© 2012 Winston & Strawn LLP
E-Discovery and Privacy Implications for Multinational Companies: Cross-Border Privacy Issues

Today’s eLunch Presenters

John Rosenthal, Litigation, Washington, D.C.
[email protected]

Sheryl Falk, Litigation, Houston, TX
[email protected]
Challenges In Navigating Conflicts With US Litigation And Foreign Laws

Daily operations: privacy, data protection
Litigation: privacy, blocking statutes, U.S. discovery rules
Privacy
United States
• Self-regulatory, “cause of action” approach to privacy
• US Patriot Act
• Protection of specific information against specific disclosure (e.g., HIPAA, Fair Credit Reporting Act)

European Union and Elsewhere
• Privacy is often treated as a fundamental right and protected with few or no exceptions
• “Personal data” is “any information relating to an identified or identifiable natural person”
At Stake for Multinational Companies
Outside the US
• Fines and penalties
• Sanctions
• Non-enforcement of foreign judgments
• Criminal consequences
• Lawsuits in consumer and employee actions

U.S.
• Complying with governmental regulations
• Sanctions
• Spoliation and adverse inference rulings
• Lack of access to exculpatory evidence and testimony
A “Hobson’s Choice”
Generally, parent corporations are responsible for discovery of documents located in foreign branches or subsidiaries. Choices:
• Either collect documents outside one’s jurisdiction (and potentially face foreign civil and criminal sanctions); or
• Fail to collect such documents (and face domestic civil and criminal sanctions)
Obtaining Evidence

Two options:
1. Rules 26 – 38 of the US Federal Rules
2. Treaty or Convention (e.g., Hague)
The Hague Convention
Hague Convention on the Taking of Evidence Abroad (1972): an attempt at compromise; a uniform procedure for collection of evidence between common law and civil law jurisdictions
Discovery through the Hague Convention
• Letters of Request (Letters Rogatory) issue from a court in one nation to the designated authority in the second nation (often a court), requesting assistance in obtaining information
• Signatories often limit U.S. discovery (for example, no depositions)
• Requests must be specific to be granted
• Compliance can take 6-12 months
• Most EU countries require compliance with the Hague to transfer information
Societe Nationale Industrielle Aerospatiale v. Iowa U.S. District Court, 482 U.S. 522, 556 (1987)

• U.S. Supreme Court finds (contrary to most foreign countries’ beliefs and expectations) that resort to the Hague Convention is unnecessary
• Held that the five-factor test set forth in the Restatement (Third) of Foreign Relations Law Section 442(2)(a) is “relevant to any comity analysis . . . .”
• Trial court should balance the following factors where the information sought is subject to the privacy laws in another foreign jurisdiction:
  1. the significance of the discovery/disclosure to issues in the case;
  2. the degree of specificity of the request;
  3. whether the information originated in the jurisdiction from which it is being requested;
  4. the availability of alternative means of securing the information sought in the discovery/disclosure request;
  5. the extent to which noncompliance would undermine the foreign sovereign interest in the information requested
In re Vitamins Antitrust Litigation, 120 F. Supp. 2d 45 (D.D.C. 2000) - Multidistrict litigation concerning vitamin price-fixing

• Defendants moved for a protective order to bar discovery of personal data protected by the German BDSG, the Hague Convention, and Swiss and German privacy laws.
• The Court applied the Restatement (Third) of Foreign Relations Law balancing test and found the requested discovery was not so intrusive that it affronted the national sovereign interests of Germany and did not warrant Hague intervention.
• Held: the Defendants must comply with the FRCP. The Court held that the Federal Rules be used not only for discovery on the merits but also for discovery necessary to resolve a dispute over the court’s jurisdiction.
In re Visa
• Discovery dispute over two documents created in connection with the EU’s investigation into Defendants’ conduct.
• The EU sought to restrict access to its own investigative procedures and asserted that the US court should respect its confidentiality.
• The District Court explored whether the need for deference to a foreign sovereign entity trumps the Federal Rules’ liberal approach to discovery.
• The District Court applied the Aerospatiale factors and held that the EU’s interest in confidentiality overrides Defendants’ need for discovery.
Enron v. J.P. Morgan
In Enron v. J.P. Morgan Secur. Inc., No. 01-16034 (Bankr. S.D.N.Y. July 18, 2007), the court held that the threat of the French blocking statute did not excuse a party from its discovery obligation and did not warrant the invocation of the Hague Convention. The court ordered the responding party to promptly comply with its discovery obligations.
Interpreting the Restatement: The Volkswagen Case

Volkswagen, A.G. v. Valdez - Volkswagen sued for product liability because of a car accident
• District court orders production of a German phone book containing work/home telephone numbers of German employees
• Volkswagen argued that the German Federal Data Protection Act prohibited production of the phone book and appealed
• Texas Supreme Court finds application of the five factors set forth in the Restatement (Third) of Foreign Relations Law Section 442(1)(c) (1987) necessary
• Held: “there is no evidence in the record suggesting that VWAG’s failure to produce this phone book would undermine any important interest of this country, particularly when the record shows alternative methods for obtaining the information exist.”
European Union Privacy Directive (95/46)
• Member nations must implement laws to restrict all manner of “processing” of “personal data,” meaning “any information relating to an identified or identifiable natural person” (see EU Directive Article 2)
• Prohibits transfer of personal data outside the EU unless the country to which it is transferred provides “adequate protection” of personal data (EU Directive Article 25) or implements other measures
• Only a handful of countries are deemed to offer sufficient protection: Switzerland, Canada, Argentina, Guernsey, and the Isle of Man; not the U.S.
• Limited exceptions to Article 25 – when the transfer is in furtherance of an “important public interest” or the “exercise, establishment or defense of legal claims” (EU Directive Article 26(1)(d))
• Exceptions historically have been narrowly interpreted by the EU Advisory Board
Methods to Collect and Transfer Information from EU Countries
1. Clear, Unambiguous Consent
2. Safe Harbor
3. Model Contractual Clauses
4. Binding Corporate Rules

All involve significant limitations and specific procedural and substantive challenges
1. Consent

A data transfer can be made on the condition that the data subject, or the person to whom the data pertains, has given his or her clear, unambiguous consent.

To be valid, consent must be: 1) given before the transfer, 2) unambiguous, 3) specific to the transfer or category of transfers, 4) freely given, 5) informed, and 6) not coerced, which can be presumed if obtained by an employer (Germany); consider going through the Works Council.

Some EU countries have found that employees are incapable of voluntary consent (France). See Article 29 Working Party Report, July 2011.
Article 29 Working Group Opines on Consent Requirements
• Only affirmative statements or actions constitute valid consent – mere silence or opt-out will not be viewed as valid
• Consent must be given prior to data processing, after providing clear and unambiguous notice
• In an employment context, special consideration must be given to ensure consent is not coerced
• Reliance on consent does not relieve data controllers of their obligations to comply with other EU data protection laws
• A data subject can withdraw their consent, which requires the data controller to delete the data
2. Safe Harbor
The US Dept. of Commerce and the European Commission developed the “safe harbor” framework to provide predictability and continuity for those EU organizations that consistently send personal information to the US.
• Only available to US entities regulated by the Dept. of Transportation or the Federal Trade Commission (excludes financial and telecoms)
• Allows personal data to flow between the EU and US without need for consent or other arrangement
• To use, an organization must join a self-regulatory privacy program or develop its own in conformity with Safe Harbor requirements
• See www.export.gov/safeharbor
Safe Harbor Principles
• Notice to data subject
• Choice to “opt out”
• Prohibition against onward transfer
• Access to data
• Security of data
• Data integrity
• Enforcement of violations
3. Model Contractual Clauses
The European Commission adopted standard contractual clauses to ensure adequate safeguards for international transfers of personal data.
• Allows transfer of data outside the EU if both parties agree to be bound by provisions equivalent to the Directive (Art. 26(2))
• Data importers must contractually agree to comply with Safe Harbor principles and allow audits of data handling methods
• Excludes a company’s transfer of data to itself (i.e., internal ediscovery transfers are not allowed)
• Data subjects (employees) can block transfer or production of information at any time
4. Binding Corporate Rules
Personal data can be transferred outside the EU but within a group of companies in a manner that ensures adequacy by adoption of binding codes of corporate conduct or binding corporate rules (“BCRs”).
• Most appropriate for organizations with complex corporate structures and a web of cross-border data transfers
• Very difficult to manage: rules must be binding within the entire corporate group (parents and subsidiaries)
• Requires prior approval in all EU member states
• To date, the only corporations that have had BCRs approved by a DPA are General Electric (UK), Philips (Denmark), and Daimler-Chrysler (Germany)
January 2012 - EU Proposes Comprehensive Reform of Data Protection Rules
• A single set of rules on data protection, valid across the EU
• Increased accountability and responsibility of data owners: must notify of data breaches within 24 hours
• A “right to be forgotten” to help manage risk online
• Companies will only have to deal with a single national data protection authority
• Default privacy settings should be those that provide the most privacy
• Companies will be obliged to inform you clearly about how your data will be used
• EU rules apply if personal data is handled abroad by companies who are active in the EU
• Penalties ranging from a 1 million pound fine up to 2% of the global annual turnover of the company
Article 29 Working Group
The Working Party is an advisory board composed of DPAs from each member state and has no enforcement authority but offers opinions and makes recommendations. Authority resides in the member states.
2009 opinion addresses document retention/data processing, recommending, without providing a safe harbor, the following:
Documents needed for pending or anticipated litigation should be retained, as this constitutes a legitimate purpose
It is not a legitimate purpose to retain documents for potential or future litigation
Consent is not a legitimate basis for processing personal data unless it can be "freely given"
Document retention and destruction policies that destroy obsolete data are encouraged
Compliance with a foreign legal obligation (e.g., discovery requests in U.S. litigation) is not a legitimate basis for processing personal data; recommends a balance test of the foreign interest and the data subject's fundamental rights and freedoms
Personal data should be disclosed using pseudonyms where possible
Cull data prior to review in the country in which the data is originally stored
Be particularly careful about producing "sensitive personal data"
Companies should involve the local data protection officers at each stage
This opinion did not provide the clarity or guidance that companies or their counsel were hoping it would
Article 29 Working Group -2012
On March 23, 2012, the Working Party adopted an Opinion on the EU’s data protection law reform proposals.

The Opinion indicates that the Working Party welcomes many aspects of the proposed regulation, including the proposal’s emphasis on:
• the preventative use of privacy controls (e.g., through privacy impact assessments, privacy by design, privacy by default);
• new responsibility and accountability requirements that apply throughout the information life cycle;
• the legal recognition of Binding Corporate Rules (“BCRs”);
• specific security measures for data processors; and
• considering data processors to be data controllers if they act outside the scope of the data controller’s instructions.

The Opinion also states that IP addresses and cookies relate to identifiable persons and should be considered “personal data”.
Recent High profile EU Decision
In March 2012, the EU declared Google’s privacy policy in violation of EU law:
• The EU was not consulted in preparation of the policy
• The policy did not meet transparency requirements; “Impossible for average users to understand the policy”
• It allows Google to give data to third parties
EU Addresses the Cloud
• Microsoft enacts a strict safe harbor agreement but admits that cloud data is not protected against the US Patriot Act
• The EU is upset over the US Government’s ability to secretly obtain data
• Microsoft responds by allowing companies to designate geographical regions where data will be stored
• Microsoft launched the Office 365 Trust Center, which offers its customers compliance with the EU’s Data Protection Directive
• Microsoft is the first provider to sign a set of EU “Model Clauses”
Blocking Statutes

Blocking statutes are foreign laws designed to shield information – sometimes only very specific types of information – from foreign requests.
French Blocking Statute
• Bars the requesting, seeking, or disclosing of information directed toward establishing evidence for the purpose of legal or administrative proceedings abroad. French Penal Law No. 80-538 (1980).
• French Supreme Court case: conviction of a French attorney under the statute for seeking an interview from a French citizen for purposes of a US-based lawsuit.
More Countries with Blocking Statutes
• Switzerland and Germany: have blocking statutes or blocking mechanisms in place
• China: National Security Interest Law; a state secrecy law was used to prevent disclosure; the 9th Circuit Court held that criminal penalties in China did not excuse the obligation to produce in the U.S.
• Canada: the Foreign Extraterritorial Measures Act restricts the production of records that would infringe Canadian interests or sovereignty; Quebec Business Concerns Records Act
• Bahamas, Bermuda, Liechtenstein, and Cayman Islands: prohibit disclosure of banking and financial records
• Panama: prohibits the disclosure of corporate records or even removal of such records outside Panama
Overview of Privacy Laws
• Argentina - Privacy constitutionally protected; enacted Data Protection Act in 2000 (modeled after EU)
• Australia - Privacy Act of 1988 and Amendments of 2000 (does not impose EU standards but requires reasonable measures be taken to ensure protection of data when transferred, including extra-territorial transfers)
• Brazil - Privacy constitutionally protected in 1988 Constitution; Habeas Data Act of 1997, Brazilian Civil Code (2003) and Consumer Code of 1990 protect privacy of individuals and consumers
• Canada - Personal Information Protection and Electronic Documents Act (2000); complies with EU privacy standards; Privacy Commissioner Guidelines of 2009 (cross-border transfers not prohibited but must follow specific guidelines)
• Chile - Constitutionally protected; Data Protection law enacted in 1999 (first in Latin America; protects personal data but does not restrict cross-border transfer; no DPA to supervise compliance)
• China - Has not enacted a privacy law to date but has indicated that it will, and that it will not mirror either the U.S. or the EU privacy regimes; local privacy ordinances in the provinces of Shanxi and Guangdong; enacted anti-spam statute, Measures for Administration of E-Mail Services on the Internet, in 2007 [Needs to be updated per prior article circulated]
• Colombia - Privacy is constitutionally protected (interpreted to follow EU model on privacy); Law 1266 of 2008 regulates privacy and data protection (scope of this law is still ambiguous; interpreted at present through Ruling C-1011 to apply only to credit and financial information, commercial transaction data, and data protection regarding services rendered to and from third-party countries)
• Hong Kong - Became a Special Administrative Region of the PRC in 1997 but retained the Personal Data (Privacy) Ordinance, which allows subjects to access, correct, and erase personal information under the Privacy Commissioner for Personal Data’s authority; Unsolicited Electronic Messages Ordinance enacted in 2007
Overview of Privacy Laws (cont.)
• India - Privacy is a fundamental right but not subject matter for legislation; Information Technology Amendment Act of 2008 (provides for complaint and compensation for aggrieved individuals whose personal data has been improperly made available); Information Technology Rules, 2009 (created Indian DPA and prohibits unauthorized monitoring); in practice, privacy and data protection are largely created and enforced at the corporate level as driven by client/customer concerns
• Israel - Protection of Privacy Law deemed to comply with EU law
• Japan - Personal Information Protection Law went into effect in 2005, with Amendments in 2008 (applies to any company with offices in Japan that has data on more than 5,000 individuals); anti-spam laws in 2002, revised in 2008
• Korea - No general privacy laws in effect; some specific business sector laws; Act on the Promotion of Information and Communications Network Utilization and Data Protection of 2000 applies to information communications services
• Malaysia - Personal Data Protection Bill of 2009 is now pending in the legislature
• Mexico - Constitutional privacy protection; no comprehensive privacy law, though legislation has been introduced and is expected to be reintroduced by the current Congress; privacy treated in piecemeal fashion focusing on protecting consumers, maintaining privacy in banking and medical records, and protecting intellectual property rights
• Morocco - Data Protection Law enacted in 2008 (follows EU model)
• Philippines - Constitutional right to privacy; no comprehensive privacy law; draft privacy legislation pending
• Peru - Enacted Data Protection Law in 2001 (similar to EU model); 2005 Anti-Spam Law (first Latin American anti-spam law)
Overview of Privacy Laws (cont.)
• Russia - Federal Law on Personal Data went into effect in 2007 (applies to both public and private sector processing of personal data)
• Serbia - Law on Personal Data Protection went into effect in 2009, replacing the 1998 law; provides for notice, consent, access, right to correct, database registration, and data transfer guidelines
• Singapore - Privacy self-regulated; investigating whether to develop privacy laws as of 2002, 2006, and 2009; enacted anti-spam law in 2007
• South Africa - Privacy legislation pending (introduced in 2009 to comply with EU model)
• Taiwan - Computer Processed Personal Data Protection Act of 1995 (applies only to financial, securities, insurance, mass media, and telecommunications companies; amendment pending in legislature since 2004 would expand the act to all business sectors)
• Thailand - Constitutional right to privacy; personal data protection law for the public sector, but only in draft form for the private sector
• Tunisia - Law Related to Personal Data Protection (2004) (establishes DPA; provides for notice, written and express consent, database registration, access and correction rights, data retention policy, and security requirements)
• United Arab Emirates - Privacy law enacted but applies to Dubai only; provides for notice, consent, access, correction, security requirements, database registration with the DPA, and cross-border transfers under specific guidelines
• United States - New executive branch position in the Obama administration tasked to address privacy issues [further update re pending bill]
• Uruguay - Data Protection Law enacted in 2008, based on the EU model
The Sedona Conference Working Group 6: Focus on International Issues
In December 2011, Working Group 6 issued International Principles on Discovery & Data Protection: Best Practices, which includes an analytical framework for Cross-Border Discovery Conflicts. See www.thesedonaconference.org
Sedona Principles
1. Parties should demonstrate due respect for foreign laws
2. Compliance should be judged by good faith and reasonableness
3. Preservation should be limited to what is relevant and necessary to support a claim or defense, to minimize conflicts
4. Where a conflict exists, a stipulation or court order should be employed to protect protected data and minimize conflict
5. A data controller should be prepared to address data protection obligations and implement safeguards
6. Data controllers should retain data only as long as necessary
Sedona Model Protective Order

The Model Order seeks to acknowledge a party’s conflicting burdens and assign duties to the requesting party to protect and dispose of the protected data in a manner consistent with the applicable data protection laws. If no stipulated order is reached, file unilaterally. See Appendix B: International Principles.
Basic Analytical Framework
Is There Jurisdiction?
• Does the forum court have jurisdiction over the data?
• Does an affiliate of a party have custody/control/access?
• What is the location of the data?
• Where is the data processed?
• Location of the subject and author of the data

Which non-forum entity has jurisdiction?
• Determine whether there is jurisdiction over the activity (data processing/collection in the E.U.)
• Consider nationality factors
• Consider geographic factors
The Framework (cont.)
Is There a Blocking Statute?

Is There a Treaty, Legislation, or Agreement Between the Parties that May Provide a Solution?
• Is the Hague Convention on Evidence available?
• May consent be obtained from a Data Commission?
• Will a protective order satisfy the pertinent provisions and/or Data Commission?
The Framework (cont.)
Determine Whether the Data is Subject to a Provision Limiting Cross-Border Transfer

Consider the character of the data
• Personal?
• Sensitive (technological, national security, certain financial/company data)?
• Industry-specific (medical information, telecommunications)?

Consider the jurisdiction of the limiting provisions
• Regional (E.U. Directives)
• Country privacy laws
• Industry-specific (financial, anti-trust, technological)

Are there derogations or exceptions to the limiting provisions?
Action Plan - Early Planning
1. Understand the data and know where the data is located
2. Carefully negotiate vendor contracts for data storage
3. Know the laws for the countries where the client stores data
4. Make sure the client is in compliance
5. Enact a good records retention policy and execute it efficiently
6. Develop a plan to deal with cross-border issues for litigation, e.g., an appropriately narrow litigation hold, consent forms drafted that comply with local laws
Action Plan
• Get Safe Harbor certified to address day-to-day transfers and processing
• Get advance consents where possible
• Provide notice to employees of potential treatment of information, including for U.S. litigation
• Address any necessary changes to IT structure
• Develop relationships with key personnel, both legal and business, in offices abroad and, where necessary, local counsel
• Develop a public relations plan to implement in the event of litigation
Action Plan (cont.)
• Create litigation profiles and protocols for each foreign country in which you operate that include, for example, whether there is a blocking statute, people to contact (IT, legal, HR, corporate, outside counsel, and local counsel if needed), consent forms needed, processing and transfer protocols, etc.
• Separate personal files in the Human Resources department
• Create and implement data protection policies
• Create a summary of costs associated with producing information from foreign operations to support the argument that such discovery is unduly burdensome
• Create protective orders and case management orders that take into consideration the possible production of private information from the EU
• Conduct training and discussion sessions at non-U.S. facilities for presenting and working through response plans and problems that may arise
Action Plan (further cont.)
• Develop relationships with the DPAs in every country in which you have operations
• Work with the DPAs to come up with solutions to conflicts between U.S. operations or litigation and each country’s laws
• Request permission from the DPA to remove and produce documents; being denied permission prevents U.S. courts from sanctioning parties for non-compliance, though courts may still grant an adverse inference instruction
• Ensure processing and review vendors and tools can manage local country issues / languages
• Understand and be prepared to deal with the fact that people in other countries will have differing expectations of discovery obligations (civil v. common law)
• Understand and establish relationships and protocols to address cultural sensitivities, e.g., custodians’ expectations of personal privacy, religious holidays, language, etc.
• Allow additional time for processing and review challenges, e.g., time zones, languages
Questions?
Contact Information

John Rosenthal
Chair, eDiscovery & Information Management Practice Group
Washington, D.C.
1 (202) 282-5785
[email protected]

Sheryl Falk
Leadership Team, eDiscovery & Information Management Group
Houston, Texas
1 (713) 651-2615
[email protected]

Thank You.