Sun Microsystems CEO Scott McNealy summed up the American policy on the disclosure of corporate and personal information when he said, “You already have zero privacy — get over it.”
Corporate America has widely accepted the erosion of data privacy and the fact that electronic data residing within an organization is no longer private. Legal and IT departments take it one step further, understanding that any and all electronic data housed within an enterprise is subject to discovery for litigation or investigatory purposes.
Without weighing in on the pros and cons of our lack of information privacy, it is interesting to note that the U.S.’s laissez-faire concept of privacy exists in stark contrast to the ideas held in much of the developed world, where data privacy is a “fundamental human right.”
However, as regulators increasingly crack down under laws such as the Foreign Corrupt Practices Act (FCPA), and more and more business transactions cross international borders, this debate moves from the philosophical to the practical.
With the increase in global business come more cross-border conflicts, lawsuits and investigations. It is in this global realm that it first becomes apparent how the differing ideas of dispute resolution and data privacy can cause significant headaches in litigation. In fact, the divide is so expansive that “cross-border e-discovery has become a major source of international legal conflict, and there is no clear, safe way forward,” according to the Sedona Conference report, “International Electronic Information Management, Discovery and Disclosure, Framework for Analysis of Cross-Border Discovery Conflicts.”
Know the Lay of the Land
The launching point for safe passage needs to be a more nuanced understanding of the differences between concepts of privacy on opposite sides of the Atlantic. Without an appreciation of exactly how disparate the paradigms are, it becomes all too easy to assume too many similarities between the European and the admittedly insular American approach.
While the roots of expansive data privacy protections can be traced back to the European Convention on Human Rights of 1950 (“ECHR”), the privacy initiative really gained momentum with the passage of the 1995 European Union’s Data Protection Directive (the “Directive”).
Article 1 of the Directive states that “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”
Although the 30 member states have implemented the Directive in different ways, the main thrust is that data transfers to countries outside the EU are largely prohibited, unless the receiving country or party can provide adequate assurances about the data’s confidentiality.
This level of customization means that a U.S.-based organization with international offices or partnerships should enlist counsel in the country where the requested data is located, in order to determine the safest path moving forward. Options include obtaining consent from individual employees or consulting other standards bodies, such as the Hague Convention, before processing or transferring data.
Beware of Criminal Penalties
In most instances, running afoul of privacy laws in a given jurisdiction will result in fines and sanctions, either per the Directive or other applicable blocking statutes. Yet certain jurisdictions wield an even larger club in the form of criminal penalties.
Within its borders, for example, France has criminalized e-discovery by private parties for litigation abroad: “Subject to international treaties or agreements and laws and regulations in force, it is forbidden for any person to request, seek or communicate, in writing, orally or in any other form, documents or information of an economic, commercial, industrial, financial or technical nature leading to the constitution of evidence with a view to foreign judicial or administrative procedures or in the context of such procedures.”
As an example, in the case In re Advocat “Christopher X,” the French Supreme Court upheld a conviction of a French attorney for violating the French Blocking Statute when he tried to conduct e-discovery for a civil action in an American federal court.
Processing Is Perilous
The implications of this privacy gap are wide ranging, especially for organizations dealing with an active cross-border dispute. Assuming they have acquired a base level of understanding of how complex our litigation and privacy regimes are, enterprises then must determine how to accomplish their given case objectives.
In most instances, those objectives will involve e-discovery and, as such, will require data to be “processed,” which is defined in broad terms by EU directives to include manual or automated “collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”
This “processing” definition is in stark contrast to the narrow American concept, which is much more oriented toward technical data manipulations such as hashing, indexing, deduplication and the like.
As a result, in-country data processing is emerging as a new and important best practice. Initially, this approach keeps data within the country of origin — and since the data isn’t transported across borders, it reduces the chance for privacy violations.
Next, since the data is first screened for relevancy (presumably using keyword, date range and other transparent search tools), a significant tranche of potentially personal data can be culled and removed if it’s not germane to the action.
Finally, when instances of personal data are still located amidst the relevant dataset, it’s then advisable to redact or anonymize such information before it’s moved out of the EU. This protocol, if executed properly, establishes a reasonable approach to privacy protection and reduces chances for unauthorized disclosure.
Another approach to the challenges of processing is to obtain Safe Harbor “certification,” which has been developed by the U.S. Department of Commerce in consultation with the European Commission. It is designed to safely facilitate the transfer of personal information to the U.S.
Safe Harbor certification requires the certified company to validate that it adheres to seven safe harbor principles. Even assuming the certification can be obtained, the actual protections applied by the Safe Harbor are still nebulous, at best. For this reason, processing the data in-country still exists as the safest option.
Manage the Conflicts
As much of the foregoing illustrates, the U.S. e-discovery process (dictated in large part by the Federal Rules of Civil Procedure, aka FRCP) and the EU’s data privacy regime are squarely in conflict. This often represents a losing battle for U.S. enterprises conducting business across borders, and there are several examples of what happens when this process isn’t navigated successfully.
The Sedona Report cites a number of instances in which the difficulty of conducting e-discovery abroad is not an effective excuse for noncompliance, including United States v. Vetco. The Ninth Circuit upheld sanctions against Vetco for not complying with an IRS summons, despite its argument that this would violate Swiss banking secrecy laws.
In other instances, the FRCP have been upheld despite apparent conflicts. In the case Hagenbuch v. 3B6 Sistemi Elettronici Industriali S.R.L., a U.S. district court determined that the Federal Rules should apply despite Italy’s express declaration against the obtaining of pretrial discovery documents in common law countries. Needless to say, these conflicts become difficult to both predict and resolve, since each will turn not only on the conflicts of laws, but also upon the unique facts in the case.
In sum, the existence of inherent conflicts between privacy and discovery means that legal and IT groups at enterprises doing business globally will need to instill some form of process and policy to minimize the impact when cross-border e-discovery disputes arise.
Understanding the landscape and emerging best practices is the only way to manage this issue, given the disconnect between governance in the U.S. and abroad. Savvy organizations will take a “belt and suspenders” approach by hiring local counsel, seeking certification, and processing data in-country, all of which will serve to demonstrate a reasonable approach to a basically unreasonable challenge. Failure to take these numerous precautions can lead to fines and criminal penalties — which, for most, will result in proceeding with an abundance of caution.
Dean Gonsowski, Esq., is vice president of e-discovery services at Clearwell Systems, where he helps enterprise customers deploy best practices as they bring e-discovery in-house. He is a member of the Sedona Conference Working Group on Electronic Document Retention and Production, and the Electronic Discovery Reference Model, and he teaches a series of continuing legal education courses on various e-discovery topics.