Posted on: December 28, 2017in Blog
How to Navigate International Data Privacy Laws for eDiscovery
Overcoming the cross-cultural differences at play is only the tip of the iceberg when it comes to cross-border discovery. The Hague Evidence Convention, national blocking statutes—and most significantly—foreign data privacy protection laws are an example of “hard” legal obstacles to cross-border discovery.
China’s Cyber Security Law establishes rules for “Data Transfer” for exporting data out of China. Each of these is a potential legal barrier to production of cross-border discovery materials in U.S. federal courts. A small but growing body of decisions, from magistrates to the Supreme Court, provides counsel with guidance in navigating these legal obstacles concerning cross-border discovery.
Managing Different International Data Privacy Laws in Litigation
What is the Hague Convention?
The Hague Convention provides a procedure for obtaining evidence located in foreign countries required for local litigation, and because the Hague Convention was ratified by the U.S., making it U.S. law, it would seem to provide the solution to cross-border discovery. Unfortunately, the guidelines are extremely time consuming, limited in their scope, are cumbersome and not recognized in some countries such as China. The aforementioned inadequacies are multiplied when one realizes that The Hague Convention has a rather limited number of signatory nations and that several countries, such as The Netherlands and Germany, have added provisos that essentially negate complying with American pretrial discovery.
In addition to the shortcomings of the Hague Convention, some countries have adopted blocking statutes that make it illegal—even criminal—to provide certain ESI for litigation in foreign courts. Nevertheless, comity dictates that the laws of a foreign jurisdiction are respected in American courts. This generally means the issue of the blocking statute is raised, and the court applies comity analysis and resolves in favor of ignoring the blocking statute and compelling discovery.
The European's Stance on Data Privacy
The limitations of the Hague Convention and foreign blocking laws are not the end of the legal obstacles for counsel to navigate in cross-border discovery. European data privacy protection laws pose a significant obstacle to complying with federal discovery, much like the Health Insurance Portability and Accountability Act (HIPAA), foreign data privacy protection laws protect private personal information.
Unlike HIPAA, most European data privacy protections go much further than medical information and protect against disclosure of any personal information. These restrictions on data privacy can extend so far as to include email addresses. Any data that can potentially identify a private individual can be protected against disclosure to a third party, including an American federal court.
While these guidelines appear to be comprehensive—even accommodating to U.S. Litigation—issues arise in applying the guidelines country by country.
The European Commission Article 29 Data Protection Working Party issued an opinion in 2009 on pretrial discovery for cross-border civil litigation. This opinion provides guidance to data controllers subject to EU law regarding U.S. federal litigation involving ESI that contains private information located within the EU. Additionally, it offers direction to member states’ data privacy authorities regarding ESI containing personally identifying information as it relates to cross-border litigation, particularly in the U.S.
Challenges with the Hague Convention and FRCP Guidelines
While these guidelines appear to be comprehensive—even accommodating to U.S. Litigation—issues arise in applying the guidelines country by country. For example, while “consent” looks to be grounds for processing and producing ESI for litigation purposes in the U.S., consent in Spain does not mean the same thing as it does in Germany, where consent obtained by an employer from an employee is presumptively invalid.
The Hague Convention’s rules for pretrial discovery, blocking statutes and foreign data privacy laws are often at odds with FRCP discovery rules. The Supreme Court’s decision in Societe Nationale Industrielle Aerospatiale v. United States Dist. Court for S. Dist., 482 U.S. 522 (1987) provides courts guidance in reconciling the conflict between the Hague Convention, blocking statutes and the FRCP using a non-exhaustive five-factor test.
Recently, the U.S. District Court for the Northern District of California in BrightEdge Techs., Inc. v. Searchmetrics, GmbH, 2014 U.S. Dist. LEXIS 112377 (N.D. Cal. Aug. 13, 2014) concisely applied the original five-factor test supplied by the Supreme Court in Aerospatiale in addition to two more factors. Without more, the Hague Convention, blocking statutes and foreign data privacy protection laws do not provide a significant legal obstacle to complying with FRCP discovery rules. Despite all the obstacles to production of cross-border ESI, the holding in Aerospatiale essentially presents a very high bar for the producing party to clear before granting any relief from complying with discovery under the FRCP.
Navigating these Legal Obstacles to Cross-Border eDiscovery
The tension between the holding of Aerospatiale and the Hague Convention, blocking statutes and data privacy protection laws may seem to place counsel navigating cross-border discovery in the Bermuda Triangle. Nevertheless, the framework created by those various sources of law, when read together, provides counsel a number of avenues to comply with FRCP in cross-border discovery.
To keep reading on how to navigate legal obstacles, download a full copy of the white paper here.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted June 15, 2018
What is ESI? Terms and Concepts Every Attorney Should Know
Posted June 08, 2018
Computer Forensics Investigations Unlock Key Digital Evidence
Posted June 01, 2018
Global Legal & IP ConfEx | New York, NY | London, UK
Posted June 01, 2018
7 Factors to Consider Before Creating an Email Retention Policy
Posted May 25, 2018
Record Retention Best Practices: 5 Things to Consider for Paper Documents
Posted May 18, 2018
Burdensome eDiscovery Requests: How to Manage the Cost of Review
Posted May 11, 2018
Contract Dispute Case Study: Beyond TAR 1.0
Posted May 03, 2018
7 Tips to Preserve and Review Mobile Device Data
Posted April 26, 2018
GDPR and Blockchain: My Rights vs. My Immutable Records
Posted April 25, 2018
Relfest London 2018 | Your GDPR Last-Minute Preparation Checklist