Data privacy laws are proliferating in the United States and abroad. While the headliners are Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), those statutes are only the tip of the iceberg. Data privacy laws—in particular foreign laws that restrict the transfer of potentially relevant documents to the U.S.—fundamentally conflict with comprehensive U.S. discovery obligations, often resulting in irreconcilable priorities in transnational litigation, arbitration, and investigations. Fortunately, advances in technology and intelligent workflows empower practitioners to successfully navigate this conflict of laws. This article presents four such strategies:
1. Plan Early and Carefully
At the onset of a dispute, most attorneys—whether in-house or outside counsel—typically react with a narrow focus on the merits: what are my claims and defenses, what is my exposure, who are my witnesses? However, even disputes that appear to be entirely domestic (e.g., Delaware parties in a Texas court applying state law to local conduct) can trigger cross-border discovery obligations if potentially relevant documents happen to reside abroad (e.g., if a party’s parent, subsidiary, affiliate, agent, or IT service provider resides abroad). Thus, it is imperative that counsel promptly assess whether (and how) evidence located abroad may impact the discovery process.
If foreign sources of potential evidence are identified within a jurisdiction that has a data privacy statute (or other regulation restricting the transfer of that data to the U.S.), counsel should proactively raise that issue with its adversary (and as necessary, the court) to identify workarounds. In addition to the other recommendations in this article, specific provisions in a discovery stipulation and order can address many of these concerns, including:
- a rolling production schedule for documents that may need to be reviewed and/or redacted abroad;
- confidentiality and information security provisions, including permission to file documents with personal information under seal and provisions governing how the receiving party will protect personal data; and
- agreements on the use of redactions to make personal data anonymous in order to mitigate the impact of foreign privacy laws.
The failure to raise such issues in a timely manner can have drastic consequences. In a decision out of Nevada, Jacobs v. Las Vegas Sands, et al., Index No. 10-A-627691 (Dist. Ct. Clark Co., March 6, 2015), substantial sanctions were imposed against one of the defendants in connection with its efforts to navigate the data privacy laws of Macau. The Jacobs court went out of its way to chastise counsel for failing to raise data privacy laws or their impact on discovery during the parties’ Rule 16 meet-and-confers or in their joint stipulation on discovery.
2. Look for an Applicable Exception
Many data privacy laws prohibit transferring personal information to third parties (and/or third countries) but then establish exceptions that are relevant to the context of cross-border e-discovery. Article 49(1)(e) of GDPR, for example, permits the transfer of personal information abroad where such “transfer is necessary for the establishment, exercise or defence of legal claims.” Likewise, section 1798.145(a) of the CCPA provides that the obligations imposed by the CCPA “shall not restrict a business’ ability to…(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities…[OR] (4) exercise or defend legal claims.” Practitioners should assess whether they can take safe harbor in such exceptions, as well as the practical nuances involved. For example, GDPR Art. 49(1)(e) arguably requires that relevant data be “minimized” abroad before being brought to the U.S.
3. Conduct E-Discovery “In-Country”
One of the surest ways to comply with data privacy–related restrictions on transferring data abroad is to execute as much of the e-discovery process as possible in the jurisdiction where the data resides. By processing, deduplicating, and running search terms and data filters against the data abroad, as much as 80–90% can be filtered out. Further reductions can occur by conducting a responsiveness and privilege review abroad. Ultimately, if the only data that is transferred to the U.S. is the “production set,” the party’s exposure under local privacy laws is substantially mitigated, if not completely neutralized (e.g., under Article 49(1)(e) of the GDPR).
Thus, parties should look for service providers with infrastructure (e.g., data centers and project management teams) in the jurisdiction where the data is located, or in another country that provides an “adequate level of protection” and thus can receive personal information. Even better, some service providers can travel to the client’s offices or data centers abroad and establish a temporary, on-premises e-discovery environment to collect, process, review, and redact documents in-country. Such service providers are also likely to have data privacy consulting expertise. In the complex and nuanced intersection of U.S. and foreign legal obligations, your service provider should be your partner and trusted advisor, not merely a resource to execute tasks on command.
4. Use Advanced Technology
Finally, take advantage of advanced technology that can be introduced to the e-discovery workflow to foster a streamlined, cost-efficient process. For example, regular expression scripting software empowers you to automate searches for certain categories of personal information within the data set. Once identified, such data can be set aside for a separate privacy review, redaction, or approval from data subjects or foreign regulators. Meanwhile, the remainder of the data set that did not “hit” on the personal data search can potentially be transferred to the U.S. for a traditional e-discovery workflow and rolling production. Emerging technologies also facilitate the automated redaction of certain types of personal information. This results in a far more efficient and reliable privacy review. Through redaction, personal information can be removed from the data set, rendering it outside the scope of foreign privacy law altogether.
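The triage described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any e-discovery product; the three patterns, the placeholder format, and the sample documents are assumptions constructed for illustration.

```python
import re

# Illustrative patterns (assumptions); a real matter needs a jurisdiction-specific set.
PATTERNS = {
    "EMAIL": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "PHONE": re.compile(r"(?<!\w)\+\d{1,3}(?:[ -]?\d){6,12}\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"),
}

def iban_valid(candidate):
    """ISO 13616 mod-97 check; discards reference numbers that only look like IBANs."""
    s = candidate.replace(" ", "")
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def find_hits(text):
    """Return sorted (start, end, label) spans of personal-data matches."""
    hits = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "IBAN" and not iban_valid(m.group()):
                continue
            hits.append((m.start(), m.end(), label))
    return sorted(hits)

def redact(text, hits):
    """Replace each span with a typed placeholder, skipping overlapping spans."""
    out, pos = [], 0
    for start, end, label in hits:
        if start < pos:
            continue
        out += [text[pos:start], f"[REDACTED-{label}]"]
        pos = end
    return "".join(out) + text[pos:]

def triage(docs):
    """Split documents into a privacy-review queue (hits) and a transfer set (no hits)."""
    review, transfer = {}, []
    for doc_id, text in docs.items():
        hits = find_hits(text)
        if hits:
            review[doc_id] = redact(text, hits)
        else:
            transfer.append(doc_id)
    return review, transfer

# Constructed sample documents, not real data.
DOCS = {
    "DOC-001": "Please wire to DE89 3704 0044 0532 0130 00, contact anna.schmidt@example.com or +49 30 1234567.",
    "DOC-002": "Contract ref AB12 3456 7890 1234 renewed for the 2019 term.",
    "DOC-003": "Meeting moved to conference room 4; agenda attached.",
}
REVIEW, TRANSFER = triage(DOCS)
```

Patterns like these catch only structured identifiers; names and free-text personal details pass through unmatched, so a "no hit" result is a screening signal rather than proof that a document contains no personal data.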