Pan-Pacific Data Privacy Laws & Regulations: Impact on U.S. E-Discovery and Investigations

Transcription

1 Pan-Pacific Data Privacy Laws & Regulations: Impact on U.S. E-Discovery and Investigations Mukesh Advani, Esq., Advisory Board Member, UBIC North America, Inc. UBIC North America, Inc. 3 Lagoon Dr., Ste. 180, Redwood City, CA / UBIC usinfo@ubicna.com REDWOOD CITY WASHINGTON DC NEW YORK SEOUL TAIPEI TOKYO LONDON

2 Table of Contents Introduction...3 The U.S. Courts Attempt to Resolve the Conflict between U.S. ediscovery and Laws of Other Jurisdictions...5 ABA Resolution...7 The Sedona Conference...7 Privacy Statutes in Asia-Pacific Jurisdictions...8 China...9 Japan...9 South Korea...9 Australia...10 New Zealand...10 Taiwan...10 Singapore...11 Hong Kong...11 India...11 How to Resolve Conflict and Best Practices...12 Getting Familiar with the Laws of Particular Jurisdiction...12 Attempt to Limit Discovery...13 Controlling Data That May Be Transferred to Foreign Jurisdiction...13 Conducting Review Overseas...13 Redacted and Anonymysed Version of Data...13 Obtaining Advance Consent of Employees and Others...14 Complying With Requirements of Foreign Jurisdiction...14 Selection of an Appropriate Vendor...14 Obtaining Confidentiality Orders from the U.S. Courts...14 Conclusion...15

3 Introduction Christopher X, a French lawyer, was arrested, convicted, and eventually sentenced to a fine of approximately $15,000 ( 10,000) for information search of an economic, commercial, industrial, financial or technical nature for the purpose of gathering evidence in the U.S. litigation. This conviction was affirmed by the French Supreme Court in The Hague Convention on the Taking of Evidence Abroad of 1970 ("The Hague Convention") prescribes means by which a judicial authority in one signatory jurisdiction may request evidence located in another signatory jurisdiction. However, the scope of discovery in the U.S. Courts of data located in foreign jurisdictions is not limited to the methods prescribed by The Hague Convention. Rather, the U.S Courts allow the parties to seek much broader discovery allowed under the Federal Rules of Civil Procedure ("FRCP ). Many jurisdictions, especially civil law jurisdictions, where discovery is far more limited, did not like the virtually unlimited discovery allowed by the FRCP. In 1980, France enacted a criminal statute prohibiting individuals from cooperating with U.S. discovery requests not made in accordance with The Hague Convention and Christopher X was convicted under that statute. A number of similar so-called blocking statutes have also been enacted by other European jurisdictions. 1 In re Christopher X., Cour d'appel de Paris, 9ème chambre, section B, 06/06272, March 28, 2007, affirmed Cour de Cass., , December 12,

4 Similar conflicts are emerging between the U.S. discovery laws and blocking statutes and data privacy laws and regulations in the Asia-Pacific region in situations where a litigation or an investigation involves discovery of information located in one of the Asia-Pacific jurisdictions in a U.S proceeding. This paper is focused on the Asia-Pacific region and discovery of electronically stored information (ediscovery). Many jurisdictions in the Asia-Pacific region have enacted, or are in the process of enacting, comprehensive data privacy legislation. The broad and liberal scope of the U.S. ediscovery under the FRCP allowing parties to gather relevant information from foreign jurisdiction often directly conflicts with blocking statutes or data privacy laws of those jurisdictions and provide for the imposition of civil and even criminal penalties for violation of such laws. At the same time, non-compliance with the U.S. Court ediscovery orders can result in severe sanctions, including monetary sanctions, adverse inference, and even an adverse judgment. Under the circumstances, a corporation is presented with Hobson s choice, i.e., no choice at all. The conflict also arises as a result of differences in the extent of ediscovery obligations between the common law jurisdictions (such as the U.S.) and the civil law jurisdictions (including many Asia- Pacific jurisdictions, where the extent of ediscovery is far more restrictive). The scope of pre-trial ediscovery under the U.S. law is extremely broad, allowing discovery of data that may never be admitted into evidence. By contrast, in civil jurisdictions, parties exchange electronic data and paper documents in a process known as Disclosure. The Court directs each party to disclose materials that support its case and occasionally, the adversary s case. While a party in the U.S. litigation can seek protective orders from the Court based upon the exposure it faces for civil and criminal penalties in the jurisdiction where the data is located, in practical reality most U.S. courts rarely acknowledge and give effect to such laws to the extent that they limit or deny pre-trial ediscovery. Within the Asia-Pacific region, data-privacy laws vary widely by jurisdiction. Therefore, corporations and their counsel must be familiar with the rules of each jurisdiction and take great care when preserving, collecting, and transferring to the U.S. any electronic data that may be subject to such privacy laws. This paper examines conflict between the U.S. ediscovery laws and the privacy laws and regulations in the Asian-Pacific region, attempts by the U.S. Court to reconcile such conflicts and recommends best practices for navigating the minefield that exists as a result of such conflicts. 4

5 The U.S. Courts Attempt to Resolve the Conflict between U.S. ediscovery and Laws of Other Jurisdictions Litigants with the obligation to comply with both U.S. ediscovery requirements and disclosure restrictions under the laws of other jurisdictions may apply to the U.S. court to limit or excuse compliance with ediscovery obligations or to conduct discovery under alternative procedures, such as the Hague Convention, to which the U.S. is a party. While a majority of cases in this context have arisen from European jurisdiction, they are relevant to the analysis of how the U.S. Courts may resolve the conflict between the U.S. ediscovery laws and Asia-Pacific privacy lawsand blocking statutes. In Société Nationale Industrielle Aerospatiale v. U.S. District Court, 482 U.S. 522 (1987), the U.S. Supreme Court held that The Hague Evidence Convention did not provide exclusive or mandatory procedures for obtaining documents and information located in a foreign signatory country. Rather, it was intended to establish optional procedures for obtaining evidence abroad. The Supreme Court rejected reliance on a French blocking statute by stating that, "[i]t is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence, even though the act of production may violate that statute." The Court further stated: We therefore decline to hold, as a blanket matter, that comity requires resort to Hague Evidence Convention procedures without prior scrutiny in each case of the particular facts, sovereign interests, and likelihood that resort to those procedures will prove effective. The Supreme Court directed the courts to undertake a case-by-case comity analysis to determine whether to limit the discovery to procedure specified by The Hague Convention procedures, noting: American courts, in supervising pre-trial proceedings, should exercise special vigilance to protect foreign litigants from the danger that unnecessary or unduly burdensome discovery may place them in a disadvantageous position.... In addition, we have long recognized the demands of comity in suits involving foreign states, either as parties or as sovereigns with a coordinated interest in the litigation. Aerospatiale identified certain criteria as relevant to this comity analysis, relying on the considerations set out in the Restatement of Foreign Relations Law of the United States (Revised) 437(1)(c). They are: (1) the importance to the... litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which non-compliance with the request would undermine important interests of the United States, or compliance with the 5

6 request would undermine important interests of the state where the information is located. Some U.S. courts have added a factor to this test to address the potential hardship that a producing party might suffer from compliance with the ediscovery requests 2. Despite the Supreme Court s admonition in Aerospatiale that courts should assess carefully the competing interests of the relevant jurisdictions, in practice most U.S. courts have found that parties and non-parties could be ordered to produce documents in the U.S. litigation even though such production would violate foreign laws. Different rationales have been used by different courts in allowing such ediscovery, which include the following: Blocking statutes are overly broad and designed to thwart AmericanStyle ediscovery; There is no realistic likelihood of prosecution in foreign jurisdiction; Christopher X case presented a different set of facts which are not comparable to the facts of the case before the Court; The balancing of competing national interests weighs heavily in favor of unrestricted enforcement of the ediscovery request; Even if production of the information is illegal in a foreign jurisdiction, there is no showing made that hardship would in fact result in that particular case. In conclusion, most U.S. Courts rarely take cognizance of foreign privacy regulationsand blocking statutes so as to limit or deny pre-trial ediscovery. With a few exceptions, the U.S. Courts reject the interests of civil law jurisdictions in protecting their data from production in the U.S. ediscovery. Even when they pay lip service to the need for privacy and confidentiality, the Courts tend to rely upon stipulated confidentiality and protective orders or attorneys eyes only provisions to protect such rights. It is a thorny predicament for most corporations engaged in cross-border business. In some cases, corporations have been forced to accept adverse inference instruction in the U.S. litigation rather than face criminal sanctions in foreign jurisdictions 3. 2 See U.S. v. Vetco, 691 F.2d 1281, (9th Cit. 1981) [setting forth factors taken into account by the 9th Circuit.] 3 See Lyondell-Citgo Refining LP v. Petroleos de Venezuela, S.A., 2005 WL (S.D.N.Y 2005) 6

7 ABA Resolution On February 6, 2012 the American Bar Association s House of Delegates adopted Resolution 103, submitted by the ABA Section of International Law, urging U.S. courts to consider and respect privacy and data protection laws that affect litigants before them in ediscovery. The Resolution states the following: RESOLVED, That the American Bar Association urges that U.S. federal, state, territorial, tribal and local courts consider and respect the data protection and privacy laws of any foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data that is subject to preservation, disclosure, or ediscovery. The Sedona Conference Recently, Working Group VI of The Sedona Conference issued a draft document aimed at addressing this conflict entitled International Principles on ediscovery, Disclosure & Data Protection: Best Practices, Recommendations & Principles for Addressing the Preservation and EDiscovery of Protected Data in U.S. Litigation. The International Principles aim principally at a potential conflict between the U.S. and the EU laws. They are subtitled: European Union Edition. There is currently a draft version of such framework for Asia-Pacific jurisdictions. Nevertheless, these principles will be relevant in resolving such conflicts in other regions of the world. The new Sedona International Principles identify six essential principles for reconciliation of potential conflict between privacy and disclosure in the context of U.S. litigation: 1 With regard to data that is subject to preservation, disclosure or discovery, courts and parties should demonstrate due respect for the data protection laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws. 2 Where full compliance with both data protection laws and preservation, disclosure, and discovery obligations presents a conflict, a party s conduct should be judged by a court or data protection authority under a standard of good faith and reasonableness. 7

8 3 Preservation, disclosure and discovery of protected data should be limited in scope to that which is relevant and necessary to support any party s claim or defense in order to minimize conflicts of law and impact on the data subject. 4 Where a conflict exists between data protection laws and preservation, disclosure, or discovery obligations, a stipulation or court order should be employed to protect protected data and minimize the conflict. 5 A data controller subject to preservation, disclosure or discovery obligations should be prepared to demonstrate that data protection obligations have been addressed and that appropriate data protection safeguards have been instituted. 6 Data controllers should retain protected data only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, data controllers should preserve relevant information, including relevant protected data, with appropriate data safeguards. Privacy Statutes in Asia-Pacific Jurisdictions In addition to blocking statutes which tend to restrict disclosure of information of commercial, economic or technical nature, privacy laws seek to protect personal information, which means any information that can identify a particular individual. Privacy laws seek to protect the processing of personal information. The term processing incorporates any action which touches data during its lifecycle and includes collection, use, disclosure to others, and destruction. Accordingly, the recovery of data to be used in the discovery process falls within its ambit. The term personal information generally means any information that can identify a particular individual. For example, s are personal data as they can be traced to an identifiable individual. Certain types of sensitive information about an individual, such as financial, medical, religious, racial or political affiliation is often granted even greater protection against disclosure. Many jurisdictions in Asia-Pacific are common law jurisdictions and others civil code jurisdictions. Data privacy laws and regulations are already in place in many Asia-Pacific jurisdictions including Japan, China, Hong Kong, Australia, New Zealand, Korea Singapore, Taiwan and India. A number of Asia-Pacific nations are also currently working through the Asia-Pacific Economic Cooperation forum 8

9 ("APEC") to develop such rules. The combined effect of such restrictions on the corporations in terms of data they can produce in the U.S. ediscovery could be significant. This paper provides a brief analysis of such laws in some of the key Asia-Pacific jurisdictions. The information provided here is not intended to be exhaustive coverage of such laws in any jurisdiction. Rather, such laws with respect to each jurisdiction should be separately researched and analyzed for compliance with the assistance of local counsel from that jurisdiction. China In transferring data out of the People's Republic of China, one must be familiar with a number of national and local laws, including the State Secrets Law, the Anti-Unfair Competition Law, the Archives Law, and Computer Information System Regulations. The State Secrecy Laws are implicated when any information is deemed by the Chinese government to be a state secret, which may include civil matters when the government is involved (e.g., as an owner). The Unfair Competition Law is for the protection of commercial secrets. A claim based upon the State Secret laws was rejected by the Ninth Circuit and ediscovery compelled in a case in which the defendant Chinese corporation contended that disclosure of certain information will subject it to criminal prosecution in China 4. Japan Privacy concepts are well developed in Japan. The Personal Information Protection Act of 2003 provides a structure of obligations for organizations that collect personal information. The statute requires disclosure to the individual of the purpose of use of data and further requires consent for transfer of personal information. The individual may request to review such data and must be granted an opportunity to correct, supplement or delete it. It also has notice and optout provisions. Currently, a corporation that violates the law may be fined or ordered to take remedial steps, and the corporation head may be imprisoned. As part of an effort to increase penalties for violations of this statute, the authorities in Japan plan to extend liability under that law to individual corporate employees. South Korea The Act on the Protection of Promotion of Information and Communication Network Utilization and Information Protection Act of 2001 protects the personal information of consumers held by certain industries. The number of industries subject to this law is in the process of being greatly expanded by the responsible government ministry. The statute requires deletion of data when it is no longer needed for its intended purpose of processing. The 2011 Act on the Protection of Personal Data requires nearly all businesses and government agencies to 4 Richardmark Corp. v. Timber Falling Constultants, 959 F.2d 1468 (9th Cir. 1992) 9

10 provide data breach protection, mandates the use of privacy assessments before establishing certain new databases, and establishes a right to file class actions in court over alleged violations of the law. The legislative intent behind the Act is to prevent damage caused by leakage and/ or misuse of personal data. Under the new law, covered entities must report incidents of leaked personal data to government privacy and law enforcement authorities and notify affected individuals. Australia Australia Privacy Act 1988 regulates the export of personal information from Australia. National Privacy Principle 9 (NPP 9) covers trans-border data flows and provides that an organization in Australia may lawfully transfer personal information out of Australia where the individual has consented, where similar privacy regimes are believed to exist in the State of import, and in certain other circumstances. Australia also has enacted a statute (Foreign Proceedings Act 1984) under which the Attorney General may by order in writing prohibit production of any document located in Australia to a foreign court or authority and doing of any action in Australia which might facilitate such transfer. New Zealand The New Zealand Privacy Act of 1993 is one of the most comprehensive privacy statutes outside Europe. It applies to the handling of all personal information collected or held by government agencies and most businesses. The legislation identifies 'personal information' as information about an identifiable living person, irrespective of whether it is on a computer or a paper file. The legislation is based on twelve Information Privacy Principles similar to the National Information Principles in the Australian Privacy Act. Taiwan The Computer-Processed Personal Data Protection Law of 1995 protects the processing of personal data in certain kinds of industries, such as the financial industry. Personal data is defined broadly to include the information regarding a natural person's name, birthdate, identification number, physical features, finger print, marital status, family, education, occupation, health, medical history, financial standing, social activities as well as other information sufficient to identify the natural person. It also creates restrictions on cross-border transfer of personal information. There is no single privacy oversight body to enforce the law. The Ministry of Justice enforces the Act for government agencies. Compliance with 10

11 such laws in the private sector is enforced by the concerned government agency for that sector. An example of such enforcement is arrest by the Criminal Investigation Bureau of several people for selling lists of more than 15 million voters and personal data of up to 40 million individuals. Singapore There is a voluntary privacy framework, the Model Data Protection Code for the Private Sector, which applies to any recipient to whom personal data is transferred, in or outside the country. Singapore s Banking Law prohibits disclosure of customer information by any bank. There are other sector-specific laws regulating the protection of personal data, such as the Official Secrets Act and the Infectious Diseases Act. Hong Kong The Personal Data (Privacy) Amendment Bill was introduced into Hong Kong s Legislative council on July 13, 2011 following public outcry from several highly publicized scandals involving the sale of personal data without the knowledge or consent of individuals. The bill seeks to regulate direct marketing and sale of personal data and requires full disclosure of the purpose for which data may be used, the individual may refuse to provide consent to the release of such data, the entity must wait for minimum 30 days after the notice is provided and provide an opt-out mechanism for this purpose. Under the Bill, non-compliance with any of its provisions will be a criminal offense. Personal Data (Privacy) Ordinance (Cap. 486), 1995, has a provision for the onward transfer of personal data that requires that there be a reasonable belief that any personal data transferred outside Hong Kong without consent is transmitted only to a recipient operating under similar privacy laws. India The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, were issued in April 2011 to implement India's 2008 IT Security Act amendment. The rules oblige organizations to notify individuals when their personal information is collected via letter, facsimile, or . They require covered organizations to make a privacy policy available, to take steps to secure personal information, and to offer a dispute resolution process related to the collection and use of personal information. In addition, Article 21 of the Constitution has been interpreted by the Indian courts to include a right of privacy. 11

12 How to Resolve Conflict and Best Practices Based upon the decisions of the U.S. Courts, it is clear that a corporation and its counsel cannot rely on the Courts to limit or deny requested ediscovery of data located overseas on the basis that providing such data may constitute violation of that foreign jurisdiction s laws. While counsel should continue to object on that basis and move for protective orders where so indicated, the corporations should proceed on the assumption that such relief may not be granted and hence they may be required to produce the requested ediscovery. It may not always be practical to obtain the consent of each individual whose personal identifying information may be implicated. Such individuals may include customers and former employees who have little incentive to cooperate. Even with respect to existing employees, it is really debatable whether the consent to disclosure was voluntarily given. Under the circumstances, it is important for each corporation to think about pragmatic and innovative ways to comply with the U.S. ediscovery Laws while at the same time not running afoul of various privacy laws and blocking legislations. Here are some of the steps a corporation and its counsel could take to mitigate the risks arising from the conflicting requirements of the U.S. ediscovery laws and laws of a foreign jurisdiction. Once again, it is not intended to be an exhaustive list of all measures a corporation can take and one size does not fit all. Rather, a corporation should develop facts-specific strategy in each case. Getting Familiar with the Laws of Particular Jurisdiction A corporation and its U.S. counsel should work with counsel from the jurisdiction where the data is located to have complete understanding of appropriate laws in that jurisdiction. In addition, they should fully understand what would constitute sufficient compliance with those laws to collect, retain, and process data before producing it in the U.S. proceedings. Ideally, a corporation should be familiar with such laws of each jurisdiction where it does business before there are any such proceedings. 12

13 Attempt to Limit Discovery Some courts are sympathetic to a corporation s predicament in having to produce data that may subject it to liability under the laws of a foreign jurisdiction. Therefore, it is essential to bring this issue to the Court s and opposing counsel s attention early on in litigation. Most judges will be ignorant of the laws in a foreign jurisdiction and so they will need to be educated. Counsel should proactively suggest solutions which involve discovering alternate information or doing discovery in phases which may obviate the need for getting data located overseas. Counsel should also negotiate the scope of the data to be produced and have it defined as narrowly as possible to limit the amount of data. Recent decisions indicate that a party opposing discovery on the basis of foreign privacy laws or blocking statutes bears the burden of establishing that the laws will be likely enforced and an official objection from the foreign jurisdiction to the proposed disclosure explaining the strong national interest involved 5. Therefore, on any motion to compel discovery or for protective order, it may be helpful to get a declaration or affidavit from local counsel of that jurisdiction regarding the applicable privacy laws and the perils a corporation and its employees face if they were to comply with the U.S. discovery requirements. To the extent practicable, counsel should provide declaration or affidavit from an appropriate authority in foreign jurisdiction asserting the jurisdictions strong national interest in preventing disclosure and export of such information and potential consequences if the data is disclosed and transferred. Controlling Data That May Be Transferred to Foreign Jurisdiction The corporations should try to anticipate the kind of data that may be subject of discovery and to the extent possible, not transfer such data to the concerned jurisdiction. Conducting Review Overseas In some situations, it may be helpful to conduct review of the data in the jurisdiction where it is located so as to minimize and limit the data that would need to be transferred to the U.S. and with respect to which a corporation may need to comply with the privacy laws of that jurisdiction. Redacted and Anonymysed Version of Data An often used technique in the U.S. litigation is redacting personally identifying information from the data before it is transferred to the U.S. Appropriate searches and technology may be used for searching and redacting the documents. That alone may be deemed by local authorities to be sufficient compliance with a party s duty to comply with the privacy laws. There may also be a way to produce data in such a way as to preserve anonymity. 5 In In re Air Cargo Shipping Services Antitrust Litig., 2010 WL (E.D.N.Y Mar. 29, 2010; In Gucci America, Inc. v. Curveal Fashion, 2010 WL (S.D.N.Y. Mar. 8, 2010) 13

14 Obtaining Advance Consent of Employees and Others The corporation should work to develop internal policies and procedures for making appropriate disclosures to their employees and obtaining their advance consent for disclosure of personal information about them in the U.S. litigation and investigation assuming such consent would be adequate under the laws of that particular jurisdiction. As noted above, such consent by employees may not be sufficient because the question remains whether the consent was freely given. Even then, it could be helpful to have it in place. Furthermore, to the extent any thirdparty consent (such as that of a customer or vendor) may be required, the corporation may also consider getting such consent in advance as part of the agreement between the parties. Selection of an Appropriate Vendor If the corporation were to use an outside vendor for any phase of the discovery process, it should preferably hire someone who is not only familiar with the peculiar cultural issues of that jurisdiction but also intimately familiar with the applicable laws and regulations which may come into play as a result of responding to the discovery request. Obtaining Confidentiality Orders from the U.S. Courts A protective or confidentiality order from a U.S. Court, which controls the manner for use of data, its return or destruction after litigation is completed, may be a factor that foreign authorities find relevant in determining whether to allow export of such data. Complying With Requirements of Foreign Jurisdiction The corporation should comply with each and every requirement for processing of data, even if very cumbersome, working with local authorities, to the extent possible. In a given situation, it may involve obtaining free and voluntary consent of the individual before transfer of the data, demonstrating to the local authorities the integrity and security of the collection process for personal data and its subsequent handling and production, including preventing unauthorized transfer or use of such data. 14

15 Conclusion The conflicting requirements imposed by the U.S. ediscovery laws on one hand and by privacy laws and blocking statutes in the Asia Pacific region on the other are beginning to emerge in the recent past. They are expected to continue to grow significantly as new privacy laws and regulations are enacted and the authorities in those jurisdictions become more aggressive in enforcing them. Thus far, the U.S. courts have been far from sympathetic to the no-win situations in which many corporations are finding themselves in. However, counsel representing corporations should continue to seek protective orders to limit discovery. The American Bar Association resolution 103 and the principles being developed by The Sedona Conference should strengthen their arguments in this regard. While corporations should continue to resist ediscovery which could put them in perilous situations in other jurisdictions, they also need to be proactive in developing and implementing policies and procedures and practices in consultation with the U.S. counsel and local counsel from the relevant foreign jurisdiction. Otherwise, they could be subjected to civil and even criminal prosecution and penalties. Failure to comply with the U.S. laws could have equally disastrous consequences, including substantial monetary sanctions, an adverse inference, and even an adverse judgment. 15