In the U.S. District Court for the Southern District of New York, five female plaintiffs bring a lawsuit against an international advertising firm with a public relations subsidiary in the United States, asserting claims of systemic, company-wide gender discrimination. As part of discovery, the plaintiffs seek the electronically stored information (ESI), including emails, of the company’s CEO, who is based in France. Can the plaintiffs collect and produce this data in the course of the litigation without violating France’s data privacy laws and blocking statute, which prohibit French companies from disclosing personally identifiable information?
This is the backdrop to Da Silva Moore v. Publicis Groupe, No. 11 Civ. 1279 (ALC) (AJP), 2012 U.S. Dist. LEXIS 23350 (S.D.N.Y. Feb. 24, 2012), a case that has been extensively noted for its approval of technology-assisted review while the thorny discovery issues involved have been largely overlooked. In today’s global economy, litigants in U.S. courts increasingly need information created abroad in response to discovery requests and subpoenas. Furthermore, with the advent of cloud computing, litigants face additional challenges when accessing data that originated overseas. And unlike in the United States, where courts presumptively grant access to information so long as it is reasonably calculated to lead to the discovery of admissible information, a complex web of international laws governs the disclosure of information created and stored outside the United States, driving up the costs of litigation and posing significant delays in the litigation process.
Data Privacy Meets E-Discovery
Outside the United States, many nations, particularly in Europe, Asia, and Latin America, have adopted restrictive schemes designed to protect the privacy of their citizens’ personal information. For instance, member states of the European Union have detailed data protection laws based on the European Union’s Data Privacy Directive. These laws restrict when and how organizations can collect, process, store, alter, retrieve, and transmit—even by merely copying one file to another—what they call “personally identifiable information.” This information is defined broadly to include a person’s name, age, gender, marital status, nationality, citizenship, veteran status, personal or business contact information, identification numbers and email addresses, among other things.
In addition to the privacy laws, several European nations have enacted blocking statutes, which are designed with two purposes: protecting sovereignty and shielding citizens from what is considered an improper intrusion into their privacy. The United States does not have a similar privacy framework (although protection of personal information has become a more important issue in the United States over the past few years); thus, these countries—especially those that are part of the European Union—believe the United States does not offer adequate protection to allow the unrestricted sharing of data. It is difficult for parties to reconcile these laws with the directive of the Federal Rules of Civil Procedure (FRCP). When organizations share data across international borders to meet their U.S. discovery obligations without fulfilling the requirements of the foreign-based data protection authority, they may face serious consequences, including fines and criminal charges.
In general, organizations must undertake a three-part inquiry to determine whether they must produce data located abroad in response to discovery requests in a U.S. court. First, they must decide whether the information is within their “possession, custody, or control” under FRCP 34. U.S. courts tend to define the term “control” broadly: If a party has the legal right, authority or practical ability to obtain the information sought, it is generally considered within the party’s control. Importantly, access to that information from the United States through the organization’s IT network likely is sufficient to meet this prong of the inquiry.
Next, parties must evaluate whether the foreign law that applies allows the processing, transfer and production of the overseas ESI. The answer to this inquiry depends on the laws of the country where the ESI is located. Where the ESI is “located” may not be self-evident in a era of third-party cloud computing and/or multiple data centers located around the world. IT Departments are constantly migrating or transferring ESI, or providing redundancies for disaster recovery, in the ordinary course of business to increase the efficiency or cost-effectiveness of their systems. Understanding where any copies of ESI may be located at any particular moment may be challenging.
Finally, the parties must determine whether the U.S. court will require them to produce the ESI, regardless of any applicable foreign restrictions. The answer to this question is typically affirmative (albeit with some restrictions or limitations in deference to privacy concerns), but courts have generally deferred more readily to data privacy laws than to foreign blocking statutes.
Handling ESI Created, Stored Abroad
Organizations involved in cross-border litigation must carefully balance practical and legal implications of managing international data privacy issues when undertaking e-discovery, including ensuring the identification, management and minimization of risks while adhering to the requirements of both the U.S. and the foreign jurisdiction.
Chief among organizations’ responsibilities is developing a comprehensive strategy toward managing their ESI, balancing the legal risks, the business needs, and the cost considerations. Before engaging in any litigation, organizations should establish, and provide a means to comply with, protocols and policies that manage their ESI. These policies should include computer, mobile device and information technology usage policies that set employees’ privacy expectations, (e.g., work email may be preserved and collected in response to legal matters). Organizations must also ensure they have adequate data security measures in place to protect personal data from inadvertent transfers to different locations or data breaches, especially with third parties such as cloud computing service providers.
Once these policies are in place, organizations should engage in litigation-readiness planning so they are prepared to handle the discovery of documents in cross-border legal matters. First, they should “know their data,” meaning that they should understand what types of data they create and where they store it, in particular those data sources likely to be relevant to litigation or regulatory investigations. Spending the time to develop a data map of likely relevant data sources to pinpoint the locations of this data can prove invaluable during the crunch of litigation or an investigation. It can also help organizations determine whether their U.S. operations have unnecessary access to data stored abroad; if so, they can limit this access and thus minimize the likelihood that they will need to produce this data under U.S. discovery rules. Moreover, if organizations determine that they store ESI in multiple locations abroad, it may make sense to consolidate it in one centralized repository to avoid the need to comply with each nation’s privacy rules. Fluency in the laws of all jurisdictions that would control transmission, collection, and processing of ESI is a must to determine the optimal location for storing and processing the information.
Immediately following the implementation of a legal hold, organizations should initiate planning and execution of a more specific e-discovery strategy tailored to the circumstances of the particular matter. Because the laws of a foreign jurisdiction may create exposure to legal risk when organizations transfer, collect or process ESI housed abroad for purposes of U.S. litigation, they should employ methods for minimizing such risks where possible. Conducting on-site data review in the country where the data is located is one way to do so. Organizations should also investigate ways to limit the collection of foreign data. Organizations should work with opposing counsel to negotiate the scope of data for production and spend time targeting relevant data at the outset of litigation instead of implementing a broad collection philosophy.
Organizations may also consider the use of either an on-premise tool or a hosted or cloud model with U.S. data centers; both methods will enable an organization to conduct a review to identify, isolate and ultimately transfer only relevant data. Thus, organizations can potentially limit the quantity of personally identifiable information at issue. They should determine how they can best leverage technology to accomplish e-discovery goals while controlling costs and risks.
Utilize Technology, Minimize Exposure
Even after relevant data that an organization legally must produce in U.S. litigation is identified and isolated, concerns may linger over production of data that constitutes or contains personally identifiable information. The application of emerging redaction and anonymization techniques that eliminate personally identifiable information may assuage legal concerns with respect to data privacy statutes in foreign jurisdictions. While traditional manual redaction is time-consuming, challenging and prone to the errors of a subjective reviewer and therefore risks divulging private data, new tools are available that make redaction or anonymization techniques highly automated and therefore more efficient, accurate, and cost-effective. Most importantly, they help fulfill organizations’ data privacy obligations.
When international organizations involved in U.S. litigation retrieve data created abroad, they may discover that large portions of data contained in the documents are relevant and therefore subject to production. However, it is also likely that these documents may include a considerable amount of personally identifiable information, and processing and transferring it to the United States would violate the nation’s data privacy laws and, if applicable, its blocking statute. Therefore, organizations must balance their need to comply with their discovery obligations with their need to respect foreign privacy laws: One way to do so is via redaction of the private information while producing the relevant information.
Redaction tools allow reviewers options for simply clicking within an image of a document to make redactions, whether of certain words, an entire page or pages of text, or even all pages except a certain paragraph or portion. Users make redactions onto an image of the original document or, in some cases, the native version of the document may be redacted and then produced in native format. At the time of production, the organization turns over to the opposing party the image with permanent redactions burned into the image. Whenever producing redacted documents, always be certain that the metadata (particularly the text file) reflects the redactions made to the original image.
Also during e-discovery, organizations usually must review hundreds of emails and attachments, many of which include spreadsheets containing data subject to legal protection. In executing their redaction process in a timely and accurate manner, organizations can employ advanced search techniques that will recognize patterns of regular expressions and redact all content matching that pattern (for instance, national identification numbers or social security numbers).
Automated redaction tools search through the text of documents for user-provided terms and then automatically redact those terms from the image or native version of the document. Organizations may find automated redaction techniques with advanced data detection particularly helpful where it needs to conceal personally identifiable information within a document, including formatted numerical data such as social security numbers, employee identification numbers, claim numbers, or account numbers. Likewise, reverse redaction tools permit users to select specific text they wish to keep in a document and redact the remaining content. Reverse redaction technology allows for expedited redacting when the majority of a document or documents require redaction. Conducting such automated redaction may help meet the obligations of privacy protection of the origin country (particularly if employed with a more limited collection of relevant ESI) and allow for the transfer of documents to the United States where U.S. counsel can conduct a more manual review.
Beyond emerging redaction technology, other options remain available to organizations seeking to meet legal obligations to both a foreign jurisdiction with respect to personally identifiable information and the United States regarding the litigation in which they are involved. Even after data is transferred to the United States, organizations may retain responsibility for ensuring that any personally identifiable information is protected in accordance with the laws of its place of origin, such as by using “safe harbor” vendors, following the procedures set forth in the Hague Evidence Convention, negotiating contracts with third parties that include model contractual language or other provisions designed to protect data, or implementing strict protective orders. Keep in mind, however, that depending on the unique circumstances of each case, additional methods may be required to safeguard the information and meet foreign data protection requirements.
Although workarounds and new technologies have evolved to help organizations battling competing legal obligations, no perfect solution or set of options currently exists. For the foreseeable future, perhaps until the United States and other nations reach a more uniform understanding of what constitutes private information and a consensus as to the sanctity of such information, organizations will continue to walk a tightrope, balancing data protected by privacy laws abroad with discovery obligations under U.S. law.
Anthony J. Diana is a litigation partner at Mayer Brown in New York and co-heads the firm’s e-discovery and records management group. Gabriela P. Baron is vice president of business development at Xerox Litigation Services, where she oversees global business development activities.