Other countries have not tailored their laws to suit the convenience of American trial lawyers. How inconsiderate.
Don't expect to just dance right in to collect the data either.
I know this is a hard concept for Americans to grasp, but the force of U.S. law does not extend outside the U.S. If you’re litigating a case where discoverable information sits in other countries, don’t think that you can swagger in there John Wayne-style, collect it, and bring it back to the U.S. for a look-see — not even if the data is located on servers belonging to a European subsidiary or parent of your corporate client. It’s not theirs to give and it’s not yours to take, at least not without first jumping through a few legal and cultural hoops.
Privacy laws outside the U.S. make what is otherwise routine and procedural here illegal over there. Lawyers representing U.S. companies have been prosecuted in Europe for collecting electronic data for U.S. legal proceedings.
You can either comply with the law here or you can comply with the law there, but you can’t easily do both. It’s not that you can’t take electronic data outside of countries with privacy protection laws — you can, but only if you do it the right way. And sometimes it’s just easier to work with it there instead of trying to get it out.
On day two of LegalTech West Coast in Los Angeles June 25, one of the morning presentations was titled Globalization and International E-Discovery, moderated by George Rudoy, with Browning
Not wanting to scare you or anything, but you really won't like it if you're arrested over there.
Marean and Michael R. Polin as panelists. I’m glad I chose this session, and I am sure the rest of the audience feels likewise. If the materials and audio become available online, I recommend them. Another recent presentation I recommend is a FIOS webcast presented April 21, 2009 titled The Sedona Conference® Update: Addressing the Challenges of Cross- Border e-Discovery, presented by FIOS and the The Sedona Conference. This is available online at the FIOS website.
For a country that traditionally prizes the rights of the individual, the United States does a poor job of protecting personal privacy. Other countries have comprehensive privacy protection laws. Other than a patchwork of topic-specific protections, such as medical information under HIPAA (the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191), we do not have privacy legislation.
Privacy protection in the U.S. is mostly about protection against governmental infringement, such as the Fourth Amendment to the Constitution prohibiting unreasonable search and seizure. We don’t seem to care much about nosy intrusions by non-governmental entities. Privacy protection in Europe is about protection not only from state-sponsored abuses – Europe’s twentieth century experiences of these are truly horrific [Note 1] – but also against abuses by corporate and other private interests. For example, individual credit reporting is much more restricted in Europe, limited for the most part to a registry warning of persons who have defaulted on consumer debt.
In the U.S. you have to actively opt-out of receiving telemarketing calls. In Europe, they don’t have your information in the first place, so they can’t bother you. While it’s been quite a few years since I’ve had dinner at a friend’s home in Europe, I have a hunch that their dinnertimes are interrupted by annoying telemarketing calls a lot less than ours are.
Most other industrialized countries, civil code jurisdictions in particular, have a much more restricted scope of discovery in their civil litigation. However that is not what prevents data from other countries from entering the US. It’s a combination of Directive 95/46/EC of the European Parliament, part one here , part two here, and the privacy legislation of each of the member states that prevents such transfer. For a table of links to all the EU member privacy protection statutes, go to http://ec.europa.eu/justice_home/fsj/privacy/law/implementation_en.htm. Not all of them have English translations available.
EU Directive 95/46 sets the minimum standard for privacy legislation of the member countries. Some, like Germany’s, go quite a bit beyond the directive’s requirements. However, provided another member country’s legislation meets the minimum requirements of the directive, and they all do, then data can be transferred from one member country to another.
Outside of the European Union and the European Free Trade Area, only two non-European countries have fulfilled the EU’s requirements. The United States is most definitely not one of them. These two countries are Canada and Argentina. For the EU’s certification that Canada is compliant, go to http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/canada_st15644_06_en.pdf
In the case of Canada, this is somewhat ironic. All of Canada’s provinces except Quebec are common law jurisdictions with broad discovery like the U.S. (see Ontario’s Rule 30 here) , but that doesn’t mean data can be freely gathered there and brought into the U.S. for the purposes of civil litigation. Canada, like the 27 member countries of the European Union, has comprehensive privacy legislation, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5. (known as “PIPEDA”.) You’ll need to engage local counsel in Canada to assist you with this legislation and any other relevant provincial or federal laws in Canada before gathering any electronic data there and bringing it south of the border.
Conversely, while its discovery and other rules of civil procedure are substantially the same as the U.S. and significantly more expansive than continental Europe, data from continental Europe that cannot be transferred into the U.S. can be transferred into Canada. Again, a caveat – get the advice of local counsel in Europe or Canada – ideally both — to make doubly sure that it will be all right to move data from continental Europe to Canada for hosting on a server for your reviewers to log in to from California.
What constitutes transfer of data outside the EU? Is it copying it from its source and then loading it onto a server, and if that server is within an EU member state, all is well? Or does transfer constitute ability to access online – so even if the data reside on a server on European soil, does a review room in New York with access to that database on that server in Europe violate that European country’s privacy laws and the EU’s directive?
The answer depends on the specific country’s legislation. Some of them are so strict that the review room itself has to be on European soil. Others are fine with access from anywhere, as long as the digital files themselves remain housed on media located within Europe, or within a country that is certified by the EU as compliant with its privacy directive. Quick quiz, what did we just say those two countries
Don't cry for me or your data.
are? Once again, Canada and Argentina.
Another question: is it simply the fact that the data is electronic, or the fact that the data collection may contain items within it that are personal in nature, that runs afoul of European privacy laws?
Asking that question betrays my American frame of reference and way of thinking. We’re now into a discussion not just of differences in law, but of differences in culture.
Here in the U.S. an employee has no expectation of privacy when he or she uses employer-provided equipment and infrastructure to shop online or to send an e-mail to a spouse reminding him or her to pick up the dog from the veterinarian or the kids from day-care, whereas in Europe an employer has no right to those personal communications and transactions notwithstanding they were done on company time and equipment. Different societal priorities.
But it goes further than that. The splitting of a person into a “company self” and a “personal self”, while normal to our way of thinking, seems to be an unknown concept in Europe. An e-mail sent or received by an employee entirely in his or her corporate capacity is still “personal” in the laws of European countries because it has that employee’s name on it. A person is a person is a person, even when he’s working for The Man. In other words, merely removing what we in the U.S would regard as the “really” personal contents of an individual’s corporate e-mail box (the messages to friends and family, the receipts for online purchases, etc.) does not render the rest of it all right to transfer from Europe to the U.S.
So, when is it all right to transfer European data to the U.S?
First, maybe consent will suffice. If consent to the transfer is given by the person identified as the “data subject”, then that takes you a long way toward being all right with bringing it in. Note that you’re not home safe yet. In some source countries, that consent might be sufficient; others with more restrictive legislation may still have a problem with what happens downstream with data in U.S. discovery, because it may have to leave the control of the company initially collecting it. Another point to remember is that in some countries, a consent given by an employee at the request of an employer is presumed not to be voluntary, in other words, no consent at all.
Second, you might consider getting official authorization. All EU countries have a privacy commissioner (Canada seems to have dozens), and their respective privacy statutes all provide for a procedure to seek the approval of this official for the transfer of data out of the country to the U.S. Make a good case that the removal of the data falls within one of the enumerated reasons to permit it, and you’re good to go. Of course, the wheels of European bureaucracy can grind even more slowly than the wheels of U.S. justice.
Third, there’s the “Safe Harbor” route. These two words should not be confused with the safe harbor concept in Fed. R. Civ. P. 37(e). We’re talking about totally different harbors here. The United States Department of Commerce maintains a list of companies that are certified as compliant with the EU privacy directives. Data can be transferred from Europe to the U.S. if it is going into the hands of one of these companies.
Safe Harbor certification is self-certification. It has to be. The Department does not have and should not be expected to have the resources to inspect the data handling practices of hundreds or thousands of companies. Companies have to re-certify themselves each year, and they are subject to a of Department of Commerce audit, which may be triggered by a complaint, and if they fail that audit, they’re off the list and potentially subject to other penalties for having inaccurately certified themselves.
Because of the arguably subjective and transitory nature of Safe Harbor certification (companies on the
This place might be safe.
list one year can be gone the next), one Canadian e-discovery vendor distributed fliers at New York LegalTech a couple of years ago with a photograph of the Toronto waterfront with the caption “Your safest safe harbor.”
Aside from comprehensive privacy acts passed since 1995 by various member states to comply with EU directive 95/46, there are also “blocking statutes”. Some of these have been around for a longer time. These are laws that may be quite specific in prohibiting the removal of data from a country.
As Browning Marean told the audience at LegalTech in L.A., even a nice “you don’t look foreign” country like Canada can get unpleasant this way. Two decades ago, well before Canada’s PIPEDA legislation, Browning had a trial in U.S. District Court in New Mexico. A Canadian blocking statute prohibited the removal of certain industry-specific information from Canada. This had prevented his client from being able to fulfill its discovery obligations.
Too bad. The judge entered default judgment against Browning’s client for 2.4 billion dollars. Back then, that was a lot of money.
Sometimes there's a little sibling rivalry
That judge’s imperious ruling seems to imply that Browning and his client should have ignored Canada’s law; this fits completely with the stereotypical American who can’t quite grasp the idea that the reach of U.S. law ends at the border. How dare some other country presume to interfere with our discovery processes even if it is on their soil? Think of Ann Coulter’s diatribe in 2007 on Fox News (where else?) that Canada “better hope the United States doesn’t roll over one night and crush them”. (You can watch this, if you really must, at http://www.youtube.com/watch?v=LmcZG87Fmxc.)
As I mentioned earlier, if the materials from the West Coast LegalTech presentation by George Rudoy, Browning Marean, and Michael Polin do become available online, I recommend them. Most of this post has been about Europe and Canada, and this was mainly Browning’s to speak about, but the session gave equal time to the rest of the world. George had some interesting information about Russia and other former Soviet bloc countries. Did you know that Russians will never sign anything? You could have a hundred Russian employees of a multinational company, all perfectly agreeable to their data being removed from the country to the U.S., but ask them to sign their name to paper consenting to this? Forget it. They’ll never do it. Memories of the KGB and the gulags die hard. Michael Polin has an international law practice that specializes in China. If you think the stuff about Europe was complicated, try navigating your way around the laws in Beijing.
The key take-away from all speakers regarding all countries – you will need to work with local counsel.