Strategist - The FindLaw Law Firm Business Blog

8 Tips for Cross-Border Discovery and International Privacy Laws

Many of us are perfectly happy to practice in a limited geographic area. But, given the increasingly interconnected nature of today's world (the Internet, cheap airfare, free trade), it's not uncommon for attorneys to be faced with cross-border issues. We're not talking state lines here. This is international.

Cross-border disputes can soon be followed by cross-border discovery. And despite the "flattening" of the world, there are major differences between American-style discovery and international systems, particularly when it comes to data protection and privacy. Thankfully, plenty of international adventurers, or just lawyers, have gone before you and left some tips behind to help guide your way.

Differing Views of Private and Public Data, Role of Discovery

The U.S. system often allows extensive, wide-ranging discovery. Europe? Not so much. European states have much more restrictive pre-trial discovery rules and greater protections on personal data. In the U.S., private data only includes particularly sensitive information -- things like Social Security numbers, medical records, and financial information. The EU Data Protection Directive, in contrast, defines personal data as any personally identifiable information and protects it against unauthorized use.

If that doesn't complicate things, the EU is currently overhauling its data privacy regulations. Of course Europe isn't everything. There are almost as many non-American privacy regimes as their are non-American countries. And don't forget that many of the world's legal systems don't operate on an adversarial basis. In Germany, for example, parties are only required to produce documents that support their assertions; there's no requirement to hand over "non-beneficial" information to the other party.

Practice Tips for Cross-Border Discovery

The Sedona Conference, a nonprofit legal research and educational institute, has assembled eight "practice points" to help guide lawyers dealing with international and cross-border discovery issues implicating data protection and data privacy. Here's a quick summary, though interested counsel should check out their full report.

1. Balance the urgency in preserving information with complying with data protection laws. Some countries may prohibit "processing" of personal data in discovery and preservation methods. When faced with cross-border data issues, identify international data sources, research applicable laws, and consult specialized counsel. Adopting split U.S. and international legal hold notices may be necessary.

2. Meet with key stakeholders to set common expectations. Quickly meeting with stakeholders regarding relevant documents can help you identify which data protection laws may govern the transfer of data outside the country.

3. Identify and define privacy issues with opposing counsel or regulators. This could include seeking a stipulation or protective order to help minimize conflicts involving personal data use.

4. Check in regularly to make sure you haven't lost consent to transfer personal information. Under the EU's privacy protection directive, the consent to transfer can be revoked at any time.

5. Study foreign systems in advance. In-country collection of information can be simplified by researching stakeholders, customs, and systems unique to a foreign country early on in your process.

6. The processing stage of discovery can be tricky. As the Sedona Conference says, early discussions should address both data protection and discovery requirements, along with local procedures, in order to "demonstrate due respect to any Data Subject with rights under applicable Data Protection Laws."

7. Consider ways to limit production of protected data. If using protected data is necessary, institute safeguards to protect those privacy interests.

8. Get rid of data when you're done. Release legal holds and return or dispose of protected data when a matter is fully concluded.

Related Resources: