Corporate counsel conducting investigations in the United States are accustomed to unfettered access to employees’ company email and data without much limitation. When investigations involve data and documents created or received by overseas personnel, however, starkly different procedures may apply. Counsel must be sensitive to local rules governing both the “processing” of such data (a term that encompasses everything from collection through culling and review) and its transfer out of the country, particularly to the United States. This article discusses the principal rules to which counsel must refer prior to conducting overseas document collection and before transporting or transmitting any documents or data collected to the United States, as well as the collateral consequences of a decision to transfer documents to the United States.
Overseas Privacy Law Limits
The initial steps for counsel conducting an overseas investigation are familiar to U.S. attorneys: identifying relevant custodians, issuing document retention notices, conducting initial document collection interviews, arranging for the preservation of documents, and undertaking data collection and review. However, foreign regulatory frameworks require counsel to conduct such data collections in conformity with limitations found in the data privacy laws of the countries in which the documents’ custodians are located—and sometimes also the rules of the home countries of people referred to in the documents.
The rules of a given jurisdiction may be codified, as they are in the European Union. Or they may be uncodified or dispersed in scattered statutes and regulations, as is true in China, where local laws and strict concern for state secrets form a web of data privacy requirements.1 Consultation with knowledgeable local counsel is, therefore, critical no matter where an investigation takes place.
The stringent European privacy framework illustrates the complications faced by counsel operating abroad. European Directive 95/46/EC addresses both the “processing” and “transfer” of personal data. Although the directive itself is a uniform governing document, its interpretation and implementation vary considerably from country to country. The obligations under these laws include a general requirement that an employee’s consent be obtained before the employer processes personal data, subject to certain exemptions.
Under both the directive and implementing laws, corporations may collect and review personal information and company files without providing this individualized notice so long as the corporation acts in light of “specified, explicit and legitimate purposes,”2 or where enumerated exigent circumstances arise. Such circumstances include processing that is “necessary for compliance with a legal obligation to which the [data] controller is subject” or if the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority.3
Countries also often apply a “proportionality principle” that is meant to strike a balance between the needs of the employer and those of employees whose data may be at issue. This further reinforces the necessity of consultation with local counsel regarding specific local practices. Note that early interviews of custodians may assist both in providing notice to employees and isolating as narrow a set of data to be collected as practicable.
In some countries, local law may require notification of national privacy officials prior to undertaking a collection, even in those circumstances in which an exception to general requirements of notification and consent seems applicable. While some countries permit corporations to assess unilaterally the necessity of such a collection process, other countries, e.g., the Netherlands, have exacting requirements relating to the notification of national privacy officials prior to data collection.4 This, too, is a matter as to which local counsel should be consulted.
If data is to be transferred outside the country of collection, privacy laws often will require that any jurisdiction to which protected data is to be transferred meet minimum adequacy requirements relating to the protection of data privacy. Under Directive 95/46/EC and national implementing legislation, certain jurisdictions have been certified as adequately protective. The United States has not been so certified, however, and official approval generally is required before transfer of data to the United States.
The United States and European Union have entered into an agreement that creates a “safe harbor” for data transfers among companies that agree to seven data protection principles. Because one of those principles is that transferred data must be relevant and reliable for the purpose for which it was collected,5 it is generally a best practice to cull data in-place and transfer at most a clearly relevant subset of data to the United States.
Once documents have been transferred to the United States, corporations lose whatever protection European Union and other data privacy regimes may have afforded them from producing documents in U.S. judicial proceedings had those documents remained within a foreign jurisdiction whose privacy laws restrict their transfer. Counsel therefore should carefully consider the need to transfer data to the United States—as opposed, for example, to conducting review within the collection country—and transfer only data necessary to the issues at hand. In particular, counsel should take care to avoid unintentional transfer of documents by, for example, backing up worldwide files in the United States or allowing U.S.-based reviewers to use software that may be portrayed as having transferred the files themselves, rather than just document images, to the United States.
Even when documents are maintained overseas, corporations—whether or not they are parties to U.S. proceedings—may well be ordered to produce them. Protections are greater for non-parties not otherwise subject to a court’s personal jurisdiction. For example, the Hague Convention on the Taking of Evidence Abroad, which provides a framework for cooperation among the judiciaries of signatory states when one state issues discovery orders aimed at documents held in another, permits signatories to refuse requests “issued for the purpose of obtaining pretrial discovery of documents” or otherwise contrary to their data protection statutes. France’s accession to the convention thus precludes French judges from effecting broad, “Common Law” discovery requests—an exception designed with French privacy protections in mind.6
Protections are much more limited, however, if a corporation is a party to a U.S. suit. U.S. courts derive broad power over parties from the Federal Rules of Civil Procedure, which permit one party to inspect any relevant documents or data that can be obtained, even indirectly, by the responding party, and which permit a court to compel compliance with such a request through orders and sanctions.7
In Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court, the Supreme Court addressed a French aircraft company’s attempt to avoid a discovery order issued pursuant to the Federal Rules of Civil Procedure, without the use of the convention’s procedures, in a dispute arising from the crash of the aircraft company’s plane.8 Referring to the text and legislative history behind the convention’s ratification, the court concluded that the discovery of documents held by a party to litigation need not be limited by the mechanisms of the Hague Convention, rendering the convention effectively optional with respect to parties to a civil action.
Despite the Aerospatiale holding, keeping documents outside of the United States may still provide some degree of protection even for parties to civil litigation. Even in Aerospatiale, the Supreme Court endorsed respect for the concept of international comity and the need for a district court to analyze a foreign state’s sovereign interest in the privacy of its citizens prior to conducting discovery without resort to the Hague Convention’s procedures or the procedures of the foreign state.9 Thus, the maintenance of data and documents overseas may aid even a party to U.S. litigation in the event that the data’s host country maintains a strong interest in the privacy of its citizens, for instance through a separate “blocking statute” drafted to impede production of documents sought outside the framework of the Hague Convention or similar national discovery procedures.10
Bringing documents into the United States from abroad also may have consequences in regulatory or criminal enforcement actions. Typically, regulators and prosecutors may use letters rogatory or the procedures of an applicable Mutual Legal Assistance Treaty (MLAT) in order to request the production of documents held overseas by a foreign entity. MLATs provide the country receiving a request for production an opportunity to assess the validity and scope of that request, which may ultimately provide some protection for documents held abroad, particularly in light of a foreign signatory’s concerns over data privacy.11 Once documents have been transferred to the United States for any reason, however, those protections may no longer be available in regulatory or criminal actions.12
By contrast, if the company maintains documents only outside U.S. jurisdiction, some protections may exist even when regulators seek documents through a subpoena served directly on a company, rather than through MLAT procedures. U.S. courts have recognized that regulatory and grand jury subpoenas seeking documents held overseas by foreign entities may be subject to modification, or quashed, in deference to foreign sovereigns’ privacy protections. While courts afford such subpoenas a presumption of enforceability, they are subject to limitations on unreasonably broad demands for production, which may include demands that cause insurmountable obstacles in light of foreign blocking statutes and privacy laws.13
Thus, courts have modified government subpoenas seeking productions that would run afoul of foreign restrictions,14 and parties may argue that foreign data privacy laws prohibit compliance with a U.S. subpoena—again, only where the subpoenaed party can demonstrate a credible threat of prosecution. Regulators dispute these claims for protection, however—as the SEC has in the recent action brought against five Chinese accounting firms that performed audits on Chinese companies traded on U.S. exchanges15—and courts often enforce subpoenas even over a foreign sovereign’s privacy concerns.16
A clear understanding of the limits and protections of foreign data privacy laws is essential for U.S. counsel operating abroad. An understanding of those laws will help counsel to prevent or defend against compelled disclosure of foreign documents or data in the event of civil litigation or regulatory and criminal enforcement actions. Attention to these complicated issues—often in close collaboration with knowledgeable local counsel—is the key to ensuring a client’s data remains secure in the face of uncertainty.
Michael B. Mukasey, the former U.S. Attorney General and former chief judge of the Southern District of New York, is a partner in the litigation department at Debevoise & Plimpton. Andrew J. Ceresney is a partner in the firm’s litigation department and was an assistant U.S. attorney in the Southern District. Andrew C. Adams, an associate at the firm, assisted in the preparation of this article.
1. See, e.g., Severin Wirz, “The Experts Weigh In: E-Discovery Strategies for International Anti-Bribery Investigations” (2012).
2. Directive 95/46/EC, art. 6, 7.
3. Act No. 78-17 of 6 Jan. 1978 on Information, Technology, Data Files, and Civil Liberties, Art. 8, cl. 5 (Fr.).
4. See Daniel P. Cooper, Corporate Investigations & EU Data Privacy Laws—What Every In-House Counsel Should Know, at 25 (2008).
5. See U.S.-EU Safe Harbor List, Dept. of Commerce, available at https://safeharbor.export.gov/list.aspx.
6. Hague Convention on Taking of Evidence Abroad, Art. 23, Oct. 7, 1972, 23 U.S.T. 2555; see also France—Central Authority, Practical Information, HAGUE CONFERENCE ON PRIVATE INTERNATIONAL LAW (Jan. 2, 2012), http://www.hcch.net/index_en.php?act=authorities.details&aid=500 (noting French privacy laws as a basis for impeding a request under the Convention).
7. Fed. R. Civ. Pro. 34, 37.
8. 482 U.S. 522, 539-40 (1987).
9. Id. at 543-44, 544 n. 29.
10. E.g., French Penal Code Law No. 80-538, Art. 1A.
11. E.g., Treaty on Mutual Legal Assistance in Criminal Matters, U.S.–U.K., Dec. 2, 1996, S. Treaty Doc. No. 104–2, at Art. 3, ¶1; see also Agreement on Mutual Legal Assistance Between the E.U. and the U.S., Art. 9, cmt.
12. In re Grand Jury Subpoenas (White & Case LLP), 627 F.3d 1143 (9th Cir. 2010) (holding that a grand jury subpoena overrides a civil protective order for documents collected abroad in civil litigation).
13. Fed. R. Crim. Pro. R. 17(c)(2); id. R. 17(e).
14. E.g., In re The Chase Manhattan Bank, 297 F.2d 611, 613 (2d Cir. 1962) (affirming modification of grand jury subpoena conflicting with Panamanian blocking statute).
15. Sec. & Exchange Comm’n, SEC Charges China Affiliates of Big Four Accounting Firms with Violating U.S. Securities Laws in Refusing to Produce Documents (Dec. 3, 2012).
16. See, e.g., Carrick Mollenkamp, “UBS Cites Swiss Law in Tax-Data Standoff,” Wall Street Journal, May 1, 2009; see also United States v. Davis, 767 F.2d 1025 (2d Cir. 1985) (rejecting Cayman Islands interest in bank secrecy as a bar to the admissibility of evidence obtained over defendant’s objections).