Compared with the rest of the world, the United States has historically had a more open framework for dealing with information. Social media have made even the most mundane and possibly personal pieces of data available to many with a press of a finger. Such an open relinquishment of private information is almost assumed and has become part of the American culture. Those who think about how easy it is to access data understand how their own data have become part of the searchable cyberspace.
In litigation, U.S. laws have typically been more about sharing—even erring on the side of being over inclusive. We look to “discover” all relevant information so that there are no surprises at trial. Evolutions in litigation and discovery practice approaches have emphasized simplifying the search for, and disclosure of, information and reducing costs in that search, but not necessarily limiting the release of the data. While protective orders have historically provided a certain level of limitation to data disclosure, the protection of data and personal privacy information have not historically been given the same level of emphasis in the United States.
When it comes to data protection, Europe is different, and the differences in the data privacy laws also reflect a difference in culture. In Europe, privacy rights are assumed, information confidentiality is maintained, and the U.S. concept of “discovery” is scorned. There is a concern that European sensitive data should stay outside the United States because the protection of such data in the United States is not sufficiently strong.
It is therefore not a surprise that the U.S. and European laws are inconsistent when it comes to cybersecurity. Preparing for and handling litigation in multiple countries has become extraordinarily complex. How is one to run one’s business and comply with the myriad of cybersecurity-related requirements worldwide?