Transcript

Angela Navarro: [0:06] Hello, everyone. My name is Angela Navarro. Welcome to today's webcast, Part 2 of this three-part Global E-Discovery Series. This event focuses on Europe and is brought to you by Corporate Counsel and sponsored by FTI Technology.

[0:21] I will help moderate this event, but before we get to the topic, let's get some simple housekeeping items out of the way.

[0:28] If you have a question for one of our speakers, please enter it into the Q&A widget on your console. We will endeavor to answer your questions throughout the presentation. We invite you to ask away. If we don't get to your question, you may receive an email response.

[0:45] In addition, there are some other customizable functions to be aware of. Every window you currently see, from the slide window to the Q&A panel, can either be enlarged or collapsed. If you want to change the look and feel of your console, go right ahead.

[1:01] As a reminder, this presentation is being recorded and will be made available to all registrants. Closed captioning is also available below your slide view in your audience screen.

[1:13] Now, let's look at the agenda for today.

[1:17] The agenda for today will begin with an overview of data privacy in Europe, including the legislative landscape and other protections on our data. Our experts will then provide some practical guidance on addressing data privacy concerns. We'll conclude by answering questions from our audience using the Q&A tool and sharing some additional resources.

[1:38] Now, let's meet today's speakers.

[1:41] Denise E. Backhouse is a shareholder with Littler Mendelson. She focuses on litigating the e-discovery aspects of class and collective actions, leveraging her significant international experience to help clients with cross-border discovery matters. She has engaged in e-discovery motion practice in multiple jurisdictions and has worked on discovery responses to the SEC, FINRA, DOJ, FTC, and state attorneys general.

[2:08] Ms. Backhouse is a member of the Sedona Conference international and e-discovery working groups, co-chair of the 2014 International Programme in London and a contributing editor to the Primer on Social Media. She is also a member of the International Association of Privacy Professionals and a Certified Information Privacy Professional for Europe.

[2:29] Welcome, Denise. Thank you so much for joining us today.

Denise E. Backhouse: [2:32] Thank you, Angela.

Angela: [2:35] Chris Dale of the UK-based eDisclosure Information Project, which disseminates information about the court rules, the problems and the technology to lawyers and their clients, to judges, and to suppliers. He was a member of Senior Master Whitaker's Working Party which drafted the 2010 e-Disclosure Practice Direction and the Electronic Documents Questionnaire.

[2:57] Chris Dale was a litigation partner in London and then a litigation software developer and litigation support consultant before turning to commentary on electronic disclosure and discovery. He writes an authoritative and objective website and blog on the subject, and is a well-known speaker and commentator in the UK and the US.

[3:15] Welcome, Chris. We appreciate you joining us.

Chris Dale: [3:18] Thank you very much. It's good to be here.

Angela: [3:21] Finally, Craig Earnshaw is a Senior Managing Director in FTI's technology segment, based in a London office, which he founded in 2006. Craig provides specific counsel to clients in the areas of European Union based evidence collection and disclosure, computer-based forensic and electronic data hosting for litigation and regulatory inquiries.

[3:42] His engagement experience includes multi-jurisdictional investigations and regulatory inquiries related to anti-competitive behavior, cartels and price fixing, in addition to fraud, bribery, and corruption investigations, intellectual property theft, and online libel.

[3:59] Craig has provided both written and oral expert evidence in the High Court in London, and has testified at depositions in the United States as well as submitting expert written evidence into such forums as employment tribunals and arbitrations.

[4:14] Welcome, Craig. We're so happy to have you today.

Craig Earnshaw: [4:17] Thank you very much, Angela. Pleasure to be here.

Angela: [4:20] With that, I'd like to turn the call over to our first speaker for today, Chris Dale. Chris, please go ahead.

Chris: [4:27] I've been given the task of describing Europe, because I suppose I frequently find myself in the US as the representative of big, bad Europe. It's always getting in the way of the legitimate demands of US authorities seeking discovery.

[4:44] What is Europe? Well, it's has a common name, the EU for many purposes, but it's important to realize that it's made up of a lot of disparate countries, and each of those countries is a legal jurisdiction in its own right.

[5:01] For example, where I come from, the UK, England and Wales, Great Britain, they're all different. They all describe different areas and different legal jurisdictions. One of the first points, and a point that we'll make as we go along, is that you must get advice in relation to the jurisdiction in which you are working, and not consider that the EU is a single place, for the purposes of discovery legislation.

[5:34] We move on to the next slide. We consider why it is that the EU is the first place to develop privacy regulation. The picture there is of a camp. It's not clear in which conflicts that camp was set up, but the point is that we have a history in Europe of other countries pouring over our borders and taking people off to camps because their names are on a list because of their political affiliations or their sexual orientation, or for some other reason that marks them down as being different.

[6:13] That has given us an early idea that privacy is an important thing to us. It's a fundamental human right, and that's a right which conflicts quite often with US ideas of openness, which is a feature of litigation and regulatory demands.

[6:37] Moving on, there are various components of privacy. Moving on from the where, if you like, to the what.

[6:49] It's not all data we're talking, not every bit of data that's subject to the protections that we're talking about. The data that we're concerned about primarily is personally identifiable information, which is generally reduced to PII.

[7:05] PII is information that can be used to identify an individual. That's more than just the name or the address, an email address, the place in which they were born -- some national identifying number, social security or some similar number.

[7:22] All these things are components of identification. Modern technology is such, as many of you will know, that you don't need all the components to be able to assemble them together to identify a person. In other words, the protection of PII is becoming harder as technology is getting better at marrying up the components of identity.

[7:47] In addition to the broad concept of PII, there's a category in Europe called sensitive personal information. That is of specific kinds. Things like race, religion, and trade union affiliation -- the sorts of things which deserve protection because history has shown that people get identified, pulled out, sent to camps, perhaps, treated differently because of some personal characteristic.

[8:18] The definition of PII specifically excludes information which is either anonymized, so that you are unable to identify a particular person, or which is aggregated. That itself raises interesting questions. If data is aggregated, is it still possible using modern technology to identify an individual? Increasingly it is so. For that reason amongst others, we're becoming increasingly cautious about private data.

[8:50] Moving onto the legislative framework, where do we look to for authority for the protection, the primary bit of legislation is an EU-wide directive from 1995, the European Data Directive. Each state of the EU implements it in a different way.

[9:13] In other words, the Directive required each country to implement its own laws that picked up the essential components of the EU Directive.

[9:25] Switzerland, it's important to realize, is not part of the EU, but it has its own legislation, for example, in relation to Safe Harbor, that parallels, either expressly or in practice, the restrictions of the EU. Indeed, it has even tougher regulations in many respects, particularly in relation to financial information.

[9:48] The people who are responsible, the ones who are in the front line when blame is to be handed out, all the data controllers and the data processors who are given the statutory responsibility. Companies have to identify who it is that is their data controller, for example. Particular responsibilities fall on them.

[10:10] There are penalties for both personal and corporate, for breaches of the various laws. Those penalties are likely to be going up following various changes in EU legislation, in part brought about by the increasing fears that I've talked about earlier.

[10:35] It's important, therefore, to companies to be aware that they are actually holding personally identifiable information. There's a temptation perhaps to think, "Well, we're not a credit card company. We're not a mail-order company. We don't have PII."

[10:50] Well, that's almost certainly wrong. Almost every HR department, for example, is holding information that falls under the heading of PII, a very, very broad definition.

[11:02] We know from the Enron data, for example, which has recently been analyzed, having been used by everybody for many years as a sample database, it has now become apparent recently that the Enron data is stuffed with personally identifiable information that should never have been kept at all, let alone promulgated in the way that everybody has been doing it.

[11:30] If we go onto the next slide, we see that the legislation I talked about is not the only other source of protection of data. France, for example, is the country most easily identified as one that is very restrictive about data. It has blocking statutes which are deliberately designed to frustrate American discovery. They say in terms that is what they exist for.

[11:58] That tends to upset US courts even more than the EU privacy legislation. The idea that a country creates restraints, especially to get in the way of American discovery, is not something that goes down well with American courts, and they tend to discount blocking statutes for that reason. Nevertheless, they are the law in France and in some other countries.

[12:25] The Christopher X case referred to as a specific example of a lawyer who was punished for breach of a French blocking statute.

[12:37] It goes beyond that. Employment laws in different countries offer protection, and rightly in my view, to employees. The US idea that everything, as employees, effectively, all his or her data is the property of the company. It's not one that we find attractive in the EU. Every jurisdiction has its own restraints on what information can be kept, let alone released about employees.

[13:07] In Germany, in particular, there are work councils, which is an ancient idea, or at least is a 100-year-old idea. Works councils weren't invented to deal with data protection. They've been around since, I think, 1919 in Germany, where in certain industries, there is a body called the Works Council with whom it's necessary to consult before data is removed or dealt with in any way that's inconsistent with the expectations and the norms.

[13:40] Beyond that again, there are specific export controls -- defense, armaments, and so on -- have their own restraints country by country, which provides specific bars on the export of data. If your litigation involves or touches on any of those industries, then there will be specific controls and restraints on top of the privacy restrictions that we've talked about. And there may well be others.

[14:14] The nature of these things is that, inevitably, they conflict with the demands of the Federal Rules of Civil Procedure. The idea that an American lawyer turns up and says, "I have here the order of an American court" doesn't cut much ice in the face of the sort of restraints that I've mentioned.

[14:37] Denise is going to take up from here and tell us how you deal with those.

Denise: [14:44] Thank you, Chris. A very excellent overview of the framework of data privacy and data protection in Europe. Looking at this from the US perspective, how do you react if you find that you are, indeed, involved in litigation in the US that implicates non-US sources of data?

[15:02] That's an increasingly common fact of life for parties in the US. Companies with global operations are routinely having to deal with this issue, confront it, and come up with protocols for addressing it.

[15:18] As many people on this call will be aware, you have a very limited timeframe for reacting and putting together a data preservation protocol that is going to insure that data isn't deleted. The fact that the data does not reside in the US, if it's relevant, will not get you an automatic [indecipherable 0:15:36] . So this is something you need to identify and confront as early as possible.

[15:43] Some of the questions that you need to ask yourself, the nature of the data, what's implicated. Sometimes data that resides in the EU already resides in the US. All of these factors are going to be important in setting the strength of you argument and how you are going to present this to the other side and to the court.

[16:04] For example, if you have an email server in the EU that is being replicated in the US, it's going to be very hard to argue that that kind of data is protected by European data protection laws from the US perspective.

[16:23] In terms of assessing which laws might apply, that can be very challenging. The Directive as enacted in a different country makes it clear that the location of the controller, and where there isn't a controller, there are other factors that can apply.

[16:39] In reality, that's often a split answer. I've often been in the situation where, potentially, you have multiple regulators who might have an interest in seeing how data is processed and disposed of in relation to US litigation. So, there's often not a simple answer to that and you have to take into account multiple different approaches to data privacy in the different locations where the data may reside or where there might be an interest.

[17:12] On the next slide, looking at the practical aspects of what you must actually do to produce the data, with an eye on Rule 26(b)(2)(b) under the Federal Rules of Civil Procedure, you may have an argument that you can develop that the burden or expense of producing the data from Europe outweighs the likely benefits.

[17:40] In that case, you are going to need to establish a number of factors that are disproportionate to the needs of the case. You need to take into the account the amount in controversy. The court will assess the party's resources to see what is reasonable for any particular party to do.

[17:58] You need to think about the importance of the particular data for the issues in the matter and in relation to actually resolving the dispute.

[18:07] It's not a straightforward argument to make and it's rarely going to get you a complete [indecipherable 0:18:12-0:18:19] that the court is likely going to pursue in terms of discovery.

[18:26] You need to be very specific when you are making these arguments. It really will not be enough to tell the court that it's urgent. You need to be able to quantify the kind of burden that is going to be involved in terms of assets, which can be hours, or the amount of resources that are going to be taken within a company, actual hard costs involved. And you need to be clear that you've investigated it.

[18:55] If one of your arguments is that it's going to be difficult dealing with multiple foreign authorities, you shouldn't be making those kinds of arguments in a vacuum. You need to show that you really have tried to do this, and that the authorities that you approached are vindicated that they are going to be interested in the data, and they are going to be taking an active role in controlling what's happening.

[19:21] So, the courts are generally looking for very concrete information, and will not look kindly on general assertions that it's too hard.

[19:31] One of the ways that you can approach this, apart from trying to get the foreign data taken off the table altogether, is to look for ways in the US to approach the subject of depots. One of the ways you might do this is to say to discovery, "look for ways to narrow or limit the data that is coming from those extra-US sources."

[19:54] We will discuss that in detail a little further along, but thinking creatively about how you can meet your obligations while actually moving forward with that US-style litigation outlook. Production, on day one from those sources, is going to be one of your chief approaches to managing the US court.

[20:17] I want to say another word here about using a third party to manage data, and not falling in a common situation, where for example, IT is outsourcing email archives or collaborative tools in the cloud, data being stored in the cloud. Data protection laws in Europe have a great obligation for so-called data processors, as well.

[20:45] Under that patent, where you have a third party involved, it is possible that the third party may take an approach that's not completely aligned with the interest of the data controller who placed that data with the third-party. It's something you need to account for in terms of time, and also to take transactions. Something you need to document properly, it's not uncommon for third parties in Europe to take positions at the data companies.

[21:18] I've even had some data positions that they can't make information available to accounts within the US, because that would be a violation of the law. For example, in one case, I recall data under legal holding by a third party was lost in migration, and we couldn't actually get a list of the names of the custodians whose data was lost.

[21:42] So, I'm anticipating that there could be certain issues where you have data outsourced to third parties with another one of those issues that you need to put on the table early.

[21:54] In the next slide...We talked a little bit about the idea of proportionality as an argument [indecipherable 0:22:05] ought to unburden. In the phase of discovery, you can take into account other sources of data. So, if we could look at the next slide, please?

Angela: [22:34] Now, Denise, this slide talks about, I guess the issue of compliance is not feasible and you cannot reach agreement with the requesting party, and some suggestions on how you can be prepared for a discovery dispute?

Denise: [22:49] Yes. It's organizing these items of value, plus the data you've worked over for the third parties involved, and you've taken some preliminary measures to scope out what was involved in preservation. We'll move along with the various methods of opposing counsel. Ideally, you are going to be aware of this early, and you'll be able to raise it during the primary conference before court.

[23:15] If you look at your data and decided that really, you can't comply without in some way infringing on the laws in Europe. For example, the data does include personally identifiable information that would be subject to protection if it is extradited to the US, and there's no easy way to make any kinds of arguments that is not going to be made available. You're going to need to move along and deal with an opposing counsel.

[23:51] In slide 14, we're prepared to educate the court, especially depending on this. This may be a very novel issue for a court to deal with. They may have never come across it before, and we need to raise it early and be prepared to substantiate early.

[24:12] Don't assume that your judge is going to understand what your positions are, and opposing counsel will generally not come across this issue, or be able to address it effectively.

[24:27] Educating the court, seeking support from the authorities. A number of judges who are well versed in this area have expressed that when the data protection authority actually comes in, we really do have an interest in this data.

[24:45] This is something that we are going to be concerned about this goes before a US court. That can be extremely persuasive to a US court in ways that general arguments about [indecipherable 0:24:56] may not see. That's something that's going to be available, definitely looking to getting support from your authority.

[25:06] On the flip side of that, there have been cases where parties have approached authorities in Europe and the authorities have said, "This is something we're very concerned about." In which case, if you already told the court that some things are unavailable, you need that information from the authorities [indecipherable 0:25:24] earlier stage, before you make those kinds of representations, making those overtures early if it's practical is something you need to consider.

[25:38] You can get familiar with different sources of information with your client organization. It's also going to be paged. This goes to [indecipherable 0:25:45] phasing of discovery, and looking for alternate sources. For example, if the opposing party is taking all emails for five years in a particular range of subjects, and what they really want is sales data, it may be that there is a source of data that controls the kind of information that's really sought here, but does not contain PI. In which case, you can proceed and offer up that other source of data, or perhaps a structured data report, rather than looking at emails, which by their own nature will contain personally identifiable information.

[26:24] Another way that this can sometimes be approached is that, if you have equal witnesses or custodians in different locations, you may be able to work with one custodian and defer or put off the other custodian's data and custody and just proceed with the US side of things.

[26:45] There are a number of ways you can go about that phase in discovery is another, hugely helpful thing to do. As a practical matter, it takes much longer to organize things when you're going after data in Europe. You don't have a ready response team, either in the market or on the client side, so the organization that goes into it, the technology and vendor selection, all of that takes more time than it would probably do in the United States. So, as a practical matter, you can find more time to deal with things in other jurisdictions.

[27:21] Another practical effect of that is the more you can defer the production, it may be that you find what other sources are available. As the facts developed, as some items dropped out of the development criteria, the other issue is that most cases settle.

[27:41] So, if you got to the point where you preserve data, then go ahead, process it and transfer it, you're effectively minimizing the amount of violation of the [indecipherable 0:27:53] laws, [indecipherable 0:27:55] actions that are taken in litigation in the US.

[28:01] Moving to the next slide, one argument that you see people trying to put forward from time to time under the federal or civil procedure is the data not reasonably accessible. Under the Rule 26(b)(2)(b) of the Federal Rules of Civil Procedure, there is a carve out [indecipherable 0:28:23] for data that isn't reasonably accessible due to costs or burdens.

[28:32] However, this really is generally a practical standard. That is the kind of argument that you might be able to apply successfully to a legacy database, or some data that was going to be restored from backup media, that kind of thing. But as an actual technical barrier, being able to produce the data is not reasonably accessible.

[29:03] Even if you had a technical argument, you need to be prepared to demonstrate the [indecipherable 0:29:05] what the costs would be, and be very concrete about the kind of arguments that you would go forward.

[29:13] The court, nevertheless, even if there is a technical argument, may compel production for good cause. I have not seen a court actually grant this for inaccessibility due to foreign laws, so it's not going to be a strong argument. Generally, there are certain dry runs to see if the court has an argument, or any kind of history of accepting that.

[29:45] Moving on to the next slide, one place that we can look for guidance on how to conduct discovery from EU sources in the US [indecipherable 0:30:04] Article 29 Working Party.

[30:08] The Article 29 Working Party was created under the EU Directive you heard about earlier, to include a member from each of the national data protection authorities.

[30:20] Each member state puts forward a member for the Working Party, and they consider a range of issues in implementing and understanding constraints [indecipherable 0:30:31] the Directive and providing guidance. It's non-binding guidance. It's not something that these countries have to comply with, nevertheless, let's explain the phrases, and there's a huge range of topics they will touch on.

[30:48] Back in 2009, Article 29 WP-158, which specifically deals with pre-trial discovery for both cross-borders and civil litigation. There are a number of issues in that title alone. We're talking about pre-trial discovery here. We'll discuss a little bit later on the extent that [indecipherable 0:31:12] party goes into discovery, it's really not considered for the US trial discovery. The matter is actually in trial before the court, so practically all the discovery we're doing in Europe is pre-trial.

[31:26] So, there's a specific project there to acknowledge. It's also finding that this is a civil litigation. There are other government-to-government rules for facilitating data transfers, if there are national interests involved.

[31:40] So, looking at the Article 29 WP-158, specifically, it wasn't new advice, for the most part. Over the years, a number of statements have been made that were gathered together here to provide general guidance on conducting this cross-border civil litigation discovery.

[32:02] The [indecipherable 0:32:02] practice in data transfer, the vast majority of the data is really about data processing and looking at the issues before data has been transferred, so how we go about processing data in the EU. At the end, [indecipherable 0:32:19] suggestions for the further guidance on transfer, but really that happens in [indecipherable 0:32:22] .

[32:26] Moving to the next slide, we'll look at some of the specific issues that the WP really stipulate. In Slide 17.

[32:38] Data processing and review within the EU is recommended. If you're going to process data, and that's an extremely broad term, that generally encompasses anything in the US that you would be doing by way of preservation of data. It's recommended that you do that within the EU without incurring cross-border transfer type issues.

[33:00] We'll talk a little bit later on about ways that that can be affected using appropriate tools provided by third party vendors, the company that develops specialized processes.

[33:13] The other thing to recommend is having a data composite [indecipherable 0:33:16] of processing. These would include the usual measures that we're taking in the US, [indecipherable 0:33:23] measures on the data while it's still inside the Europe. At the end, you have [indecipherable 0:33:30] which development convince that that really goes to the litigation of the [indecipherable 0:33:37] that miscellaneous data that conducts [indecipherable 0:33:38] in preservation process. It also outlines the data.

[33:45] The transfer guarantees that it can be relied upon [indecipherable 0:33:48] a little bit later. I've outlined some of those. Depending on which jurisdiction in and who verifies, you may need to take into account that the local data protection authority or court may need to be involved, and they may need to get the notice and get their buy-in and feedback on exactly what's being done. Those are some of the issues that are raised and those you can address.

[34:12] Moving into the next slide, Slide 18, how can you leverage the kind of guidance that the Working Party provided for US-EU litigation? As we discussed [indecipherable 0:34:26] e-discovery and focusing volume so that the data can be [indecipherable 0:34:35] in Europe.

[34:37] Alternate source is again key, looking for a way that you can make the same kind of...at the other side the expectations with data that's more available in the US [indecipherable 0:34:50] for information. The key question to ask the other side is, "What you really want out of this data?"

[35:00] It's part of the cooperating and behaving in a reasonable manner. You can also get a little dialogue around the fact that you just don't have the ability to do in Europe everything that you would normally do in the US, and that you can [indecipherable 0:35:16] look at what's really needed without being a [indecipherable 0:35:19] in a way that might occur in the US. But at the same time, this has to be very transparent process.

[35:27] You need to keep the other side informed [indecipherable 0:35:29] , if you're going to avoid some of the issues that we see in the recent case of a court finding a [indecipherable 0:35:37] . [indecipherable 0:35:38] actually take an action that will just not justifiable, for example, taking a too narrow view of preservation and [indecipherable 0:35:48] custodian is important enough to [indecipherable 0:35:54] . Those are things that need to be negotiated and need to make transparent to the other side.

[36:02] Some of the [indecipherable 0:36:04] mechanisms that you might look into. It involves the recommendation that data be anonymized so that you don't [indecipherable 0:36:11] or to lose the personally identifiable information.

[36:20] You can actually [indecipherable 0:36:20] data side of that kind of information. [indecipherable 0:36:24] surrounding transfer, at least under the data privacy rule [indecipherable 0:36:31] . You still may have other issues in terms of [indecipherable 0:36:36] and National Working Statute. [indecipherable 0:36:41] information is addressed in those documents [indecipherable 0:36:42] , of course, problems that are involved.

[36:46] But if you don't have personally identifiable information, you don't [indecipherable 0:36:48] , then your issues are basically resolved.

[36:54] One of the key things that we can do in the US to protect the data is to put in place a robust protective order. The Sedona Conference has put forward seven principles, [indecipherable 0::37:07] processing and transfer of data.

[37:11] That's available at the Sedona Conference website. That includes a model on protective order. In the US, the AVI has been putting up a number of [indecipherable 0:37:24] orders, and there is considerable amount of judicial education going on [indecipherable 0:37:28] resources available to judges so that people have resources to draw on.

[37:34] But a protective order is going to protect new data specifically going to define what the [indecipherable 0:37:40] data is, what special protections are going to be placed around that data. It's going to include an [indecipherable 0:37:48] litigation plan, so that the data isn't left floating out there after the litigation is completed.

[37:57] That's going to be key for compliance with the European data directive [indecipherable 0:38:06] the data in the first place for a specific purpose of which it was collected. Once that purpose is expired, then the right to have that data transferred [indecipherable 0:38:15] and it's important to [indecipherable 0:38:18] principle in a protective order. [indecipherable 0:38:23] the other side, opposing counsel to buy into that.

[38:29] Moving to the next slide, looking at this from the EU perspective, [indecipherable 0:38:38] Article 29 WP-158 guidelines tend to leverage and put in place [indecipherable 0:38:45] through a compliance discovery process. One thing that's going to be key is consulting your local counsel.

[38:54] As Chris has already mentioned, every country has its own version of the Directive. Some of them reproduced the Directive and most of the data. For example, in Belgium, it's pretty much the Directive at its central level.

[39:12] However, there's [indecipherable 0:39:13] interpretation. Other countries have enacted it quite different [indecipherable 0:39:21] responsibility [indecipherable 0:39:23] . If you compare the UK and Germany and all those different versions, there are some very substantial differences that you need to [indecipherable 0:39:31] . Within Germany and within Austria, [indecipherable 0:39:35] .

Angela: [39:44] Thank you for that, Denise. It appears that we've lost your sound quite a bit. Could we try to hear you again?

Denise: [39:51] Sure.

Angela: [39:53] I thank you.

Denise: [39:54] Can you hear that?

Angela: [39:56] Yes, thank you.

Denise: [40:00] One of the issues that Chris Dale said is that you do need to consult with local counsel, local data protection officers, and possibly a work counsel. In terms of understanding what exactly is required under the local law.

[40:14] For example, the Directive has been elected [indecipherable 0:40:17] in certain countries, for example, Belgium. But there are still issues in interpretation [indecipherable 0:40:24] language of the Directive are pretty much there.

[40:28] Then if you look at and compare country to country, the UK, for example, compared to Spain. There are very different positions about what are the grounds for going forward processing data. You need to understand those differences among the different countries.

[40:47] If you're looking at German, at a national level, you need to look at the state level. There's a multitude of different state protection authorities at the state level within different regions of Austria and Germany.

[41:04] Within a corporation, there may be a [indecipherable 0:41:06] designated, but there's a privacy officer. The data privacy officer will generally be dealing with these issues as a transactional matter in Europe.

[41:15] One important thing to bear in mind is that the European [indecipherable 0:41:17] really do not have much to do with the US discovery, since there are [indecipherable 0:41:24] with people [indecipherable 0:41:27] conducting business in Europe.

[41:31] The data privacy officer is dealing with these things as a [indecipherable 0:41:35] matter, as a transactional matter. But they may have already had exposure to litigation and maybe [indecipherable 0:41:42] processes and the requirements.

[41:45] Another place to look for information about the pre-existing [indecipherable 0:41:51] you may be able to leverage litigation is a work counsel. Chris has already mentioned having a pre-existing body sometimes [indecipherable 0:42:02] agreement surrounding data discovery. Sometimes, we need to have in place documentation templates, and you'll require the actual counsel itself to sign off on a protocol and the procedure for data collection and data processing.

[42:23] Then in conjunction with that, they need a digital consent for the custodian who's been implicated. Those are things that you need to take into account and, if they're available, work with them.

[42:39] Although they are sometimes [indecipherable 0:42:42] can go a long way [indecipherable 0:42:43] a way to actually proceed [indecipherable 0:42:47] discovery in the US.

[42:50] Another important [indecipherable 0:42:51] company [indecipherable 0:42:55] by design [indecipherable 0:42:56] .

[42:59] Another familiar concept in the US [indecipherable 0:43:02] , they've suggested that companies implement [indecipherable 0:43:09] on elements in IT infrastructure.

[43:11] You may have already in place technology that's [indecipherable 0:43:16] RPIs, isolating [indecipherable 0:43:19] personal information and otherwise marking data or creating data set that you can categorize ahead of time without further [indecipherable 0:43:30] analysis of the data. Processing the data in the EU with credential third party. Craig, is that something you'd like to comment on?

Craig: [43:43] Yeah, thanks, Denise. When it comes to purchasing data within the EU, there's actually a spectrum of options that a client can take in relation to the document review process. It's [indecipherable 0:43:54] various aspects of data privacy and the other legislations that we've been referencing so far today.

[44:02] Based in that spectrum of options, [indecipherable 0:44:05] provides a sliding scale of volume of the documents that are transferred outside of Europe, or the country of origin of the documents, the US.

[44:16] Typically, to look at that spectrum, I think at one end of the spectrum, you'd essentially be looking at scenarios where you'd be dealing with the data collection within Europe.

[44:26] All of that data is collected without any filtering, without any [indecipherable 0:44:29] , without any review is transferred wholesale to the United States subject to some of the provisions that we're going to be talking about shortly in terms of transferred data.

[44:42] In the middle of that spectrum, you'd be potentially looking at a scenario that informs the hosting phase documents from within Europe for review within a data transferring [indecipherable 0:44:54] with traditionally [indecipherable 0:44:57] in the US.

[45:00] You would only transfer the relevant documents to the US post [indecipherable 0:45:04] process. Therefore, [indecipherable 0:45:06] practically, the smallest population of documents becomes transferred to the US. Those that are transferred have already been reviewed and identified as being relevant.

[45:16] Now, that middle ground on the spectrum could really be broken down into two further parts. The first one as being posting, posting the data within Europe and with you [indecipherable 0:45:29] responsive material back from the US. Basically, if your review is based in the US, your data remains within Europe.

[45:39] Or, tentatively, you could actually post the data for review within Europe and actually perform the review in Europe. Say, for example, work with European co-counsel, work with possibly your cohorts or European officers or bring it with you into the country to insure that a review is performed in the country.

[46:01] Then at the far end of the spectrum is a different approach entirely, which is effectively looking at the collection and review of all of the documents associated with the matter in the country of origin. That may be within the client's offices or within counsel's offices in a country, either by way of using an in-country data center if you're operating in a country that has technology service providers.

[46:31] You can actually host data within that jurisdiction. Or, alternatively, utilizing a mobile document process review environment. If you were to go down this country, you're effectively looking at the smallest volume of documents being transferred as only the relevant documents are coming outside of the jurisdiction of the [indecipherable 0:46:52] Europe.

[46:54] You're then looking at the additional compliance [indecipherable 0:46:56] with additional legislation that sits within that particular country. It is worth noting that a few jurisdictions within Europe, say, places like the UK or Germany are likely to see providers within country data centers.

[47:15] For the majority of European jurisdictions, as well as many [indecipherable 0:47:18] , you might need to look at utilizing a lot of mobile document review environments to actually make that possible. Those environments could, at the small end of things, exist as small as one laptop is concerned.

[47:34] You have a small scale document review environment on a simple laptop. Or, tentatively, if you've got a large scale review that you've performed, you might be looking at a technology platform that's got multiple servers within it that's able to process terabytes of data and support of hundreds of reviewers so that there's a variety of different ways in which those mobile platforms could actually be deployed.

[48:07] I'm going to pass it back to Denise to touch on some of the data transfer guidelines that have been referenced on a couple of occasions.

Denise: [48:15] Thanks, Craig. The WP-158 outlines the cross-border transfer mechanisms that may be available. You need to confirm what's going to work under the particular circumstances. This may include having a contract in place so that the US affiliate of an EU company can receive the data.

[48:42] If that's the mechanism that they're using, you may need to also take into account that the data is going to pass on then to the US entity, possibly to a data processor, and the US [indecipherable 0:48:57] hosting further processing. It also will be potentially produced to the court and to other parties.

[49:10] Those transfer mechanisms only get to so far [indecipherable 0:49:13] to have mechanisms in place to insure that the data is being properly kept under the [indecipherable 0:49:21] protect the data while it's being used in litigation.

[49:27] Another mechanism found in corporate rules is the EU company has been able to put back in place. Then, essentially, the Directive umbrella extends over the globe and you can use the data, but then you've got those third party type issues.

[49:42] Another mechanism that supports its transfer is the Safe Harbor provision. Craig, would you like to talk about that a little bit?

Craig: [49:55] The Safe Harbor certification was perceptually put in place between the European connection and the US Department of Commerce as a mechanism to enable transfer of data between the US and...Sorry, between Europe and the US. It was also [indecipherable 0:50:15] second element in place that enabled transfer between Switzerland and the US.

[50:24] Be cautious about the application of Safe Harbor certification. From our perspective, it's one of those areas that clients often ask us about as a technology service provider working in a relation to cross-border European-US matter.

[50:44] Don't make the assumption that, as FTI is a Safe Harbor certified organization, that Safe Harbor certification can be utilized as the bridge to enable the transfer of the data from Europe to the US.

[51:01] However, the caution that goes with that is that that Safe Harbor certification doesn't provide for the onwards transfer from FTI in the US to a third party organization, such as counsel here needing to perform review of the documents or to allow the onward transfer as part of the disclosure of those documents in a [indecipherable 0:51:26] or a regulatory investigation.

[51:31] It does provide legal access to the material, but it doesn't provide things like onward transfer. It's something to be cautious about.

Denise: [51:42] Looking at Slide 20, this outlines where data can be transferred from the US, and specifically included in the Directives are the European Union itself along with the [indecipherable 0:51:57] in Norway. In addition, the Working Party has found that there are adequate protections in the countries listed.

[52:08] We have the limited agreements, as described by Craig, in the US, and the [indecipherable 0:52:12] Australia. They didn't take certain types of data. Outside of data management, and it indicated the US and Australia [indecipherable 0:52:22] for specific transactional purposes and [indecipherable 0:52:25] . You still need to think about those transfer issues. Moving to the final slide.

Angela: [52:41] Thank you, Denise. This one is on not approved countries and dealing with cross-border data transfer.

Denise: [52:49] We outlined some of the issues already on this, but looking at one that we have not really touched on yet, which is the Hague Convention. There is in place a multinational treaty. Many members of Europe and, of course, the States have signed onto it. Even those that haven't will often abide by it if you use the mechanism to do something similar.

[53:10] However, there are difficulties with using it. Many countries don't agree to use it for pretrial discovery. It's often an extremely slow mechanism, and most especially, US courts have found that parties are not obligated to resort to the Hague since that the Federal Rules of Civil Procedure or equivalent apply. We don't see the Hague used as much as you might expect. It's there to facilitate exactly this kind of exchange.

Chris: [53:41] I can speak up a bit for the Hague Convention. I think there's grown up attendance in the US certainly to dismiss it as a means of obtaining cover for transfers. It varies from country to country as to whether the Hague Convention is a useful mechanism. The UK, as it happens, has a pretty good mechanism provided the requests are framed properly for approving transfers. Since the convention is a treaty, there's a strong argument saying that a treaty comes with regulation.

[54:17] I once, for example, condemned the French mechanism in an open forum and was turned on by a French lady who said, "No, no, France is very good, but nobody ever bothers to ask." I treat with some skepticism the general dismissal of the Hague Convention as a mechanism. I think, perhaps, American lawyers and courts might make better use of it than they do.

Denise: [54:44] I think that's right because also there are streamlined ways you can use the Hague. If it's not a positional procedure, you can actually use it quite effectively to cooperate to get the data transferred. However, it's rarely done.

[55:03] [crosstalk]

Denise: [indecipherable 0:55:03] [55:04] we have finished with the slide.

Angela: [55:06] Yeah, thank you, Denise, and thank you, Chris for chiming in there. We now are ready to move into the Q&A section of today's presentation. If we're not able to get your question during today's presentation, you may receive an email response.

[55:19] Moving to the first question, Denise, this one is directed at you. Denise, the question reads, "Would data of an EU citizen stored on US based servers be considered EU data?"

Denise: [55:35] There are two answers to that. One is from the EU perspective. Most likely, it depends on how it got there and how it's being stored. There are a number of issues you'd need to look at, but basically, yes, it may well still be subject to EU protection.

[55:51] However, if you're before a US court, it will be extremely difficult to argue that that data is subject to protection, and to get that kind of protection, we'd otherwise not be able to get in discovery. It's just, as a practical matter, difficult to get that taken [indecipherable 0:56:12] in a US court.

Angela: [56:16] Thank you, Denise. We do have a couple more questions coming in, and it looks like we have time for one more. Again, we invite you to submit your questions. You may receive an email response if we're not able to get to them, as it appears that we won't on today's call.

[56:30] Denise, the next question also is directed at you. The question reads, "Is aggregated information potentially revealing a specific entity or individual's transactional partners excluded from protection?"

Denise: [56:46] For the most part, if it's an entity, not an individual, that's not going to constitute personal information. At one stage, some countries did have protection for entity data, but for the most part, that's been amended. The laws across Europe are kind of harmonized in that, partly in preparation to the amendments that we've seen at a central level.

[57:15] If you can identify the person, then the data will contain personal information, and it really depends on what you're doing if it's difficult to reconstruct the data. For example, if you give everybody a code name or code number and somebody has a key that you can unscramble that with, it's still personal information.

[57:35] Nevertheless it's recognized as one potentially legitimate way to protect privacy interests in the data. [indecipherable 0:57:41] It really depends on whether you can identify an individual based on how the data has been organized.

Angela: [57:53] Excellent, thank you. That appears to be all the time we have for today. I would like, once again, to thank our speakers for joining us, Denise Backhouse from Littler Mendelson, Chris Dale of the eDisclosure Information Project, and Craig Earnshaw with FTI Consulting in the technology practice from London.

[58:10] Again, we also would like to thank our audience for joining us. The slides and recording will be made available to all who registered. Than you, and we wish you a good day.

Show full transcript