An international organization with offices in both the United States and France is sued in the United States for fraud. Much of the data relevant to the US litigation is located on centralized servers in France, although the data can be accessed by individuals in the United States. The organization is unsure whether or how it can produce that data in the US litigation without running afoul of France’s data privacy laws and blocking statute.
Data Consolidation & Globalization
Given the impact of globalization and cross-border ownership, it is not uncommon for information sought in discovery in US proceedings—including electronically stored information (ESI)—to be located outside of the United States. Access to such information is complicated by the unique and often differing perspectives of various foreign jurisdictions toward the discovery or disclosure of such information.
In addition, many organizations are moving, or have already moved, toward “cloud computing” models, which consolidate the organization’s and its affiliates’ information technology infrastructure and services in order to improve consistency in data management, manage costs and improve efficiency. Those cloud computing models have the potential to further complicate the legal questions that arise in connection with US discovery.
International Data Privacy & E-Discovery
While the United States has a discovery system that encourages extensive production of information, many other countries have far more protective schemes. In particular, the European Union Member States have detailed data protection laws based on the European Union’s Data Privacy Directive. Those laws tightly regulate when and how personally identifiable information (which encompasses a broad range of information including name, age, gender, marital status, nationality, citizenship, veteran status, personal or business contact information, identification numbers, etc.) may be collected, processed, stored and transferred by an organization.
In addition, several European countries have enacted blocking statutes designed to protect sovereignty and shield foreign nationals from intrusive US-style litigation. Violations of these foreign laws may result in serious consequences for the organization, including criminal charges. Taken together, these laws create a tension between the mandate of the US Federal Rules to produce all relevant electronic records and the laws regulating discovery and transmission of ESI abroad.
There are several questions an organization will face when determining whether data located abroad must be produced in a US litigation. First, what are the conditions under which ESI stored outside of the United States is deemed to be in a domestic party’s “possession, custody, or control” under the Federal Rules of Civil Procedure? Consistent with the emphasis on full disclosure in the American legal system, US courts construe the term “control” broadly. Thus, a party often will be deemed to have control if it has the legal right, authority or practical ability to obtain the materials sought upon demand. Second, does the applicable foreign law permit the processing, transfer and production of overseas ESI? The answer to this question will depend on the location of the data and the laws of the country at issue. Third, will the US courts require the production of relevant data regardless of any foreign restrictions? The answer to this question is generally “yes,” although US courts have proved more willing to give deference to restrictions arising from data privacy laws than those arising from foreign blocking statutes.
Best Practices for Managing International Data Privacy Issues in E-Discovery
Because the US courts tend to require the production of relevant data in an organization’s possession, custody and control regardless of any foreign restrictions, it is helpful for an organization to consider the best ways to ensure that it can meet both its US and foreign legal obligations. As with any effort to manage and minimize risks, the best practice is to evaluate those risks before litigation arises and implement standard controls.
- Know Your Data & Your Legal Obligations. Every organization should be familiar with the laws governing its data and how that data may be collected, processed, retained or transferred before litigation commences. Involving local counsel and data privacy professionals in the litigation process will help to minimize the risks associated with the collection, processing and transfer of data in connection with US litigation and ensure that the organization does not violate its local rules and regulations.
- Limit Collection. A good way to minimize the risks associated with collecting, processing and transferring data located abroad in connection with a US litigation is to limit the scope of the data at issue in the litigation. Litigation counsel should negotiate the scope of data to be produced with opposing counsel in an effort to reduce the amount of unnecessary and non-responsive data collected. An organization should also consider implementing collection procedures that are specifically targeted at identifying relevant data from the outset, rather than employing a broad collection philosophy and relying on the review process to narrow the data for production.
- Consider On-Site, In-Country Review. In some instances, an organization may facilitate its ability to collect and process data relevant to a US litigation by conducting the review of that data in the country where the data is located. This review will help to identify only the information that is actually relevant to the US litigation before it is transferred, and may minimize the quantity of personally identifiable information at issue.
- Consider Redaction or Anonymization. Even where data located abroad is relevant and must be produced in a US litigation, it may not be necessary to produce data that constitutes personally identifiable information. Use of anonymization techniques or redaction of personally identifiable information may address an organization’s data privacy obligations.
- Evaluate Transfer Options. An organization may retain responsibility for ensuring that personally identifiable information is protected in accordance with the laws of its place of origin, even after the data is transferred to the United States. There are various options for such transfers (e.g., use of “Safe Harbor” vendors, employing the Hague Evidence Convention procedures, negotiating vendor contracts that include model contractual language or other provisions designed to ensure data protection, or implementing strict protective orders); however, depending on the circumstances, use of these methods of transfer will not necessarily satisfy data protection requirements.