In January 2008, the Court of Cassation in France upheld a fine of 10,000 Euros imposed on a French lawyer (“Christopher X”) for providing information to a U.S. firm even though he had acted in compliance with a U.S. civil court’s discovery orders.
The U.S. court had ordered the defendant to discover bank records that were held in France. The defendant argued that transferring the records out of France would expose it to prosecution under a French blocking statute enacted to prevent such a transfer.
The blocking statute, part of the French Penal Code, prohibited the disclosure of any information of a commercial, industrial, financial or technical nature for use as evidence in foreign proceedings, except by international treaty or agreement. The U.S. court ordered discovery in any event, citing the low practical risk of prosecution. When the defendant’s French lawyers complied with the U.S. court but failed to follow the relevant international treaty (the Hague Evidence Convention), the prosecution went ahead nonetheless and resulted in the hefty fine.
The collection processes involved in this case—the transfer of documents, data and information across international borders for discovery in local litigation and arbitration—are generally called “cross-border” or “trans-border” discovery.
The Christopher X case is fair warning for litigation support managers that cross-border discovery is a growing area of concern. Not only is this area an international crossroad between discovery obligations and rights of privacy, but there are practical as well as legal consequences which litigation support personnel must address.
What makes cross-border discovery different?
The location of information today is typically decentralized and includes hard copy archives off-site and electronically stored information (ESI) located in simultaneous multiple locations. Therefore, legal teams need to cast a wide net in their litigation and discovery strategies to deal with these multi-jurisdictional issues.
Statutory requirements for the collection, storage and use of information in one country will not necessarily ensure compliance with another, particularly where personal information is involved. Retrieving case information in a compliant way from different countries can take an unexpectedly long time, and careful planning is required.
Legal teams—attorneys and litigation support managers—working on projects involving client information stored overseas may need to ensure they are familiar with their clients’ privacy obligations and their own. Legal teams seeking to resist overseas efforts to obtain locally-based information should be equally prepared.
What are the key issues?
Cross-border discovery involves unique legal and compliance issues, as well as some logistical issues not often encountered. Organizations involved in global litigation can face a variety of challenges. Their information (hard copy documents, electronic information and IT networks) is located at multiple sites. Key people are located across many time zones. Foreign languages and cultural issues can arise and the local legal team might be encountering the information privacy laws of foreign jurisdictions for perhaps the first time. In new or unfamiliar areas simple terminology can be misleading. For example, in cross-border discovery, countries are generally referred to as “States.” This term should not be confused with States that are domestic levels of government (as in the United States and Australia).
The unique combination of issues arising in cross-border discovery exercises can affect the likelihood of a successful legal result. Managing these issues can also minimize the risks and costs involved in collecting the information. The issues can include:
These four areas were recently identified by The Sedona Conference® in its discussion paper, “Framework for Analysis of Cross-Border Discovery Conflicts,” as areas that have the highest potential for disputes in cross-border discovery.
Why are privacy laws relevant?
Privacy laws seek to protect the “processing” of “personal information.” The term “processing” incorporates any action which touches data during its lifecycle and includes collection, use, disclosure to others, and destruction. Accordingly, the recovery of data to be used in the discovery process falls within its ambit. The term “personal information” generally means any information that can identify a particular individual. Some additional categories of data have greater privacy value or deal with more sensitive aspects of an individual. Sometimes referred to as “sensitive information” or “special categories,” these can include information about an individual’s health or medical, religious, racial or political information. Such information is often accorded even greater protection against disclosure.
How does the Hague Evidence Convention assist?
The 1970 Hague Evidence Convention, an international treaty, sets out a procedure States may adopt for the local use of evidence from foreign jurisdictions. Currently 28 States have ratified the Convention and agreed one-on-one with a matrix of other States to be bound by the Convention in cases that arise between them. The Convention allows for the transmission of Letters of Request (similar to Letters Rogatory or Interrogatories) from one signatory state (where the evidence is sought) to another signatory state (where the evidence is located) without recourse to consular and diplomatic channels.
Although this process exists, a State that has ratified the Convention can still deny a request if it believes the request threatens “sovereignty or security,” or the national interest. States that have such a reservation include France, Germany, Italy and Spain. As can be seen from the Christopher X case, States have used these reservations and other “blocking statutes” to create legal structures to thwart outgoing cross-border discovery entirely, irrespective of the relevance the information might have within the requesting jurisdiction. When handling cross-border collection processes from States that have not ratified the Convention, it should be noted that the Convention may still be of relevance where any intermediate exchange of information is required between States that are Convention States.
Personal information privacy - a global sampler
THE USA
The USA has ratified the Hague Evidence Convention. As explained earlier, this will assist the lawful movement of personal information to another State. The introduction of concepts of personal information privacy into U.S. statutes has occurred in an unstructured way. A raft of privacy statutes regulate information held by financial, health and credit reporting institutions, and may affect discovery processes out of the U.S. This legislation should be closely reviewed against the contents of any information considered for “export.” The United States Department of Commerce and the European Commission have negotiated a “Safe Harbor” framework for organizations commonly dealing with cross-border transfer between the E.U. and the U.S. This allows organizations to “self-certify” that they have adequate privacy protections.
CANADA
Canada has not ratified the Hague Evidence Convention.
Canada’s personal information privacy regime arises from the Privacy Act and the Personal Information Protection and Electronic Documents Act (the ‘PIPEDA’). These statutes apply to the handling of personal information by federal agencies and commercial organizations operating in Canada and may preclude any organization from disclosing personal information as part of a cross-border collection process. Under the PIPEDA, individuals can file complaints with the Privacy Commissioner regarding the handling of their personal information. To pursue an alleged breach, individuals or the Commissioner may apply to the Federal Court of Canada which has jurisdiction to conduct a hearing and powers to enforce the Act and award substantial damages for breach.
Personal information may be disclosed without consent in order to comply with a subpoena, warrant or court order, or to comply with the rules of court relating to the production of records. Similar schemes apply at Provincial and Territorial level.
THE EUROPEAN UNION
The aims and objectives of European data protection laws derive primarily from Article 8 of the European Convention on Human Rights, which declares that “everyone has the right to respect for his private and family life, his home and his correspondence.” The minimum standard for each Member State’s regulations for “processing” personal data is set by the 1995 EC Data Protection Directive. The concept of processing incorporates all actions on the lifecycle of the data including collection, use, disclosure and destruction, and so the recovery of data for discovery falls within its ambit.
In practical terms, the movement of personal information between EU member States is not restricted. Export to a third-party State which might be considered to have inadequate privacy protection is generally prohibited, with limited exceptions. Each State has implemented the Directive with different levels of protection over personal information, and this will affect the amount of work that may be required to comply with their laws.
Compliance timeframes may vary enormously. Some other EU States are less strict. For example, the authors have encountered varying delays due to data protection issues in the release of documents from States including Germany, France, Switzerland and Italy. The strictest State is probably Switzerland, which prohibits the export of any personal information without an external audit of the information.
ASIA
Concepts of personal information privacy cross the spectrum in Asia. For example, privacy concepts are now well developed in Japan, which has introduced the Personal Information Protection Act of 2003. This Act provides a structure of obligations for organizations that collect “personal information” but has potentially weak powers of enforcement. The near-absence of privacy concepts in the People’s Republic of China has prompted ongoing debate. However, China’s “State Secrecy Laws” may assist defendants with information held in China in resisting discovery requests.
AUSTRALIA
Australia has ratified the Hague Evidence Convention and has accords in place with 37 other states. It also has a “letter of request” process for obtaining witness testimony under the Foreign Evidence Act 1984.
The Privacy Act 1988 regulates the export of personal information from Australia. National Privacy Principle 9 (NPP 9) covers “transborder data flows” and is largely modelled on the approach of the 1995 EC Data Protection Directive. These requirements currently only apply to private sector organizations. However, this is expected to extend to the public sector following a report of the Australian Law Reform Commission recommending such change. Under NPP 9, an organization in Australia may lawfully transfer personal information out of Australia where the individual has consented, where similar privacy regimes are believed to exist in the State of import, and in other circumstances. Australia has enacted a limited blocking statute. Under the Foreign Proceedings (Excess of Jurisdiction) Act 1984, the Attorney-General may prohibit compliance with foreign discovery orders and judgments in foreign antitrust proceedings if satisfied that the order is desirable “for the protection of the national interest.” The Attorney-General also has the power to prohibit the production of Australian documents to a foreign court, and any action in Australia that might lead to the documents being produced in a foreign court.
Tackling the Logistical and Practical Challenges
With the variety of foreign laws regulating cross-border discovery, retrieving case information in a compliant way all must be factored in to any processing times as well as court deadlines by litigation support managers. Informing and educating the local legal team, the client and the court about potential challenges may also be necessary. Most privacy laws were not drafted with e-mail or other ESI in mind. The likelihood that the majority of relevant discoverable information will be electronic is now high in every project. As the Sedona Conference’s discussion paper observed, “…the most important piece of evidence may be an electronic file that was created by an employee in Berlin, which now sits on a server in Singapore, and was recently downloaded by a co-worker at a café in Paris. Technology has significantly changed, and the law must keep pace with such change.” Global business also means more worksites holding relevant information, and those sites could be located in different States.
What technical issues can arise with foreign custodians?
Managing cross-border discovery often requires multiple sites processing information simultaneously. In this environment, procedures must be established to ensure documents can be retrieved for processing using consistent selection techniques. This is often when custodians’ document retention policies (where they exist) are found to have been applied inconsistently. The ability to process hard-copy and electronic information to a standard may vary at each site. Local vendors may need to be chosen carefully or an experienced external team should be brought in to process the collection.
Managing foreign language issues may require specialized IT and a processing team that can effectively handle translation and foreign law skills. Even then, the time required to analyze case information can vary dramatically, particularly for languages with their own character sets. Other issues are purely cross-cultural, but require planning and perhaps some flexibility. Some cultures treat the sexes differently in daily life. Sending teams of mixed sexes to sites in these States may require different travel, accommodation or other arrangements. Given the effect privacy laws can have on legal processes and timelines, priority should be given to establishing the type of information held by each custodian. Is it company tax records which may be considered personal information? Is it medical information about third-party individuals which may be sensitive information requiring additional legal processes before release? In dealing with custodians, officials and laws of a foreign State, it also pays to be alert for signs of unfamiliarity or inexperience with the management of ESI.
Planning a cross-border collection project
Planning for cross-border discovery involves a consideration of the broad context in which each custodian is working: the law, the physical environment, the social culture and the organizational culture. Having considered these elements, if there are no apparent legal impediments to the collection, litigation support managers should seek appropriate consents to release, manage the information with integrity and appropriate security, collect what is proportional, and comply with local laws as required. In planning the collection process, litigation support managers may also need to consider:
Hurdles in the process may arise from any part of the custodian’s broader context, and the likelihood of these issues affecting the collection process should be assessed, planned for and managed.
Strategies in a Nutshell
One reality of today’s business environment is that a client does not have to be an international company to have information stored across the globe. Litigation support managers need to ensure that the legal team asks the right questions early on. This strategy will help managers to handle the expectations of all parties, including the court, about the discovery of cross-border information.
Contributor: Material for this article was contributed by Sandra Potter. Ms. Potter is an internationally recognized expert in the law and technology field, managing director of legal technology consultancy Potter Farrelly & Associates and on the executive board of The Sedona Conference® Working Group 6: International Electronic Information Management, Discovery and Disclosure. Derek Begg is an associate director of Potter Farrelly & Associates and has an extensive background as a solicitor practicing in commercial litigation. The authors acknowledge the contribution of Potter Farrelly & Associates consultant Rob Scott in writing this article.