Ceic 2010 international panel slide deck
1. International eDiscovery: Data Protection, Privacy & Cross-Border Issues
Red Rock Resort
Summerlin, Nevada
May 26, 2010
2. Agenda
The Panel
Moderator: Patrick Burke, Guidance Software
M. James Daley, Esq., Daley & Fey LLP
Dominic Jaar, Ledjit inc.
George Rudoy, Shearman & Sterling LLP
3. M. James Daley
M. James Daley, Esq., CIPP
Partner, Daley & Fey LLP
jdaley@daleylegal.com
(913) 522-8901
www.daleylegal.com
Partners with clients to contain the costs and reduce the risks of global data privacy, e-discovery and data security challenges
Chair of The Sedona Conference® Working Group on International E-Disclosure and Records Management (WG6)
Co-Editor-in-Chief of The Sedona Conference® Framework for Analysis of Cross-Border Discovery Conflicts (2008)
Certified Information Privacy Professional (CIPP) – International Association of Privacy Professionals
4. Dominic Jaar
Dominic Jaar
President, Ledjit Consulting inc.
CEO, Canadian Centre for Court Technology
Member of the Sedona Conference
Editorial board (Sedona Canada)
WG1
WG6
Guidance Software Strategic Advisory Board
5. George Rudoy
George Rudoy
Shearman & Sterling, LLP
Director, Global Practice, Information & Knowledge Management
Founding member of the E-Discovery Training Academy at Georgetown Law Center
Chair of the ALM Law & Business’s Legal Tech Educational Board
Vice President of the International Legal Technology Association (ILTA) Practice Management Peer Group
7. The Current Landscape
Cross-border eDiscovery is a “Catch 22”
U.S. courts require production of relevant information located outside the U.S.
Many non-U.S. jurisdictions restrict and/or block the processing and transfer of such information to the U.S.
8. Differing notions of privacy
Privacy is a fundamental right in much of the world
Definitions of personal data subject to privacy protection outside the U.S. are extremely broad
Privacy protections in the U.S. are industry specific
Personal data subject to protection is limited to specific categories (e.g., Social Security numbers, medical information, banking data)
9. Differing Notions of Privacy
Restrictions on disclosure outside the European Economic Area (E.U. member states plus Norway, Iceland, and Liechtenstein)
Generally, personal data cannot be sent to countries with less privacy/data protection than in the E.U.
Only a handful of jurisdictions meet standards to allow data transfer
10. Latin American Privacy Laws
Based on Constitutional Right of “Habeas Data” or “the right to your data”
Brazil – 1988
Paraguay
Peru
Argentina
Costa Rica
Mexico
11. Transfers outside the EU
Exceptions and derogations to general principle
Issues include necessity for the transfer, proportionality (how the truly personal data is culled), and specifics in enabling laws of member states.
Critical to consult local counsel
Transmission may require notification/permission of local Data Protection Agencies
12. Differing Notions of Discovery
Common law: expansive pre-trial discovery conducted by the parties with judicial supervision as needed to resolve disputes or manage court calendar
U.S. most expansive: discovery permitted of documents which may lead to admissible evidence
Canadian “semblance of relevance” test almost as expansive
U.K.: parties must produce “documents relied upon and documents that adversely affect or support litigant’s position” but document request must seek specific documents, not broad categories
13. Civil Code jurisdictions
Disclosure is limited to admissible evidence
Court closely supervises disclosure and
determines admissibility and relevance of
proposed evidence
For example, in Germany, litigants need only produce those documents which will support their claims
14. The Hague Convention
Hague Convention on the Taking of Evidence Abroad (1972)
An attempt at compromise: a uniform procedure for collection of evidence between common law and civil law jurisdictions.
Letters of request (“rogatory”) issue from court in one nation to designated central authority (often a court) in another, requesting assistance in obtaining information
15. The Hague Convention
Aerospatiale: U.S. courts are not required to resort to the Hague Convention procedures over the Federal Rules of Civil Procedure
Five-factor balancing test:
Importance of the evidence to the litigation
Respective interests of the U.S. and the foreign nation where the information is located
Specificity of the request
Whether the information originated in the U.S.
Availability of alternative means to obtain the information
16. Blocking statutes
Shields for nationally sensitive data
Statutes which restrict cross-border discovery of information intended for use in foreign judicial proceedings
Not limited to civil law jurisdictions (Australia and Canada have blocking statutes)
May be general (France and Venezuela) or industry-specific (e.g., Switzerland re banking information)
17. Blocking Statutes
Contrary to certain U.S. and U.K. judicial decisions, blocking statutes can have severe consequences
Venezuela: In Lyondell-Citgo Refining LP v. Petroleos de Venezuela, defendant accepted an adverse inference instruction rather than turn over board minutes and related documents
France: In January 2008, the French Supreme Court affirmed a criminal conviction for speaking to a potential witness about a U.S. lawsuit
18. Trends
The French Supreme Court decision, in re Christopher X, may tip the balancing test in favor of recognition of the significance of blocking statutes and result in more recourse to the Hague Convention
Some U.S. courts had already required recourse to the Hague Convention (Connecticut District Court, In Re Perrier Bottled Water Litigation; New Jersey State Court, Husa v. Laboratoires Servier S.A.)
19. Trends
Potential narrowing of the definition of “personal data” in U.K.
Durant v. Financial Services Authority, Court of Appeal (Civil Division), 2003: “Only information that names (the individual) or refers to him” qualifies for protection under the Directives and U.K. enabling laws
Court described its holding as “a narrow interpretation of personal data” and is not universally followed
20. EU Article 29 Working Party
Comprised of all 27 EU Member State Data Protection Authorities (DPAs) and interprets provisions of EU Data Protection Directive 95/46/EC: http://ec.europa.eu/justice_home/fsj/privacy/
Notice: subjects whose data is being collected should be given notice of such collection.
Purpose: data collected should be used only for stated purpose(s) and for no other purposes.
Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.
Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
21. WP 158
Issued February 2009 as a “work in
progress”
Attempt by Article 29 Working Party to
address cross-border discovery issues
Relies on August 2008 Sedona
Framework on Cross-Border Transfers
Opens way for further U.S. – EU dialogue on Cross-Border issues
22. CNIL Declaration
CNIL is the French National Data Protection Authority (Commission nationale de l'informatique et des libertés)
On August 19, 2009, CNIL issued Deliberation No.: 2009-474, articulating its recommendations on responses to U.S. discovery requests for civil litigation discovery.
Main Provisions: In-country culling of personal data; limitations on scope of processing, without review; adherence to approved methods for transfer of personal data in civil litigation and regulatory context
23. WP 168
Working Party “The Future of Privacy” opinion adopted on 01
December 2009
A Joint contribution to the Consultation of the European
Commission on the legal framework for the fundamental right to
protection of personal data
Clarify the application of some key rules and principles of data
protection (such as consent and transparency).
Innovate the framework by introducing additional principles
(such as ‘privacy by design’ and ‘accountability’).
Include the fundamental principles of data protection into one
comprehensive legal framework, which also applies to police
and judicial cooperation in criminal matters.
26. Trends
Increased attention to privacy in the United
States
Media coverage of compromises of personal data
through loss of laptops and backup tapes
Security breaches of large public and private
databases
Increasing incidence of identity theft
Recent (and first) HIPAA civil monetary penalty
proceeding to result in penalties, revamped electronic
privacy plan and compliance reports
27. Ways to Mitigate Risk
Dialogue with Data Protection Authorities on common interests
In-country collection, processing and culling and possibly review
Development of a uniform confidentiality designation, i.e., “EU Confidential,” for personal data involved in discovery/disclosure across borders
28. Ways to Mitigate Risk
Development of specific E.U. (and perhaps Asia-Pacific and South America) provisions for U.S. court protective orders and case management orders
Addition of cross-border discovery and conflicts training to judicial education curricula
Development of approved protocols for processing and pre-filtering of personal data in the host country to assure only relevant personal data is transferred for discovery purposes
29. A way forward
Education and Awareness:
Legal Restrictions
Records Management – Cultural Divide
Technology Realities
Risk Benefit Analysis
Efforts to Mitigate Risk
Continued Communication and Collaboration
31. Upcoming event
The Sedona Conference® International Program on Cross-Border eDiscovery, eDisclosure & Data Privacy
15-17 September 2010
Washington, D.C.
34. Canada
The State of E-Discovery
Ontario Guidelines
Sedona Canada Principles
Rules of Civil Procedure
Nova Scotia
Ontario
Practice Directions
British Columbia
Alberta
Quebec Code of Civil
Procedure
Federal
35. Privacy
Canada as the Safest Harbour
Principles
Purpose
Consent
Limited
— Collection
— Use
— Disclosure
— Retention
Accuracy
Canadian Charter of Rights and Freedoms
Personal Information Protection and Electronic Documents Act (PIPEDA)
Provincial Legislation
Sedona Canada White Paper on Privacy (To be published)
36. Blocking Statutes
Reacting to USA’s Extraterritorial
Laws
Cuban Policy
Asbestos
Uranium
National and Provincial
Politics and Economics
Federal
Foreign Extraterritorial Measures Act
Provincial
Quebec Business Concerns Records Act
Ontario Business Records Protection Act
37. Privileges (Solicitor-Client and Litigation)
Quasi-Constitutional Rights
Canadian Charter of Rights and Freedoms
Waiver
Explicit
Implicit
Cross-Border Production
38. Proportionality
A Reality, not a Mere Principle
Rules of Civil Procedure
Nature of the case
Value
Burden
Accessibility
Relative Relevance
Confidentiality
— Privacy
— Privileges
— Intellectual Property
— Commercial/Industrial Secrets
39. International E-Discovery
Practical Challenges
Language
Identification
Processing
Review
Presentation
Technological
Standards
Legacy systems
Multinational enterprise-wide content search
Criminal/Penal charges
Jurisdiction over act
41. Non-English Language Documents
ASCII vs. Unicode
• Computers only understand numbers—0’s and 1’s.
• ASCII designed to allow humans to communicate with computers.
• Invented for teletypes
• Original ASCII character set limited to 127 characters.
A -> 0100 0001
42. Non-English Language Documents
Printable ASCII Characters
0123456789abcdefg
hijklmnopqrstuvwx
yz
ABCDEFGHIJKLM
NOPQRSTUVWXYZ
~ ! @ # $ % ^ & * ( ) _ + ` - =
[ ] { } | ; ' : " , . / < > ?
43. Non-English Language Documents
ASCII vs. Unicode
• Other languages needed additional characters.
• Extended ASCII ramped up to 256 characters.
• Special encoding developed to reach beyond extended ASCII.
• Result: multiple coding sets emerged using the same byte sequences.
44. Non-English Language Documents
The bottom line…
• Chinese language has 65,000+ symbols
• Unicode assigns numbers to every possible character set.
• UTF-8 has become de facto Unicode standard to represent multi-byte languages.
E-Discovery processing software must support Unicode!
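Added example (not part of the original slides): the Python sketch below works through the point of slides 43 and 44, that one byte sequence reads as different text under different code pages, so a keyword search over wrongly decoded data misses responsive documents. The Russian keyword, the candidate code-page list and all function names are assumptions chosen for illustration.

```python
# Added illustration; sample data and all names are constructed.
KEYWORD = "договор"                      # Russian for "contract"
LEGACY_BYTES = KEYWORD.encode("cp1251")  # legacy file: 7 bytes, one per character
UTF8_BYTES = KEYWORD.encode("utf-8")     # same word in UTF-8: 14 bytes

# Code pages a processing tool might assume for an unlabelled file.
CODE_PAGES = ["utf-8", "cp1251", "cp1252", "koi8-r", "iso-8859-7"]


def ascii_bits(ch):
    """Bit pattern of an ASCII character, as on the 'A -> 0100 0001' slide."""
    return format(ord(ch), "08b")


def decode_all(raw, code_pages=CODE_PAGES):
    """Decode the same bytes under each code page; None where the bytes are invalid."""
    views = {}
    for enc in code_pages:
        try:
            views[enc] = raw.decode(enc)
        except UnicodeDecodeError:
            views[enc] = None
    return views


def keyword_hit(raw, keyword, encoding):
    """True if the keyword is found after decoding raw with the given encoding."""
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError:
        return False
    return keyword.casefold() in text.casefold()


def to_unicode(raw, declared_code_page):
    """Normalise for indexing: strict UTF-8 first, then the declared legacy page.

    Returns (text, encoding_used) so the choice can be logged for the record.
    """
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode(declared_code_page), declared_code_page


if __name__ == "__main__":
    for enc, text in decode_all(LEGACY_BYTES).items():
        print(f"{enc:11} {text!r}")
    print("hit as cp1252:", keyword_hit(LEGACY_BYTES, KEYWORD, "cp1252"))
    print("hit as cp1251:", keyword_hit(LEGACY_BYTES, KEYWORD, "cp1251"))
```

Only the correct code page recovers the keyword; every other single-byte page decodes without error and silently produces different text, which is why the encoding used should be recorded alongside each processed file.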
45. Non-English Language Documents
Non-English Language Tokenisation
• Western search based on spaces and punctuation.
46. Non-English Language Documents
Non-English Language Tokenisation
• Some languages often don’t use spaces or punctuation.
47. Non-English Language Documents
Non-English Language Tokenisation
Thedogatemydinnerbeforeicouldstophimnexttimeiwillputhimoutbeforeieat
The dog ate my dinner before I could stop him.
Next time I will put him out before I eat.
裁判所はどこにありますか?
Where is the courthouse?
49. Non-English Language Documents
Non-English Language Tokenisation
Chinese
• Words may consist of one or more symbols
中國人
Middle country person
China
中國
Middle country
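Added example (not part of the original slides): a Python sketch of the tokenisation problem from slides 45 to 49, using the slides' own sample strings. It compares a tokeniser that splits on spaces and punctuation with one that indexes overlapping character bigrams for Japanese and Chinese text; the character ranges, the document ids and the function names are assumptions for illustration, and bigram indexing is one common workaround rather than the method of any particular product.

```python
import re

# Added illustration; all names and the document set are constructed.
CJK = "\u3040-\u30ff\u4e00-\u9fff"            # hiragana, katakana, common Han
RUNS = re.compile(rf"[{CJK}]+|[^\W{CJK}]+")   # CJK runs, or other word runs
IS_CJK = re.compile(rf"[{CJK}]")

DOCS = {
    1: "The dog ate my dinner before I could stop him.",
    2: "裁判所はどこにありますか?",            # "Where is the courthouse?"
    3: "中國人",
}


def space_tokens(text):
    """Western-style tokeniser: split on spaces and punctuation."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def bigram_tokens(text):
    """Words for spaced scripts, overlapping two-character tokens for CJK runs."""
    tokens = []
    for run in RUNS.findall(text):
        if not IS_CJK.match(run):
            tokens.append(run.lower())
        elif len(run) == 1:
            tokens.append(run)
        else:
            tokens.extend(run[i:i + 2] for i in range(len(run) - 1))
    return tokens


def build_index(docs, tokenizer):
    """Inverted index: token -> set of document ids containing it."""
    index = {}
    for doc_id, text in docs.items():
        for tok in tokenizer(text):
            index.setdefault(tok, set()).add(doc_id)
    return index


def search(index, query, tokenizer):
    """Documents containing every token of the query (AND, not phrase order)."""
    hits = None
    for tok in tokenizer(query):
        docs = index.get(tok, set())
        hits = docs if hits is None else hits & docs
    return set(hits) if hits else set()


SPACE_INDEX = build_index(DOCS, space_tokens)
BIGRAM_INDEX = build_index(DOCS, bigram_tokens)

if __name__ == "__main__":
    for query in ("dinner", "裁判所", "中國"):
        print(query,
              "spaces:", search(SPACE_INDEX, query, space_tokens),
              "bigrams:", search(BIGRAM_INDEX, query, bigram_tokens))
```

The space-based index stores the whole Japanese sentence as a single token, so a search for 裁判所 (courthouse) returns nothing, while the bigram index finds it and also finds 中國 inside 中國人.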
55. EU
Location: Europe between the North Atlantic Ocean in the west and Russia, Belarus, and Ukraine to the east
Legal System: comparable to the legal systems of member states; first supranational law system
Political structure: a hybrid intergovernmental and supranational organization
Population: 491,018,683
Languages: Bulgarian, Czech, Danish, Dutch, English, Estonian,
Finnish, French, Gaelic, German, Greek, Hungarian, Italian,
Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian,
Slovak, Slovene, Spanish, Swedish
56. EU
Be aware of balance and possible conflict of individual country
rules vs. EU rules
Transport and use of data is highly guarded and restricted
Prepare schedule of annual holidays and observances
Polite direct requests
Take the time to clarify project purpose and plan
Clarify vernacular for technology (Services v. Share)
Establish client-side project liaison
Consider local labor laws
57. EU
Minimal experienced local vendor support, most located in UK
Involve IT in interview process to identify relevant technology landscape
Explain discovery process in detail with the support of visual diagrams and documentation
Local Counsel
IT Personnel
Interview process
Translate project requirements and scope
59. Former USSR
English not widely spoken, even less so in non-capital cities
Remaining xenophobia of foreigners, especially Americans
Local customs are unique and expected to be followed
Very little regard for privacy
Many layers of authority and management
Border security varies and customs can be negotiated with
No local vendors
Limited familiarity with litigation requests
“Government secrets” still an issue
Persistent refusal to sign any documents (chain of custody form, privacy waiver, etc.)
62. Collecting ESI in Russia
Privacy Rights in Russia
Article 23 of the Constitution of the Russian Federation
— Everyone has the right to privacy, personal and family secrets, protection of
one’s honor and good name.
— Right to privacy of correspondence, telephone communications, mail, cables
and other communications.
— Any restriction of these rights requires a court order.
Federal law “on information”
— Each person has the right to search and receive any information in any forms and from any sources subject to specific limitations.
— Limitations provide only for data related to a state secret, commercial secret, official or other secret (e.g. tax secret), professional secret, privacy or family secrets which are regulated by separate federal laws.
63. Penalties
Penalties can be disciplinary, civil, administrative or criminal.
Specifically, criminal liability for violation of the immunity of private life, violation of secrecy of communications and infringement of home inviolability, as well as liability for unauthorized access to legally protected computer information.
Civil liability if an individual suffers physical or moral damages by violation of his or her non-property rights or any other non-material welfare rights.
A court can force financial compensation.
64. Russian law on transferring data through data telecommunications networks
Article 15(5) of the Federal law “On Information” provides that data can be transferred through data telecommunications networks without any limitations subject to the protection of intellectual property except
“On personal data” (Article 7) requires the operator to ensure the confidentiality of received personal data with two exceptions:
— Instances involving depersonalization of personal data, and
— Publicly available personal data.
— Most importantly, the operator can process personal data only with a person’s consent (Article 6) subject to certain exceptions.
— Personal data is broadly defined to include “any information related to an individual…or information on the basis of which an individual may be identified.” Examples include surname, birthdate, address, family status, income and education.
65. Consent
On the one hand, consent is required “when directed by law” such as
collection and transborder transfer of personal data.
On the other hand, in practice, where a company puts employees on
written notice by policy or specific notice that their email and
documents are company property and can be accessed for business
uses at any time, written consent can be made by the company.
Written consent is prudent – the burden of proof is on the operator and
Russian courts usually require documentation.
No standard consent form, but lists six criteria to include:
— Full name of person giving consent including address, passport number, date of issue and issuing authority.
— Name and address of operator to whom consent is given.
— List of personal data that may be processed.
— List of operations to be performed with personal data, and general description of the processing methods.
— Term of validity of the consent and the procedure for its revocation.
66. Exceptions to Consent
Personal data processed on the basis of federal law (primarily supporting law enforcement).
Personal data processed to perform an agreement to which such individual is a party (e.g. employment agreement).
Personal data processed for scientific or statistical purposes, and it is sanitized.
Personal data processed to protect life, health or important individual interests and it’s not possible to obtain consent.
Personal data processed to deliver mail or telecommunications customer settlements.
Processed for professional activity of a journalist or for scientific literature or creative activity.
Data subject to publication in compliance with federal laws such as state officials or candidates to elective posts.
67. Australia
Land Mass: Slightly smaller than the US contiguous 48 states
Legal System: Based on English common law; accepts
compulsory ICJ jurisdiction, with reservations
Population: 21,007,310
Ethnicity: Caucasian 92%, Asian 7%, aboriginal and other 1%
Languages: English or strine spoken
68. Australia – Cultural
Highly regulated environment
Legal compliance is accepted and valued
Polite direct requests
Informal business environment
High use of technology, mobile technology and email
Due to “listing” requirements objective data and metadata integrity is important
The Legal Hold concept loosely translates
Vigilant customs and security
Local vendors
Familiar with litigation requests
69. China
Land Mass: Slightly smaller than the US
Legal System: Based on civil law system; derived from Soviet
and continental civil code legal principles; legislature retains
power to interpret statutes; constitution ambiguous on judicial
review of legislation; has not accepted compulsory ICJ
jurisdiction
Population: 1,330,044,544
Ethnicity: Han Chinese 91.5%, Zhuang, Manchu, Hui, Miao, Uyghur, Tujia, Yi, Mongol, Tibetan, Buyi, Dong, Yao, Korean, and other nationalities 8.5%
Languages: Standard Chinese or Mandarin (Putonghua, based on the Beijing dialect), Yue (Cantonese), Wu (Shanghainese), Minbei (Fuzhou), Minnan (Hokkien-Taiwanese), Xiang, Gan, Hakka dialects, minority languages
70. China - Cultural
Dispute resolution process not aligned
Not familiar with litigation requests
Many layers of authority and management
“Party” plays a role
Titles and formality are important
Timeframes may slip
Can be difficult getting hardware in and out
Payment customs can be misunderstood
Exceptions based on relationships
Labour cost and efficiency
Self service
Vendor selection and testing
71. Privacy in China
China lacks comprehensive privacy legislation.
A draft Personal Data Protection Law has been submitted to the State
Council, China’s executive branch.
It is not unusual for searches to be undertaken on company computers without an employee’s consent.
Nonetheless, obtaining written consent is a prudent practice.
72. Privacy in Hong Kong
Two sources of privacy protection
Personal Data (Privacy) Ordinance
Common law (generally applies only to information which has the necessary quality of confidence, was imparted in confidence, and used without authorization to the detriment of the party communicating it (Coco v AN Clark (Engineers) Ltd. [1969] RPC 41)).
Under the Personal Data (Privacy) Ordinance, “personal data” is defined as any data
(a) relating directly or indirectly to a living individual,
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and
(c) in a form in which access to or processing or use of the data is practicable.
The use of personal data (including collection, processing and transfer) must be consistent with the purpose for which the data were originally collected or directly related to it, otherwise the prior consent of the employee must be sought and obtained.
Beware a newly enacted section 33 of the Privacy Ordinance – which may not yet be in force – which prohibits the transfer of personal data outside Hong Kong, and it is unclear whether consent overcomes that.