As if e-discovery wasn’t already difficult enough, U.S. and international data protection and privacy laws are making it more complicated. For cases in U.S. courts, discovery of electronically stored information, or ESI, is often compulsory, while access to ESI located outside of the U.S. can be complicated by the exhaustive data protection laws and statutes of foreign jurisdictions regarding collecting, processing and transferring data containing personally identifiable information. In many jurisdictions, for example EU member states, privacy laws require that the transfer of ESI to certain countries be blocked.
Recent court cases confirm the difficulties of navigating cross-border e-discovery in the context of data protection rules – but offer inconsistent guidance on how organizations ought to address these complexities. The recent Law.com article, “Judges Test Balance Between FRCP, Foreign Data Privacy Law,” highlights two trademark infringement cases, less than a month apart from each other, with similar facts but contrasting approaches. In Tiffany (NJ) v. Qi Andrew, the court ordered the plaintiff to use the Hague Convention to obtain discovery in China from two non-party banks; in the similar Gucci America, Inc. v. Weixing Li, the court allowed the plaintiffs to bypass the Hague treaty.
Short of clarity by the courts or more direction from individual countries regarding data protection, how should organizations address FRCP requirements with ESI that is protected in other countries? While there is a spectrum of possible responses, organizations should consider proactive measures they can take now, before litigation or investigations arise, to limit exposure to risk.
Guidance from Canada
The Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia recently released guidance entitled “Getting Accountability Right with a Privacy Management Program,” which sets forth best practices “for developing a sound privacy management program, for organizations of all sizes, in order to meet obligations under applicable privacy legislation.”
Although intended for Canadian businesses, which have statutory obligations relating to privacy, the guidance is significant outside Canada since “personal information has become a global commodity, flowing constantly around the world, touched by organizations operating in multiple jurisdictions,” and “the need for consistent approaches to personal information protection has never been greater.” Organizations and countries are working to address this need with, for example, the EU’s Article 29 Working Party Opinion on Accountability, The Sedona Conference Working Group Six (WG6) initiatives formed at its recent annual meeting, and the American Bar Association (ABA), which issued Resolution 103 earlier this year seeking to reconcile U.S. civil discovery obligations with international laws that “block” or impede discovery. (Also, earlier this year, the EU proposed a reform of its data protection rules to strengthen online privacy rights, establishing a general EU framework for data protection and a directive on protecting personal data processed for the purpose of prevention, detection, investigation or prosecution of criminal offenses and related judicial action.)
The Canadian guidance offers building blocks that organizations in many countries, including the U.S., can benefit from by incorporating into their information management program:
Develop a culture that respects privacy. The first building block is the fostering of a “privacy-respectful culture” through the development of appropriate internal governance structures. Buy-in from senior management is essential, and a privacy officer (or office, in larger organizations) should be responsible for executing the privacy management program. Additionally, organizations should establish procedures for internal reporting and monitoring compliance.
Establish program controls. Next, organizations should establish program controls to implement the mandate in the governance structure. First, an organization should take a “personal information inventory” and assess “what personal information it holds, how it is being used—and whether it really needs it at all.” Data mapping – in which organizations proactively inventory and track key data sources so legal teams can quickly identify the location of private or protected information – can be an effective tool. Then, the organization should develop policies relating to handling the personal information in its possession, which it should document and communicate to employees.
Create training and education plans. Organizations should train all employees to be “actively engaged” in privacy protection.
Establish breach and incident management response protocols. Organizations should create procedures and readiness plans that they will implement in the event of a breach. The plans should address internal and external reporting requirements and appoint someone to handle the fallout from the breach.
Ensure proper management of third parties. Organizations that outsource the handling of personal information to third-party service providers have additional responsibilities. Organizations must make sure their contracts with service providers include privacy provisions, including the requirements that the third party adhere to their privacy policies and notify them in the event of a breach, as well as audit provisions to ensure compliance.
Communicate the program outside the organization. Organizations should ensure they communicate their policies to the people they interact with. This communication should do more than just regurgitate the privacy law; rather, it should inform the public of the purpose for collecting personal information and explain how that information is used, retained, and disclosed.
Maintain and improve the program regularly. Organizations cannot just set their privacy plans in motion and forget about them. Instead, they must monitor their program regularly. This includes an oversight and review plan that describes how the program will be monitored and evaluated so that it can be kept up to date and accounts for developments in the use of personal information.
Use the appropriate technology. Application of the appropriate technology, while not called out specifically by the Canadian document, plays a key role in establishing controls, from targeted data mapping and early case assessment (for quick evaluation of whether, and what, private data may exist within a matter) to documenting the measures taken to prevent disclosure of private information through chain-of-custody records and audit trails.
More and more, organizations are faced with the difficult tasks of identifying, acquiring, processing, searching, hosting and transferring data subject to a litigation or investigation – while making sure not to run afoul of the myriad data protection and privacy rules of foreign jurisdictions. Taking proactive measures is the first step in navigating these murky waters.
About the Author
Sheila Mackay is Senior Director of Conduent’s E-Discovery Consulting group. She regularly advises in-house legal teams and their outside counsel on best practices for designing and implementing repeatable, consistent and defensible litigation readiness and e-discovery response programs. She can be reached at smackay@conduent.