Let’s face it: technology has made the world smaller. It’s no longer extraordinary for what was once termed a “mid-sized” or “regional” company to trade and outsource in foreign markets. Indeed, the Internet has made it possible—even probable—that the storied “mom and pop” shops of Americana reach millions of potential customers across the globe, rendering them active participants in international commerce.
International trade means international litigation. Not surprisingly, then, studies have suggested “double digit growth” in the global e-discovery market over the next few years. Put another way, experts expect the international e-discovery market to expand by approximately 15% annually—from $1.7 billion in 2013 to $2.9 billion by 2017.
Of the many issues that global litigants will grapple with in the coming years, international privacy laws will no doubt be at the forefront. For example, what was virtually buried under the debris of Judge Peck’s groundbreaking TAR decision in Da Silva Moore was the fact that plaintiffs sought the ESI of the defendants’ CEO—who was based in France. Citing the Sedona Conference International Principles on Discovery, Disclosure & Data Protection – which provide that “[w]ith regard to data that is subject to preservation, disclosure, or discovery, courts and parties should demonstrate due respect to the Data Protection Laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws” – the court concluded that because Monsieur Fleuriot’s emails were stored in France, they were likely covered by the French privacy laws and blocking statutes, thus making him an unsuitable candidate for a “first-phase custodian.”
Data privacy laws and blocking statutes would have been only a couple of the major hurdles that litigants like the Da Silva plaintiffs would have to overcome in order to get their hands on emails residing in member states of the European Union. While the Hague Evidence Convention appears to cover conflicts on discovery laws, there exists a fundamental disconnect between how the treaty is interpreted and applied. On the one hand, the EU considers privacy (or data protection) to be a human right. Full stop. Courts in the United States, however, seem to view the issues more pragmatically—favoring a “balancing of the interests test” in the name of international comity.
Given the discrepancy in how data protection is treated between the United States and its counterparts overseas, EU member states have evinced a certain level of distrust of US courts in permitting the transfer of protected data, even for discovery purposes. Specifically, one of the legal bases that a litigant must demonstrate in order to compel the production of “private” data is “adequate protection”—i.e., that the processing country will provide adequate protection of the individual’s fundamental privacy rights. Needless to say, the EU has not traditionally viewed the United States as an “adequate country.”
Of course, the EU is not the only global citizen to enter into the fray. While China continues to make its mark on the global economy, US courts are struggling to make heads or tails of the country’s relatively impenetrable legal system. For example, China’s Accounting Archives Management Measures, which prohibit the export of a company’s “accounting archives,” can make it troublesome for U.S. litigants to obtain financial data residing in China. Moreover, due to the fairly ubiquitous role of the Chinese government in the nation’s commerce, state-owned companies are far more prevalent than one might think, giving rise to issues of state secrecy under the China State Secrets Law (which provides that the Chinese government shall be the final arbiter on what constitutes a “state secret” that is protected from disclosure).
What does this mean for the proactive? For those companies with operations all over the world, there are certain measures they can take in order to be prepared—both offensively and, in some cases, more importantly, defensively:
Map Your Data: Large companies should have maps of their data, just like they have maps of their operations. They should be as familiar with the locations of their servers, data warehouses, clouds and even third party storage vendors, as they are with each of their manufacturing plants, customer service centers, or corporate headquarters.
Define Access To Data: Is it absolutely necessary for the manufacturing plant in Austin, Texas to have access to the financial records of the facility in Shanghai? Weeding out unnecessary access to data residing on foreign soil may not only be an effective cost-cutting measure; it might also prove useful in protecting that material from disclosure in the future.
Understand The Law Of Your Data’s Home: The laws of each foreign jurisdiction are unique. Even the member states of the EU will not apply the law uniformly. Accordingly, it is imperative that companies with international operations educate themselves on the ever-evolving privacy laws of their lands.
Consider Consolidation: While geography and freight may play a large role in where a company’s primary manufacturing plant must be, technology provides companies with much more flexibility in determining where one’s data should be headquartered. Centralizing the data into a consolidated repository in a favorable jurisdiction may prevent headaches in the future.
Know Your Data: Finally, it’s not just the “where” that makes a difference when it comes to privacy laws. The “what” can be just as (if not more) important. Not all types of data are created equal in the eyes of privacy law. In some jurisdictions, personal data (i.e., data that reflects name, gender, etc.) can be entitled to far more protection than other types. Banking information may also be subject to stricter privacy laws.