Cross-border e-discovery often places organizations in the precarious position of choosing to violate the law of the U.S. or abroad. The increasingly globalized world economy and the proliferation of electronic data have made an already daunting challenge even more acute. Global organizations have no choice but to proactively approach the use of electronically stored information (ESI) in its foreign operations with a combination of human expertise and technological innovation. That's the view expressed in a new white paper, “Protecting Privacy in Cross-Border Litigation," by Scott Giordano, Exterro's corporate technology counsel. In it, Giordano describes the “privacy minefield" that provides the setting of global e-discovery and offers a number of best practices for mitigating the risk of costly blunders.
Overcoming Conceptual Differences
Preparing for cross-border e-discovery must involve a careful evaluation of local privacy standards. Foreign nations tend to have much broader definitions of what constitutes “personal data" than the U.S. does. Giordano says that expansive definitions of personal data abroad create opportunities for conflict. He writes, “The consequence of these differing approaches is that organizations involved in cross-border litigation have to be prepared to have a wide variety of data types considered personal data and adapt their e-discovery strategy accordingly." Likewise, the U.S. concept of data processing differs significantly from that of many foreign jurisdictions. Giordano says routine legal actions, such as the establishment of a legal hold, constitute “processing" in some foreign jurisdictions, such as the EU, and can require employee consent. Further complicating matters, Giordano points out, is that consent can be withdrawn at any time, potentially stopping an e-discovery process in its tracks.
Future of Safe Harbor Uncertain
Once the processing of data has been justified, transferring data to the U.S. from abroad presents its own set of hurdles. The U.S.-EU Safe Harbor provides a legal framework for U.S. companies to transfer personal data of EU residents outside the region. Participation in the Safe Harbor framework requires that companies self-certify to the U.S. Department of Commerce that it complies with the privacy principles enumerated in EU's Data Privacy Directive. However, Giordano notes that the Safe Harbor program has come under heavy scrutiny from European data authorities stemming from the belief that the program is not being adequately enforced. The recent NSA surveillance scandal only heightened concerns. Giordano posits that upcoming changes to the overall data privacy regime in the EU may ultimately limit of even eliminate the safe harbor creating even more stringent barriers for data transfer from the EU to the U.S.
Best Practices for Conducting Cross-Border E-Discovery
Parties in the U.S. often employ a “carpet bombing" approach to e-discovery which involves collecting very broadly and then sifting through the resulting corpus to identify responsive ESI. Besides being costly and inefficient, Giordano says the approach is legally untenable in the EU where privacy controls prevent such haphazard methods for collecting and exporting data. Giordano identifies three mutually reinforcing principles that support privacy protection in cross-border e-discovery:
- Narrowing the Scope of ESI
- Implementing Controls
- Providing Transparency
Narrowing the Scope
By leveraging technology and developing well-defined processes, organizations have ample opportunity to limit the amount non-responsive ESI (and the personal data that it comprises) that must be preserved and collected. Giordano offers a number of examples including the use of data mapping as a means to track which servers and repositories contain ESI with sensitive material and the use of advanced search and analytics tools during the early case assessment phase to identify irrelevant data and also locate data that contains pattern-based personally identifiable information, such as national identification numbers, phone numbers or IP addresses.
Giordano advises that safeguards be put in place that limit the exposure of personal data. Examples include sending foreign custodians questionnaires to determine whether the individual has personal data that requires special attention or including a consent checkboxes in legal hold notices to foreign custodians, ensuring that data isn't illegally processed. He adds that during the collection phase, it is often prudent to keep data on servers in the same geographic location in which it was collected to avoid the thorny process of exporting the data back to the U.S. until it is absolutely required.
The challenge of cross-border e-discovery, Giordano says, is as much a cultural issue as it is a legal one. For this reason, efforts should be made to provide complete transparency into the process to demonstrate good faith. Examples include keeping foreign custodians apprised of how their information is being used and ensuring that they understand their rights with respect to withholding consent. According to Giordano, reporting takes on added significance in the context of cross-border e-discovery because the incidence of conflict is far greater than in domestic litigation. Having documentation that clearly illustrates a given series of events, who was responsible and why certain decisions were made can make the difference between onerous and limited sanctions.
To learn more about these issues and how Exterro addresses cross-border privacy compliance, read the complimentary white paper, “Protecting Privacy in Cross-Border Litigation."