Posted on: December 28, 2017in Blog
How to Navigate International Data Privacy Laws for eDiscovery
Overcoming the cross-cultural differences at play is only the tip of the iceberg when it comes to cross-border discovery. The Hague Evidence Convention, national blocking statutes—and most significantly—foreign data privacy protection laws are an example of “hard” legal obstacles to cross-border discovery.
China’s Cyber Security Law establishes rules for “Data Transfer” for exporting data out of China. Each of these is a potential legal barrier to production of cross-border discovery materials in U.S. federal courts. A small but growing body of decisions, from magistrates to the Supreme Court, provides counsel with guidance in navigating these legal obstacles concerning cross-border discovery.
Managing Different International Data Privacy Laws in Litigation
What is the Hague Convention?
The Hague Convention provides a procedure for obtaining evidence located in foreign countries required for local litigation, and because the Hague Convention was ratified by the U.S., making it U.S. law, it would seem to provide the solution to cross-border discovery. Unfortunately, the guidelines are extremely time consuming, limited in their scope, are cumbersome and not recognized in some countries such as China. The aforementioned inadequacies are multiplied when one realizes that The Hague Convention has a rather limited number of signatory nations and that several countries, such as The Netherlands and Germany, have added provisos that essentially negate complying with American pretrial discovery.
In addition to the shortcomings of the Hague Convention, some countries have adopted blocking statutes that make it illegal—even criminal—to provide certain ESI for litigation in foreign courts. Nevertheless, comity dictates that the laws of a foreign jurisdiction are respected in American courts. This generally means the issue of the blocking statute is raised, and the court applies comity analysis and resolves in favor of ignoring the blocking statute and compelling discovery.
The European's Stance on Data Privacy
The limitations of the Hague Convention and foreign blocking laws are not the end of the legal obstacles for counsel to navigate in cross-border discovery. European data privacy protection laws pose a significant obstacle to complying with federal discovery, much like the Health Insurance Portability and Accountability Act (HIPAA), foreign data privacy protection laws protect private personal information.
Unlike HIPAA, most European data privacy protections go much further than medical information and protect against disclosure of any personal information. These restrictions on data privacy can extend so far as to include email addresses. Any data that can potentially identify a private individual can be protected against disclosure to a third party, including an American federal court.
While these guidelines appear to be comprehensive—even accommodating to U.S. Litigation—issues arise in applying the guidelines country by country.
The European Commission Article 29 Data Protection Working Party issued an opinion in 2009 on pretrial discovery for cross-border civil litigation. This opinion provides guidance to data controllers subject to EU law regarding U.S. federal litigation involving ESI that contains private information located within the EU. Additionally, it offers direction to member states’ data privacy authorities regarding ESI containing personally identifying information as it relates to cross-border litigation, particularly in the U.S.
Challenges with the Hague Convention and FRCP Guidelines
While these guidelines appear to be comprehensive—even accommodating to U.S. Litigation—issues arise in applying the guidelines country by country. For example, while “consent” looks to be grounds for processing and producing ESI for litigation purposes in the U.S., consent in Spain does not mean the same thing as it does in Germany, where consent obtained by an employer from an employee is presumptively invalid.
The Hague Convention’s rules for pretrial discovery, blocking statutes and foreign data privacy laws are often at odds with FRCP discovery rules. The Supreme Court’s decision in Societe Nationale Industrielle Aerospatiale v. United States Dist. Court for S. Dist., 482 U.S. 522 (1987) provides courts guidance in reconciling the conflict between the Hague Convention, blocking statutes and the FRCP using a non-exhaustive five-factor test.
Recently, the U.S. District Court for the Northern District of California in BrightEdge Techs., Inc. v. Searchmetrics, GmbH, 2014 U.S. Dist. LEXIS 112377 (N.D. Cal. Aug. 13, 2014) concisely applied the original five-factor test supplied by the Supreme Court in Aerospatiale in addition to two more factors. Without more, the Hague Convention, blocking statutes and foreign data privacy protection laws do not provide a significant legal obstacle to complying with FRCP discovery rules. Despite all the obstacles to production of cross-border ESI, the holding in Aerospatiale essentially presents a very high bar for the producing party to clear before granting any relief from complying with discovery under the FRCP.
Navigating these Legal Obstacles to Cross-Border eDiscovery
The tension between the holding of Aerospatiale and the Hague Convention, blocking statutes and data privacy protection laws may seem to place counsel navigating cross-border discovery in the Bermuda Triangle. Nevertheless, the framework created by those various sources of law, when read together, provides counsel a number of avenues to comply with FRCP in cross-border discovery.
To keep reading on how to navigate legal obstacles, download a full copy of the white paper here.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted August 15, 2018
Document Review Best Practices: 9 Steps to Prepare Your Workflow
Posted August 10, 2018
Data Reuse in eDiscovery: 4 Questions to Help Start Your Policy
Posted August 03, 2018
Taking a Team Approach to eDiscovery Projects
Posted July 27, 2018
How eDiscovery Managed Services Can Benefit Any Team
Posted July 20, 2018
X1 Discovery’s Insight & Collection Shows Promise to Close the Gaps in the EDRM
Posted July 13, 2018
What is the GDPR? 4 Basic Facts Experts Want You to Know
Posted July 06, 2018
Who Determines eDiscovery Requirements for ESI Production?
Posted June 29, 2018
Social Media Law Update: Your Tweets, Tom Brady, and Violating Copyright?
Posted June 22, 2018
Why It is Crucial to Have a Litigation Response Plan
Posted June 15, 2018
What is ESI? Terms and Concepts Every Attorney Should Know