A decade ago in New York, a judge named Shira Scheindlin famously issued a series of opinions in a case called Zubulake v. UBS Warberg that would change the world—or at least the United States. Since 1938, when the Federal Rules of Civil Procedure were first enacted, lawyers have had the power to compel the production of documents from their litigation adversaries. Zubulake forced lawyers and parties to realize that in this age, “documents” not only means the “paper” lawyers had produced for decades, but also all those relevant emails, PowerPoints, electronic spreadsheets, security video and any other electronically stored information spawned from the computer revolution.
It took years, but most U.S. lawyers and clients eventually came around to understand at least the basics of this burgeoning field called e-discovery. New words and concepts came into the litigation vernacular. “Litigation holds” are now required to prevent custodians from deleting potentially relevant electronically stored information. “Employees” become “custodians” if they have potentially relevant information. “Spoliation” happens if, for example, a litigation hold is not issued and a custodian deletes potentially relevant information, even if otherwise required by company retention and deletion policies. And spoliation is usually followed by words like “default” and “sanctions,” because, that is what happens if parties do not comply with their U.S. discovery obligations.
As a result, a multibillion dollar industry grew of lawyers and vendors who collect, process, host, review and produce all these petabytes of electronic information potentially relevant to U.S. litigation. Corporate America grumbled about the expense but learned the buzzwords and came in line with the new paradigm.
But what happens when the party to begin litigation is not part of corporate America, but corporate Europe? Say, for example, a famous movie star dies driving his new Italian sports car. His estate sues the manufacturer for $150 million in lost future earnings. The lawsuit is filed in Miami, where the car was sold and the accident happened, and the plaintiff immediately seeks all documents relating to the manufacturer’s new disc brake cooling system that allegedly failed. Easy, right? The manufacturer issues a litigation hold, hires a vendor to search for and collect all the emails and related documents from every custodian in Italy who worked on the design team. It then hires a crew of contract lawyers to review those documents for privilege, and produces the relevant ones to the plaintiff. Simple. But very dangerous.
Dangerous because in the last 20 years every member country of the European Union has enacted laws complying with the EU’s privacy directive, known as 95/46-EC. That directive grew out of Europe’s post-World War II determination that privacy of one’s correspondence is a “fundamental human right.” Europeans take their right to data privacy seriously; like Americans and their right to carry guns. Thus, the EU privacy directive only permits companies in Europe to process, or search, their employees’ email under very limited circumstances—and being a defendant to a $150 million lawsuit in Miami is not clearly stated as one of them. Moreover, under the privacy directive, companies also cannot transfer data from a member state to any other country that does not ensure an adequate level of privacy protection, and that definitely includes the U.S.
The result is a classic Catch-22: Either the Italian defendant to the Miami product liability action produces the documents to the U.S. plaintiff and violates European law, or it complies with the European law and gets defaulted on $150 million in liability by the U.S. court. This is an obvious dilemma, and there is no elegant solution. Often in international circles, countries massage these things with erudite solutions like the doctrine of comity or letters rogatory, but those tricks generally will not work here. As shown by at least one EU administrative working-party report, European regulators are well aware of the “U.S. litigation” problem many of their international businesses face, but offer no solution. In fact, they provide little sympathy by only suggesting that one might comply with the law, for example, by providing anonymized data. But producing emails with the names deleted just does not work for judges, or plaintiffs, in U.S. courts. The European authorities even go so far as to say that the mere act of preserving data beyond the expiration of its normal business purpose—as is done with a litigation hold—can itself be a violation of the prohibition on “processing.”
The result is that representing foreign clients under the jurisdiction of U.S. courts can present a whole new trap for the unwary. The now normal “hold and collect” methods that U.S. lawyers and businesses finally came to understand could result in criminal prosecution in Europe. Sophisticated U.S. lawyers faced with this issue when representing a foreign client usually blend a secret sauce of interviews leading to voluntary production by the custodian, limited but in-country data mining and forced confidentiality agreements with the other U.S. parties—all sautéed in a pan of deference to the privacy directive. But there is no guarantee that any of these ingredients would actually sate a European administrator hungry only to zealously enforce the right to privacy.
What about the future? Over the past several years jurisdictions including Argentina, Chile, Israel, Switzerland, the Bahamas, Canada, Hong Kong and even Australia have enacted legislation that is either strikingly similar or identical to the EU privacy directive. Rather than a move to the middle, they seem to be circling the wagons.