By now most U.S.-based companies are becoming more comfortable with the e-discovery drill.
Issue a litigation hold when litigation becomes foreseeable, then collect, process, review and produce the data to the other side as necessary to comply with the court’s discovery obligations. Maybe not simple, and definitely not cheap, but at least the obligations and procedures have become clear over the past decade as the rules and case law developed. That is, unless companies face the international problem.
What if, for example, your business that is a party to U.S. litigation has an office in Europe, and must produce data made and maintained by your employees there?
Now everything changes.
This is because many (if not most) nations outside the U.S. (including all EU member states) have privacy statutes that can expressly prohibit the transfer of data to the U.S., even for use in defending litigation. Moreover, these statutes also prohibit the “processing” of data (even in the home country), and the definition of processing may include not only the searching and review of data, but also the storage of data for longer than usual. As one European data commission noted, this can call into question the mere issuing of a U.S.-style litigation hold.
Unlike the somewhat farcical “blocking statutes” that some nations (most notably, France) conjure to protect their citizens from having to take part in U.S. litigation, data privacy is usually taken very, very seriously. In fact, after World War II, the European Commission found that the right to privacy in one’s correspondence is a “fundamental human right.”
Thus, there will often be no exception to allow the processing and transfer of business correspondence, even assuming a corporate policy stating that employees have no right of privacy to correspondence that they generate on company systems. One may be happy to find exceptions or derogations to these laws based on “legal necessity” or “public policy” grounds, only to then find them unhelpful because U.S. legal and public policy requirements don’t count. Even express agreements by employees that the company can review and produce their email may be invalid because of the perceived unequal bargaining power between the employer and employee. At best, the employees will likely be able to rescind any such agreement at any time.
Depending on the laws of a specific country, this could quite possibly be one of the rare legal problems with no elegant solution. Companies in this situation may well have to face the Hobson’s choice of either not producing the data in the U.S. litigation, and being defaulted, or producing the data in violation of another country’s law.
So what is the responsible international corporate citizen to do?
First and foremost, recognize that, when faced with the possibility of having to produce data made and stored abroad, it is not business as usual. Businesses must even undertake the issuance of a litigation hold with deft care. Usually, companies should get legal advice from a privacy lawyer local to the country immediately, before taking any action.
But don’t be surprised if that lawyer advises that processing and transfer cannot be done, or is only possible through a mechanism such as going through the Hague Convention or anonymizing or pseudonymizing the data to prevent any reference to real people, which the U.S. court will not find acceptable.
No lawyer should advise violating any law. So the reality is that the company may have to make a catch-22 business decision to comply with U.S. discovery obligations and produce the data, while taking the risk under foreign law.
In such a case, all the U.S. lawyers can do is make every effort to reduce this risk. This will often involve:
- Educating both the U.S. court and opposing counsel early on regarding the legal hurdles involved
- Securing a protective order prohibiting the disclosure of any private materials outside the litigation context
- Minimizing the amount of data that the company must process and transfer
- Enlisting so-called (and perhaps incorrectly called) “safe harbor” vendors to help with the process
- Allowing the affected employees to assist with and agree to (to the extent possible) the production, and
- Showing that the company, in general, has done everything possible to respect at least the spirit of the foreign privacy laws
This process is not easy, and certainly not foolproof, but may well be critical in the event a foreign data authority ever questions the situation.
The important thing to remember is that things are different for companies having to produce, for U.S. litigation, information from abroad. Simply issuing a litigation hold, then searching for, collecting and producing this information in the same way as is done at home may be a very costly mistake.