Thank you for sharing!

Your article was successfully shared with the contacts you provided.
During the last decade, lawyers faced with the novelty of electronic discovery have reacted in different ways. Some lawyers have mastered it, some have become reasonably conversant with it and some have just added it to the list of things they know they don’t know. However, there is an aspect of e-discovery that even the most experienced practitioners may not even know they don’t know: the complexities of e-discovery in the international setting. This article gives a brief overview of issues that can arise in connection with international e-discovery, in particular those relating to data protection regimes, the technical requirements for processing data from other countries and other issues that may arise in the collection and review process. Many countries, most notably the countries of the European Union, have data-protection laws vastly different from those of the United States. EU countries were among the first to adopt data protection regimes, which then served as models for many other countries. The European Commission’s Directive on Data Protection went into effect in 1998. See Council Directive 95/46/EC, 1995 O.J. (L. 281) 31 (EC). The directive regulates the processing of personal data and prohibits the data’s transfer from the EU to non-EU countries if they do not meet the EU standards for “adequate” data protection. The directive requires EU member countries to adopt implementing legislation and set up supervisory authorities for data protection. ( Id., arts. 28 & 32.) The implementing legislation and practice under the directive vary from country to country. A starting point for questions about the data-protection law of any particular country is the Web site of Privacy International. The directive broadly defines “personal data” as “any information relating to an identified or identifiable natural person.” ( Id., art. 2(a).) This language has been construed to include not only data typically considered personal, but also ordinary business documents that refer to a data subject, regardless of whether the data subject is an employee, customer or third party. A business e-mail of which an employee is the identified sender thus might be deemed “personal data” subject to the directive. The definition of “processing” is also broad and includes the “collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” of such data. ( Id., art. 2(b).) The directive permits the processing of personal data only in certain circumstances. One is when the data subject has given his or her consent unambiguously. Another is when processing is necessary for compliance with a client’s legal obligation or for purposes of legitimate interests pursued by the client or the third party or parties to whom the data are disclosed, except when such interests are overridden by the interests of the fundamental rights and freedoms of the data subject. ( Id., art. 7.) The directive provides additional protections for certain kinds of sensitive personal data. ( Id., art. 8.) Consent of Data Subjects If possible, it is preferable to obtain the consent of individuals whose personal data are being processed, even if the processing of the data is otherwise permitted under Article 7 of the directive. This is because, as a practical matter, the collection of documents responsive to a document request or subpoena requires counsel to sift through and review other data not responsive to document request or subpoena. Written consents are also desirable because the local supervisory authority for data protection may interpret the other exceptions narrowly. The form of written consent sought from individuals should be as simple and straightforward as possible, given the circumstances and specific language requirements often imposed by local law. Even when consents are obtained, however, there can still be questions about their validity. In some E.U. countries, such as Germany, there are ongoing debates in legal circles about whether the consent of an employee is freely given and valid when given at the behest of the employer. The directive contains requirements for notification of the data subject if personal data are being processed. In addition, the client must notify the country’s supervisory authority for data protection of the processing. ( Id., art. 18.) Because notification requirements and the practices of the data protection authorities vary among member countries of the European Union, it is important to retain local counsel expert in data protection law to guide the client through this process. Counsel must pay special attention to where the collected data are stored and reviewed. The directive prohibits the transfer of personal data to countries that are deemed to lack adequate data-protection laws, and the United States is considered one of those countries. Fortunately, there are ways to send the data to the United States while remaining in compliance with the directive. One is for the entity receiving the data in the United States to self-certify to the U.S. Department of Commerce that it is a “safe harbor,” meaning that the entity has met certain standards to ensure the protection of personal data. The requirements for safe harbor status are set forth on the Web site of the Department of Commerce, which negotiated the terms of the safe harbor framework with the European Union. ( See, id.) Data Protection Agreements Another way to facilitate compliance with the directive is to use a data protection agreement between the data exporter (the client) and data importer (for example, the law firm receiving the data). The European Commission has approved two model agreements, either of which parties can use verbatim but not modify. See model contracts for the transfer of personal data to third countries. Under these agreements, the data importer is responsible for ensuring that parties subsequently receiving the data, such as vendors, comply with the agreement. In either of these cases, however, application to the local supervisory authority for permission to export data still may be necessary. Even if approval is automatic, it may take several weeks. There may also be a mandatory waiting period to allow individuals to opt out. Again, guidance of local counsel expert in this area is essential. A violation of the directive can result in sanctions. ( See, directive, art. 24.) The directive has been implemented and interpreted in such a way as to create a private right of action, by which individuals may either lodge a complaint with the domestic data-protection office or pursue an action in a local court. ( Id., arts. 22, 23.) Moreover, some countries, including the United Kingdom and Germany, impose personal liability, administrative and/or penal, for violators. See, U.K. Data Protection Act, 1998, �� 55-56 and www.out-law.com/page-413; Bundesdatenschutzgesetz (German) [Federal Data Protection Law], Dec. 20, 1990 BGBl.I 1990 S.2954 at � 43, amended by law of Sept. 14, 1994 BGBl. I S. 2325, and www.fas.org/irp/world/germany/docs/bdsg.htm (English). Thus, the consequences for clients who violate the directive can be grave. In addition to data-protection laws enacted pursuant to the directive, there may be other laws, regulations and practices that prohibit or regulate the collection or review of data. For example, document custodians may be subject to certain protections by their works councils and the labor laws of their countries. They also may have documents related to works council activities intermixed with their work documents, which can lead to questions as to whether the documents are discoverable and who holds any privileges that might apply to them. Local laws concerning electronic communications and official books and records may also apply. And, if the data are being taken out of the country in media such as DVDs or magnetic tapes, delay or difficulties may arise in getting the data through customs or border control. Most data protection regimes are unlikely to serve as effective “shields” to discovery in the United States. U.S. courts have not been receptive to the argument that parties should not have to respond to discovery requests or cannot obey certain disclosure requirements imposed by U.S. law due to the directive. See, e.g., Gerling Global Reins. Corp. v. Low, 296 F.3d 832, 847 (9th Cir. 2002), rev’d on other grounds, 539 U.S. 396 (2003); Columbia Pictures Indus. v. Bunnell, No. CV 06-1903FMCJCX, 2007 WL 2080419, at *11-*12 (C.D. Calif. May 29, 2007). Document Collection and Review In the international setting, the practical experience and information that lawyers have acquired in domestic e-discovery may be wrong or incomplete. Some of the more important considerations related specifically to international e-discovery are described below. Obviously, documents located in other countries are likely to be in languages other than English, and sometimes will be in several languages. Less obviously, this fact will affect the selection of the vendor or vendors to process the data and the system used to store and review the data. Many electronic data vendors and review systems use only the American Standard Code for Information Interchange (ASCII) and cannot process special characters used in other languages. The best format for supporting a multilingual review is Unicode, as it will process diacritical marks (such as accents, umlauts, diereses and cedillas) and special characters in Latin alphabets (such as Eszett (�), Thorn (�), and �thel (�)), as well as characters from languages not written in the Latin alphabet, e.g., Chinese and Arabic. Processing systems that cannot handle something as small as an accent mark can render large amounts of text almost unintelligible; the inability to process diacritical marks may result not just in a failure to capture the marks, but the corruption of the text generally. The physical scope of the data collection is also relevant to the choice of vendor. Lawyers should consider whether the vendor has sufficient reach to collect the data in all of the relevant locations, or good relationships with qualified subvendors who can do so. Subvendors may be desirable in some locations because they may have experience with obscure hardware and operating systems used in the area, as well as with local data backup practices. A vendor should provide technical specifications for the types of load files it needs to process the data, and therefore selection of the vendor before document collection begins is critical. If the document collection is from several locations, it may be useful to collect, process and review samples of data from each location to ensure that the process is working correctly before committing to it. Search terms play an essential role in data processing by trimming the amount of data to export, host and review, and therefore limiting expense and data export issues. Search terms will be more successful if they address language-specific characters and modifications (for example in German, writing terms with “ss” in addition to “�” or “ue” in addition to “�”). Local clients and vendors may be able to provide information on common workarounds such as the above, which document custodians/authors might have used in creating the data (especially in e-mails and on mobile devices), and which vendors might use in processing it. Another choice to consider carefully is where the server on which reviewers will review the data should be physically located. Clients may feel safer if their attorneys host the data internally, especially if the firm is certified as a safe harbor, but in some cases keeping the server in-country or within the European Union has advantages in dealing with data export issues. Depending on the scope of the document collection, it may be necessary to employ contract attorneys who read foreign languages, even relatively obscure ones. Many countries lack robust markets for contract attorneys, so it may be easier to find speakers of some foreign languages in New York or London than in the countries where the languages are spoken. This article is only a brief summary of international e-discovery. In any matter involving international e-discovery, lawyers should be constantly on the alert for unexpected and novel issues and work closely with their clients and local counsel to identify and address those issues. Jaculin Aaron is a partner in the litigation department of New York-based Shearman & Sterling, where her primary practice areas are corporate, securities and commercial litigation. Laura J. Lattman is a litigation associate at the firm, where her practice has focused on investigations under the Foreign Corrupt Practices Act. Danforth Newcomb and Philip Urofsky, partners at the firm; Joachim Grittmann, an associate; and George Rudoy of the practice technology support group provided assistance with this article.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.