Significant problems await attorneys attempting to collect or produce data housed in a foreign country for the sake of a lawsuit or discovery. Due to vastly different interpretations of what constitutes privacy in the U.S. and abroad, and the resulting blocking statutes and regulations surrounding data extraction those nations have established to protect their citizens’ data, American companies often struggle to mine data from most foreign jurisdictions. It essentially becomes a balancing act for businesses, as they have to weigh the effects of potentially breaching U.S. laws or potentially breaching foreign laws. And when the weight shifts too much to one side or another, and collections aren’t done through the proper channels, the penalties can be severe.
In many nations, including China and much of Europe, it’s considered the equivalent of a felony for U.S. companies to improperly collect private data. In the European Union, which has strict privacy regulations compared to the U.S., potential fines for improper collection or procedure vary from country to country—the highest currently being France, where a company can receive a €4.5 million penalty. Fortunately for U.S. companies, however, is that those whopping sums are still somewhat mythical.
“They’ve never actually issued a fine that large,” says Latham & Watkins Partner Gail Cartwright. “The fines in France are generally €300,000 to €400,000, which is probably a fairly good benchmark for the highest fines you’d get from privacy issues.” The biggest problem within Europe, she adds, is reputational. “That can have a huge impact on your business.”
In the U.S., the problems are typically not as monetarily damaging, but still equally onerous. When companies don’t comply with orders, they can face contempt of court charges and findings of adverse inference where a court can find the facts favorable to the parties seeking disclosure. Noncompliance also can impact the awarding of fees.
Another problem is that while the sanctions in Europe and abroad can be severe, many people in the U.S., judges included, don’t necessarily take them terribly seriously.
In a recent French case, In re Advocat Christopher X, the French Supreme Court upheld the criminal conviction and fine of €10,000 of a French lawyer for violating a French blocking statute. It involved a case filed in New York federal district court where there was a claim that the defendant essentially was a front for the Islamic political party Hamas, and the records validating the claim were located in France.
The defendant filed a motion for a protective order with the federal court, claiming that the French blocking statute prohibited disclosure of the information. The court denied the protective order and ordered the defendant to produce the records in the U.S. within 30 days. In doing so, the court specifically rejected the defendant’s argument that it would face criminal prosecution in France, holding that there was a low likelihood of actual prosecution.
In response to the federal court order requiring the defendant to produce this information, a French lawyer then interviewed a witness, which led to his criminal prosecution for violating France’s blocking statute.
“Every day in the U.S., lawyers go out and engage in that type of activity,” says Littler Mendelson Shareholder Paul Weiner. “Here, a French court held that interviewing a witness—we weren’t even at the point of actually producing the documents—was a violation of the blocking statute and upheld a criminal conviction and a significant fine against the lawyer. This is a pretty significant issue, and often there is no clear, safe way forward because, on the one hand, you have a U.S. federal judge who is saying you have to produce information in a federal lawsuit, and on the other hand, you have the data privacy commissioners and the blocking statutes which say you can’t on the threat of severe civil and criminal sanctions. It leads to a serious Catch-22.”