From Sanctions to Safe Harbors: Global E-Discovery Gets Complex
Laws and regulations differ greatly between the U.S. and Europe and Asia. In the post-Snowden era, cross-border e-discovery and compliance won't get easier.
International e-discovery has never been easy. Differences of language, currency, culture and, of course, law, have historically made crossing borders to conduct e-discovery a challenge. However, 2014 may be the year that challenge became much more daunting.
For several years, many European regulators and lawmakers have viewed some American companies, such as Google and Facebook, as threats to the privacy of European citizens. On the other side of the world, the Chinese have criminal penalties for data privacy violations, and the People’s Republic limits what personal data can leave the country. Making matters more difficult, the U.S. Federal Rules of Civil Procedure allow far more discovery than the laws of other nations.
The Europeans are now considering replacing the 1995 Data Protection Directive with a more binding General Data Protection Regulation, and in the wake of the Edward Snowden-National Security Agency controversy, some Europeans are calling for an end to the U.S.-European Union Safe Harbor Framework, which has allowed some data transfers for e-discovery.
From Directive to Regulation
At the moment, data protection in Europe is governed by "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data," known commonly as the E.U. Data Protection Directive. The idea behind the proposed General Data Privacy Regulation is to harmonize data privacy law among the 27 E.U. member states.
At first glance, the idea of harmonizing data privacy requirements across the E.U. sounds as though it would make life easier for international information compliance professionals. The problem for U.S. lawyers and their corporate clients is that the proposals under consideration in Europe would make European data privacy law even more at odds with the laws of their American cousins.
For instance, the Europeans are considering a so-called "right to be forgotten," which would allow citizens to demand online information about them be removed. Although California enacted a law last year granting a similar right for minors, the California law has substantial limitations and loopholes. The Europeans are considering a far more robust right to be forgotten, which would make U.S. e-discovery requests even more difficult.
Not So Safe Anymore?
Despite these transoceanic differences, corporate enterprises could always take solace in the U.S.-E.U. Safe Harbor Framework. Developed by the U.S. Department of Commerce and the European Commission—with a separate program for the U.S. and Switzerland—the Safe Harbor program allows the transfer of data between enterprises in the U.S. and Europe where the American enterprise has met the standards of the program and been certified as meeting European requirements.
European privacy partisans have never been big fans of the Safe Harbor Framework, arguing the self-certification program is merely an end run around European privacy protections. Of course, Edward Snowden helped their cause immensely, causing many Europeans to rethink whether there should even be a safe harbor for prying Americans trying to get their hands on European data. These Europeans always believed the Americans had little if any respect for personal privacy, and—in their minds—the NSA imbroglio confirmed it.
Although these are trying times for the Safe Harbor Framework, the program will probably survive. In November, the European Commission issued a report highly critical of U.S. data privacy protection, noting Snowden’s revelations about the NSA’s PRISM surveillance data mining program. Nevertheless, the report also said there was no need to scrap the Safe Harbor at the moment, but it did make 13 recommendations on improving the program, including having U.S. government agencies conduct inspections for compliance and having the American government agencies report back to the Europeans.
Americans may have dodged a bullet for now on the Safe Harbor, but it will be a hollow victory if the NSA controversy results in a global defense posture realignment with severe restrictions on data transfers.
Around the Globe
Today, at LegalTech New York, a panel will discuss these challenges and others around the globe. Sponsored by FTI Consulting and moderated by FTI partner Craig Earnshaw, the panel includes Gareth Evans, partner at Gibson, Dunn & Crutcher; Simpson Thacher & Bartlett litigator Ellen Frye; Jennifer Hamilton, global e-discovery counsel at John Deere; and David Horrigan, analyst and counsel at 451 Research.
Here are a few preview thoughts from the panelists:
- Evans notes that the challenges go beyond Europe. “While much of the focus has been on the E.U., restrictions on the processing and transfer of personal information have been enacted or proposed in important Latin American and Asian nations, including Argentina, Brazil, Colombia, Costa Rica, South Korea, Taiwan, Hong Kong, and Macau,” said Evans.
- “Breaching data protection rules can typically lead to fines and sanctions, however breaching State Secrecy laws in China can land you in jail,” observed FTI’s Earnshaw, with Evans adding, “Indeed, North Asia has been described as the most ‘data privacy intensive’ region outside of Europe.”
- The conflicts between broad U.S. e-discovery requests and strict European data laws are well-documented, and the conflicts between the U.S. and Asia are growing. Noting a recent matter in which a U.S. Securities and Exchange Commission administrative law judge sought to sanction Chinese affiliates of the Big Four accounting firms for failing to produce audit work papers of Chinese companies under investigation for fraud—documents the Chinese government prohibited the firms from sending to the U.S., Evans summarized the problem facing lawyers attempting to conduct international e-discovery: “Sometimes it’s not possible to please two masters.”
David Horrigan is industry analyst and counsel at 451 Research and a former reporter for The National Law Journal and LTN.