CEIC 2010 international panel

International International eDiscoveryeDiscovery: Data : Data Protection, Protection, Privacy & CrossPrivacy & Cross--Border IssuesBorder Issues

Red Rock ResortSummerlin, Nevada

May 26, 2010y ,

Agenda

The PanelThe PanelModerator: Patrick Burke, Guidance

SoftwareSoftwareM. James Daley, Esq., Daley & Fey LLPDominic Jaar, Ledjit inc.George Rudoy, Shearman & Sterling LLP

P A G E P A G E 11

M. James DaleyM. James Daley

M. James Daley, Esq., CIPPM. James Daley, Esq., CIPPPartner, Daley & Fey LLP

Partners with clients to contain the costs and reduce the risks of global data privacy, e-discovery and data security challengesp y, y y g

Chair of The Sedona Conference® Working Group on International E-Disclosure and Records Management (WG6)

Co-Editor-in-Chief of The Sedona Conference® Framework for Analysis Of Cross-Border Discovery Conflicts (2008)

P A G E P A G E 22

Certified Information Privacy Professional (CIPP) – International Association of Privacy Professionals

Dominic Jaar

Dominic JaarPresident, Ledjit Consulting inc.

CEO, Canadian Centre for Court Technology

Member of the Sedona Conference Editorial board (Sedona Canada) WG1 WG6 WG6

Guidance Software Strategic Advisory Board

P A G E P A G E 33

George RudoyGeorge Rudoy

George RudoyGeorge RudoyShearman & Sterling, LLP

Director, Global Practice, Information & Knowledge Management

Founding member of the E Discovery Training Academy at Georgetown Founding member of the E-Discovery Training Academy at Georgetown Law Center

Chair of the ALM Law & Business’s Legal Tech Educational Board

Vice President of the International Legal Technology Association (ILTA) Practice Management Peer Group

P A G E P A G E 44

Principles of PrivacyPrinciples of PrivacyM. James Daley, Esq., CIPPM. James Daley, Esq., CIPPDaley & Fey LLPDaley & Fey LLP

The Current LandscapeThe Current Landscape

Cross-border ediscovery is a “Catch 22”Cross-border ediscovery is a Catch 22

U.S. Courts require production or relevant information located outside the U Sinformation located outside the U.S.

Many non-U.S. jurisdictions restrict and/or bl k th i d t f f hblock the processing and transfer of such information to the U.S.

P A G E P A G E 66

Differing notions of privacyDiffering notions of privacy

Privacy is a fundamental right in much of the ldworld

Definitions of personal data subject to privacy t ti t id th U S t lprotection outside the U.S. are extremely

broad

Privacy protections in the U.S. are industry specificPersonal data subject to protection is limited to

specific categories (e.g., Social Security b di l i f ti b ki d t )

P A G E P A G E 77

numbers, medical information, banking data)

Differing Notions of PrivacyDiffering Notions of Privacy

Restrictions on disclosure outside the European Economic Area (E.U. member states plus Norway, Iceland, and Liechtenstein)

Generally, personal data cannot be sent to countries with less privacy/data protection p y pthan in the E.U.

Only a handful of jurisdictions meetOnly a handful of jurisdictions meet standards to allow data transfer

P A G E P A G E 88

Transfers outside the EUTransfers outside the EU

Exceptions and derogations to general principleIssues include necessity for the transfer, y

proportionality (how the truly personal data is culled), and specifics in enabling laws of

b t tmember states.Critical to consult local counselTransmission may require

notification/permission of local Data Protection

P A G E P A G E 99

Agencies

Differing Notions of DiscoveryDiffering Notions of Discovery

Common law: expansive pre-trial discovery yconducted by the parties with judicial supervision as needed to resolve disputes or manage court calendarU S t i di itt d fU.S. most expansive: discovery permitted of

documents which may lead to admissible evidenceCanadian “semblance of relevance” test almost asCanadian semblance of relevance test almost as

expansiveU.K.: parties must produce “documents relied upon p p p

and documents that adversely affect or support litigant’s position” but document request must seek specific documents not broad categories

P A G E P A G E 1010

specific documents, not broad categories

Civil Code jurisdictionsCivil Code jurisdictions

Disclosure is limited to admissible evidenceDisclosure is limited to admissible evidence

Court closely supervises disclosure and determines admissibility and relevance ofdetermines admissibility and relevance of proposed evidence

F l i G liti t d lFor example, in Germany, litigants need only produce those documents which will support their claimstheir claims


The Hague ConventionThe Hague Convention

Hague Convention on the Taking of Evidence Ab d (1972)Abroad (1972) An attempt at compromise: a uniform

d f ll ti f id b tprocedure for collection of evidence between common law and civil law jurisdictions.L f (“ ”) i fLetters of request (“rogatory”) issue from court in one nation to designated central authority (often a court) in another requesting(often a court) in another, requesting assistance in obtaining information


The Hague ConventionThe Hague Convention

Aerospatiale: U.S. courts are not required to resort to the Hague Convention procedures over the Federal Rules of Civil Procedure

Fi f t b l i t t Five-factor balancing test: Importance of the evidence to the litigationR ti i t t f th U S d th f iRespective interests of the U.S. and the foreign

nation where the information is locatedSpecificity of the requestSpecificity of the requestWhether the information originated in the U.S.Availability of alternative means to obtain the


Availability of alternative means to obtain the information

Blocking statutesBlocking statutes

Shields for nationally sensitive dataStatutes which restrict cross-border discovery

of information intended for use in foreign j di i l dijudicial proceedingsNot limited to civil law jurisdictions (Australia

d C d h bl ki )and Canada have blocking statutes)May be general (France and Venezuela) or

industry-specific (e.g., Switzerland re banking information)


Blocking StatutesBlocking Statutes

Contrary to certain U.S. and U.K. judicial decisions, blocking statutes can have severe consequencesVenezuela: In Lynondell-Citgo Refining LP v.

Petroleos de Venezuela, defendant accepted d i f i t ti th than adverse inference instruction rather than

turn over board minutes and related documentsFrance: In January, 2008, the French Supreme

Court affirmed a criminal conviction for speaking to a potential witness about a U S


speaking to a potential witness about a U.S. lawsuit

TrendsTrends

The French Supreme Court decision, related t U S f St C dit L ito U.S. case of Straus v. Credit Lyonnais, may tip the balancing test in favor of recognition of the significance of blocking statutes andof the significance of blocking statutes and result in more recourse to the Hague Convention

Some U.S. courts had already required recourse to the Hague Conventionrecourse to the Hague Convention (Connecticut District Court, In Re Perrier Bottled Water Litigation; New Jersey State


Court, Husa v. Labatoires Servier S.A.)

TrendsTrends

Potential narrowing of the definition of “ l d t ” i U K“personal data” in U.K.Durant v. Financial Services Authority, Court of

A l (Ci il Di i i ) 2003 “O lAppeal (Civil Division), 2003: “Only information that names the (the individual) or refers to him” qualifies for protection under therefers to him qualifies for protection under the Directives and U.K. enabling lawsCourt described its holding as a “a narrowCourt described its holding as a a narrow

interpretation of personal data” and is not universally followed


u e sa y o o ed

U.S. Data Privacy & Security: A U.S. Data Privacy & Security: A Patchwork QuiltPatchwork Quilt

18


The Surveillance SocietyThe Surveillance Society

19


TrendsTrends

Increased attention to privacy in the United StatesMedia coverage of compromises of personal data

through loss of laptops and backup tapesSecurity breaches of large public and private

databasesdatabases Increasing incidence of identity theftRecent (and first) HIPAA civil monetary penaltyRecent (and first) HIPAA civil monetary penalty

proceeding to result in penalties, revamped electronic privacy plan and compliance reports


Ways to Mitigate RiskWays to Mitigate Risk

Dialogue with Data Protection Authorities on gcommon interests

In-country collection processing and cullingIn-country collection, processing and culling and possibly review

Development of a uniform confidentialityDevelopment of a uniform confidentiality designation, i.e., “EU Confidential,” for personal data involved inpersonal data involved in discovery/disclosure cross borders


Ways to Mitigate RiskWays to Mitigate Risk

Development of specific E.U. (and perhaps A i P ifi d S th A i ) i iAsia- Pacific and South America) provisions for U.S. court protective orders and case management ordersmanagement ordersAddition of cross-border discovery and

conflicts training to judicial education curriculaconflicts training to judicial education curriculaDevelopment of approved protocols for

processing and pre filtering of personal data inprocessing and pre-filtering of personal data in the host country to assure only relevant personal data is transferred for discovery


pe so a data s t a s e ed o d sco e ypurposes

A way forwardA way forward

Education and Awareness:Legal RestrictionsRecords Management – Cultural DivideRecords Management Cultural DivideTechnology Realities

Ri k B fit A l iRisk Benefit Analysis

Efforts to Mitigate Risk

Continued Communication and Collaboration


Framework for Cross-Border Discovery


Upcoming eventUpcoming event

The Sedona Conference®

I t ti l PInternational Programon Cross-Border eDiscovery, eDisclosure & Data PrivacyeDisclosure & Data Privacy

15-17 September 2010pWashington, D.C.


Think Globally, Act LocallyThink Globally, Act Locally


Principles of ProportionalityPrinciples of ProportionalityDominic Dominic JaarJaarPresident,LedjitPresident,Ledjit Consulting Consulting inc.inc.

CanadaThe State of E-Discovery

Ontario GuidelinesSedona Canada PrinciplesRules of Civil Procedure Nova Scotia Ontario

Practice Directions British Columbia Alberta Alberta

Quebec Code of Civil Procedure


ProcedureFederal

PrivacyCanada as the Safest Harbour

Principles Purpose Purpose Consent Limited

C ll ti— Collection— Use— Disclosure

Retention— Retention

Accuracy

Canadian Charter of Rights and Freedom

Personal Information Protection and Electronic Documents Act (PIPEDA)

P i i l L i l ti


Provincial Legislation

Sedona Canada White Paper on Privacy (To be published)

Blocking StatutesReacting to USA’s Extraterritorial LawsLaws

Cuban Policy

Asbestos

UraniumUranium

National and Provincial Politics and EconomicsPolitics and Economics

FederalForeign Extraterritorial Measures ActForeign Extraterritorial Measures Act

ProvincialQuebec Business Concerns Records Act


Ontario Business Records Protection Act

Privileges (Solicitor-Client and Litigation)Quasi-Constitutional Rights

Canadian Charter of Rights and Freedoms

WaiverExplicitp Implicit

Cross-Border ProductionCross-Border Production


ProportionalityA Reality, not a Mere Principle

Rules of Civil ProcedureNature of the caseValueBurdenAccessibilityRelative RelevanceConfidentiality

—Privacy—Privileges—Intellectual Property


p y—Commercial/Industrial Secrets

International E-DiscoveryPractical Challenges

Language Identification Identification Processing ReviewReview Presentation

Technologicalg Standards Legacy systems Multinational enterprise-

wide content search

Criminal/Penal charges


Criminal/Penal charges Jurisdiction over act

Principles of Language & CulturePrinciples of Language & CultureGeorge RudoyGeorge RudoyShearman & Sterling LLP Shearman & Sterling LLP

Non English Language Documents

ASCII vs. Unicode

l d d• Computers only understand numbers—0’s and 1’s..

ASCII d i d t ll h• ASCII designed to allow humans to communicate with computers.

• Invented for teletypes• Invented for teletypes

• Original ASCII character set limited to 127 characters.limited to 127 characters.

A -> 0100 0001



Printable ASCII Characters

0 1 2 3 4 5 6 7 8 9 a b c d e f g gh I j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

! @ # $ % ^ & * ( ) + ` =~ ! @ # $ % ^ & * ( ) _ + -= [ ] \ { } | ; ’ : ” , . / < > ?



ASCII vs. Unicode

• Other languages needed additional• Other languages needed additional characters.

• Extended ASCII added ramped to• Extended ASCII added ramped to 256 characters.

• Special encoding developed to reachSpecial encoding developed to reach beyond extended ASCII.

• Result: multiple coding sets emerged p g gusing the same byte sequences.



The bottom line…• Chinese language has 65,000+ g g ,

symbols

• Unicode assigns numbers to every possible character set.

• UTF-8 has become defacto Unicode standard to represent multi-byte languages.

E-Discovery processing software must support Unicode!



Non English Language Tokenisation

• Western search based on spaces and punctuation.




l f d• Some languages often don’t use spaces or punctuation.




Thedogatemydinnerbeforeicouldstophimnexttimeiwillputhimoutbeforeieatp

The dog ate my dinner before I could stop him. Next time I will put him out before I eat.

裁判所はどこにありますか?

Next time I will put him out before I eat.

Where is the courthouse?




d i f

Chinese

• Words may consist of one or more symbols中國人

Middle country persony p

中國

China

中國

Middle countryy


Cultural Guide to

Conducting E-Discovery in the International Conducting E Discovery in the International

Settings Selected countries and regions


European Union


EU

Location: Europe between the North Atlantic Ocean in the west and Russia, Belarus, and Ukraine to the east, ,

Legal System: comparable to the legal systems of member states; first supranational law systemP liti l t t h b id i t t l d ti lPolitical structure: a hybrid intergovernmental and supranational organization

Population: 491,018,683Languages: Bulgarian, Czech, Danish, Dutch, English, Estonian,

Finnish, French, Gaelic, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovene, Spanish, Swedish


EU

Be aware of balance and possible conflict of individual country rules vs. EU rulesrules vs. EU rules

Transport and use of data is highly guarded and restricted

Prepare schedule of annual holidays and observancesp y

Polite direct requests Take the time to clarify project purpose and planClarify vernacular for technology (Services v. Share)Establish client-side project liaison

C id l l l b lConsider local labor laws


EU

Minimal experienced local vendor support, most located in UK

I l IT i i i id if l h l Involve IT in interview process to identify relevant technology landscape

Explain discovery process in detail with the support of visual p y p ppdiagrams and documentation Local Counsel IT Personnel IT Personnel Interview process

Translate project requirements and scopeTranslate project requirements and scope


Former USSR


Former USSR

English not widely spoken, even less so in non-capital citiesRemaining xenophobia of foreigners especially AmericansRemaining xenophobia of foreigners, especially AmericansLocal customs are unique and expected to be followedVery little regard for privacyMany layers of authority and managementBorder security varies and customs can be negotiated withNo local vendorsNo local vendorsLimited familiarity with litigation requests “Government secrets” still an issuePersistent refusal to sign any documents (chain of custody

form, privacy waiver, etc)


Collecting ESI in Russia

Privacy Rights in Russia Article 23 of the Constitution of the Russian Federation Article 23 of the Constitution of the Russian Federation

— Everyone has the right to privacy, personal and family secrets, protection of one’s honor and good name.

— Right to privacy of correspondence, telephone communications, mail, cables and other communications.

— Any restriction of these rights require a court order.

Federal law “on information”— Each person has the right to search and receive any information in any forms

and from any sources subject to specific limitations.— Limitations provide only for data related to a state secret, commercial secret,

official or other secret (e.g. tax secret), professional secret, privacy or family ( g ), p , p y ysecrets which are regulated by separate federal laws.


Penalties

Penalties can be disciplinary, civil, administrative or criminal. Specifically criminal liability for violation of the immunity of private life Specifically, criminal liability for violation of the immunity of private life,

violation of secrecy of communications and infringement of home involiability, as well as liability for unauthorized access to legally protected computer information.

Civil liability if an individual suffers physical or moral damages by violation of his or her non-property rights or any other non-material welfare rights. A court can force financial compensation.


Russian law on transferring data through data telecommunications networks

Article 15(5) of the Federal law “On Information” provides that data can be transferred through data telecommunications gnetworks without any limitations subject to the protection of intellectual property except “On personal data” (Article 7) requires the operator ensure for the p ( ) q p

confidentiality of received personal data with two exceptions:— Instances involving depersonalization of personal data, and— Publically available personal data.— Most importantly, the operator can process personal data only with a person’s

consent (Article 6) subject to certain exceptions.— Personal data is broadly defined to include “any information related to an

individual…or information on the basis of which an individual may beindividual…or information on the basis of which an individual may be identified.” Examples include surname, birthdate, address, family status, income and education.


Consent

On the one hand, consent is required “when directed by law” such as collection and transborder transfer of personal data.

On the other hand, in practice, where a company puts employees on written notice by policy or specific notice that their email and documents are company property and can be accessed for business uses at any time, written consent can be made by the company.uses at any time, written consent can be made by the company.

Written consent is prudent – the burden of proof is on the operator and Russian courts usually require documentation. No standard consent form, but lists six criteria to include: ,

— full name of person giving consent including address, passport number, date of issue and issuing authority.

— Name and address of operator to whom consent is given.— List of personal data that may be processed.— List of operations to be performed with personal data, and general description of the

processing methods.— Term of validity of the consent and the procedure for its revocation.


Exceptions to Consent

Personal data process on the basis of federal law (primarily supporting law enforcement).

Personal data processed to perform an agreement to which such individual is a party (e.g. employment agreement).

Personal data processed for scientific or statistical purposes, and it is iti dsanitized.

Personal data processed to protect life, health or important individual interests and it’s not possible to obtain consent.

Personal data processed to deliver mail or telecommunications customer settlements.

Processed for professional activity of a journalist or for scientific literature or creative activityliterature or creative activity.

Data subject to publication in compliance with federal laws such as state officials or candidates to elective posts.


Australia

Land Mass: Slightly smaller than the US contiguous 48 states Legal System: Based on English common law; acceptsLegal System: Based on English common law; accepts

compulsory ICJ jurisdiction, with reservations Population: 21,007,310Ethnicity: Caucasian 92% Asian 7% aboriginal and other 1%Ethnicity: Caucasian 92%, Asian 7%, aboriginal and other 1% Languages: English or strine spoken


Australia – Cultural

Highly regulated environmentLegal compliance is accepted and valuedLegal compliance is accepted and valuedPolite direct requests Informal business environmentHigh use of technology, mobile technology and emailDue to “listing” requirements objective data and metadata

integrity is importantThe Legal Hold concept loosely translatesVigilant customs and securityL l dLocal vendorsFamiliar with litigation requests


China

Land Mass: Slightly smaller than the USLegal System: Based on civil law system; derived from SovietLegal System: Based on civil law system; derived from Soviet

and continental civil code legal principles; legislature retains power to interpret statutes; constitution ambiguous on judicial review of legislation; has not accepted compulsory ICJ jurisdictionjurisdiction

Population: 1,330,044,544Ethnicity: Han Chinese 91.5%, Zhuang, Manchu, Hui, Miao,

Uyghur Tujia Yi Mongol Tibetan Buyi Dong Yao Korean andUyghur, Tujia, Yi, Mongol, Tibetan, Buyi, Dong, Yao, Korean, and other nationalities 8.5%

Languages: Standard Chinese or Mandarin (Putonghua, based on the Beijing dialect), Yue (Cantonese), Wu (Shanghainese),on the Beijing dialect), Yue (Cantonese), Wu (Shanghainese), Minbei (Fuzhou), Minnan (Hokkien-Taiwanese), Xiang, Gan, Hakka dialects, minority languages


China - Cultural

Dispute resolution process not alignedNot familiar with litigation requestsNot familiar with litigation requestsMany layers of authority and management “Party” plays a roleTitles and formality is importantTitles and formality is importantTimeframes may slipCan be difficult getting hardware in and outPayment customs can be misunderstoodExceptions based on relationshipsLabour cost and efficiencyySelf serviceVendor selection and testing


Privacy in China

China lacks comprehensive privacy legislation. A draft Personal Data Protection Law has been submitted to the State A draft Personal Data Protection Law has been submitted to the State

Council, China’s executive branch. It is not unusual for searches to be undertaken on company computers

without an employee’s consent.p y

Nonetheless, obtaining written consent is a prudent practice.


Privacy in Hong Kong

Two sources of privacy protection Personal Data (Privacy) Ordinance Common law (generally applies only to information which has the necessary quality of

confidence, was imparted in confidence, and used without authorization to the detriment of the party communicating it (Coco v AN Clark (Engineers) Ltd. [1969] RPC 41).

Under Personal Data (Privacy Ordinance), “personal data” is defined as any data (a) relating directly or indirectly to a living individual, (b) from which it is practicable for the identity of the individual to be directly or indirectly

ascertained, and (c) in a form in which access to or processing or use of the data is practicable.

The use of personal data (including collection, processing and transfer) must be consistent with the purpose for which the data were originally collected or directly related to it, otherwise the prior consent of the employee must be sought and obtained.

Beware a newly enacted section 33 of the Privacy Ordinance – which may not yet be in force – which prohibits the transfer of personal data outside Hong Kong and unclear if consent overcomes that.


CEIC 2010 international panel

Education

Transcript of CEIC 2010 international panel