Litigation teams face new challenges when an ediscovery project crosses borders – from multilingual data and unique cultural norms to unfamiliar laws, regulations and data privacy practices. In addition, the international data protection landscape is changing and U.S. businesses with global operations need to be prepared. Companies need to think carefully about the risks of transferring data across borders.
To help practitioners navigate these challenges, Kroll Ontrack synthesized information on more than seventeen countries to create a succinct, new guidebook, A Practical Guide to Cross-Border Ediscovery: Insights for U.S. Lawyers.
This guide includes practical insights into how organizations all over the world are managing a wide range of business challenges using ediscovery technology, including:
- Case studies on cross-border litigation and FCPA investigations;
- An “At a Glance” visual map that shows the legal system, applicable rules and ediscovery practices for key countries in the Americas, EMEA and APAC regions;
- Short summaries from experts on the ediscovery landscape in key countries; and
- A timeline of EU Data Privacy and Protection milestones.
Litigation, compliance demands and investigations are part of the regular course of business for U.S. lawyers. With global considerations and cross-border implications, law firms and companies now rely on mobile ediscovery technologies, in-country data centers and local expertise to empower the processing and transferring of data in a compliant and cost-effective manner. This guide is just one way that Kroll Ontrack is here to help attorneys and their counsel thrive and adapt in a changing ediscovery world. Read the new cross-border guide today.
A recent article by my Kroll Ontrack colleagues from across the pond, Lawrence Ryz and Tracey Stretton, details the new EU Data Protection Regulation, which aims to solidify and unify the European Union’s data protection laws. As the Regulation takes effect, American companies with operations or customers in the EU will soon find themselves having to comply with a new set of laws.
US Discovery and EU Privacy Collide
In US litigation, the fundamental principle of broad discovery conflicts with the wide-ranging privacy framework of the European Union. US civil litigation under the Federal Rules of Civil Procedure (FRCP) is premised on the idea that expansive pre-trial discovery cuts to the heart of a dispute because it allows judges to focus on the legal issues with a well-developed record. European law is founded on the idea that citizens have a broad right to privacy, with little government intervention. The strengthened Regulation prohibits the transfer of any personal data processed in the European Union to a country whose privacy laws the EU considers inadequate, such as the United States, which poses a significant conflict with US discovery obligations.
EU Gains Sword to go with its Shield
The extraterritoriality of the new Regulation is particularly worrisome for discovery in the United States. While the European Union has strengthened its shield against data collectors with the Regulation, it has also equipped itself with a shiny new sword. When the fundamental principles of American discovery and European privacy collide in a US court, judges must choose between adhering to the traditional discovery rules of the FRCP and respecting an EU litigant’s legitimate right to privacy. Furthermore, with the addition of pending changes to the EU-US Privacy Shield agreement (a replacement for the Safe Harbor data transfer agreement, which was invalidated by the European Court of Justice last October), the landscape of international data privacy and data transfer laws grows more complex by the day.
Impact on Ediscovery Providers
The current Directive only applies to data controllers, but the Regulation introduces a number of detailed obligations and restrictions on data processors and is therefore likely to have a significant impact on ediscovery providers and those that engage them. In the future, penalties can be imposed on data processors that do not comply with their new responsibilities and, if they act outside of the instructions received from data controllers, they could be held to be joint controllers subject to higher standards of accountability. The new obligations include the following:
- Maintain documentation about the processing operations under their responsibility
- Implement appropriate security measures
- Carry out data protection impact assessments
- Obtain prior authorization or undertake prior consultation
- Comply with the international data transfer requirements
- Cooperate with a supervisory authority
For more on the new EU Data Protection Regulation and its impact, be sure to read the full article, EU Data Protection Gains a Sword to go with its Shield.
Deep Web. Hidden Web. Invisible Web.
These are names for the underbelly of the Internet that most of us know nothing about. If you’re in that camp, below you will find a few deep Web facts that every legal professional should consider as the lines between security, privacy, data breach, fraud, computer forensics and ediscovery blur.
9 Deep Web Facts
- Underneath the World Wide Web lies a whole other Internet where sites are hidden unless you know how to use them and exactly what to look for.
- This underside of the web is known as the deep Web, and it contains many, many layers of content. (See an infographic explaining the layers of the deep Web.)
- Ninety-nine percent of all the data on the Internet is stored in the deep Web.
- The deep Web is a place on the Internet where search engines have not indexed the information.
- The deep Web is “invisible” to the mainstream public – especially sites behind private networks, archived sites or standalone pages that connect to nothing at all.
- The vast majority of the deep Web holds pages with valuable information – databases, internal corporate websites, government documents, academic journals, etc.
- Some parts of the deep Web are associated with illegal or black market transactions – drugs, fake identifications, stolen credit card numbers, counterfeit cash and weapons.
- The anonymous nature of the deep Web makes it a breeding ground for unconventional conduct, such as: geeky or esoteric forums, information sharing in censored or turbulent political environments and leakages of confidential documents by whistleblowers or intellectual property (IP) thieves.
- The deep Web holds future potential as a place to securely communicate, especially for individuals deeply concerned about privacy or security.
What do the Impacts of the Deep Web mean for Lawyers?
One of my Kroll Ontrack colleagues, Michele Lange, recently sat down with Inside Counsel to explain the deep Web and when it can be a valuable source of evidence in litigation. To learn more about the deep Web, read Michele’s full Inside Counsel interview, “The source that ESI lawyers need to stop overlooking.”
Court Upholds Government’s Search and Seizure Despite Acknowledging Right to Privacy in E-Mail Communications
United States v. Warshak, 2010 WL 5071766 (C.A.6 (Ohio) Dec. 14, 2010). In this criminal case, the defendants appealed their numerous convictions for fraud, claiming the government violated the Fourth Amendment prohibition against unreasonable searches and seizures by obtaining private e-mails without a warrant. The defendants also argued that the government turned over immense quantities of discovery in a disorganized and unsearchable format, that the government violated its Brady obligations by producing “gargantuan ‘haystacks’ of discovery” and that the district court erroneously denied a 90-day continuance to allow the defendants to finish sifting through the “mountains of discovery.” Addressing the Fourth Amendment concerns, the court first found the defendant plainly manifested an expectation that his e-mails would remain private given the sensitive and “sometimes damning substance” of the e-mails, viewing it as highly unlikely the defendant expected the e-mails to be made public as people “seldom unfurl their dirty laundry in plain view.” Next, the court determined that it would defy common sense to treat e-mails differently than more traditional forms of communication and found that neither the possibility nor the right of access by the Internet Service Provider (ISP) is decisive to the issue of privacy expectations. Based on these conclusions, the court held the government may not compel an ISP to turn over e-mails without obtaining a warrant first. However, the court ultimately found the government relied in good faith on the Stored Communications Act in obtaining the e-mails and determined the exclusionary rule does not apply. Turning to the “prodigious” volume of discovery that consisted of millions of pages, the court disagreed with the defendants’ arguments, noting in particular that Fed.R.Crim.P. 16 is silent on what form discovery must take.
This lengthy opinion contains several critical holdings and is certainly worth a thorough read. In particular, it is interesting that this decision holds the SCA to be unconstitutional to the extent it permits disclosure of e-mails without the use of a search warrant. In addition, although the court held the officers relied on the SCA in good faith, law enforcement officials can no longer rely on those provisions in good faith moving forward, as the SCA was deemed unconstitutional with respect to the warrant requirement. This serves as a significant caution and warning to law enforcement officers in the Sixth Circuit and elsewhere (despite the fact that the holding is only mandatory with respect to officers in the Sixth Circuit seeking to compel disclosure under the SCA).