Quick Links
Advertise with Sarbanes Oxley Compliance Journal
News


< Back

Sarbanes Oxley : Thought Leader

Why Cross-Border Litigation is a Compliance Concern




Brandon Cook
Senior Product Marketing Manager
Clearwell Systems
As the global economy expands, more and more organizations are conducting business across borders, inevitably leading to litigation, government inquiries and compliance audits that span international boundaries.  Not surprisingly, cross-border litigation often results in complex electronic discovery (often referred to as e-discovery) issues, where organizations are required to produce electronically stored information from various countries as evidence.

One needs only to look at today’s headlines to see examples of this in practice.  New York may be the epicenter of the Bernard Madoff financial scandal, but its devastating effects have rippled across the globe.  Consequently, the scandal has set off an avalanche of lawsuits by investors globally.  For example, Repex Ventures SA recently named Bernard Madoff and Sonja Kohn, chairwoman of Bank Medici AG, in a lawsuit claiming that the bank’s chairwoman didn’t disclose that her client’s investments were being funneled into Madoff’s funds.  This matter exemplifies the e-discovery complications encountered in cross-border litigation because the plaintiff, Repex Ventures, is a British Virgin Islands corporation and has filed the lawsuit in the New York federal court against Bank Medici AG, which is based in Vienna. Examining a case like this, it comes as no surprise that globalization, combined with the growth in litigation, have resulted in a dramatic increase of cross-border e-discovery requirements.

Responding to cross-border e-discovery requirements can be a risky and complex procedure since it is not simple to transfer electronic data from one country to another.  In contrast to the U.S., where most emails and documents produced in the office belong to the company and can be used openly, Europe fervently protects the privacy of employees, restricting the disclosure of anything that could be considered personal data.  In the aforementioned example, the legal requirements of at least three different countries must be considered during the e-discovery process.  In this case specifically, both the European Union’s Directive 95/46/EC (regarding the protection of personal data) and country-specific laws (i.e., “blocking” statutes) have legal implications associated with the processing and transfer of data. 

As background, Directive 95/46/EC was adopted by the European Commission in 1995 and provides data privacy protection for citizens of member states.  It defines requirements for personal data privacy and protects personal data from disclosure in many instances.  The Directive defines personal data as “any information relating to an identified or identifiable natural person.” This broad definition means that many types of information, such as email addresses, are considered personal data.  Chapter 4 of the Directive specifically dictates regulations for the transfer of “personal data” to countries outside the EU and states that data may not be transferred to countries that do not provide an adequate level of protection.

The required level of data protection is high, and so far only Switzerland, Canada, Argentina, Guernsey, and the Isle of Man have been approved as compliant countries. The EU is particularly sensitive to EU data not being processed or reviewed in the United States so that it is not subject to the Patriot Act which conflicts directly with EU Data Protection Directive.  The European Union has demonstrated the seriousness of these requirements by levying fines against parties who have attempted to comply with U.S. e-discovery requirements at the cost of violating EU Directive 95/46/EC. 

In a U.S. court trial, Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 2007), the judge ordered Credit Lyonnais to produce documents in accordance with the FRCP, despite the fact that doing so would force the company to violate French privacy law. Id. at 224-26, 228.   This argument fell on deaf ears however, and the U.S. court concluded that there was little evidence the French statute would be enforced.  In order to comply with the U.S. discovery requirements in the time required, Credit Lyonnais’s French counsel ignored Hague Convention procedures and requested the information, without receiving consent to do so. This action, despite being dictated by a U.S. court, violated French privacy laws, and the French attorney was criminally prosecuted in France. The resulting sanctions case went to French Supreme Court, which upheld the conviction and the €10,000 fine. Id. at 21; In re Advocat "Christopher X," No. 07-83228 (Cour de Cassation Dec. 12, 2007). This may be the first case where a litigant has been tried for attempting to comply with a U.S. discovery order, but it serves to strongly support the need to perform cross-border e-discovery while complying with EU and country-specific data protection directives.

Other instances of fines levied for violations of the EU Data Privacy Directive exemplify the risks associated with cross-border data transfers, and demonstrate the aggressive enforcement of Europe’s data privacy laws.  In 2004, a French court levied a €30,000 fine on AOL LLC for transferring customer data outside the EU without the consent of their customers.

In a widely publicized 2007 decision, La Commission Nationale de L'informatique et des Libertés (CNIL) levied a €30,000 fine on Tyco International Ltd., after the company’s French subsidiary, Tyco Healthcare France, transferred data to its U.S. headquarters.
France is not the only nation enforcing these privacy laws.  In 2008, Britain’s Financial Services Authority (FSA) fined UNAT Direct, a subsidiary of American International Group (AIG), £640,000 for transferring data outside of the European Union without adequately protecting the data prior to transfer. These examples serve to show that the risk of sanctions and negative publicity for violating privacy directives are tangible and real, even when attempting to respond to court requirements at home.

So, how can companies respond to e-discovery requirements that span international borders without landing themselves in the headlines and receiving sanctions?  There are a few models that have been proposed, but none of them, to date, seem to provide a safe and cost-effective solution that companies operating in today’s global economy require. 

The first method is to obtain the consent of all individuals whose data will be transferred.  This presents two practical issues, the first being that it is time consuming and logistically difficult to obtain the consent of all individuals involved in the discovery process.  Secondly, EU guidelines dictate that any consent given can only be valid if it is fully revocable at any time.  Serious complications can arise should individuals revoke their consent during litigation, which adds risk to e-discovery conducted in this manner.

The second common method is to allow the transfer of data across borders under the “Safe Harbor” framework, which was developed by the U.S. Department of Commerce in consultation with the European Commission and is designed to facilitate the transfer of personal information.  Safe Harbor “certification” requires the certified company to validate that they adhere to the seven Safe Harbor principles:

•    Notice - Individuals must be informed that their data is being collected and about how it will be used.
•    Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
•    Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
•    Security - Reasonable efforts must be made to prevent loss of collected information.
•    Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
•    Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
•    Enforcement - There must be effective means of enforcing these rules.

The applicability of Safe Harbor certifications to e-discovery has been called into question because the certification specifically dictates what companies can do with the data.  It is intended for companies that need to transfer internal data across borderers and the certification does permit various processing actions required during e-discovery.  For example, the processing and consequent presentation of evidential data does not comply with Safe Harbor protocols, making this solution untenable for many e-discovery use cases. 

A third method is to obtain a letter of request under the Hague Evidence Convention from a district court.  The Hague Evidence Convention is a European treaty that allows the transmission of evidence from one state to another under certain guidelines.  Obtaining an approved letter of request permits the transfer and processing of data.  However, this process can take 6-12 months, often rendering this solution inapplicable to e-discovery requests with strict court-appointed deadlines.

Despite European provisions that protect personal data and restrict the transfer and use of that data, U.S. courts have been largely unsympathetic to defendants facing these obstacles and have even sanctioned companies who have failed to comply with discovery requests that violated local and international data privacy laws.  For example, in Enron v. J.P. Morgan Securities Inc., No, 01-16034 (Bankr. S. D. N.Y. July 18, 2007), the court ruled that the threat of the French Blocking Statute did not excuse the defendant from its obligation to produce relevant documents from France.  Furthermore, the court ruled that the matter did not warrant application to Hague Evidence Convention in order to obtain permission to conduct discovery across borders.

Making the matter more challenging, U.S. courts have even sanctioned companies who have refused to violate a country’s data privacy laws in the face of FRCP requirements. In the case of United States v. Vetco, 691 F2d 1281 (9th Cir. 1981), Vetco was sanctioned for not producing documents requested by the IRS, despite the fact, their attorney’s argued, that doing so would violate Swiss laws.

It is clear that the current approaches to cross-border e-discovery each have their challenges in light of the vague and perilous data privacy landscape. As a result, most enterprises are choosing a new approach of conducting e-discovery in the country where the data resides, which allows them to circumvent restrictions on the processing, review, and transfer of electronic documents.  This approach serves to significantly reduce the cost and risk of cross-border e-discovery. 

The Sedona Conference’s Framework for Analysis of Cross-Border Discovery Conflicts supports this best practice saying, “Any processing needed to determine the relevance of the personal data should be done within the EU before any transfer,”  (A Project of The Sedona Conference® on International Electronic Information Management, Discovery and Disclosure (WG6) August 2008). In this new approach, the first step is to process, search, cull-down, and review data in country. This dramatically reduces the size of the dataset, allowing local counsel to quickly remove irrelevant documents and focus on the relevant data and custodians involved.  Once the relevant documents have been identified, the local counsel can redact personal information before exporting only the relevant documents.  Processing, searching, culling, and reviewing the data set in country will reduce the risks associated with cross-border e-discovery. 

In some instances, exporting documents with all personal information redacted may still not be a viable solution if litigation requires this information as evidence.  In this case, it is best to consult the data privacy commissioner of the country where the data resides.  In the UK, for example, the data privacy commissioner will likely ask the company to show that reasonable steps are being taken, where possible, to protect the privacy of the individuals involved and that this process is documented.  Other jurisdictions may be more difficult, in which case obtaining approval via the Hague Evidence Convention may be necessary, despite the lengthy approval process.  While in-country processing offers the most viable avenue for safely conducting cross-border e-discovery, it still presents some obstacles for many companies.

The challenge with conducting e-discovery in-country is that it is often performed using traditional IT tools and manual processes, which are very expensive and time-consuming. In order for e-discovery in-country to be a viable option, enterprises must embrace next generation solutions that have several features. First, such solutions should offer an innovative delivery model where the product is shipped directly to the country where the data resides and shipped back once the task is completed.  Second, solutions need to be up and running quickly (the typical software deployment of several months will not work in this case) and offer an intuitive web 2.0 user interface, making it easy for attorneys to start using the application immediately.  Third, these solutions must provide advanced search and analysis capabilities that enable early case analysis, rapid cull-down, and quick review. Finally, processing languages in various text formats with Unicode support is an important criterion since products that do not have this capability will interpret foreign language text as symbols and encounter additional challenges when trying to interpret foreign words.  Companies should leverage solutions that have language identification as well, enabling allocation of specific review sets to the language-appropriate reviewers.

Organizations facing these cross-border e-discovery challenges must ensure that their people and processes match the technologies being utilized and are appropriate in their specific legal environment.  The best way to ensure this is to solicit local counsel in the country in which e-discovery is being conducted.  Not only can they advise on the local data privacy requirements that exist in addition to those dictated by the EU’s Data Protection Directive, but they can add unique insight when interpreting email and document data that often contains local colloquialisms and contexts. This can prove invaluable when culling irrelevant data, conducting searches, and performing early case assessments.   

While there is no easy answer to cross-border litigation, there are strategic ways to systematically reduce risk and cost, and maintain compliance with laws and directives of the countries involved.  Leading enterprises are utilizing intelligent e-discovery solutions that allow them to reorganize their cross-border e-discovery efforts and ensure cost-effective and timely responses. Cross-border litigation and regulation will continue to grow in step with expanding global commerce, leaving no question that corporations will be forced to examine their current capabilities and adopt new technologies and process that will allow effective responses to e-discovery in the global environment.

Brandon Cook is senior product marketing manager at Clearwell Systems, Inc. He specializes in e-discovery with a focus on international issues related to cross-border litigation. Brandon has hosted various web seminars in the e-discovery space and researches current trends and issues relating to e-discovery technology. He holds a BS in Economics from Duke University.
About Us Editorial

© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY