Posted on: 10/17/2012
Karin Geissl, Dana Post
View Latest Articles
With the ever-increasing expansion of multinational corporations and globalized business transactions, it is exceedingly likely that attorneys will, at some point, have to conduct cross-border e-discovery on behalf of their clients. In nearly all commercial disputes in U.S. courts, a substantial amount of electronically stored information ("ESI") is demanded and, if necessary, ordered to be produced. Complying with such requests poses great challenges when the information sought is located outside of the U.S. and foreign data privacy and discovery blocking statutes are involved. Being prepared for the complications and burdens associated with cross-border discovery is critical for any party to U.S. litigation with ESI located in non U.S. jurisdictions. This article provides an overview of the legal requirements and suggests guidelines and strategies to address such difficulties.
Electronic Discovery and EU Data Privacy Laws
In the European Union, data privacy law is based on European Directive 46/95/EC. Council Directive 46195/EC, 1995 O.J. (L. 281/31), (the "Directive"). Article 1 of the Directive describes the object of the Directive as follows: (1) "Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data; and (2) "Member states shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection under paragraph 1."
Further complicating matters is that Member States implement the Directive in different ways, and some Member States have chosen to give additional protection to personal data. For example, in some jurisdictions, including France, "blocking statutes" may prohibit and impose criminal penalties for exporting certain information for use in U.S. litigation. In Germany and France, it may be necessary to inform or consult with the local works council before copying and reviewing employees' e-mails.
Under Article 7 of the Directive, in order to search for and collect personal data in response to a U.S. discovery request, the responding party must either obtain the consent of those whose data will be transferred, show that processing the data "is necessary for compliance with a legal obligation to which the controller of the data is subject," or demonstrate that processing of the data is "necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."
Any transfer to a non-EU country can only occur where the outside country has put "adequate" data privacy protections into place. See the Directive, art 25. This step contains particular difficulties for transfers to the U.S. because, as a general rule, the EU has deemed data privacy protections in the U.S. inadequate to support a transfer. However, there are two crucial exceptions to this rule. Under Article 26(1)(d), a transfer may occur when in furtherance of an important public interest or the exercise, establishment or defense of legal claims. The meanings of these provisions are hotly contested and the EU Article 29 Working Party, established as an independent advisory board under Article 29 of Directive 95/46, has explained that the Article 26(1) exceptions must be interpreted restrictively and that member states may provide for the exemptions not to apply in a particular case. [See] Article 29 Working Party, [Working Document 1/2009 on Pretrial Discovery for Cross-Border Civil Litigation]. (Feb. 11, 2009).
For purposes of U.S. e-discovery, the legal claims exception probably carries more weight, but has important limitations to consider. Discovery in the United States is aimed at gathering evidence in preparation for the actual trial and does not, typically, take place before the court. As the pre-trial gathering of evidence is not a familiar element of civil procedure laws in most European countries, this exception provision is likely not intended to apply to large-scale data transfers in preparation for the possibility of a future trial.
U.S. View of Foreign Laws Preventing U.S. Discovery
In contrast to the stringent data privacy regulations described above, the scope of pretrial discovery in the United States is the most expansive of any common law country. Indeed, the Federal Rules of Civil Procedure ("F.R.C.P.")—the formal procedure pursuant to which parties to a U.S. litigation exchange information—not only allows for discovery of relevant information, but discovery of information that "appears reasonably calculated to lead to the discovery of admissible evidence." See Fed. R. Civ. P. 26(b)(1). F.R.C.P. 34, which applies when one party seeks ESI and documents from another party, further requires each party to produce all documents or information within its possession, custody or control. F.R.C.P. 45 similarly applies where a party seeks documents and ESI from a non-party to a litigation.
Further distinguishing United States litigation from other countries is that, in the United States, a party who is on notice that litigation is reasonably anticipated must issue a "legal hold" on all potentially relevant documents and ESI. See Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 685 F. Supp. 2d 456, 464-65 (S.D.N.Y. 2010). That legal hold obligates potential custodians to preserve, and suspend the automatic deletion, of all relevant documents. Failure to adequately preserve such information may result in court-imposed sanctions ranging from monetary penalties up to and including a dispositive judgment.
Given the stark contrast between broad U.S. discovery and preservation obligations, and the significantly narrower non-U.S. data protection laws, it is not surprising that conflicts between the two frequently arise. These conflicts occur most often when documents and ESI located overseas are sought in a U.S. litigation from parties and non-parties. In such cases, the court must first determine whether the responding party has sufficient "control" over the information sought to require its production in the United States. Control "is defined not only as possession, but as the legal right to obtain the documents requested upon demand." Tiffany (NJ), LLC v. Andrew, 276 F.R.D. 143, 147 (S.D.N.Y. 2011) (internal citations and quotations omitted). Control may also be found where an entity has "access to" and the "ability to obtain the documents." Id. If the information is found to be controlled by an entity subject to jurisdiction of a U.S. court, then the information is discoverable under the F.R.C.P. subject to the limitations described below.
In that regard, courts in the United States have consistently found that the foreign requirements and restrictions for taking discovery, such as those established by the Convention on the Taking of Evidence Abroad in Civil Matters (the "Hague Evidence Convention") and the data privacy laws, do not trump the F.R.C.P. as to actions in U.S. courts. In the seminal case, Société Nationale Industrielle Aerospatiale v. U.S. Dist. Ct. for the S. Dist. Of Iowa, for example, the United States Supreme Court specifically rejected the proposition that the Hague Evidence Convention provided the exclusive means for obtaining discovery in foreign jurisdictions. 482 U.S. 522 (1987). Société Nationale involved a French owned defendant corporation which moved for a protective order upon receiving discovery requests arguing that plaintiffs were required to use the Hague Evidence Convention, and not the F.R.C.P., to obtain discovery, and that the discovery request violated the French blocking statute. The Court opined that "the concept of international comity requires in this context a more particularized analysis of the respective interest of the foreign nation . . . to determine whether to compel production" under the F.R.C.P. Id.
Accordingly, the Société Nationale Court suggested utilizing the factors listed in the Restatement (Third) of Foreign Relations Law 442(1)(c) to determine whether information protected by data protection laws should be produced pursuant to the F.R.C.P. Those factors include: (1) the importance of the documents or information requested to the litigation; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of retrieving the information; and (5) the extent to which non-compliance with the request would undermine the important interests of the state where the information is located. Id. at 545. In addition, "courts in the Second Circuit may also consider the hardship of compliance on the party or witness from whom discovery is sought [and] the good faith of the party resisting discovery." Gucci Am. v. Curveal Fashion, No. 09 Civ. 8458, 2010 WL 808639, at * 2 (S.D.N.Y. Mar. 8, 2010).
Recent decisions employing the framework set forth in Société Nationale reveal that U.S. courts generally favor access to information when balancing foreign privacy data laws against the interests of the United States. For instance, in In re Air Cargo Shipping Serv. Anti-Trust Litig., the Eastern District of New York invoked the reasoning in Société Nationale to order defendant Société Air France to produce documents that it had withheld on the ground that the production was prohibited by the French blocking statute. No. 06-MD-1775, 2010 WL 1189341 (E.D.N.Y. Mar. 29, 2010), at *1. Société Air France argued that the plaintiffs were required to comply with the procedures of the Hague Evidence Convention to obtain discovery. Id. The court rejected Air France's argument on the ground that it faced no real threat of prosecution for producing the documents and the U.S. interest in enforcing its antitrust laws outweighed France's interest in controlling access to information within its borders. Id. at *4; see also Vivendi Universal, S.A. Sec. Litig., No. 02 Civ 5571RJHHBP, 2006 WL 3378115 (S.D.N.Y. Nov. 16, 2006) (court rejected non-party's contention that as a matter of comity and in deference to the French blocking statute, that plaintiffs should be required to obtain the French documents pursuant to the Hague Evidence Convention noting that that "the majority of courts that have examined the issue have held that France has little interest in enforcement of its Blocking statute").
The court in Weiss v. National Westminster Bank, PLC, also applied the Société Nationale factors to order the production of documents which were argued to be precluded from disclosure by English law. 242 F.R.D. 33 (E.D.N.Y. 2007). The plaintiffs in Weiss, survivors and heirs of victims of terrorist attacks in Israel, sought documents and information from defendant National Westminster Bank PLC ("Natwest") relating to bank accounts maintained by NatWest of an alleged terrorist organization. Id. at *38-40. NatWest objected to the requests on the ground that the disclosure of such information would violate English bank customer secrecy laws. Id. at *39. The Weiss court ordered NatWest to produce the documents and information mainly because the "mutual interests of the United States and United Kingdom in thwarting terrorist financing outweighs the British interest in preserving bank customer secrecy—especially where Britain has not expressed an interest in bank security and has acted upon its own interest in international cooperation to detect, monitor and report customer links to terrorist organizations, and freeze funds used for terrorist financing." Id. at *58.
The above cases illustrate the challenges faced by courts and parties when foreign based documents are sought in U.S. litigation, especially where foreign data privacy and blocking statutes are involved. Such difficulties were recently addressed in American Bar Association ("the ABA") Resolution 103 which "urges" that:
[W]here possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.
In supporting its resolution, the ABA stated that "[l]itigants often face a Hobson's Choice: violate foreign law and expose themselves to enforcement proceedings that have included criminal prosecution, or choose noncompliance with a U.S. discovery order and risk U.S. sanctions ranging from monetary costs to adverse inference jury instructions to default judgments." Resolution 103 at 2. The ABA opined that courts should give more consideration "to the national interests behind the non-U.S. laws" such that the comity factors are weighed and applied "in a manner that demonstrates respect for those laws and the principles of international comity." Resolution 103 at 17.
Dealing with the Conflict
Counsel and parties must be aware of the risks involved in requesting and transporting data located outside of the United States when data protection laws are at play. For those facing such challenges, the following important considerations can help avoid negative consequences.
First, counsel should utilize U.S. law and procedures to appropriately limit discovery. This includes raising objections to discovery requests on privacy grounds, seeking protective orders to protect the personal data against access by third parties, or filing under seal. It is crucial to attempt to convince the U.S. court not to demand access to personal data in the European Union that would violate EU data privacy laws and to substantiate the legal requirements in the respective country. By suggesting ways to obey court orders while remaining compliant with European data privacy laws, the court may agree that the party is in good faith cooperating with the discovery request.
Further, to minimize potential liability under the data privacy laws, the responding party should anonymize or pseudo-anonymize each custodian's data and only transfer the depersonalized information. This can be accomplished by simply redacting any personally identifiable information in the respective documents. If redacting and removing the protected information is not an option, there may be other alternatives, such as obtaining the consent of the data subject. Obtaining consent can, however, be problematic, costly and impractical because the consent of each data subject is required and data subjects may include customers, third parties and ex-employees. And, in the case of employees, it may be questionable whether consents are freely given.
Attorneys and their clients should consider the legal and logistical issues in advance and implement a plan for collecting and reviewing data. For example, if a company's ESI is located in several European Member States, it may make sense to transfer the data to one central location within the EU where it can be stored, processed, culled, reviewed, and de-duplicated. Culling and review can significantly reduce the amount of ESI that must be transferred and can thus decrease the burden of complying with data privacy restrictions, such as removing personal information from ESI.
If conflicts between the two legal systems cannot be resolved prior to trial, it is recommended that European companies consult and cooperate with the responsible data protection agency to obtain guidance and/or approval for the specific situation. For example, if a company can demonstrate to the data protection agency that the information will be treated in a secure and protected manner in U.S. litigation, then the data protection agency may be more willing to show some flexibility or leniency.
No doubt, any litigation with a European e-discovery component holds layers of complexity not normally present in an all-American lawsuit. The conflict between U.S. discovery requirements and European privacy law is ongoing and has not yet been resolved. Nevertheless, the practical solutions discussed above can help attorneys involved in cross-border e-discovery to adequately react to disclosure requirements and remain compliant with European data privacy laws.
Karin Geissl is counsel in the dispute resolution group at Freshfields Bruckhaus Deringer's Munich office. She specializes in litigation with the focus on U.S. and international litigation. She advises companies on issues that arise in cross-border litigation, including jurisdictional challenges, Hague Convention issues and other matters. She has extensive experience with U.S. discovery, especially the discovery of electronically stored information.
Dana Post is a senior associate in the dispute resolution group at Freshfield Bruckhaus Deringer's New York offices. She handles all aspects of commercial litigation in federal and state courts and arbitration tribunals. Ms. Post's responsibilities include advising clients on their e-discovery obligations including the preservation, collection, processing, review, and production of electronic information. She also helps clients formulate e-discovery strategies and defensive procedures.