US DISCOVERY PROCEEDINGS: IMPLICATIONS FOR FRENCH BUSINESSES May 11, 2012 Bijan E. Eghbal, Paris Browning E. Marean, San Diego Carol A.F. Umhoefer, Paris
Agenda I. Overview of US discovery and document preservation rules II. Overview of French data protection principles III. Issues under French employment and labor laws IV. Issues under the French blocking statute V. US courts' view of French and EU data protection laws and the French blocking statute VI. Solutions for collecting, reviewing and disclosing French and EU data in US litigation 2
I. OVERVIEW OF US DISCOVERY AND DOCUMENT PRESERVATION RULES 3
Overview of US Discovery Discovery is the procedure by which parties to litigation exchange non-privileged information Includes all manner of electronically stored information ( ESI ) The scope of discovery is very broad Includes documents/information relevant to any party's claim or defense 4
Preservation Obligations in US Litigation Parties to litigation have an obligation to preserve information that is potentially relevant to the litigation The obligation arises when a party first learns of the litigation or when it is reasonably anticipated The obligation extends to material over which the party has possession, custody or control A failure to preserve can result in severe consequences including monetary fines, adverse instructions to the jury, or outright dismissal of the party's case It is critical to ensure that deletion of potentially relevant ESI is avoided (e.g., through suspension of automated deletion of email programs/policies, etc.) Parties are required to issue and implement a legal hold instructing employees on preservation requirements 5
Extra-Territorial Reach of US Discovery In discovery, US litigants may request data and documents that exist outside the US US courts frequently order discovery of information located outside the US, even though disclosure may be prohibited by the laws of another country This necessarily implicates non-us data protection laws, employment law, rights to privacy, blocking statutes and international treaties Can place a multi-national organization between a rock and a hard place 6
II. OVERVIEW OF FRENCH DATA PROTECTION PRINCIPLES 7
French Data Protection Principles Law of 1978, amended to transpose 1995 EU Directive (under revision) Data controller determines the purposes and the means of processing personal data.controllers' obligations include: Ensuring processing is fair, proportionate Ensuring that data are secure Informing individuals and, where required, obtaining express consent Ensuring individuals can exercise their rights to access, correct and delete their data Making filings with CNIL Personal data : Any data that directly or indirectly identify a natural person, even in a purely professional context (e.g., employee and consumer data) A business email constitutes personal data if it includes e.g., sender "jane.smith@xyzcorp.com" 8
French Data Protection Principles (cont'd) Processing : Any operation or set of operations in relation to [personal] data, whatever the mechanism used, especially the obtaining, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction". Read-only access to an HR data base on a server in Ireland from a desktop in the US Implicit, and sometimes express, consent is required to process personal data, unless an exception applies Transferring personal data to any country not considered to have an adequate level of data protection (such as US) is prohibited Principal exceptions: transfers (i) to US-EU Safe Harbor certified entity (ii) pursuant to so-called Model Clauses (iii) pursuant to Binding Corporate Rules (iv) if necessary to comply with obligations to defend claims in a court of law 9
Discovery case study #1: A Legal Hold Constitutes Processing The controller is the entity that determines the purposes and means of data processing Data processing includes moving data or merely storing data US preservation rules require that data potentially relevant to litigation be stored, not destroyed Consequently, data preservation is processing: it may involve moving data to a secure server, and it requires storage Generally, the employer is considered the controller of its employees data If the legal hold is issued by the employer s parent company, this would be processing by a different controller, triggering numerous obligations for the parent company 10
III. ISSUES UNDER FRENCH EMPLOYMENT AND LABOR LAWS 11
Employee entitlement to privacy and the legitimate interest of the employer The employer shall respect the individual liberty of the employee, including his/her privacy, which is one of the fundamental rights in the worksite Pursuant to Article L. 1121-1 of the French Labor Code "One may not restrict the rights of people and individual and collective liberties that are not justified by the task pursued nor proportional to the goal sought" The employee delegates have a right to alert in the event of violation of the individual or collective liberties and of the rights of people within the company (L. 2313-2) Consequently, the employee shall be informed of any measure implemented towards investigating, collecting or storing his/her data The works council shall be informed and consulted before any means of controlling the employee's activities are implemented 12
Employee data and the prerogatives of the employer Data stored on the hard drive of the employee, and not identified as "private", may be freely accessed by the employer Data stored but identified as "private" may only be accessed in presence of the employee, or after having invited the employee to be present, unless there is a risk or an event justifying such access There is a presumption that the data stored on company equipment is professional Likewise, there is a presumption that employee e-mails on the employer's equipment are professional, and can be freely accessed E-mails identified as "private" are considered "private correspondence" and cannot be accessed (under penalty of up to one year imprisonment and/or up to 45,000 in fines) Situation of employee representatives enhanced sensitivity 13
Employer's tools and tips The combination of the "consent" requirement under the data protection rules with the labor requirements will be difficult to achieve in the context of a discovery, given the employee is under the subordination of the employer and presumed to not be able to consent Legitimate concern of the employee of being personally exposed Individual information and education of the employee is key Collective information for the employees through an IT policy or charter managed to get the support of the employee representatives Complying timely with all information and consultation requirements Being compliant with all data protection requirements 14
IV. ISSUES UNDER THE FRENCH BLOCKING STATUTE 15
The French Blocking Statute The Law of July 26, 1968, amended by Law of July 16, 1980: Article 1 Subject to treaties or international agreements, it is prohibited for any individual of French nationality or who usually resides on French territory and for any officer, representative, agent or employee of an entity having a head office or establishment in France to communicate to foreign public authorities, in writing, orally or by any other means, anywhere, documents or information relating to economic, commercial, industrial, financial or technical matters, the communication of which is capable of harming the sovereignty, security essential economic interests of France or contravening public policy, specified by the administrative authorities as necessary. Article 1 bis Subject to any treaties or international agreements and the laws and regulations in force, it is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof with a view to foreign administrative or judicial proceedings or as a part of such proceedings. 16
Challenges of the French Blocking Statute Historically, US courts rejected French blocking statute arguments Seminal case: Société Nationale Industrielle Aerospatiale v. Iowa U.S. District Court, 53 U.S. 522, 556 (1987) US Supreme Court ruled that French Blocking Statute does not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute. December 2007: French Cour de Cassation affirms criminal conviction of a French lawyer seeking information in connection with the Executive Life litigation in California Impact on the US courts' view of the blocking statute None! 17
V. US COURTS' VIEW OF FRENCH AND EU DATA PROTECTION LAWS AND THE FRENCH BLOCKING STATUTE 18
US Courts View of French Blocking Statute In re Global Power 418 B.R. 833 (Bankr. D. Del. 2009): Threat of enforcement of blocking statute perceived as minimal In re Air Cargo Shipping Servs. Antitrust Litig., No. 06-MD-1775, 2010 WL 1189341 (E.D.N.Y. Mar. 29, 2010) The legislative history of the blocking statute indicates that it "was never expected or intended to be enforced against French subjects but was intended rather to provide them with tactical weapons and bargaining chips in foreign courts 19
US Courts View of French Blocking Statute (cont d) MeadWestvaco Corp. v. Rexam PLC, no. Civ. A. 1:10-511, 2010 WL 5574325 (Dec. 14, 2010) (quoting Rich v. KISCal. Inc., 121 F.R.D. 254 (M.D.N.C. 1988))... the law [i]s both overly broad and vague[,] and... it need not be given the same deference as a substantive rule of law Trueposition, Inc. v. LM Ericsson Tel. Co., 2012 WL 707012 (E.D. Pa. Mar. 6, 2012) [T]here are other courts [that] have held that the French Blocking Statute does not subject defendant to a realistic risk of prosecution, and cannot be construed as a law intended to universally govern the conduct of litigation within the jurisdiction of a United States court. 20
Hague Convention vs. US FRCP Extra-territorial reach of US courts accomplished by resort to their own rules (Federal Rules of Civil Procedure ( FRCP )) or to the Hague Convention on Taking of Evidence Abroad in Civil or Commercial Matters ( Hague Convention ) A party may seek production under FRCP, however, a party failing to comply with a discovery order under FRCP is subject to sanctions by the court Sanctions can dramatically impact a party s case Courts have broad discretion 21
Hague Convention vs. US FRCP (cont d) Hague Convention Applies between state parties Formal procedures for responding with information requested in foreign legal proceedings Provides for the taking of evidence by: means of letters of request, or diplomatic or consular agents and commissioners Does not contemplate US style discovery, and some state parties preclude discovery as opposed to evidence French reservation: France has specifically reserved the right to refuse letters of request issued for the purpose of obtaining pre-trial discovery of documents unless two conditions are met: the requested documents are enumerated limitatively in the letter of request the requested documents have a direct and precise link with the object of the procedure 22
Hague Convention vs. US FRCP (cont d) Aerospatiale case balances considerations: Significance of the discovery to issues in the case Degree of specificity of request Whether the information originated in the jurisdiction from which it is being requested Availability of alternative means of securing the information sought in the discovery request Extent to which noncompliance with Hague Convention would undermine the foreign sovereign s interest in the information requested Some courts construing Aerospatiale have articulated two additional factors: Good faith of the party resisting discovery Hardship of compliance on the party or witnesses from whom discovery is sought 23
Summary of Current US Law Generally, neither a blocking statute nor the Hague Convention will provide a party within the jurisdiction of a US court a basis to resist US discovery US courts are also faced with data protection arguments when compelling discovery, and courts may not agree to heed data protection requirements Decisions are made after courts carefully balance the relevant considerations on a case-by-case basis Courts must take care to demonstrate due respect for any special problem confronted by the foreign litigant on account of its nationality or the location of its operation, and for any sovereign interest expressed by a foreign state. Aerospatiale, 482 U.S. at 546 Discovery nonetheless most often compelled under FRCP, but there are exceptions 24
VI. SOLUTIONS FOR COLLECTING, REVIEWING AND DISCLOSING FRENCH AND EU DATA IN US LITIGATION 25
Solutions for collecting, reviewing and disclosing French and EU data in US litigation EU data protection authorities ( WP or G29 ) opinion on Pre-Trial Discovery For Cross-Border Civil Litigation (2009) Acknowledges need for understanding between common law and civil law jurisdictions CNIL recommendation on e-discovery (2009) (Deliberation No. 2009-474) The Sedona Conference Framework for Analysis of Cross-Border Discovery Conflicts (2008) (available at www.thesedonaconference.org) 2011 Sedona Conference International e-discovery Best Practices Commentary (in draft) American Bar Association resolution, approved February 6, 2012, urges U.S. courts to consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation. The ABA specifically urged greater respect for international data privacy rules 26
CNIL Recommendation on E-Discovery Blocking statute applies regardless therefore, Hague Convention procedure must be followed Transfers of personal data, even when authorized by a French judicial authority via Hague Convention procedure, must comply with Law of 1978, as amended: Notice to data subject Data subject has right of access Data subject has opportunity to object Security measures when data are transferred to or within the US Use of EU-US Safe Harbor Use of Model Clauses Use of Protective Orders Narrow scope of data to be transferred direct and precise link to the proceeding Cull and filter data within France Third party should assess relevance 27
Proposed Solutions: The Sedona Conference Three-prong approach: Provide safeguards to protected data by stipulations and court orders Permit a reasonable timetable to ensure adequate processing and transfer of protected data Establish a reasonable methodology to be applied for the processing and transfer of protected data 28
Proactive Steps: Pre-Litigation Adopt IT and privacy policies adapted to e-discovery: Inform employees that documents and data may be subject to preservation and collection in response to litigation or other legal requirements Require employees to use non-work email account for personal communications (e.g., private emails) Alternatively, require employees to segregate private emails Prohibit employee use of personal devices for professional purposes Alternatively, require employees to abide by strict segregation and security rules on their personal devices Adopt and enforce document retention policies retaining ESI for only the period deemed necessary Limit access to EU data by non-eu entities 29
Proactive Steps: Pre-Litigation (cont d) Adopt appropriate data management plan, e.g.: Map all IT systems and data flows Document all data bases and applications If private emails are tolerated, segregate all private emails Consider system that permits personal data to be anonymized, or redacted when acceptable Consider implementing specialized software designed for e-discovery Develop strong coordination between EU employees overseeing privacy obligations, and legal department overseeing litigation generally in US 30
Proactive Steps: Managing Discovery Tailor the legal hold notice and scope of retention to local requirements Consider issues of privilege Independently assess each case where EU data is implicated/requested Determine probable litigation value, legal exposure in litigation and other legal risks Evaluate nature and breadth of potentially responsive data Determine which entity has control, custody or possession of data responsive to requests Determine whether data sought are available from non-eu source Assemble legal hold/discovery team: US counsel and local counsel Local IT / HR / Data Protection Officer Local e-discovery vendor 31
Proactive Steps: Managing Discovery (cont d) Raise foreign legal issues (data protection, blocking statute, Hague Convention, etc.) with adversaries and US court early and often (see FRCP 44.1) File submissions explaining legal issues; support with evidence Begin working on narrowing requests and discussing discovery approachand agreements as early as possible Facilitate discussion of Hague Convention procedure Use protective orders and stipulations to protect confidentiality Consider data transfer options (Safe Harbor, etc.) Consider least intrusive measures for responding Consider role of Works Council 32
Proactive Steps: Managing Discovery (cont d) Local processing and review of data Cull personal data in EU as much as possible before any transfer Consider separating all non-personal data first if feasible and begin producing in stages if possible (but production always requires privilege review) Notice to (and obtain consents from?) individuals with relevant data Suggest anonymizing or pseudonymizing data if appropriate Keep track of detailed compliance efforts to prove good faith efforts to comply with personal data requirements Establish what will happen to data upon conclusion of litigation 33
Useful Resources Two useful DLA publications: Data Privacy Laws of 58 Countries Handbook: (link) Attorney-Client Privilege: (link) 34
Merci Bijan.Eghbal@DLAPiper.com Browning.Marean@DLAPiper.com Carol.Umhoefer@DLAPiper.com The information, perspectives and impressions contained in these slides and communicated during their presentation are those of the speaker(s) alone. They are not legal advice and do not represent the legal or business positions of his (their respective) employer(s), partners, firm, clients or customers, and are offered strictly for teaching and instructional purposes in connection with this seminar. 35