An international banking organization with offices in both the United States and France is sued in the United States for fraud. Much of the data relevant to the United States litigation is located on centralized servers in France, although the data can be accessed by individuals in the United States. The organization is unsure if it can produce that data in the United States litigation without running afoul of France’s data privacy laws and blocking statute.
Data Consolidation & Globalization
It is not uncommon for information—including electronically stored information (ESI)—sought in discovery in US legal proceedings to be located outside of the United States. Access to such information is complicated by the differing perspectives of various foreign jurisdictions toward the discovery or disclosure of such information. In addition, the movement toward cloud computing models has the potential to further complicate the legal questions that arise in connection with US discovery.
International Data Privacy & E-Discovery
While the United States has a discovery system that encourages extensive production of information, many other countries have far more protective schemes. In particular, the European Union member states have detailed data protection laws based on the EU’s Data Privacy Directive. Those laws tightly regulate when and how personally identifiable information (which encompasses a broad range of information including name, age, gender, marital status, nationality, citizenship, veteran status, personal or business contact information and identification numbers) may be collected, processed, stored and transferred by an organization.
In January 2012, the European Commission outlined plans to update the EU’s existing data protection law regime by establishing a single framework of data protection throughout the European Union. The plans call for bringing within the scope of the EU data protection rules businesses that are based outside of the European Union but target EU citizens. Recent reports state that the new EU data protection rules and a new cybersecurity framework are to be adopted by early 2015.
In addition, several European countries have enacted blocking statutes designed to protect sovereignty and shield foreign nationals from intrusive US-style litigation. Violations of these foreign laws may result in serious consequences for the organization, including criminal charges. Taken together, these laws create a tension between the mandate of the US Federal Rules of Civil Procedure to produce all relevant electronic records and the laws of other countries regulating discovery and transmission of ESI.
There are several questions an organization will face in determining whether data located abroad must be produced in a US litigation. First, what are the conditions under which ESI “stored” outside of the United States is deemed to be in a domestic party’s “possession, custody, or control” under the Federal Rules of Civil Procedure? Consistent with the emphasis on full disclosure in the American legal system, US courts construe the term “control” broadly. Thus, a party has control if it has the legal right, authority or practical ability to obtain the materials sought upon demand. Second, does the applicable foreign law permit the processing, transfer and production of overseas ESI? The answer to this question will depend on the location of the data and the laws of the country at issue. Third, will the US courts require the production of relevant data regardless of any foreign restrictions? The answer to this question is generally yes, although US courts have been more willing to give deference to restrictions arising from data privacy laws than those arising from foreign blocking statutes.
Best Practices for Managing International Data Privacy Issues in E-Discovery
Because the US courts tend to require the production of relevant data in an organization’s possession, custody and control regardless of any foreign restrictions, it is helpful for an organization to consider the best ways to ensure that it can meet both its US and foreign legal obligations. As with any effort to manage and minimize risks, the best practice is to evaluate those risks before litigation arises and implement standard controls.
For inquiries related to this Tip of the Month, please contact Ed Sautter, Mark Hilgard or Kim Leffert. Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana, Michael E. Lackey, or Edmund Sautter.