In 2016, the UK did the unthinkable: it voted to leave the European Union. And in the U.S., a dark horse presidential victory was nearly as big a surprise. Both events are impacting U.S. law firms and corporations that do international business, particularly the usually reliable M&A sector. In the interim, many law firms are hedging their bets by pursuing high growth, lucrative areas such as cross-border investigations.
Lucrative. And high risk.
Cross-border investigations are not a new business for global law firms, and they have never been easy. But global uncertainty, the need for speed and efficacy, and complex compliance make them even riskier, right at the time that law firms are kicking cross-border practices into high gear. Take, for example:
- One of the fastest growth areas for cross-border investigations is Asia. The region is experiencing fast economic growth, and China in particular welcomes multinational company partnership and investment. However, cross-border compliance has not kept up with business growth. It’s also easy — and potentially a serious problem — to run afoul of state secrets in China. And regions such as India and South America have their own sets of compliance issues.
- In 2015, the European Court of Justice dismantled the Safe Harbor framework that dated from 2000. The trigger? Edward Snowden’s alarming revelations about the scope of NSA surveillance. The press has reported that the Court ruled any European data protection authority – regional, national, even municipal – had the right to decide if a data transfer was compliant with the body’s data privacy rules. As reported, each body has the right to complain to their national courts, which in turn can refer to matter to the European Court of Justice.
- The General Data Protection Regulation (GDRP) will become European law in Spring 2018. GDPR addresses data privacy and processing rules within European Union member nations. (Replacing the old data protection directive, Directive 95/46/EC), it is further reported that the GDPR is designed to strengthen data protection for individuals within the European Union (EU) and unify it across all member states.) The regulations will also punish non-compliant organizations, with steep fines as high as 4% of the erring business’s global revenue.
Protect Yourself with a Timely Approach to Cross-Border Investigations
Large global matters with millions of document pages and terabytes of data are at the highest risk of cross-border stumbles. However, there are numerous smaller matters (including, for example, internal investigations, which are on the rise) that don’t reach these rarified heights, but still create relativity outsized risk. The greatest danger doesn’t seem terribly dangerous, but it is: time. Time to collect, analyze, produce, and review in a compliance environment that ranges from disorganized to hostile. Even if a team builds extra time into a cross-border investigation, this raises costs by requiring more upfront resources. Worse, missed deadlines and slipping schedules cost even more money and take on higher risk of sanctions, poor eDiscovery results, and lost judgments.
Several factors conspire to balloon the time for cross-border investigations:
- Documents must stay on-site.
- Getting permission to migrate documents for off-site analysis and collection is uncertain and takes weeks.
- Smaller matters already have tight deadlines, upping the risk of missing project milestones.
- Sensitive matters with a high need for discretion.
- Data custodians working in different regions and countries.
- Multiple languages in data sets.
How Are Counsel Addressing These Challenges? One Option: Backpack In.
There are a number of strategies to consider when addressing cross-border matters, especially when custodians and data are located in one or more foreign jurisdictions, and speed is of the essence. One option that savvy companies and their counsel take is to partner with a service provider that can literally backpack into the site that stores the data with an eDiscovery appliance and set up tools to manage the project.
To avoid implicating transfer statutes when data privacy rules are involved, many organizations turn to “backpack” solutions. These systems can eliminate the need to transfer data—whether among products, vendors, or even between countries—by providing comprehensive eDiscovery services including project management, collection, processing, review, and production. Others use a hosted, cloud-based review platform capable of limiting access to approved legal and compliance professionals within a single country. The strongest platforms include multiple approval points before data can be sent to recipients outside the country, mitigating the risk of unauthorized data transfers.
Of note, before transferring or producing any information, organizations can also use various forms of technology to protect sensitive data. Some businesses use automated tools to redact all personally identifiable information. They may deploy advanced search tools capable of recognizing patterns, such as identification numbers or account numbers, and then automatically redacting all corresponding content. Other organizations have successfully used anonymization or randomization techniques to obscure confidential information and ensure that the people described in the data remain unidentifiable.
Once the team has completed the project, then based on local compliance regulations they can produce it, export it to a review platform, or move relevant data to a regional or national data center.
Whether teams employ mobile eDiscovery as part of a larger investigation, or use it to knock out many smaller ones, it can be ideal for saving time and minimizing risk.