E-discovery obligations often conflict with international data privacy laws, creating headaches for the growing number of companies that store data abroad.
The New York City Bar Association’s E-discovery Working Group has reviewed state and federal case law pertaining to this emerging issue in order to create a best practices guide for litigators attempting to comply with domestic discovery rules that conflict with foreign privacy restrictions. ABA Section of Litigation leaders agree with the report’s emphasis on addressing potential data privacy challenges at the beginning of a case before they become unmanageable.
A High Stakes Issue
Foreign data issues have begun to arise more frequently as strict privacy laws proliferate and companies expand their international footprints, according to the New York City Bar’s report. Over 80 countries have implemented restrictions to protect individuals’ personal information from disclosure, including “blocking statutes” that restrict transfer of documents beyond a country’s borders. The European Union has some of the most stringent laws, the report states, effectively prohibiting the transfer of personal data for production in a U.S. lawsuit. When a misstep occurs, the penalties can be severe, even resulting in criminal liability in some countries.
The report emphasizes that these restrictions create a quandary for counsel, because a U.S. court may require production of documents that a foreign statute forbids. Federal Rule of Civil Procedure 34, for example, requires litigants to produce materials in their “possession, custody, or control,” with no exception for documents located overseas. “The result is a ‘catch-22’ pitting domestic discovery obligations against foreign data transfer restrictions,” the report explains. The report summarizes key cases addressing cross-border discovery issues and their disparate outcomes, which sometimes turn on balancing a foreign country’s interest in protecting privacy against the parties’ need for discovery. In some cases, courts ordered documents produced notwithstanding a foreign statute forbidding disclosure.
Section members should use the report to educate themselves about the severe implications of producing e-discovery that originates in a foreign country, says Michelle M. Burke, Morristown, NJ, cochair of the Section of Litigation’s Young Advocates Committee. “This report provides real value because it educates lawyers regarding complicated discovery issues they may not have seen in their practice,” Burke explains.
And if they have not yet encountered such issues, they soon will. According to the report, it is inevitable that litigators will encounter this issue at some point, because “it is increasingly rare to represent a purely ‘domestic’ corporate client.”
Burke agrees. “With a global economy, this is an issue you cannot escape,” she says. “There is a lot of risk involved when data is located overseas, and lawyers can follow the advice in this report to avoid that risk.”
Best Practices: Start Early, Know Your Client, and Leverage Local Expertise
“An attorney should conduct a full investigation at the outset of a case to see if data may potentially be located overseas,” Burke advises. Best practices include reviewing a client’s organizational structure and interviewing a client’s IT department to determine if any data resides with a foreign affiliate or on a server located abroad. Even a case between U.S. parties in a U.S. court “can trigger transnational discovery obligations when potentially relevant documents happen to reside abroad,” the report warns.
After locating the data, a lawyer should identify potentially applicable laws and determine if his client controls the data within the meaning of applicable discovery rules, advises Kenneth M. Klemm, New Orleans, LA, cochair of the Section’s Pretrial Practice & Discovery Committee. “When representing a multinational corporation, an attorney must be familiar with the corporation’s operations and how its parent, subsidiary, and related companies interact with one another,” Klemm says. “Such interactions could dictate whether a U.S. court will view data to be in the possession, custody, or control of a litigant.”
Once the time comes to collect data, best practices call for relying on a local expert familiar with the foreign rules at issue, according to the report. “The report also suggests retaining a vendor with a presence in the foreign jurisdiction to assist with the data collection to avoid violating foreign laws,” Klemm observes.
Talk It Out: Communicate with Opposing Counsel and the Court
Burke advises Section members to engage in early, transparent discussions about data privacy concerns with opposing counsel and, if necessary, the presiding judge. “Bringing these issues to the forefront with your adversary is something lawyers should do at the outset of every case, regardless of whether the venue’s applicable procedural rules require an initial conference,” she says. The report emphasizes that one court sanctioned counsel for not conferring regarding the impact of foreign data privacy laws or addressing it in a joint stipulation on discovery.
“If possible, enter a disclosure agreement to govern discovery where data resides in a foreign jurisdiction,” Klemm advises. The report suggests, for example, that the parties may agree to a rolling production schedule with enough time allotted to conduct a thorough review. In addition, some foreign statutes allow production of documents after obtaining necessary approvals. Entering an order or stipulation containing information security provisions may convince foreign individuals and regulators to provide permission to produce, the report advises.
Geoff A. Gannaway is a contributing editor for Litigation News.
Hashtags: #crossborder, #ediscovery #dataprivacy
- ABA Resolution 103 (adopted Feb. 6, 2012).
- George L. Washington Jr., “An Examination of Factors Considered by U.S. Courts in Ruling on Requests to Conduct Discovery on Information Located in Foreign Countries,” ABA Annual Meeting (Aug. 8, 2014).
- Kristen L. Burge, “Electronic Data Stored Abroad Now Subject to Federal Seizure,” Litigation News (Aug. 16, 2018).
- Andrew J. Kennedy, “Guidelines Emerge with Rise in E-Discovery of Employee Devices,” Litigation News (June 5, 2018).
- Wojciech Wandzel et al., “The GDPR – New EU Law on Personal Data,” Comm. & Bus. Litig. (Apr. 27, 2018).
- Societe Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522 (1987).
- Motorola Credit Corp. v. Uzar, 73 F. Supp. 3d 397 (S.D.N.Y. 2014).
Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).