con-sider regarding the disclosure of foreign documents thatare relevant to U.S. disputes. Based on these factors, theCourt again denied the defendant’s motion.23

23 These factors which U.S. courts consider in deciding whether to issue anorder directing production of information located outside the U.S. are:(1) The importance to the investigation or litigation of the documents orother information requested; (2) the degree of specificity of the request;(3) whether the information originated in the U.S.; (4) the availability ofalternative means of securing the information; and (5) the extent towhich non-compliance with the request would undermine importantinterests of the U.S., or compliance with the request would undermineimportant interests of the state where the information is located.

Such caseshave been arising with increasing frequency. The Strausscase echoed Enron v. J.P.Morgan Securities, Inc, wherethe Court ordered production of documents located inFrance, finding that the French blocking statute24

24 Countries may enact blocking statutes specifically intended to blockinternational data transmission, even if the collection, processing orother use of information would be permissible within the country’s bor-ders. See for example, French Penal Law 80-538 which provides: Subjectto international treaties or agreements and laws and regulations in force,it is forbidden for any person to request, seek or communicate, in writ-ing, orally or in any other form, documents or information of an eco-nomic, commercial, industrial, financial or technical nature leading tothe constitution of evidence with a view to foreign judicial or adminis-trative procedures or in the context of such procedures.’

wasnot a sufficient bar to disclosure25

25 Enron v. J.P.Morgan Securities, Inc., No. 01-16034 (Bankr. S. D. N.Y.July 18, 2007).

. Similarly, in Reino deEspana v. American Bureau of Shipping, the Court heldthat Spain’s privacy laws cannot exempt materials fromdiscovery since those laws were not applicable in theU.S26

26 Reino de Espana v. American Bureau of Shipping, 2006 WL 3208579(S.D.N.Y. Nov. 3, 2006).

. As a result in most cases the discovery obligationworks at least indirectly because most companies adhereto court orders due to the fear of facing sanctions orbecause they may have an interest in the process.

Importantly, a significant reason why discovery requestsare so successful despite European privacy laws is thatthe responding party fails to demonstrate that providingpersonal information would be a breach of fundamentalprivacy laws. Therefore, it is necessarily required to sub-mit precisely the facts about the foreign privacy law andexplain the court in detail the conflict. Shira A. Scheind-lin, judge for the Southern District Court of New York,recently said at an event of the Georgetown Advanced E-Discovery Institute that it is the job of lawyers to educatethe judge, problem is that many U.S. judges have noexperience in foreign law and international issues. Theparties, therefore, need to encourage U.S. courts to takeinto consideration and respect foreign privacy law. U.S.discovery of foreign materials has not proven limitless,however. In Linde v. Arab Bank, the Court applied thesame balancing test that was applied in Strauss, and inthis case it found that since the majority of the factorsweighed in favour of the party opposing discovery, theIsraeli confidentiality laws could serve as a barrier to dis-covery27

27 Linde v. Arab Bank, 2009 WL 1456573 (E.D.N.Y. May 22, 2009).

.

2. Data PrivacyIn contrast to U.S. data protection laws, the data protec-tion laws in Europe protect the individual against hisrights to privacy being impaired through the handling of



his personal data.28

28 See Sedona Conference Framework for Analysis of Cross-border Dis-covery Conflicts – A practical guide to navigating the competing cur-rents of international data privacy and discovery – April 23, 2008 (Pub-lic Comment Version), A Project of the Sedona Conference WorkingGroup 6 on International Electronic Information Management, Discov-ery and Disclosure, www.thesedonaconference.org/dltForm?did=WG6_Cross_Border.

Under the compulsory requirementsof European Union data protection laws, the disclosureand transfer of personal data is generally prohibited29

29 Article 7 of Directive 94/46/EC.

.In addition, European Union and German privacy lawsare inspired by the principles of data avoidance and dataeconomy, i.e. as little personal data as possible should becollected, processed and used.30

30 Section 3 of the German Data Protection Act.

This gives the individualthe right to control any third party access to his personaldata and this is recognised – at least under German law –as a high ranking, fundamental and even constitutionalright and principle. It follows that under German law,the collection, processing and disclosure of data col-lected in the context of an e-discovery exercise is subjectto the German Data Protection Act31

31 The German Federal Data Protection Act (Bundesdatenschutzgesetz).See Rath/Klug, K&R 2008, 596 (598).

. Therefore, a datacontroller is under full responsibility to collect, processand use (which includes the production and transfer of)personal data contained in electronic files in accordancewith principles set out in the data protection law. Viola-tions of the German Data Protection Act may be prose-cuted as administrative or criminal offences (accordingto Section 43 German Data Protection Act the formerare punishable by fines and the latter, according to Sec-tion 44, paragraph 1 of the German Data ProtectionAct, even by imprisonment for up to two years).32

32 See Gola/Schomerus, BDSG, § 43 no. 16.

In theFrench case In re Advocat Christopher X, Cour de Cas-sation33

33 Appeal No.: 07-83228 (Supreme Court, France, Dec. 12, 2007).

the French Supreme Court affirmed a criminalconviction under France’s Blocking Statute34

34 French Penal Law 80-538.

. This wasthe first reported conviction under this statute. The casearose from a discovery order in Straus v. Credit Lyo-nais35

35 242 F.R.D. 199 (E).

. In addition, the provisions of the German DataProtection Act may also be enforced by the individualdata subjects (Section 34 German Data Protection Act)as well as the competent data protection authorities(Section 38 German Data Protection Act).

This means that the collection, production and transferof personal data can only be carried out if permitted bythe German Data Protection Act or any other Germanlegal provision or if the data subject has explicitly con-sented. Only exceptionally, e-discovery exercises mightbe permitted without fulfilling these categories. How-ever, this exemption may only be used very restrictivelyin order to comply with the principle that under Germandata protection law any collection, processing or use ofpersonal data is basically prohibited unless explicitlyallowed.36

36 See Simitis, BDSG, § 28 no. 133.

Furthermore, as regards personal data fromemployees, this is only possible under the strict regula-tions of Sections 28 and 32 German Data Protection Act.Under Section 32, the processing of personal data of cur-rent employees and also former staff is only permittedunder certain, very limited circumstances.37

37 Section 32, paragraph 1of the German Data Protection Act currentlyreads as follows: ‘Personal data of an employee may only be collected,processed or used for the purposes of the employment relationship if this

is necessary for the decision of the establishment of an employment rela-tionship or, after establishment of an employment relationship, if this isnecessary for its performance or termination.’

Further-

more, the collection and storage of data may only be per-missible if required for the safeguarding of legitimateinterests (e.g. in the context of legal proceedings) and if itis balanced with the rights of the data subjects.38

38 Section 28, paragraph 1, No. 2 of the German Data Protection Actreads – in its relevant parts – as follows: ‘The collection, storage, modifi-cation or transfer of personal data or their use as a means of fulfillingone’s own business purposes shall be admissible 1. [...],2. insofar as this is necessary to safeguard justified interests of the datacontroller and there is no reason to assume that the data subject has anoverriding legitimate interest in his data being excluded from processingor use, [...].

Thismeans that the respective data controller (the companygathering ESI) must balance the protection of the emplo-yees’ rights with the purpose for which such processingis being required and determine whether it is used for thepurpose of the employment relationship. Therefore,before producing emails that may contain personal datathe company must also balance the protection of theemployees’ rights (considered as data subjects) with thepurpose for which such processing is being required.This exercise has to be carried out on a case by case basis.Even if the collection and production of electronic datahas taken place, the subsequent transfer of the relevantESI abroad may also be problematic. Under Section 4b,paragraph 2 of the German Data Protection Act, a cross-border transfer of data from Germany to a foreign coun-try may only be carried out if an adequate level of dataprotection is guaranteed in the country to which the datais to be transferred. It is important to note that underGerman law the level of data protection existing in Ger-many is not considered to be the same outside the EU/EEA.39

39 Furthermore, in Germany, such transferred data could only be used inthe context of legal proceedings. In the U.S., however, documents filed aspart of public legal actions are generally available to the public. Thiswould also conflict with the requirements of Sections 4b and 4c of theGerman Data Protection Act and of Article 25 and 26 of Directive 94/46/EC.

It follows that the broad extent of data transfers oftenrequired under the American process of e-discovery isnot compatible with German or European Union dataprotection law. The fact that many employees at compa-nies are permitted to use email and Internet for their ownpersonal use may also render the situation more compli-cated as in such situations, the employer is treated as aprovider of telecommunication services under the Ger-man Telecommunications Act. In these situations, thecompany is obliged to protect the secrecy of telecommu-nications. Similar to the German data Protection Act,the German Telecommunication Act contains specialrequirements for the cross-border transfer of personaldata. Those requirements apply to any cross-bordertransfer, even within the EU. Therefore the transfer ofESI to countries like England might be problematic aswell. It is important not to forget that the Works Council(if any should exist within the relevant German compa-nies) also has certain rights of determination in connec-tion with the use of emails and Internet access of theemployees under the Works Constitution Act. In mostcases, the potential collection and transfer of such datato the U.S. would, therefore, have to be first discussedwith the relevant Works Council at an early stage of thee-discovery exercise.



III. An Irreconcilable Difference?For all the reasons discussed above, European data pro-tection laws and the rules of discovery/disclosure in theU.S. and U.K. seem to be incompatible. Differentapproaches to the predicament haven been taken aroundthe globe. Against a backdrop of a complex set of laws,diversity in these laws from country to country andincreasing penalties for not complying with them, howcan companies go about transferring data whenresponding to discovery requests for information in alegally compliant manner?

1. Guidance from European Data ProtectionBodies

In Europe, the ‘Article 29 Data Protection WorkingParty’40

40 The Article 29 Data Protection Working Party was set up under Arti-cle 29 of Directive 95/46/EC. It is an independent European advisorybody on data protection and privacy. Its tasks are described in Article 30of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. Furtherinformation can be found at http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.

has adopted the ‘Working Document 1/2009 onpre-trial discovery for cross-border civil litigation (WP158)’41

41 http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp158_en.pdf.

, which provides guidance to data controllerssubject to European Union law on dealing with requeststo transfer personal data to another jurisdiction for usein civil litigation. In this document, the Working Partyrecognizes that the parties involved in litigation mayhave a legitimate interest in accessing information that isnecessary to make or defend a claim, but also that thismust be well balanced with the rights of the individualwhose personal data is being sought.42

42 The Working Party considered the effects of the Restatement (Third) ofForeign Law of the United States no. 442 and the various decisions ofU.S. courts acknowledging that a balancing exercise should be carriedout with the aim that the trial court should rule on a party’s request forproduction of information located abroad only after balancing:(1) the importance to the litigation of the information requested(2) the degree of specificity of request(3) whether the information originated in the U.S.(4) the availability of alternative means of securing the information(5) the extent to which non-compliance would undermine the interestsof the U.S. or compliance with the request would undermine the interestsof a foreign sovereign nation; see id, p. 5 et seq.

The WorkingParty acknowledges the need for reconciling the require-ments of the U.S. litigation rules and the EuropeanUnion data protection provisions, but also confirms thatthere must be compliance with applicable data protec-tion requirements. Therefore, in order for the pre-trialdiscovery procedure to take place lawfully, the process-ing of personal data needs to be legitimate and to satisfythe grounds set out in Articles 7 and 26 of the Data Pro-tection Directive (which have been implemented intoGerman data protection law as set out above).

In essence, the Working Party as well as the Germanequivalent, the so-called ‘Düsseldorfer Kreis’, hold thatan obligation imposed by a foreign legal statute or regu-lation (such as Rule 26 of FRCP) would not qualify as alegal obligation by virtue of which data processing relat-ing to e-discovery requests could be made legitimate.The Working Party also confirms that from a EuropeanUnion perspective that there is an unalienable duty uponthe data controller (the company) involved in litigationto take such steps as are appropriate (in view of the sensi-tivity of the data in question and of alternative sources ofthe information) to limit the discovery of personal data

as much as possible and to that which is objectively rele-vant to the issues being litigated. Also, where it is possi-ble for The Hague Convention to be followed, the Work-ing Party urges that this approach should be consideredas a method of providing for the transfer of informationfor litigation purposes.43

43 The ‘Sedona Principles Addressing Electronic Document Production’published by the ‘Sedona Conference’ provide some additional guidanceon the handling of ESI in the context of an e-discovery exercise takingplace in the U.S A copy of the Sedona Principles is available for down-load at the Sedona Conference’s website, www.thesedonaconference.org. See Sedona Conference Framework for Analysis of Cross-borderDiscovery Conflicts – A practical guide to navigating the competing cur-rents of international data privacy and discovery – April 23, 2008 (Pub-lic Comment Version), A Project of the Sedona Conference WorkingGroup 6 on International Electronic Information Management, Discov-ery and Disclosure, www.thesedonaconference.org/dltForm?did=WG6_Cross_Border.

The Working Party also offerssome practical guidance on how to handle personal datain a litigation context and states the following: “As afirst step controllers should restrict disclosure if possibleto anonymised or at least pseudonymised data. After fil-tering (“culling”) the irrelevant data – possibly by atrusted third party in the European Union – a much morelimited set of personal data may be disclosed as a secondstep.”44

44 See Working Document 1/2009 on pre-trial discovery for cross-bordercivil litigation (WP 158), page 10.

Besides the German data protection authorities, also theFrench Data Protection Authority (Commission natio-nale de l’informatique et des libertes)(‘CNIL’) has issuedguidance to help French companies comply with dataprotection obligations after receiving pre-trial discoveryrequests from the US.45

45 The CNIL guidelines on discovery are available in French at http://op.bna.com/pl.nsf/r?Open=byul-7v5nrv. The summary provided can befound in an article by Lisa Nuch Venbrux in the Privacy and SecurityLaw Report of 24 August 2009 available at http://www.hunton.com/files/tbl_s10News%5CFileUpload44%5C16570%5CBNA_FrenchDataProtection_8.09.pdf.

Data located in France can bedirectly transferred to the US for discovery purposes ifcertain conditions are met:

¸ The data transfer takes place only once.

¸ The data transfer contains a ‘non-massive’ amountof personal data.

¸ There are safeguards in place to protection thedata.46

46 Such transfers can be justified by an exception under Article 69 of thedata protection act, Act n°78-17 of 6 January 1978 on Data Processing,Data Files and Individual Liberties (Amended by the Act of 6 August2004 relating to the protection of individuals with regard to the process-ing of personal data).

The recommendations also list methods companies canuse to comply with data protection principles in cross-border litigation. CNIL has suggested that data control-lers use electronic filtering systems in order to check onthe proportionality and quality of the data. If data can-not be anonymised, categories of data to be transferredmust be limited to a data subject’s name, job title,address, telephone number and data directly related tothe litigation. Personal data should be kept secure andaccess to it should be tracked electronically. It should notbe retained for longer than is needed for the litigation.

2. Guidance from “The Sedona Conference”Engaged in an active dialogue with the Article 29 Work-ing Party and the national data protection authorities,



the American organisation “The Sedona Conference”has also published some suggestions to manage the legalchallenges of cross-border e-Discovery.47

47 Founded in 1997, The Sedona Conference is a “non-profit, research andeducational institute dedicated to the advanced study of law and policyin the areas of antitrust law, complex litigation and intellectual propertyrights” (about The Sedona Conference: https://thesedonaconference.org/aboutus).

In view of thecomplexities and conflicts on cross-border litigation,particularly related to the international management,discovery and disclosure of electronically stored infor-mation, The Sedona Conference 2005 launched “Work-ing Group 6” to address issues and develop some practi-cal guides. In December 2011, Working Group 6 drafteda framework to provide guidance to American courtsand international litigants on how to handle the conflictbetween stringent European data privacy law and liberalAmerican discovery and preservation rules. The socalled “International Principles on Discovery, Disclo-sure & Data Protection” were written by an interna-tional group of experts in the field of data privacy lawand cross-border disputes. It is a non-binding recom-mendation, including best practice instructions forcross-border litigation. Basic idea of the principles is thetheme of cooperation. The Sedona Conference is con-vinced that potential conflicts of law concerning discov-ery often can be avoided or minimized just throughextensive cooperation between the parties, particularlythrough confidentiality agreements and protectiveorders. As far as possible the plaintiff and defendant, inthe phase of pre-trial discovery (the requesting andresponding party), should try to reach agreements thatallow them to commit relevant information in compli-ance with EU laws.

Thereby the International Principles propose a three-stage approach for parties to prevent conflicts: (1) a stip-ulation by the parties or court order to ensure specialprotections for data that is subject to data protectionlaws; (2) a scheduling court order that guarantees aphased discovery process (with enough time to imple-ment data protection processes and examine if relevantinformation can be gathered from sources that are notcovered by data protection laws); (3) a detailed legitimi-zation plan by the parties to achieve the best possiblelegal compliance with European data protection law andU.S. discovery rules48

48 As appendix to the Principles, the publication included a model protec-tive order and a Cross-Border Data Safeguarding Process and TransferProtocol (as basis for a legitimization plan).

. This overarching idea of coopera-tion and collaboration is based on six general principles,the Sedona Conference suggests as guidance for the par-ties during the discovery phase of litigation. They are asfollows:

(1) “With regard to data that is subject to preservation,disclosure, or discovery, courts and parties shoulddemonstrate due respect to the Data ProtectionLaws of any foreign sovereign and the interests ofany person who is subject to or benefits from suchlaws.

(2) Where full compliance with both Data ProtectionLaws and preservation, disclosure, and discoveryobligations presents a conflict, a party’s conductshould be judged by a court or data protectionauthority under a standard of good faith and rea-sonableness.

(3) Preservation or discovery of Protected Data shouldbe limited in scope to that which is relevant and nec-essary to support any party’s claim or defense inorder to minimize conflicts of law and impact on theData Subject.

(4) Where a conflict exists between Data ProtectionLaws and preservation, disclosure, or discoveryobligations, a stipulation or court order should beemployed to protect Protected Data and minimizethe conflict.

(5) A Data Controller subject to preservation, disclo-sure, or discovery obligations should be prepared todemonstrate that data protection obligations havebeen addressed and that appropriate data protec-tion safeguards have been instituted.

(6) Data Controllers should retain Protected Data onlyas long as necessary to satisfy legal or businessneeds. While a legal action is pending or remainsreasonably anticipated, Data Controllers shouldpreserve relevant information, including relevantProtected Data, with appropriate data safe-guards.”49

49 International Principles on Discovery, Disclosure & Data Protection:Best Practices, Recommendations & Principles for Addressing the Pres-ervation Discovery of Protected Data in U.S. Litigation, EuropeanUnion Edition, December 2011.

3. Practical Experiences

a) U.S.: Balancing TestIn determining whether to order a party to produce doc-uments in contravention of the laws of a foreign country,U.S. courts may employ a balancing test as they did inGucci Am., Inc. v. Weixing L50

50 2011 U.S. Dist. LEXIS 97814, at *15-16 (S.D.N.Y. Aug. 23, 2011).

i and Strauss v. CreditLyonnais51

51 249 F.R.D. 429, 438 (E.D.N.Y. 2008).

. Courts in New York, for example, balancethe following five factors: (i) the importance to the inves-tigation or litigation of the documents or other informa-tion requested; (ii) the degree of specificity of therequest; (iii) whether the information originated in theU.S.; (iv) the availability of alternative means of securingthe information; and (v) the extent to which non-compli-ance with the request would undermine important inter-ests of the U.S., or compliance with the request wouldundermine important interests of the state where theinformation is located52

52 See Gucci Am., Inc., 2011 U.S. Dist. LEXIS 97814, at *15-16. SeeRestatement (Third) Foreign Relations Law § 442(1)(c).

.

b) The German PerspectiveAlthough parties may require the assistance of the courtto resolve irreconcilable differences, practice at somefirms indicates that alternative arrangements can beagreed to among the parties. One example of such coop-eration is when cross-border litigants enter a data trans-fer agreement, which governs the foreign party’s produc-tion of materials, such as ESI. Consider the followinghypothetical scenario: A U.S. litigant sends a documentrequest to its German adversary, which calls for the pro-duction of all emails for certain individuals for a fiveyear period. In this case, the German adversary mayrefuse to produce such emails due to German data pro-tection laws. A helpful solution to this problem, that



would not involve going to the judge, would be to rely ona data transfer agreement. Pursuant to that agreement,the German adversary could agree to produce therequested documents in a redacted format; any informa-tion – such as names or job titles – contained in theemails could be substituted with generic information.Instead of listing ‘Joe Smith’ as the email’s author and histitle of ‘Compliance Analyst’ as Joe Smith’s title, theredacted format would list ‘Individual 1’ and ‘Low LevelEmployee.’ Creative and alternative solutions such asthis hypothetical agreement can be tailored to meet dif-ferent country’s data protection rules.

c) The U.K. PerspectiveFrom the U.K. perspective, there are three possibilitieswhen it comes to cross-border data transfers:

aa) A Transfer to the U.S.

A transfer to the U.S. does not give rise to any insolubleproblem in practice. The U.K. has no blocking statutesand there are exceptions (contained in schedule 4 to theUK Data Protection Act) to the ‘no transfer’ rule whichare workable in most cases. As noted above, the DataProtection Act in the U.K. forbids the transfer of per-sonal data out of the EEA in circumstances where thereis no equivalent protection in the recipient state to thatprovided by the Act. Therefore, in relation to a transferfrom the U.K. to, for example, the U.S. (where data pri-vacy law is generally less stringent than that of the 1998Act) the solution is to structure a contractual agreementbetween the ‘exporting’ Data Controller and the recipi-ent organization to guarantee equivalent protection tothat provided by the Act.

In circumstances where it is not possible to create such acontract, the solution is to obtain an order from theEnglish Court. In Re Madoff Securities InternationalLimited53

53 [2009] All ER (D) 31.

the liquidators of the English companywanted to transfer personal data to the U.S. There wasan inadequate level of data protection inherent in thetransfer.

The Court expressly referred to s.4 of the 1998 Act, ‘per-sonal data shall not be transferred to a country or terri-tory outside the European Economic Area unless thatcountry or territory ensures an adequate level of protec-tion for the rights and freedoms of data subject in rela-tion to the processing of personal data.’ The Court wassatisfied in the circumstances of the case that the excep-tion to this rule in schedule 4 paragraph 4(1) of the Act(the transfer is necessary for reasons of substantial pub-lic interest) applied to enable the transfer of the informa-tion to unravel the alleged fraud and what had happenedto the assets. The Court was also satisfied that the otherexceptions in schedule 4 (the transfer is necessary for thepurpose of or in connection with any legal proceedings(including prospective legal proceedings)) was satisfiedas indeed was the exception that the transfer is otherwisenecessary for the purpose of establishing, exercising ordefending legal rights. Interestingly, the court thoughtthat it was likely that the third exemption (the transfer isnecessary for the purpose of obtaining legal advice) wasalso satisfied but made no finding to that effect.

bb) A Transfer to Europe

A transfer from the U.K. to Europe presents no problemsince the restrictions of the Act do not apply.

cc) A Transfer from Europe

A transfer from Europe to the U.K. or from Europe tothe U.S. when viewed from the perspective of Englishlaw should be as workable as a transfer from the U.K. tothe U.S. In practice, however, the application of the locallaw in the European state (other than the U.K.) may wellconflict with the approach of the U.K. law and substan-tially complicate the position. The problem would seemto be most acute in the case of proposed transfers to theU.S. from non-U.K. EU states.

4. The Use of Technology to Overcome DataProtection Obstacles

Apart from the legal mechanisms which can be reliedupon, technology can also be effectively employed toprocess data for discovery purposes and reduce the riskof breaching data protection and privacy laws. Elec-tronic filtering is often used to ensure that large data setsare reduced so that it can be argued that the processingof personal data is proportionate and searching andselection tools can also be used to isolate personal andsensitive data and allow it to be handled carefully. Fromthe perspective of a provider of e-discovery technologyand services, a variety of approaches to addressing dataprotection laws are taken by organizations and theirappointed legal advisors not just within Europe but alsowithin specific countries.

a) On-Premise SolutionAt one end of the spectrum an organization can use it’sown IT infrastructure to process documents at its ownpremises, filter them to identify relevant documents andmake them available for review to a legal team also situ-ated within the organization. In this way all possibledata transfers can be prevented and controlled by thecompany as it is possible to disable all access to the datavia the Internet. This approach tends to be more costlythan others but is used to minimize any contraventionsof data transfer related laws and where the data is of aparticularly sensitive nature

There are also mobile data processing facilities whichcan be set up on certain cases, bearing in mind that largevolumes of data are best handled in a data centre.

b) Intra-Country SolutionAnother option is to make use of an IT infrastructurelocated in the same country in which the data was origi-nally collected (as opposed to an ‘on-premise’ solutionas described above) to process the data and make itavailable for review. Organizations sometimes insistthat those with the ability to access and review the docu-ments are located in the same country as the data or areat least within the EU. Others allow the review team tobe situated outside of the EU including in the U.S. and toaccess the data via the Internet. A key question, and onerequiring local legal advice, is whether the mere act ofviewing the data in another country is considered to be a‘transfer’ of personal data prohibited by data protectionlaws.



c) Centralised Data Processing CentreA third option is to make use of a centralised data pro-cessing centre in Europe to process and filter the dataand make it available for review. A key question here iswhether the transfer of data from the country where it iscollected to a data centre in the U.K., for example, is law-ful. Generally speaking intra-country data transfers inthe EU present less challenges than transfers of datafrom Europe to the U.S. for processing, but this is notalways the case and local legal advice is again recom-mended. The same considerations in relation to thereview of the data discussed above also apply in this sce-nario.

When technology is used to provide filtering (whetherthis is done on-site, in the country, or at a central dataprocessing centre in Europe) keyword searching isapplied to the data. This can be done on an ‘inclusive’basis, i.e., including documents that contain one or morewords from a list and on an ‘exclusive’ basis, i.e., exclud-ing documents that contain one or more words. Whilstthis approach is not foolproof and it is possible, indeedlikely that personal data will pass through these filters,the process at least demonstrates to the relevant authori-ties that rigorous attempts have been made to excludepersonal data and to identify the data strictly relevant tothe issues at stake, as required by the Article 29 WorkingParty in its opinions on pre-trial discovery for cross-bor-der civil litigation.

Self selection of data is also employed, either in isolationor in conjunction with other options in order to removepersonal data. In its most straightforward form thisentails asking individuals to either identify documentswhich are responsive to a specific discovery request orobligation or to identify private documents and emails.This can be done either within the source application(e.g. within Microsoft Outlook) or within a first passdocument review tool. By involving the employee in thisprocess it is likely that personal documents will beexcluded from the subsequent data transfer. However,relying on the employee to select responsive or relevantdocuments or to have any input into the document iden-tification is clearly not without its dangers as in certainsituations this could be used as an opportunity toremove key documents. The neutrality of technologicalfiltering approach is therefore lost. Organisations havealso been known to set up proactive internal proceduresin which employees are instructed to mark any privateemails, by for example, using certain keywords in thesubject line. Automated searches are then used toexclude these documents from data transfers. In thisway, the onus is on the employee to identify personaldocuments.

Commonly, where data needs to be transferred to theU.S. from an organisation in continental Europe, it isfirst transferred to a data processing centre in Europe,for example the U.K., where it is processed, filtered andhosted.

A legal team will then carry out a ‘first pass’ documentreview in which it identifies documents that are likely tobe relevant and excludes personal data by using a combi-nation of keyword searching and manual review. Redac-tions can also be used in order to hide personal informa-tion where necessary. The resultant ‘anonymised’ dataset is then exported to another database in which a full

and more comprehensive document review related to theissues in the case is carried out. This database can behosted in the U.K. or in the U.S. as required. By process-ing and searching across the data in Europe first a partycan show that steps have been taken to limit the datatransferred to that which is strictly necessary to the case.This is in line with the Article 29 Working Party require-ments that efforts should be made to restrict the transferof personal data as much as possible and that only datawhich is relevant to the issues being litigated should betransferred.

IV. ConclusionCross-border litigation is growing in the global economyand complexity in cross-border cases (whether U.S.-ledor not) results from legal variances in different jurisdic-tions. Companies in Europe are no longer only subject toEuropean Union rules and regulations and an inevitableconflict arises between discovery obligations on the onehand and privacy rights on the other. Apart from that,there are significant differences in the maturity of atti-tudes towards e-discovery in different jurisdictions andthe existence or scope of the discovery obligation variesfrom one jurisdiction to the next, particularly asbetween the common law jurisdictions and the non-common law countries of the EU. Despite the Data Pro-tection Directive (and in the future the Data ProtectionRegulation) applying across Europe, other domesticlaws and the differing interpretations of the Directivecreate something of a mine field when it comes to the“processing” of personal data, including its movementacross certain legal jurisdictions. The Article 29 DataProtection Working Party and The Sedona Conferencerecognize the difficulties that arise when cross-borderdata transfers need to take place in the context of pre-trial discovery but do not offer a simple legal solution,no doubt because no such simple solution is yet avail-able. The Working Party and The Sedona Conferencehave nevertheless provided useful practical guidance onhow technology and electronic filtering systems can beused to restrict the disclosure of personal data.

In terms of the future, a radical reform of the EuropeanData Protection Directive is planned. At present, theEuropean Commission is going through a review pro-cess of the European data protection framework.54

54 See European Commission: Justice, Review of the Data Protection LegalFramework, available at http://ec.europa.eu/justice/policies/privacy/review/index_en.htm (last accessed 20 January, 2012).

Keychanges in the reform are the introduction of a single setof rules on data protection valid across the EU; somenew privacy principles such as data minimization andaccountability, new data controller responsibilities; arequirement to report data breaches as soon as possible;stronger enforcement powers and fines and the applica-tion of the EU rules if personal data is handled abroad bycompanies that are active in the EU market and offertheir services to EU citizens.

However, the proposed EU General Data ProtectionRegulation will not provide a solution to the conflictbetween privacy and discovery.55

55 The draft of the General Data Protection Regulation can be found athttp://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

According to Arti-cle 17 of the draft of the EU Regulation any person



should have the right to have personal data concerningthem rectified and a ‘right to be forgotten’ where theretention of such data is not in compliance with this Reg-ulation. It is expected that this provision will fuel theflames of conflict regarding e-discovery. In addition theRegulation repeats the derogation in the Directive whichstates that a transfer of personal data to a third countrywith inappropriate safeguards may by way of exceptiontake place if the transfer is necessary for the defence oflegal claims56

56 See Article 44 paragraph 2 lit. e of the Regulation and of Article 27 par-agraph 1 lit. D of Directive 94/46/EC.

. From a German perspective, the Düssel-dorfer Kreis has already held that pre-trial discoverydoes not fall into the scope of this derogation becausepre-trial discovery does not serve as defence. It remainsto be seen if U.S. courts agree with this approach. Rather,the new Regulation is likely to see the requirement forconsent to transfers of personal data across borders to bestrengthened to ‘explicit consent’ as is the case underU.K. data protection law. Further rules are expected inrelation to transfers of data out of the EEA but within acorporate group57

57 One of the most significant changes in the revised framework is the revi-sion to the Binding Corporate Rules, which will have a statutory basis.Article 40 of the Proposed General Data Protection Regulation (‘Regu-lation’) will streamline the BCR approval process and make BCR avail-able to data processors as well as data controllers.

. These reforms are not likely to lessenthe difficulties presently being experienced. Most nota-ble of all the proposed reform is the possibility of fines of2 % of global turnover in relation to serious breaches ofthe Directive. If anything the risks and difficulties are set

to increase. Local legal advice is therefore essential toensure compliance with the different procedural rulesand privacy laws that come into play, to avoid sanctionsfor non-compliance and to ensure the litigation is notprejudiced. Besides it has proven to be helpful to presentto the competent common law court and/or attorney alegal opinion setting out the imperative rules of Euro-pean privacy laws and showing that the broad e-discov-ery requests are likely to be in violation of law. Inessence, at least where there is a true conflict of laws suchas between American law and that of a foreign jurisdic-tion, applicable conflict of law rules will require theCourt to conduct a comity analysis.58

58 Pursuant to Rst. § 442, the Court should also weigh the extent towhich ... compliance with the [discover] request would undermine theimportant interests of the state where the information is located, Max-well Communication Corp. v. Societe Generale (In re Maxwell Commu-nication Corp.), 93 F.3d 1036, 1050 (2d Cir. 1996); Hilton v. Guyot‚159 U.S. 113 (1895).

There is no silverbullet available that will cut through the labyrinth ofcomplex laws that must be navigated in order to devisean effective and pragmatic approach to cross-borderdata transfers in international litigation. It is vital thatorganisations not only have a strong knowledge of thecurrent legal and IT landscape but also of technologicaloptions available to facilitate lawful data processing andcross-border data transfers and to reduce the risk of bre-aching privacy laws. It is only by keeping a close eye onthe way both of these constantly evolve that businessescan ensure that they adopt appropriate procedures andkeep risks in check.



Karl Geercken is the chair of the Lit-igation and Trial Practice Team inNew York at Alston & Bird. Hispractice focuses on complex com-mercial litigation and arbitration,bankruptcy litigation and productsliability defense. Karl has extensiveexperience in representing interna-tional clients, and, in particular,European commercial and govern-mental entities in sophisticated liti-gation matters. Karl received hisundergraduate degree, magna cumlaude, from the University of Roch-ester in 1987 and his J.D. from TheGeorge Washington UniversityNational Law Center, where he wasa member of the Journal of Interna-tional Law and Economics. Karl is amember of the American Council onGermany and is also on the boardand executive committee of CDSInternational, Inc., a not-for-profitorganization that fosters interna-tional professional exchanges.

Kelly Holden is an associate in theNew York office of Alston & Birdand a member of the firm’s Litiga-tion and Trial Practice Group. Herpractice is focused on general com-mercial litigation. Kelly received herJ.D. degree from Boston UniversitySchool of Law (BUSL) in 2008.While at BUSL, she was the techni-

cal editor of the International LawJournal. She completed her M.A.degree in international relations inDecember 2008. Before law school,Kelly attended the University ofMichigan, where she received B.A.degrees in English and Arabic/Islamic Studies.

Michael Rath is a German attorney-at-law and a partner at LutherRechtsanwaltsgesellschaft mbH,Cologne, Germany, with a high spe-cialization in matters relating toinformation technology (IT), dataprotection and copyright law. He isa certified expert attorney on IT lawand became member of the GermanBar in 1999. Michael has gainedparticular experience in technology-related transactions including out-sourcing, licensing and technologytransfer. He advises German andinternational clients including foren-sic services consultants in e-discov-ery disputes and internal investiga-tions. Michael often advises on pri-vacy and (IT-) compliance issues andis author of various publications inthe IT sector.

Tracey Stretton is a Legal Consul-tant at Kroll Ontrack in the UK andadvises lawyers and corporations onthe use of technology in investiga-

tions and litigation. Her experiencein legal technologies has evolvedfrom exposure to its use as a practic-ing lawyer and consultant in a vari-ety of international jurisdictions.She speaks regularly at conferencesand has written numerous articleson the impact of technology on lawand business. She is a contributingauthor to the book “Electronic Evi-dence and Discovery – What EveryLawyer Should Know Now”, pub-lished by the American Bar Associa-tion. She has also contributed to theSweet & Maxwell Encyclopaedia ofIT Law on the topic of “The Man-agement of Technology RelatedRisks.”

Mark Surguy is Partner in the FraudGroup of Eversheds LLP speciali-sing in multi-disciplinary, complexand commercially sensitive caseswhere urgent legal remedies arerequired and where large volumes ofelectronic information have to becollected, searched and produced incourt. Formerly Head of Fraud at alarge international law firm, he cen-tres on advising corporate and insti-tutional victims of fraud and com-mercial dishonesty, often in a cross-border context.

CRi 2/2013 63

Yes, I subscribe to the journal Computer Law Review International and receive the first issue free of charge as a test� for the annual subscription fee of 194,– €.� for the annual subscription fee of 174,– € available to ITechLaw members.I have the right to cancel the test subscription within 14 days after having received the free issue, at the latest. After that, I have the right to cancelmy subscription up to six weeks before the end of the year. Prices 1.1.2013

ww

w.o

tto-

schm

idt.

de

Subscribenow!Subscribe now to Computer Law Review International (CRi)and secure the advantages of legal comparison for your practice: state-of-the-art approaches and solutions from other jurisdictions – every second month, six times a year.

Please place this subscription order with your local book shop or fax it directly to Verlag Dr. Otto Schmidt · Postfach 51 10 26 · 50946 Cologne · Germany

Subscription Order Fax +49 221 9 37 38-943

MY RIGHT: This is a test subscription without anyrisk – I can send the note of cancellation either tomy bookshop or to Verlag Dr. Otto Schmidt

_______________________________________________________Date/Signature 10/12

___________________________________________________________________________________________________________________________Name Post code/Town

___________________________________________________________________________________________________________________________Street Date/Signature

Karl Geercken/Kelly Holden/Michael Rath/ Mark Surguy ... · Karl Geercken/Kelly Holden/Michael...

Documents

Transcript of Karl Geercken/Kelly Holden/Michael Rath/ Mark Surguy ... · Karl Geercken/Kelly Holden/Michael...