eDiscovery in Asia: What U.S. Legal Professional Need to Know
October 24, 2012 Cross-Border/International eDiscovery · 10/24/2012 · EIM GROUP © 2 Outline/...
Transcript of October 24, 2012 Cross-Border/International eDiscovery · 10/24/2012 · EIM GROUP © 2 Outline/...
Cross-Border/International eDiscovery
October 24, 2012
© 2012
Robert D. Brownstone, Esq.
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
EIM
GR
OU
P© 2
Outline/Agenda
I. The Landscape – U.S. is Unique
II. Practical Impacts on U.S. Litigation
III. Key Principles of Complying with European Privacy Laws . . .
IV. Top Ten Tips to Avoid Pitfalls (in chronological order) . . . .
V. CONCLUSION/Q&A
EIM
GR
OU
P© 3
I. The Landscape –U.S. is Unique
FOUR KEY DIFFERENCES IN U.S.
• A. CIVIL DISCOVERY = BROAD
• B. EMPLOYEE PRIVACY = OXYMORON
• C. BREACH NOTICE DUTY = LIMITED
• D. A/C PRIVILEGE = BROADER
TO LEARN MORE:
• E. SOME Key Resources
EIM
GR
OU
P© 4
I. Landscape – The U.S. is Unique (c’t’d)
FOUR KEY DIFFERENCES IN U.S.
A. DISCOVERY in U.S. civil lit. = broad
Contrast, e.g., the UK
proportionality important But see Pippins v. KPMG, 2012 WL 370321 (S.D. N.Y. 2/3/12)
third party requests must ID specific documents/information
» See Edmund M. O’Toole and David N. Cinotti, E-Discovery in Cross-Border Lit.: Taking Int’l Comity Seriously, Int’l Dispute Resolution News 21 (Fall 2010), at .pdf pp. 1-2 & n. 19
EIM
GR
OU
P© 5
I(A). Foreign DiscoveryMuch Narrower (c’t’d)
General acknowledgment of difference . . .
Hague CONVENTION ON THE TAKING OF EVIDENCE ABROAD IN CIVIL OR COMMERCIAL MATTERS, Article 23 (3/18/70):
“A Contracting State may at the time of signature, ratification or accession, declare that it will not execute Letters of Request issued for the purpose of obtaining pre-trial discovery of documents as known in Common Law countries.”
See generally O’Toole & Cinotti, supra, slide 4
EIM
GR
OU
P© 6
I(A). Foreign DiscoveryMuch Narrower (c’t’d)
More re: explaining differences:• Houthoff Buruma, US e-discovery in the Netherlands
(Nov. 2010) (helpful in general)
• Thomas J, Shaw, Esq., aiim 2-part “Ediscovery in Asia/Pacific” series (last visited 10/19/12):
U.S. Litigation Exposure for Asian Cos.
Litigation Readiness for Asian Cos.
• Hou Man, South Korea litigation guide, Shin & Kim (last visited 10/19/12)
• Kap-You (Kevin) Kim, South Korea: Surviving U.S. Civil Litigation: Strategic Advice for Korean Companies, Bae Kim & Lee PC (10/29/06)
EIM
GR
OU
P© 7
FOUR KEY DIFFERENCES IN U.S. (c’t’d)
• B. EMPLOYEE PRIVACY in U.S. can be readily taken away in advance re: all employees, per long-time case-law
Technology-Acceptable-Use-Policy (TAUP) can be, in large part a No-Employee-Expectation-of-Privacy-Policy (NoEEPP)
Legally defensible as long as in-trenches enforcement consistent with written policy
See generally Robert D. Brownstone, eWorkplace Privacy Materials, Nat’l. Employment Law Institute (NELI) (4/3/12) (Aug. 2012 version available on request)
I. Landscape – The U.S. is Unique (c’t’d)
EIM
GR
OU
P© 8
FOUR KEY DIFFERENCES IN U.S. (c’t’d)
• B. EMPLOYEE PRIVACY (c’t’d)
In Europe, need individual consent typically (and it is difficult to obtain compliant consent, esp. with huge volumes of data)
Company-wide TAUP deemed coercive
But see In re Employer Access of Worker E-Mail, Berlin Lab. Ct.,
No. DB 2011, 1281-1282 (June 2011), discussed in Jabeen Bhatti, Scope of Ruling Giving German Firms Access To Worker E-Mail Is Unclear, Attorneys Say, PSLR (BNA 9/5/11) and here
Bruno B. v. Giraud & Migot, No. (Cour de Cassation [France] 12/15/09); original/French version is here
I. Landscape – The U.S. is Unique (c’t’d)
EIM
GR
OU
P© 9
I(B). Privacy StrongerOutside U.S. (c’t’d)
Examples
• Europe:
France
Germany
Italy
UK
• Elsewhere:
Israel
Ukraine
EIM
GR
OU
P© 10
FOUR KEY DIFFERENCES IN U.S. (c’t’d)
• C. DATA-BREACH NOTIFICATION LAWS in U.S. = more diffused, narrower in scope & often longer/vaguer deadlines
Compare 46+ U.S. States’ statutes with, e.g.,:
Chile
Germany
India
Korea
Mexico
Qatar
Russia
I. Landscape – The U.S. is Unique (c’t’d)
EIM
GR
OU
P© 11
• D. ATTORNEY-CLIENT PRIVILEGE does NOT apply to in-house counsel in EC investigations . . . .
• Akso Nobel Chemicals v. Commission, Case C-550/07 P (ECJ 9/14/10) (in context of competition law investigation, emails to & from co. officials not privileged)
• Possible ramifications in other contexts
____________________________________________
E. TO LEARN MORE:• Verizon, 2012 Data Breach Investigations Report (4/30/12)
• Brian Hengesbaugh, Data Privacy and Security Compliance Recent Legal Developments; Int’l Requirements, Strafford Webinar (part), at .pdf pp. 19-29 (11/3/11)
• [U.S.] Nat’l Conf. of State Legislators (“NCSL”), Security Breach Legislation 2011 (9/12/11)
I(C). INTRO – Data Breach Laws (c’t’d)
EIM
GR
OU
P© 12
Clickable map – Trilantic, European Union Data Protection Rules (last visited 10/19/12)
Sedona Conference, Framework for Analysis of Cross-Border Discovery Conflicts: A Practical Guide to Navigating the Competing Currents of International Data Privacy and e-Discovery(Aug. 2008) (free registration required)
Huron Legal Institute, CROSS-BORDER DISCOVERY; Evolving Issues and Challenges (9/19/11)
Yoeli Barag, Esq. & Salim Elkhou, Bridging the Divide: Solutions for U.S. - European Cross-Border Electronic Discovery, e-Stet e-Discovery (4/7/10)
I. INTRO (c’t’d) – D. SomeKey Resources
EIM
GR
OU
P©
13
II. Practical Impactson U.S. Litigation
Common Scenarios
• Responding to discovery requests: Europe custodians (of U.S.-based co.)
• Issuing or responding to subpoenas involving European entities
• Opponent may invoke EU privacy laws to stonewall discovery responses
Potential impacts include increased costs and extra litigation delays
EIM
GR
OU
P© 14
II. Impacts (c’t’d) – Location, Location, Location . . . .
It’s 2 AM; do you know where your data is?• Central server/network in EU?• Central server/network in US? • Foreign individual’s data on a server in
U.S.? Rock (int’l law) & hard place (ECPA)? Suzlon Energy Ltd. v. Sridhar [Microsoft], 671
F.3d 726, 2011 WL 4537843 (9th Cir. 10/3/11) (U.S.-stored Hotmail emails of foreign citizen)
IP address(es) from ISP’s? • Different views in EU and US
resources available from presenter on request• Compare In re Bittorrent Adult Film Order & Copyright Infringe-
ment Cases, Nos. 11-3995, 12-1147, et al. (E.D.N.Y. 5/1/12)
EIM
GR
OU
P©
15
Serious repercussions possible . . .
Blocking statutes impose civil and/or criminal penalties . . .
• In re Avocat “Christopher X,” , Decision No. 7168, France Supreme Court (12/12/07)
French attorney working on a U.S. federal lawsuit prosecuted under French blocking statute for attempting to obtain information under false pretenses from member of board of French co. involved in purchase of U.S. insurer
II. Impacts (c’t’d)
EIM
GR
OU
P©
16
II. Impacts (c’t’d) – U.S.Courts Unsympathetic
AccessData Corp. v. ALSTE Techno-logies GmbH, 2010 WL 318477 (D. Utah 1/21/10)
Enquip Tech. Group, Inc. v. Tycon Technoglass, S.R.L., 2010 WL 53151 (Ohio App. 2 Dist. 1/8/10)
Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 5/29/07)
Gerling Global Reins. Corp. v. Low, 296 F.3d 832, 847 (9th Cir. 7/15/02)
In re Vitamins Antitrust Litigation, 2001 WL 1049433 (D.D.C. 6/20/01)
EIM
GR
OU
P©
17
II. U.S. Courts (c’t’d) – Five-Factor Balancing Test
E.g., Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 5/25/07) citing . . .
Restatement (3d) of Foreign Relations Law § 442(1)(a) as to . . .
• 1) Importance to litigation
• 2) Degree of specificity of request
• 3) Whether information originated in U.S.
• 4) Availability of alternative means
• 5) Weigh extent to which:
non-compliance would undermine important U.S. interests; AND
compliance would undermine important foreign interest
EIM
GR
OU
P©
18
III. Key Principles of Complyingwith European Privacy Law
EU, “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”• Processing of Personal Data
• Transferring of Personal Data
• NOTE: Art. 26(1)(d) exception re: “transfer . . . necessary or legally required . . . for the establishment, exercise or defence of legal claims.”
• But see individual EU countries’ rules
EIM
GR
OU
P©
19
III. Keys (c’t’d) –Tag; You’re It
See also Kevin Nichols eDiscovery “Think Tank” Offers Concrete Pointers, KLN Consulting Group TM (3/9/12) (quoting me)
An aside re: strictness of EU countries . . .
EIM
GR
OU
P©
20
III. Keys – Tag . . .You’re It (c’t’d)
Strictness of EU countries (c’t’d):
• Facebook settings have recently changed . . . Facebook, Making It Easier to Share
With Who[m] You Want (8/23/11)
• Apparently a response to EU countries’ probes of tagging and facial recognition
• But, in U.S., one court – in a divorce/custody case – OK’d tags – Lalonde v. Lalonde, No. 2009-
CA-002279-MR (Ky. Ct. App. 2/25/11)
EIM
GR
OU
P©
21
III. Keys re: EU LawsCompliance (c’t’d)
Processing Personal Data
• Personal data -- potentially including email address -- is any data identifying a person
• Processing: any collection, storage, alteration, retrieval, or transmission of data – including copying information from one file to another
• Permitted only under limited circumstances . . . :
Unambiguous written consent of custodian
Necessary to comply with any legal obligation
EIM
GR
OU
P©
22
Transferring Personal Data
• Satisfying the “adequacy” requirement . . .
Participation in the U.S. Dept. of Commerce U.S.-EU Safe Harbor Framework program OR . . . .
Model data protection agreements approved by E.U.
III. Keys re: EU LawsCompliance (c’t’d)
EIM
GR
OU
P©
23
III. You Say Controller;I Say Processor . . .
Distinction has been murky
Pros/Cons . . .
Note:• Cannot use an ad hoc contract
to definitively designate/classify data recipient’s status as “controller” or “processor”
• “[D]etermining . . . actual status [must] must be based on concrete circumstances.” EU Article 29, Opinion 1/2010 on the
concepts of “controller” and “processor”, WP 169, 0264/10/EN (2/16/10)
EIM
GR
OU
P©
24
III. You Say Controller;I Say Processor (c’t’d) . . .
What about law firm lawyers?
See WP 169, at p. 28 (.pdf p. 30):
EIM
GR
OU
P©
25
Latest big developments:
• EU REGULATION “adopted”: “Safeguarding Privacy in a
Connected World A European Data Protection Framework for the
21st Century,” at pp. 40-98 [.pdf pp. 41 – 99] (1/25/12)
(sandwiched between two lengthy explanations) <ec.europa.eu/justice/data-protection/document/review2012/com 2012 11 en.pdf#page=41>
See also
Home page <ec.europa.eu/justice/newsroom/data-protection/news/120125 en.htm>
Directive on personal data processing by prosecutorial authorities <ec.europa.eu/justice/data-protection/document/review2012/com 2012 10 en.pdf>
Various speeches by EC Vice-President Viviane Reding <ec.europa.eu/commission 2010-2014/reding/multimedia/speeches/index en.htm>
III. EU Data ProtectionReform . . . as of 2015
EIM
GR
OU
P©
26
Latest big developments (c’t’d):
• U.S. Blueprint: “CONSUMER DATA PRIVACY IN A NETWORKED WORLD:
A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING
INNOVATION IN THE GLOBAL DIGITAL ECONOMY” (2/23/12)
<whitehouse.gov/sites/default/files/privacy-final.pdf>
• “EU-U.S. joint statement on data protection” (3/19/12)
<europa.eu/rapid/pressReleasesAction.do?reference=MEMO/12/192>
III. EU Data ProtectionReform . . . (c’t’d)
EIM
GR
OU
P©
27
Update and modernization in progress; implementation anticipated by 2015
“key changes”, per this EU two-pager:
• single set of rules valid across EU
• single national data protection authority (DPA) w./ which each co. has to deal
• national DPA’s strengthened
• EU rules will apply to cos. not established in EU, if offer goods or services in EU or monitor online behavior of EU citizens
III. EU Data ProtectionReform . . . (c’t’d)
EIM
GR
OU
P©
28
III. EU Data ProtectionReform . . . (c’t’d)
“key changes” (c’t’d)
• increased responsibility and accountability for those processing personal data.
• removal of unnecessary administrative burdens, such as notification requirements for companies processing personal data
• consent to be specific, not assumed
• right to be forgotten
• right of data portability
• right to refer all cases to home national DPA
See generally Ruth Boardman, Draft EU Data Protection Rules revealed (3/2/12)
EIM
GR
OU
P©
29
III. EU Data ProtectionReform . . . (c’t’d)
“Administrative Sanctions”
• maximums for various types of intentional or negligent non-compliance to range from 0.5% to 2% of “annual worldwide turnover” (a/k/a “annual gross sales revenue”)
REGULATION, at pp. 92-94 [.pdf pp. 93 – 94]
EIM
GR
OU
P©
30
IV. Top Ten Tips to Avoid Pitfalls (in chron. Order)
1. Develop general plan/protocol, including flagging issue in checklist(s)
2. Develop plan/protocol for each country
3. Consult foreign counsel
• referrals available from presenter on request
4. Get IT/InfoSec/Cloud house in order
5. If apt, get contracts in place
EIM
GR
OU
P©
31
IV. Top 10Tips (c’t’d)
6. Start planning as soon as LIT-Hold issue arises (re: incident-response, investigation, gov’t inquiry, suit, etc.)
7. Discuss key issues with client 8. Alert opp. counsel (& judge in 1st CMC)
• Ex: DaSilva Moore v. Publicis, No. 11-cv-1279 (S.D.N.Y.): Opinion and Order, at 7, 8 Hearing Transcript, at 33, 35 (2/8/12)
9. Retain local/foreign counsel? 10. Have data transferred properly
& handled carefully (encryption, etc.)
EIM
GR
OU
P© 32
Conclusion/QuestionsLet’s be careful out there . . .
Robert D. Brownstone
• <fenwick.com/professionals/Pages/bobbrownstone insights.aspx>
• 650.335.7912 or <[email protected]>
• <twitter.com/ediscoveryguru>
• <linkedin.com/pub/robert-d-brownstone-esq/0/a2/801>
• <facebook.com/rbrownstone>
Please visit home page for F&W’s EIM GroupTHESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL
UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.