E-Discovery and EU Data Protection laws

Robert Bond robert.bond@speechlys.com Alexander Carter-Silk alexander.carter-silk@speechlys.com IP, Technology & Data Group E-Discovery and EU Data Protection laws

Alex Carter-Silk, Partner, IP, Technology & Data Alex specialises in international litigation, intellectual property and technology matters. "a real ideas man who is excellent on litigation strategy, "recommended for his financial savvy and intellectual property acumen" Alexander s clients include brand owners, suppliers and insurers from a diverse range of industries including technology, marketing and the media. He is renowned as a litigation heavyweight specialising in the resolution of complex high value disputes, many of which have an international flavour, and has particular expertise in the recovery of failing technology projects. Alex has 25 years experience of advising on contentious and noncontentious IP and technology matters. During that period he has developed a reputation for rigorously promoting and defending his clients interests in a number of high profile cases and transactions. Alex is a market leader in the licensing, sponsorship and franchising of IP rights, as well as the protection of copyright design rights and trade marks. He also advises on advertising and marketing regulation and reputation management, including privacy and defamation. alexander.carter-silk@speechlys.com Tel +44 (0)20 7427 6507

Robert Bond, Partner, IP, Technology & Data Robert specialises in intellectual property, technology and commercial law and his particular areas of specialist knowledge include legal issues for the computer games and digital media sectors as well as data protection and information security. From regulatory compliance to practical advice on data security issues, Robert s expertise in this field and the creativity of the advice that he provides has ensured that he stands head and shoulders above the competition. A Certified Compliance & Ethics Professional, Robert has specialised in data protection since 1983 and is listed in the top 20 Best Privacy Advisers in a recent survey published in Computer World. He has advised many multinationals on trans border data flows and global data protection compliance since 1997, and co-authored the ICC BCR Report in 2006 and the ICC Guidelines on Basel II and Data Protection in 2007. Robert is the author of many books, including most recently for Sweet & Maxwell who publish his book Negotiating International Software Licenses and Data Transfer Agreements. Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. He is chairman of the ICC (UK) E- Business, IT & Telecoms Committee and Chairman of the IT & E-Commerce Committee of the Licensing Executives Society. Robert is listed in Legal Experts 2011 and The Who s Who of International Internet & E-Commerce Lawyers and is also recognised as a Legal Expert by Euromoney s Guide to the World s Leading Technology Telecommunications Lawyers. He is also a frequent speaker at industry events and conferences. Robert is listed as Tier 1 for Data Protection in Chambers UK 2011 and 2010 describing him as an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres. He is listed as a data protection expert in Chambers (2009) and in Chambers (2008) where clients describe him as a brilliant lecturer, a meticulous lawyer and responsive if you contact him, you know he ll get back to you within the hour and authoritative he really knows his stuff, and he has so many contacts within the EC he can predict trends and what s coming further down the line, which is very useful for forward planning. robert.bond@speechlys.com Tel +44 (0)20 7427 6660

Topics Overview of the current and future ESI landscape US approach UK approach EU Data Protection issues Data management issues

Overview of the current and future ESI landscape What information is not discoverable? Preservation Collection Review Production by the year 2013, 50% of all companies will have been asked to produce material from social media websites for e-discovery. Gartner 2010

US UK AND CIVIL LAW Overview US Depositions All relevant documents Lines of enquiry allowed UK No discovery by witness No fishing expeditions Standard disclosure means proportionate CIVIL Up to the judge Very limited documents required to prove the case. Codified

UK DISCLOSURE LAW UK Duty to disclose documents which support or are adverse to either party s case The digital age has changed the disclosure landscape. The starting point: CPR 32 and the practice direction thereto. PROPORTIONALITY is the key. A proportionate search for documents is adequate, even if it is too narrow to catch a smoking gun. Digicel, reviewed in the May 2009 Review of Civil Litigation Costs. Goodale confirmed the position. What is proportionate? Consider the period of time relevant to the dispute, the key custodians of documents, how the documents should be managed and analysed. CASE STUDY: SAS Institute Inc v. World Programming Limited.

Use of documents in related proceedings NOT THE SAME IN ALL JURISIDCITONS CPR 31.22: the contents of a disclosed document may only be used for the purposes of the proceedings in which it has been disclosed. CPR 32.12: documents prepared in the course of litigation should only be used for the purpose of the proceedings in respect of which it has been prepared. This is the corollary to the invasion of privacy caused by the process of disclosure. There must be special circumstances, the release must not occasion injustice to the person giving disclosure and the interests of justice must favour disclosure; per Lord Oliver, Crest Homes v. Marks [1987] AC 829. Permission has been granted where there are two sets of proceedings in different legal systems but between the same parties concerning related issues; Apple Corp v. Apple Computer.

The life-cycle of a dispute Right to sue Chronology and facts Jurisdiction Interim applications Experts Witnesses Disclosure and privilege Trial Remedies Appeals

Fed. R. Civ.Pro. 26 & 34 Parties may obtain discovery regarding any matter, not privileged, that is relevant to the claim or defence of any party, including the existence, description, nature, custody, condition, and location of any books, documents, or other tangible things and the identity and location of persons having knowledge of any discoverable matter. Rule 26(b)(1) Any party may serve on any other party a request to produce and permit the party making the request, or someone acting on the requestor s behalf, to inspect, copy, test, or sample any designated documents or electronically stored information including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained. Rule 34(a)

What are Common E-Discovery Scenarios? Pre-emptive document preservation - the duty to preserve Information likely to be requested or lead to admissible evidence (Zubulake) Pre-trial discovery requests Document production in criminal or regulatory investigations US crimes prohibiting document destruction

Why is the US approach challenged by the EU laws? Disclosure required where US litigant has possession, custody or control US case law confirms it applies to foreign affiliates Conflicting foreign law not a defence for non-preservation/production US courts can compel production European data protection law Fair processing/obtaining consents Questionable legitimate basis Proportionality concerns Retention periods International transfers of data Member states have local views under civil law

The Eight Data Protection Principles Data must be fairly and lawfully processed with the consent of the individual Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected Data must be accurate and, where necessary, kept up to date Data must not be kept longer than necessary Data must be processed in accordance with rights of data subjects under the Directive (right to inspect and correct data) Security measures must be taken against unauthorized or unlawful processing, and against accidental loss, destruction, or damage of data Data must not be transferred outside EEA unless recipient country provides adequate data protection

What Has Europe Done? Working Document 1/2009 (WP 158) (Feb. 2009) An initial consideration of the issue WP 29 sees the need for reconciliation WP 29 proposes guidelines for compliance Guidance contains Pros and Cons

Pros Retention where mere possibility of litigation improper Legitimacy exists where a legitimate interest Interest re. foreign disputes a legitimate interest But treatment of sensitive data left slightly unclear (e.g., consent or legal claims basis) International transfers can be based on legal claims provision, or involve other methods Encourages use of protective orders

Cons Individual rights to access, and amend, data Undermine integrity of evidence Use of trusted third parties to filter data Antithetical to basic US discovery principles Use of anonymization techniques prior to disclosure Unrealistic given realities of modern litigation Subjecting court services to sufficient security measures and verifying compliance by service providers Difficult to imagine working in practice

Hague Convention Reliance upon the Hague Convention Convention establishes a cumbersome, letters rogatory (letters of request) process for disclosure Two fatal flaws: US law does not accept exclusivity of Convention (Aerospatiale) European countries may invoked Art. 23 reservations excluding application to pre-trial discovery

The Sedona Conference International Principles on Discovery, Disclosure & Data Protection With regard to data that is subject to preservation, disclosure, or discovery, courts and parties should demonstrate due respect to the Data Protection Laws of any foreign sovereign and the interests of any person who is subject to or benefits from such laws Where full compliance with both Data Protection Laws and preservation, disclosure, and discovery obligations presents a conflict, a party s conduct should be judged by a court or data protection authority under a standard of good faith and reasonableness Preservation or discovery of Protected Data should be limited in scope to that which is relevant and necessary to support any party s claim or defense in order to minimize conflicts of law and impact on the Data Subject Where a conflict exists between Data Protection Laws and preservation, disclosure, or discovery obligations, a stipulation or court order should be employed to protect Protected Data and minimize the conflict A Data Controller subject to preservation, disclosure, or discovery obligations should be prepared to demonstrate that data protection obligations have been addressed and that appropriate data protection safeguards have been instituted Data Controllers should retain Protected Data only as long as necessary to satisfy legal or business needs. While a legal action is pending or remains reasonably anticipated, Data Controllers should preserve relevant information, including relevant Protected Data, with appropriate data safeguards.

American Bar Association position 2012 Recent call for US courts to recognise data privacy laws of other countries which may conflict with disclosure orders

Guidance Put in place a data retention and data destruction policy Ensure that e-discovery procedures are built into information or asset protection policies Amend Privacy Notices to include disclosure or transfer of personal data in pre-trial discovery Ensure that use of 3 rd party service providers for e-discovery are subject to EU model clauses where they are in third countries Audit current systems to understand where personal data resides

QUESTIONS? Construction & Engineering 1 November 2006