Posted on: 5/7/2012
Carl H. Poedtke III, Stephen W. Schwab, Kathy J. Owen
View Latest Articles
A chance meeting between a seasoned partner of a large law firm and a young associate, Jagger, in a similarly sized firm, takes place in the airport lounge at New York’s Kennedy Airport. Both are relaxing. The partner of 20 years tells Jagger she is heading on vacation with her husband (who is also a lawyer, and is typing away at an aspiring first novel nearby, a seemingly common habit for lawyers these days). When the partner asks Jagger where he is headed, she learns he is leaving for Europe to gather documents and emails for discovery, and interview client and third-party witnesses for a case pending in the Southern District of New York. Clearly Jagger is excited about his upcoming journey, for it is his first foray to the continent. He is especially looking forward to his several days in Paris—“the City of Light”—where by a stroke of luck his client maintains substantial operations, and many of the relevant events took place.
A quizzical look from the partner followed quickly by a raised eyebrow results in a question: “Have you checked the laws in Europe?” Jagger responds with utter silence. “I’ll take that as a no” replies the partner. “What I would do immediately upon landing—if not before you board the plane—is research the local laws where you are visiting, especially those in France. Do you know it has data privacy laws you may need to consider, as well as a criminal statute that applies to discovery, with requirements to comply with the Hague Convention? They even prosecuted a lawyer a few years back.” A look of sheer stress appeared on Jagger’s face, as blood quickly drained away (an altogether not unfamiliar experience for a young lawyer). As Jagger thanked the partner for the tip, and wished her a pleasant trip, he fired up his computer to begin researching “cross border discovery” issues.
While jail time might not be in the offing, and while the above scenario may not be played out with regularity, the necessity of dealing with the challenges posed by, for example, EU data privacy and other laws remains very real. Litigants, especially those dealing with electronically stored information (ESI) in foreign countries, face a unique challenge when responding to U.S. discovery requests. U.S. courts generally permit broad discovery, forcing parties and non-parties to produce documents subject to fairly narrow exceptions. See, e.g., Fed. R. Civ. P. 26, 45. Many foreign countries, however, enforce privacy laws prohibiting the handling of data, including “personal data.” Fortunately, black coffee and WiFi availability in the lounge and on the flight will offer Jagger the opportunity to dig down into these issues before he sets foot overseas and can seek the advice from French counsel expert in the issues.
Jagger’s research will quickly confirm that storing foreign data in countries within the European Union (EU) presents particular concerns for those subject to U.S. discovery. In 1995, the EU passed the European Council Directive 95/46, Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, 38 (EC) (hereinafter “EU Directive”), available at http://eur-lex.europa.eu/ LexUriServ/ LexUriServ.do?uri=CELEX:31995L0046:EN:HTML. The EU Directive outlines principles of privacy and data protection, and instructs member states to pass legislation in satisfaction of these principles. EU Directive, Art. 2(b), 6. Currently, privacy laws exist in every EU member state. The laws in Germany, France and Italy are often described as much more protective than the minimum standards.
Surprising to Jagger will be the broad scope of the term “personal data,” which is closely regulated in the EU. Jagger has always known “personal data” to reference a social security number, medical information, or certain financial data. The EU’s notion of “personal data” is much broader than that in the U.S. Although there is variance within the EU, “personal data” is defined in the EU Directive as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly indirectly, in particular by reference to an identification number or to one or more factors specified to his physical, physiological, mental, economic, cultural or social identity . . ..” EU Directive, supra, art. 2(a). As further described by the Article 29 Data Protection Working Party (“Working Party”), an independent advisory board established under the EU Directive, “personal data” amounts to any data that permits identification of an individual, directly or indirectly, through methods “likely reasonably” to be used by a data controller or a third party. See Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of Personal Data (012480/07/EN WP 136), at 15 (June 20, 2007). This is a very broad category of data, which implicates most email transmissions and communications in the EU, even when they are strictly business-related.
By the time Jagger gets through the EU Directive and related information, his head will be spinning. But he will have an idea; in light of the complexity related to personal data in the EU, perhaps the best thing to do is simply refer the US court to the relevant EU laws, and advise the court of the potential problem, if not impossibility, of production. Moreover, even if the information might be produced, if it is in Europe, does not some kind of treaty, such as the Hague Convention the partner mentioned, apply so that discovery issues will be moot? Jagger’s old civil procedure teacher would glow with pride.
Alas, Jagger's brief search into U.S. case law will reveal that U.S. courts acknowledge the privacy concerns of producing foreign data, but often refuse to make exceptions to its broad and established discovery regime. In SociétéNationaleIndustrielleAérospatiale v. United States Dist. Court for the S. Dist. of Iowa, 482 U.S. 522 (1987), for example., the U.S. Supreme Court decided what regime governs the discovery of foreign data in U.S. courts: the Federal Rules of Civil Procedure (FRCP) or The Hague Convention on the Taking of Evidence in Civil or Commercial Matters (Hague Convention). Id. at 524.
Aérospatiale involved two French plane manufacturers sued in the U.S. for negligence and breach of warranty in connection with an allegedly defective aircraft. Id. at 524–25. After conducting initial discovery under the FRCP, the plaintiffs served document requests, interrogatories, and requests for admissions on the French defendants. Id. at 525 & n.4. The defendants moved for a protective order, on the grounds that the Hague Convention controls the process of discovering the documents because the requests encompass documents located in France. Id. at 525–26. However, the Court noted the Convention prescribes more cumbersome methods for obtaining evidence, such as formal letter requests for foreign authorities. See id. at 542 (describing the letter procedure as “unduly time consuming and expensive”). The defendants further asserted that production of documents not in accordance therewith would subject them to criminal liability in France. Id. at 526 & n.6.
The Court held that the Hague Convention provides a supplementary set of rules for discovery of foreign data, and explained that interests of “international comity” govern whether the Convention applies. Id. at 543–44 & n.28. These interests are expressed in a five-part balancing test, adopted from the Restatement of Foreign Relations Law of the United States (Revised) § 437(1)(c) (Tent. Draft No. 7, 1986).
In the wake of Aérospatiale, lower courts undertake the “delicate task” of discovery involving foreign data without clear guidance. Dangers abound for those forced to participate in discovery in the U.S. with responsive data abroad. Foreign companies, individual litigants, and non-parties may all be compelled to produce data stored abroad, despite objections that doing so violates foreign laws.
Additionally, some countries, notably France, have enacted criminal blocking statutes which prohibit compliance with U.S. discovery requests, absent compliance, for example, with the Hague Convention. Despite the fact that producing foreign data in U.S. litigation may lead to the violation of privacy laws and blocking statutes in the country where the data is stored, U.S. courts have generally shown little sympathy. The result is often an impossible decision: refuse to produce in violation of court orders, or produce in violation of foreign laws.
An upcoming article in For The Defense by the authors will further reveal what Jagger’s trans-Atlantic research will uncover about the issues and suggest practical approaches to the apparent conflict between such laws. With ever-increasing obligations in respect of e-discovery in the U.S., the legal and cultural differences in the Old World need to be understood and addressed from the onset of litigation—if not before. Litigants who fail to fully understand the various laws at play in such circumstances may find themselves in peril, and truly “between a rock and a hard place.” After summarizing the laws and issues, and then focusing on recent developments in France, Jagger’s research and advice from French counsel will suggest a way through the legal quagmire to best protect international clients and the information they possess. Needless to say, cross-border discovery, particularly e-discovery, is an ambiguous arena rich in unsolved issues and dangers. Rather than curse the darkness, the article will attempt to light a candle to reveal a footpath toward a sound practice.
Carl H. Poedtke III
DLA Piper LLP (US)
Stephen W. Schwab
DLA Piper LLP (US)
Kathy J. Owen
DLA Piper LLP (US)
DLA Piper UK LLP
+33 1 40 15 24 34