By Mike Quartararo.
Parties in the US are allowed broad and liberal discovery of electronically stored information (ESI) relevant and proportional to the claims and defenses in a legal action. When a US-based litigant seeks ESI stored in other countries, however, thorny legal and practical issues arise. An ACEDS webinar on this topic, entitled “Now What? Cross-Border and International Discovery Post-Schrems II,” highlights some of the issues facing practitioners in this area. A recording of the webinar is available from ACEDS.
EU Court Invalidates Privacy Shield
For several years, practitioners relied on the Privacy Shield to transfer ESI across borders. The Privacy Shield consisted of two frameworks, EU-US and Swiss-US, that permitted cross-border transfers of personal data to US organizations that self-certified to them.
The program was administered by the US Department of Commerce and enforced by the Federal Trade Commission. Participants had to adhere to seven primary data protection principles and sixteen supplemental principles. The frameworks opened communication channels between US and EU data protection authorities, and they provided for binding arbitration to resolve disputes.
In 2020, this all changed. On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), ruling that it did not adequately protect the personal data of EU data subjects, chiefly because US surveillance law permitted access to transferred data beyond what is necessary and proportionate and gave EU individuals no effective judicial redress. Later that year the Swiss data protection authority reached the same conclusion about the Swiss-US framework.
To keep things in context, outside of the US, the idea that someone can file a lawsuit and demand large volumes of ESI, including sensitive business, government, or personal information, is truly a “foreign” concept and is viewed cautiously, if not with outright alarm.
Data Still Needs to Move Across Borders
But the fact remains that ESI will still need to be moved across borders. If a request for ESI includes information that is located outside of the US, and it is determined that information is within the possession, custody, or control of the party receiving the document demand, that party must determine how that data may be transferred to the US.
Practitioners in the US and Europe need to be aware of and take into consideration the differing laws, legal rights, and obligations in other jurisdictions that are rooted in local cultural and political views.
Data Protection Laws and Regulations
Around the globe, laws and regulations restrict cross-border data transfers and limit the ability of parties to access information for use in US litigation. Many jurisdictions have data protection laws and regulations designed to protect against the unlawful use of individuals’ personal information, including the transfer of that information to jurisdictions that lack adequate data protections.
The European Union General Data Protection Regulation (“GDPR”) is the most well-known data protection law. Many other countries have enacted (or are in the process of rolling out) data protection laws as well. The intent of these laws is to ensure that information that identifies a natural person is used only for authorized or lawful purposes.
Under the GDPR, there are limitations on collecting, processing, reviewing, and producing ESI that contains personal data. Each of those steps is “processing,” and without a lawful basis under Article 6 (and, for a transfer outside the EU, a valid transfer mechanism under Chapter V) the processing violates the regulation.
Data minimization is also a component of most data protection laws: the personal data collected and processed should be limited to what is adequate, relevant, and necessary for the purpose established at the time of collection. A companion principle, storage limitation, requires that personal data not be retained indefinitely; once the purpose for which it was collected (including any legal hold) has been fulfilled, it should be promptly destroyed.
How to Overcome Restrictions on Cross-border Data Transfers
There are several ways to overcome data privacy restrictions and enable cross-border transfers. It is important to note, however, that there are significant complexities to this area of law and practice, and experienced, qualified legal counsel should be consulted when faced with cross-border data transfers for the first time.
1. Removing Personal Data from Data Sets
First, if ESI does not contain personal data, it is generally outside the scope of data protection laws. In other words, if the ESI sought contains no personal data, either because none existed or because the personal data has been removed, there is no restriction under a data protection law like the GDPR preventing transfer of that ESI. However, other superseding limitations on the transfer of that ESI may apply, including blocking statutes and state secrets laws.
Personal information can be removed from ESI in a few ways. The first is an agreement between the parties to strip all personal data of foreign data subjects from any information that will be transferred. This works well where the personal data is discretely separated from the rest, as in structured data, so that the fields containing personal data are simply not exported. Too often, however, personal data is embedded in the documents themselves, such that excising it means altering the documents, which can raise issues of authentication and in turn affect admissibility.
The second option is to anonymize or de-identify the data set so that the personal data of protected data subjects is permanently hidden. This can be accomplished with redaction technology, but it can be expensive and must be performed before the data is transferred. Note the distinction between anonymization and pseudonymization: data that has merely been pseudonymized (for example, names replaced by tokens that the exporter can still map back to individuals) remains personal data under the GDPR (Article 4(5) and Recital 26) and so remains subject to its transfer rules.
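The structured-data route described above, as an added example that is not from the original article or from ACEDS: agreed personal-data columns are not exported, one identifier that must survive joins across tables is pseudonymized with a keyed HMAC, stray email addresses in free-text fields are redacted, and the export is verified before it is released. The column names, records, and key are constructed for illustration.

```python
"""Minimize a structured ESI export before a cross-border transfer.

Added example, not code from the original article or ACEDS. Field names,
records and the HMAC key below are constructed for illustration.
"""
import csv
import hashlib
import hmac
import io
import re

# Constructed sample: a ticket table as it might come out of a structured
# system. The names, emails and phone numbers are invented.
SAMPLE_CSV = """ticket_id,opened_on,requester_name,requester_email,requester_phone,category,notes
T-1001,2020-03-02,Ana Berg,ana.berg@example.com,+44 20 7946 0000,billing,"Invoice 4411 disputed"
T-1002,2020-03-03,Luc Dubois,luc.dubois@example.com,+33 1 23 45 67 89,outage,"Call back luc.dubois@example.com after 5pm"
"""

# Columns the parties have agreed are personal data of foreign data subjects.
PERSONAL_FIELDS = {"requester_name", "requester_email", "requester_phone"}
# A column needed to join records across tables is pseudonymized rather than
# dropped. Pseudonymized data is still personal data under the GDPR
# (Art. 4(5), Recital 26) because the key holder can re-identify it.
PSEUDONYMIZE_FIELDS = {"requester_email"}
# Free-text columns are scanned for leaked identifiers. Assumption: email
# addresses are the only identifier that leaks into these fields.
FREE_TEXT_FIELDS = {"notes"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonymize(value, key):
    """Keyed HMAC-SHA256 of the normalized value.

    A plain hash of an email address can be reversed with a dictionary; the
    key prevents that and stays with the data exporter, never in the export.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def minimize_rows(rows, key):
    """Return new rows with personal columns dropped or pseudonymized and
    email addresses redacted from free text. Input rows are not modified."""
    out = []
    for row in rows:
        new = {}
        for field, value in row.items():
            if field in PSEUDONYMIZE_FIELDS:
                new[field] = pseudonymize(value, key)
            elif field in PERSONAL_FIELDS:
                continue  # column is not exported at all
            elif field in FREE_TEXT_FIELDS:
                new[field] = EMAIL_RE.sub("[EMAIL REDACTED]", value)
            else:
                new[field] = value
        out.append(new)
    return out


def verify_export(rows):
    """Fail closed: refuse to release an export that still carries a dropped
    column or an email-shaped string in any field."""
    dropped = PERSONAL_FIELDS - PSEUDONYMIZE_FIELDS
    for row in rows:
        for field, value in row.items():
            if field in dropped:
                raise ValueError(f"personal field leaked: {field}")
            if EMAIL_RE.search(value):
                raise ValueError(f"email address found in field {field!r}")
    return True


def export_csv(text, key):
    """Parse a CSV export, minimize it, verify it, and return the result."""
    rows = list(csv.DictReader(io.StringIO(text)))
    minimized = minimize_rows(rows, key)
    verify_export(minimized)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(minimized[0].keys()))
    writer.writeheader()
    writer.writerows(minimized)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed demo key; in practice it is held by the exporter only.
    demo_key = b"constructed-demo-key-held-by-exporter"
    print(export_csv(SAMPLE_CSV, demo_key))
```

Two design choices matter here. The verification step runs on the output rather than trusting the field list, so a column added to the source system after the agreement was drafted still trips the check if it carries an email address. And the redaction of free text does alter the documents, which is exactly the authentication concern raised above, so it belongs in the parties’ agreement rather than being done unilaterally.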
2. Consent of the Data Subject
Some jurisdictions permit transfers of personal data based solely on the consent of the individual. It is important to check with local counsel or data protection authorities for advice on a particular country. Individuals may consent to the processing of their personal data, but obtaining valid consent is no simple matter, and it is therefore the least preferred basis for processing.
To be effective, consent must be given freely, voluntarily, and knowingly; it cannot be coerced, even mildly, by an employer. Evidence of consent must be clear, and importantly, consent, once given, may be revoked. Where obtaining consent is not feasible, the party from whom documents are requested must at least disclose to affected persons that their personal information will be processed and possibly disclosed and offer such persons the opportunity to object.
3. Binding Corporate Rules
Under the GDPR there is a safeguard known as Binding Corporate Rules (BCR) that allows the cross-border transfer of ESI to countries that lack adequate data protections. Binding Corporate Rules are data protection policies that companies may use to transfer personal data outside the EU within an organization. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers.
Approved BCR policies are used in day-to-day business for large international companies that need to regularly transfer personal data between offices around the world. They are complex instruments that require specific drafting and approval by data protection authorities. They should not be considered for use in one-off situations, such as a specific litigation, but rather as a long-term solution to ongoing cross-border data transfer needs.
4. Standard Contractual Clauses
Another way to transfer ESI containing personal data, and perhaps the most common, is to use Standard Contractual Clauses (SCCs). These are form contracts issued by the European Commission to be completed by the contracting parties. One form covers the transfer of data from a data controller to another data controller outside the EU, while the second covers a transfer from a data controller to a data processor outside the EU; the second is the form typically used when documents containing personal data are transferred for discovery in another country. The form is completed by the data controller (the exporter) and the recipient of the data (the importer). Most of the clauses cannot be changed, and by signing them the parties commit to protecting the data.
Once the SCCs are completed and signed by the exporter and the importer, the personal data can be transferred, subject to the terms of the clauses. Since Schrems II, however, signing SCCs is not by itself sufficient: the exporter must also assess whether the laws of the destination country (for example, government access to data) undermine the protection the clauses promise, and adopt supplementary measures such as encryption or pseudonymization where they do. Unlike Binding Corporate Rules, SCCs are suitable for one-off data transfers, although they can also cover continuing transfers if and as specified.
5. Transfers Through the Hague Convention
Finally, many countries are parties to the Hague Conventions, a set of multilateral treaties negotiated in the 1960s and 1970s, two of which are relevant here. The 1965 Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters (the “Hague Service Convention”) governs service of process from one contracting state to another without diplomatic or consular channels; it is not a discovery mechanism. The 1970 Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (the “Hague Evidence Convention”) is the treaty route for obtaining evidence, including documents, located in another contracting state: the requesting court issues a letter of request to the foreign state’s central authority, which executes it under local procedure. Many civil-law states have entered reservations under Article 23 of the Evidence Convention declining to execute requests for pretrial discovery of documents, so what can be obtained is often far narrower than a US document request would seek.
Even when documents are obtained through a Hague process, the party holding data that is subject to a data protection regime must still satisfy its legal obligations in that jurisdiction and any demands of the local supervisory authority. Practitioners should note, too, that the Hague process can be quite lengthy.
While the United States continues to adhere to civil procedure rules that allow for very broad discovery, it is important to understand that the rest of the world does not view discovery in the same way. Some countries view broad disclosure of information as outright suspicious and even criminal. When conducting international discovery or seeking to move ESI relevant to a matter across borders, it is critically important that the parties understand the rules of the locality in which the data resides.
About the Author
Mike Quartararo is the President of the Association of Certified E-Discovery Specialists (ACEDS), the world’s leading organization providing training and certification in e-discovery to law firms, corporate legal departments and the broader legal community. He is also the author of the 2016 book Project Management in Electronic Discovery and has been consulting in information governance, e-discovery, project management and legal technology for two decades, including 10-year stints at both Skadden Arps and Stroock. A graduate of the State University of New York, he is a certified Project Management Professional (PMP) and a Certified E-Discovery Specialist (CEDS). He frequently writes and speaks on e-discovery, legal operations, project management and technology topics. Reach him via email at firstname.lastname@example.org or on Twitter @mikequartararo.