Cross-Border/International eDiscovery

October 24, 2012

© 2012

Robert D. Brownstone, Esq.

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.

THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.

THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.

EIM

GR

OU

P© 2

Outline/Agenda

I. The Landscape – U.S. is Unique

II. Practical Impacts on U.S. Litigation

III. Key Principles of Complying with European Privacy Laws . . .

IV. Top Ten Tips to Avoid Pitfalls (in chronological order) . . . .

V. CONCLUSION/Q&A

EIM

GR

OU

P© 3

I. The Landscape –U.S. is Unique

FOUR KEY DIFFERENCES IN U.S.

• A. CIVIL DISCOVERY = BROAD

• B. EMPLOYEE PRIVACY = OXYMORON

• C. BREACH NOTICE DUTY = LIMITED

• D. A/C PRIVILEGE = BROADER

TO LEARN MORE:

• E. SOME Key Resources

EIM

GR

OU

P© 4

I. Landscape – The U.S. is Unique (c’t’d)

FOUR KEY DIFFERENCES IN U.S.

A. DISCOVERY in U.S. civil lit. = broad

Contrast, e.g., the UK

proportionality important But see Pippins v. KPMG, 2012 WL 370321 (S.D. N.Y. 2/3/12)

third party requests must ID specific documents/information

» See Edmund M. O’Toole and David N. Cinotti, E-Discovery in Cross-Border Lit.: Taking Int’l Comity Seriously, Int’l Dispute Resolution News 21 (Fall 2010), at .pdf pp. 1-2 & n. 19

EIM

GR

OU

P© 5

I(A). Foreign DiscoveryMuch Narrower (c’t’d)

General acknowledgment of difference . . .

Hague CONVENTION ON THE TAKING OF EVIDENCE ABROAD IN CIVIL OR COMMERCIAL MATTERS, Article 23 (3/18/70):

“A Contracting State may at the time of signature, ratification or accession, declare that it will not execute Letters of Request issued for the purpose of obtaining pre-trial discovery of documents as known in Common Law countries.”

See generally O’Toole & Cinotti, supra, slide 4

EIM

GR

OU

P© 6

I(A). Foreign DiscoveryMuch Narrower (c’t’d)

More re: explaining differences:• Houthoff Buruma, US e-discovery in the Netherlands

(Nov. 2010) (helpful in general)

• Thomas J, Shaw, Esq., aiim 2-part “Ediscovery in Asia/Pacific” series (last visited 10/19/12):

U.S. Litigation Exposure for Asian Cos.

Litigation Readiness for Asian Cos.

• Hou Man, South Korea litigation guide, Shin & Kim (last visited 10/19/12)

• Kap-You (Kevin) Kim, South Korea: Surviving U.S. Civil Litigation: Strategic Advice for Korean Companies, Bae Kim & Lee PC (10/29/06)

EIM

GR

OU

P© 7

FOUR KEY DIFFERENCES IN U.S. (c’t’d)

• B. EMPLOYEE PRIVACY in U.S. can be readily taken away in advance re: all employees, per long-time case-law

Technology-Acceptable-Use-Policy (TAUP) can be, in large part a No-Employee-Expectation-of-Privacy-Policy (NoEEPP)

Legally defensible as long as in-trenches enforcement consistent with written policy

See generally Robert D. Brownstone, eWorkplace Privacy Materials, Nat’l. Employment Law Institute (NELI) (4/3/12) (Aug. 2012 version available on request)

I. Landscape – The U.S. is Unique (c’t’d)

EIM

GR

OU

P© 8

FOUR KEY DIFFERENCES IN U.S. (c’t’d)

• B. EMPLOYEE PRIVACY (c’t’d)

In Europe, need individual consent typically (and it is difficult to obtain compliant consent, esp. with huge volumes of data)

Company-wide TAUP deemed coercive

But see In re Employer Access of Worker E-Mail, Berlin Lab. Ct.,

No. DB 2011, 1281-1282 (June 2011), discussed in Jabeen Bhatti, Scope of Ruling Giving German Firms Access To Worker E-Mail Is Unclear, Attorneys Say, PSLR (BNA 9/5/11) and here

Bruno B. v. Giraud & Migot, No. (Cour de Cassation [France] 12/15/09); original/French version is here

I. Landscape – The U.S. is Unique (c’t’d)

EIM

GR

OU

P© 9

I(B). Privacy StrongerOutside U.S. (c’t’d)

Examples

• Europe:

France

Germany

Italy

UK

• Elsewhere:

Israel

Ukraine

EIM

GR

OU

P© 10

FOUR KEY DIFFERENCES IN U.S. (c’t’d)

• C. DATA-BREACH NOTIFICATION LAWS in U.S. = more diffused, narrower in scope & often longer/vaguer deadlines

Compare 46+ U.S. States’ statutes with, e.g.,:

Chile

Germany

India

Korea

Mexico

Qatar

Russia

I. Landscape – The U.S. is Unique (c’t’d)

EIM

GR

OU

P© 11

• D. ATTORNEY-CLIENT PRIVILEGE does NOT apply to in-house counsel in EC investigations . . . .

• Akso Nobel Chemicals v. Commission, Case C-550/07 P (ECJ 9/14/10) (in context of competition law investigation, emails to & from co. officials not privileged)

• Possible ramifications in other contexts

____________________________________________

E. TO LEARN MORE:• Verizon, 2012 Data Breach Investigations Report (4/30/12)

• Brian Hengesbaugh, Data Privacy and Security Compliance Recent Legal Developments; Int’l Requirements, Strafford Webinar (part), at .pdf pp. 19-29 (11/3/11)

• [U.S.] Nat’l Conf. of State Legislators (“NCSL”), Security Breach Legislation 2011 (9/12/11)

I(C). INTRO – Data Breach Laws (c’t’d)

EIM

GR

OU

P© 12

Clickable map – Trilantic, European Union Data Protection Rules (last visited 10/19/12)

Sedona Conference, Framework for Analysis of Cross-Border Discovery Conflicts: A Practical Guide to Navigating the Competing Currents of International Data Privacy and e-Discovery(Aug. 2008) (free registration required)

Huron Legal Institute, CROSS-BORDER DISCOVERY; Evolving Issues and Challenges (9/19/11)

Yoeli Barag, Esq. & Salim Elkhou, Bridging the Divide: Solutions for U.S. - European Cross-Border Electronic Discovery, e-Stet e-Discovery (4/7/10)

I. INTRO (c’t’d) – D. SomeKey Resources

EIM

GR

OU

P©

13

II. Practical Impactson U.S. Litigation

Common Scenarios

• Responding to discovery requests: Europe custodians (of U.S.-based co.)

• Issuing or responding to subpoenas involving European entities

• Opponent may invoke EU privacy laws to stonewall discovery responses

Potential impacts include increased costs and extra litigation delays

EIM

GR

OU

P© 14

II. Impacts (c’t’d) – Location, Location, Location . . . .

It’s 2 AM; do you know where your data is?• Central server/network in EU?• Central server/network in US? • Foreign individual’s data on a server in

U.S.? Rock (int’l law) & hard place (ECPA)? Suzlon Energy Ltd. v. Sridhar [Microsoft], 671

F.3d 726, 2011 WL 4537843 (9th Cir. 10/3/11) (U.S.-stored Hotmail emails of foreign citizen)

IP address(es) from ISP’s? • Different views in EU and US

resources available from presenter on request• Compare In re Bittorrent Adult Film Order & Copyright Infringe-

ment Cases, Nos. 11-3995, 12-1147, et al. (E.D.N.Y. 5/1/12)

EIM

GR

OU

P©

15

Serious repercussions possible . . .

Blocking statutes impose civil and/or criminal penalties . . .

• In re Avocat “Christopher X,” , Decision No. 7168, France Supreme Court (12/12/07)

French attorney working on a U.S. federal lawsuit prosecuted under French blocking statute for attempting to obtain information under false pretenses from member of board of French co. involved in purchase of U.S. insurer

II. Impacts (c’t’d)

EIM

GR

OU

P©

16

II. Impacts (c’t’d) – U.S.Courts Unsympathetic

AccessData Corp. v. ALSTE Techno-logies GmbH, 2010 WL 318477 (D. Utah 1/21/10)

Enquip Tech. Group, Inc. v. Tycon Technoglass, S.R.L., 2010 WL 53151 (Ohio App. 2 Dist. 1/8/10)

Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 5/29/07)

Gerling Global Reins. Corp. v. Low, 296 F.3d 832, 847 (9th Cir. 7/15/02)

In re Vitamins Antitrust Litigation, 2001 WL 1049433 (D.D.C. 6/20/01)

EIM

GR

OU

P©

17

II. U.S. Courts (c’t’d) – Five-Factor Balancing Test

E.g., Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 5/25/07) citing . . .

Restatement (3d) of Foreign Relations Law § 442(1)(a) as to . . .

• 1) Importance to litigation

• 2) Degree of specificity of request

• 3) Whether information originated in U.S.

• 4) Availability of alternative means

• 5) Weigh extent to which:

non-compliance would undermine important U.S. interests; AND

compliance would undermine important foreign interest

EIM

GR

OU

P©

18

III. Key Principles of Complyingwith European Privacy Law

EU, “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”• Processing of Personal Data

• Transferring of Personal Data

• NOTE: Art. 26(1)(d) exception re: “transfer . . . necessary or legally required . . . for the establishment, exercise or defence of legal claims.”

• But see individual EU countries’ rules

EIM

GR

OU

P©

19

III. Keys (c’t’d) –Tag; You’re It

See also Kevin Nichols eDiscovery “Think Tank” Offers Concrete Pointers, KLN Consulting Group TM (3/9/12) (quoting me)

An aside re: strictness of EU countries . . .

EIM

GR

OU

P©

20

III. Keys – Tag . . .You’re It (c’t’d)

Strictness of EU countries (c’t’d):

• Facebook settings have recently changed . . . Facebook, Making It Easier to Share

With Who[m] You Want (8/23/11)

• Apparently a response to EU countries’ probes of tagging and facial recognition

• But, in U.S., one court – in a divorce/custody case – OK’d tags – Lalonde v. Lalonde, No. 2009-

CA-002279-MR (Ky. Ct. App. 2/25/11)

EIM

GR

OU

P©

21

III. Keys re: EU LawsCompliance (c’t’d)

Processing Personal Data

• Personal data -- potentially including email address -- is any data identifying a person

• Processing: any collection, storage, alteration, retrieval, or transmission of data – including copying information from one file to another

• Permitted only under limited circumstances . . . :

Unambiguous written consent of custodian

Necessary to comply with any legal obligation

EIM

GR

OU

P©

22

Transferring Personal Data

• Satisfying the “adequacy” requirement . . .

Participation in the U.S. Dept. of Commerce U.S.-EU Safe Harbor Framework program OR . . . .

Model data protection agreements approved by E.U.

III. Keys re: EU LawsCompliance (c’t’d)

EIM

GR

OU

P©

23

III. You Say Controller;I Say Processor . . .

Distinction has been murky

Pros/Cons . . .

Note:• Cannot use an ad hoc contract

to definitively designate/classify data recipient’s status as “controller” or “processor”

• “[D]etermining . . . actual status [must] must be based on concrete circumstances.” EU Article 29, Opinion 1/2010 on the

concepts of “controller” and “processor”, WP 169, 0264/10/EN (2/16/10)

EIM

GR

OU

P©

24

III. You Say Controller;I Say Processor (c’t’d) . . .

What about law firm lawyers?

See WP 169, at p. 28 (.pdf p. 30):

EIM

GR

OU

P©

25

Latest big developments:

• EU REGULATION “adopted”: “Safeguarding Privacy in a

Connected World A European Data Protection Framework for the

21st Century,” at pp. 40-98 [.pdf pp. 41 – 99] (1/25/12)

(sandwiched between two lengthy explanations) <ec.europa.eu/justice/data-protection/document/review2012/com 2012 11 en.pdf#page=41>

See also

Home page <ec.europa.eu/justice/newsroom/data-protection/news/120125 en.htm>

Directive on personal data processing by prosecutorial authorities <ec.europa.eu/justice/data-protection/document/review2012/com 2012 10 en.pdf>

Various speeches by EC Vice-President Viviane Reding <ec.europa.eu/commission 2010-2014/reding/multimedia/speeches/index en.htm>

III. EU Data ProtectionReform . . . as of 2015

EIM

GR

OU

P©

26

Latest big developments (c’t’d):

• U.S. Blueprint: “CONSUMER DATA PRIVACY IN A NETWORKED WORLD:

A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING

INNOVATION IN THE GLOBAL DIGITAL ECONOMY” (2/23/12)

<whitehouse.gov/sites/default/files/privacy-final.pdf>

• “EU-U.S. joint statement on data protection” (3/19/12)

<europa.eu/rapid/pressReleasesAction.do?reference=MEMO/12/192>

III. EU Data ProtectionReform . . . (c’t’d)

EIM

GR

OU

P©

27

Update and modernization in progress; implementation anticipated by 2015

“key changes”, per this EU two-pager:

• single set of rules valid across EU

• single national data protection authority (DPA) w./ which each co. has to deal

• national DPA’s strengthened

• EU rules will apply to cos. not established in EU, if offer goods or services in EU or monitor online behavior of EU citizens

III. EU Data ProtectionReform . . . (c’t’d)

EIM

GR

OU

P©

28

III. EU Data ProtectionReform . . . (c’t’d)

“key changes” (c’t’d)

• increased responsibility and accountability for those processing personal data.

• removal of unnecessary administrative burdens, such as notification requirements for companies processing personal data

• consent to be specific, not assumed

• right to be forgotten

• right of data portability

• right to refer all cases to home national DPA

See generally Ruth Boardman, Draft EU Data Protection Rules revealed (3/2/12)

EIM

GR

OU

P©

29

III. EU Data ProtectionReform . . . (c’t’d)

“Administrative Sanctions”

• maximums for various types of intentional or negligent non-compliance to range from 0.5% to 2% of “annual worldwide turnover” (a/k/a “annual gross sales revenue”)

REGULATION, at pp. 92-94 [.pdf pp. 93 – 94]

EIM

GR

OU

P©

30

IV. Top Ten Tips to Avoid Pitfalls (in chron. Order)

1. Develop general plan/protocol, including flagging issue in checklist(s)

2. Develop plan/protocol for each country

3. Consult foreign counsel

• referrals available from presenter on request

4. Get IT/InfoSec/Cloud house in order

5. If apt, get contracts in place

EIM

GR

OU

P©

31

IV. Top 10Tips (c’t’d)

6. Start planning as soon as LIT-Hold issue arises (re: incident-response, investigation, gov’t inquiry, suit, etc.)

7. Discuss key issues with client 8. Alert opp. counsel (& judge in 1st CMC)

• Ex: DaSilva Moore v. Publicis, No. 11-cv-1279 (S.D.N.Y.): Opinion and Order, at 7, 8 Hearing Transcript, at 33, 35 (2/8/12)

9. Retain local/foreign counsel? 10. Have data transferred properly

& handled carefully (encryption, etc.)

EIM

GR

OU

P© 32

Conclusion/QuestionsLet’s be careful out there . . .

Robert D. Brownstone

• <fenwick.com/professionals/Pages/bobbrownstone insights.aspx>

• 650.335.7912 or <rbrownstone@fenwick.com>

• <twitter.com/ediscoveryguru>

• <linkedin.com/pub/robert-d-brownstone-esq/0/a2/801>

• <facebook.com/rbrownstone>

Please visit home page for F&W’s EIM GroupTHESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL

UNDERSTANDING OF CURRENT LAW AND PRACTICES.

THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.

THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.