In September, the Sedona Conference released its latest publication on e-discovery matters, Practical In-House Approaches for Cross-Border Discovery & Data Protection, for public comment. The publication addresses a number of hot-button issues for corporate counsel engaged in cross-border litigation, including varying international laws governing data privacy and protection and the differing ideas of disclosure and discovery. In doing so, it illustrates principles and practical guidance for handling cross-border matters with hypotheticals.
Given the complexities of cross-border discovery, we’ve provided below a summary of the most salient points:
- Organizations should use best practices that mitigate conflicts between their discovery obligations and foreign data protection laws.
This begins with identifying cross-border data sources, reviewing the applicable laws, and working with privacy counsel to determine how to comply. E-discovery specialists can suggest methods for handling discovery with minimal disruption to data, such as organizing on-site processing and review. In addition, organizations should set up a comprehensive plan for discovery that includes all stakeholders, which will likely include the legal team and data custodians as well as human resources for navigating personnel concerns and cultural conflicts, and corporate communications for constructing appropriate messaging. Documentation can also go a long way toward demonstrating good faith, and the publication appendices include a suggested case management form and internal protocol for discovery. The appendices also include a sample infographic, frequently asked questions, and a heat map that can help foreign counsel and staff understand what is at stake.
- Parties should take measures to restrict the scope of preservation and discovery of protected data.
Organizations should take several steps to cull and filter their data before transferring it for review. First, they can tailor their keyword searches to the relevant business terms, names, and dates. They should also apply terms that will identify e-mails or other documents that contain personal data, such as the names of financial institutions or e-mail domains usually used for personal accounts. Eyes-on review of documents may be necessary to ensure that protected data in nonresponsive documents is not transferred. When producing responsive documents that contain protected data, organizations should consider using automated anonymization, randomization, or redaction techniques.
- Court orders or stipulations should minimize any conflict between data-privacy laws and discovery requirements.
Parties should work with opposing counsel to identify and define privacy issues early in a matter and obtain a stipulation; alternatively, they may need to ask the court for a protective order. This way, they can show data protection authorities as well as foreign document custodians that they have taken reasonable efforts to protect personal data.
- Organizations should be able to demonstrate that they have addressed their data-protection obligations.
A primary issue with collecting information from foreign data subjects is that they can revoke their consent to data processing and transfer at any time. Therefore, counsel may find it useful to set up a series of transparency checkpoints throughout the matter lifecycle that permit subjects to reaffirm their consent, such as by implementing and periodically renewing a legal hold that requests consent to data transfer.
- Organizations should retain protected data only as long as needed to meet their legal or business needs.
At the end of a matter, organizations should release legal holds and return or dispose of data that was transferred to the United States from abroad. The less personal information that organizations retain, the lower their risk.
The public comment period ends December 15, and you can e-mail your thoughts to email@example.com. Although in draft form, this document can still serve as a helpful blueprint for organizations handling matters involving international e-discovery.