The conflict between US e-discovery and EU data protection means that many multinational companies have to choose between restricting an e-discovery or acting in breach of data protection legislation. This article considers the possible solutions available for multinational companies.
It is important that companies subject to a legal action are familiar, where required, with the legal position in other jurisdictions. This may be achieved by co-ordination between legal counsels and the sharing of information with their counterparts and the relevant courts on the requirements of European data protection law. Although US courts have become more understanding of the challenges posed by European data protection laws, it is still advantageous to ensure that the court is aware of a company’s individual requirements.
Before entering into discussion with opposing counsel, a company should carry out an internal assessment of its own situation in order to understand how its data processing works, the type of data involved, and where and for how long it is stored. The company should also establish the possible scope of an e-discovery order so that it is aware of any potential issues relating to specific jurisdictions. It should also be aware of the sensitivity of the different categories of data, so that it can assess the level of restrictions on the relevant categories.
Particular Multinational Issues
A company should be aware of the manner and locations in which its processes operate. Many groups of companies may now have virtual employees located across the world communicating with headquarters via internet communications. This trend is making e-discovery much more complex. Many companies are off-shoring and outsourcing their processes, and this has affected data access and monitoring. These processes should therefore also be documented for e-discovery purposes.
IT data management can vary from country to country depending on the technology available. Many companies, however, tend to centralise their data storage, especially with the advances in cloud computing. This means that US-based employees of multinationals often have access to data stored outside of the jurisdiction. Because of the implications of this access, companies should ensure data access across borders is properly managed and documented.
A firm needs to determine which data must be produced under an e-discovery order so that it can obtain the relevant documents. The firm should assess the nature of the data to see whether it is sensitive data relating to employees, customers, or third party individuals. It should also assess whether the disclosure will affect company secrets or confidentiality agreements made with third parties.
The firm should also find out where the anticipated US trial will be held and according to what rules, as rules and standards may vary from state to state.
The firm should establish what legal frameworks should be complied with while conducting an e-discovery outside of the US. This includes a consideration of EU data protection legislation or ‘blocking statutes’ from local jurisdictions. The company should consider who within the company should be tasked with meeting these requirements and whether it would be beneficial to create an internal e-discovery organisation.
One acceptable compromise would be the targeted collection of data with notification provided to the affected employees, followed by a detailed questionnaire in which employees indicate the data sources that they use and notify the company of potentially relevant data. This enables the company to identify data more easily and to comply with transparency provisions under data protection legislation. Companies should also ensure that the names of employees are removed from any content provided.
Many multinationals are beginning to consolidate European data in one jurisdiction in order to streamline any possible e-discovery, as the rules of only one country will have to be applied. For example, Switzerland does not have any formal requirements for a guarantee of adequate data protection so long as the guarantee is adequate.
Protection of data after e-discovery
A company’s duty to protect personal data continues after the data has been transferred to the US. The standard protection procedure is for the US court to issue a protective order. This ensures that business secrets are not disclosed by anybody involved in the proceedings and ensures that the court keeps all records under seal.
The methods described above can assist multinational companies to comply with data protection legislation in Europe (and elsewhere). However, by adopting internal procedures to deal with e-discovery independently of any particular legal matter, a company can build up knowledge and experience over time to deal with such matters, thus reducing the cost and burden of any future e-discovery.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Resolving multinational compliance conflicts (I.C.j.)