What is "data privacy"? It is a lot like asking what "food" is. The answer depends on where you are, who you are, what time it is and how hungry you are. Breakfast in Japan often comprises miso soup, grilled fish and white rice. In America it might be eggs, bacon, toast or Rice Krispies. Menu items leading up to Medieval times would turn your stomach. Ask today's food editor at TheNew York Times®and an 18th century native of the South Pacific and you will get wildly different answers. Let's skip specifics.
While not nearly as stomach-turning, the same elements of time, place, circumstance and need come into play when defining data privacy.
EDRM co-founder George Socha recently teamed up with LexisNexis® Litigation Services to produce four educational sessions designed to "demystify e-discovery" during a full day at LegalTech®. One of those sessions was titled "International Privacy: The Impact on Cross Border Litigation," and Socha began with a search for a definition-certainly knowing what he was getting into.
Baker Hostetler attorney Gonzalo Zeballos, a seasoned international litigator whose experience spans five continents and more than 30 global jurisdictions, took the first shot at a definition. "In the international context, how you define data-what's personal data, what's sensitive data-can vary tremendously from jurisdiction to jurisdiction. As American lawyers, we bring our preconceptions to what this means to how we handle litigation events to litigation events abroad. We focus on breach in the United States. That's the way our society works. It's an open society, a very transparent society. In the rest of the world they worry about collection. A lot of this is due to historical problems where governments have abused things like religious information, sexual preference and political affiliations. When you ask 'what is data?,' the answer really depends on where you are and the nature of the activity you're looking at. A lot of jurisdictions will define personal information as anything that identifies anyone as an individual. In other parts of the world it is defined as race, sexual preference, religion, or trade union membership. And in the United States these are things you collect as a matter of course and don't really worry about."
Linda Clark, who acts as lead counsel to the Reed Elsevier Privacy, Security and Compliance Organization, said "the concept of privacy in the U.S. is very consumer-protection-centric, and in the UK, for example, it's a right." The concept of privacy, especially as you get into the international litigation context, will vary depending on who the individual is and what the expectations of government regulators are. "So the lawyer's answer for me," she said, "is 'it depends.'"
Edward H. Rippey, a patent litigator and head of Covington & Burling LLP's E-Discovery Practice Group, agreed that "data" means different things in different contexts. "At Covington & Burling, the privacy practice group is concerned about giving advice to multinationals about how to move certain bits of information, and certain blocking statutes and where there have been breaches of privacy." In e-discovery, "we're more concerned with privacy in the context of litigation and what kind of protective orders to use." He said when attorneys team up at his firm they have a privacy person and an e-discovery person in the discussion "because we are looking at the case through a different prism."
When it comes to international privacy, Socha said, people tend to talk about Germany, France, the UK and the U.S. "But what else are we looking at?"
Zeballos said that is only the beginning. "Even in Europe there is the EU Directive on privacy which told the member states 'you have to implement laws that meet these minimum standards.' I would say that Europe is probably one of the easiest places to go to. Where it gets complicated is when you don't have a statutory framework. Look at Brazil, which has a statute in the works. You will find no breach notification requirement - and if you have a stolen laptop there, you would be wrong to assume you don't have a problem because there are other laws, like consumer protection laws, which require you to notify consumers when you put their name in a database that they didn't ask to be put in. Whether or not there is a statutory notice requirement, you may be significantly mitigating your exposure if you notify. Then you have a country like Japan which has a law on data protection and doesn't make a distinction between personal data and sensitive data. But there is another regulation for financial services companies which tells you that personal or sensitive data cannot be transferred across border without consent. So it is more complicated than looking at a statute and the basic framework."
Map and Classify
Socha asked about what practices or resources are out there to help firms and companies track all of this.
Clark emphatically endorsed company-wide data audits. "You must have a data inventory and apply a classification to that inventory in a matrix or some other fashion which maps those laws to that data so that you can start planning for the eventuality of litigation." This way, she says, when a situation arises "you will already know how the laws apply to these sets of data, as opposed to getting a litigation demand from the U.S. dropped on you requesting what Germany might consider a repeated and massive transfer and not knowing what's there." She added that, within the classification, you should apply the policies and procedures you have already in-house for managing information, whether it is data destruction, data security, redaction and the consent of people whose information you maintain.
Noting that his firm's clients are multinational global corporations, Rippey said, "Those [companies] who are ahead of the curve have done this mapping and they know what countries' laws apply and where that data is. So that when they get hit with a lawsuit or subpoena they are already ahead of the curve. Conducting an audit like this is money well spent," he said. Clark added that it also helps demonstrate to a regulator what you have done to protect data.
Zeballos cautioned attendees that "following the rules here [in the U.S.] doesn't mean you have followed the rules abroad," and advises companies to get local representation. In addition to being in tune with changing regulations, Clark said local counsel also has relationships with the governing authorities.
The cost of such audits is driven by many variables, but it was put in the range of between $5,000 and $100,000. "Companies that come out losers in this are the ones who don't do this work ahead of time and spend an amount that is small in relation to their overall litigation budget," Rippey said.
Zeballos said a challenge arises when you receive data in multiple jurisdictions with conflicting laws. He noted a case in which data was transferred from one country to the U.S. in order to satisfy the U.S. breach notification obligations, but because the country in which the data resided was a cross border consent jurisdiction, the company created a second breach event by transferring the data. Socha recalled a situation where a lawyer had a choice between going to jail in the U.S. or in France.
One Country's Criminal . . .
Illustrating how different the laws can be, Zeballos said France has an anti-pretrial blocking statute which criminalizes compliance with U.S. pretrial discovery rules. "You could be the American lawyer of a French client and you're in a terrible situation because, either to vindicate your cause of action or to defend, you don't put in those documents [then] you're going to get at best, a negative inference or at worst, sanctions. You may lose your case because of it. As an American lawyer, ethically, you can't advise your client to break the law. It has to be a business level decision at the corporation."
Socha asked, "Is there a difference between privacy and data transfer?"
"If you are in the position where you have privacy concerns and a transfer obligation," Clark responded, "the in-house perspective is to make sure everything is as narrowly tailored and narrowly responsive as possible, whether it means doing an in-country review to redact information prior to providing it; or getting consent of individuals; or objecting and having a court order; or whatever makes you more comfortable. The privacy expectations of the country where the information resides are a very serious concern. If you don't respond as narrowly as possible and provide the least information, you're going to have a problem. It's a fundamental paradigm shift from the U.S. model of mass production and then deciding what's responsive. Even using keyword searches on an international basis presents a problem because you are creating a set of information that is part of that review that might not need to be in that pool to begin with."
Rippey said narrowing responses, teaming with local counsel and having a good rapport with opposing counsel are ways to deal with these issues.
Clark said, internationally, there is a perception that U.S. courts are arrogant. "That comes from the perception that our data protection is not adequate. Take that into account before you respond with documents -- take steps to combat that perception, by doing such things as getting an outside auditor, so when someone expresses concern about a transfer you can try to demonstrate that you have taken steps to ensure that the data is safe."
Dueling Investigations
An audience member commented that when you are dealing with courts, at least vis-à-vis with the EU Privacy Directive, you have much more of a chance to get things through. Plus, she said, you have the Hague Convention and a court order so there are the derogations in the various country laws that allow for the transfer of data. Where you run into problems, she said, is when you have the SEC or FTC asking for documents where it's not a court and you cannot transfer the data.
"You're stuck between a rock and a hard place," she said.
Rippey said this is a problem not just in the data transfer context but in every context where there is an investigation. "The SEC wants their information and they want it now," he said. "Their requests can be overly broad and you can't negotiate with them because they are passing judgment on you. It is a problem inherent in the process where they are your opponent and your judge, basically. It is a problem in the investigation world, not just in this context specifically."
"The problem you have," Zeballos said, is this: "In a civil investigation the pre-trial blocking statutes often eliminate the legal obligation exception to the transfer of data across border without consent. The other problem you have within the context of investigations . . . where you have to get documents abroad and they are sitting on someone's desk. Normally what you do in the U.S. when you have an internal investigation is you lock down the guy's office, you go through his laptop, you go through his files, you issue a litigation hold on the entire department. No one touches anything this guy wrote or anything thing this guy said. The problem is, you do that and in some jurisdictions you have violated the data privacy statute, you've violated the anti-tipping-off statute, and in some cases just the issuing of a litigation hold has been held to violate the anti-tipping-off statute, which criminalizes letting a person who's being investigated know that they are being investigated. And if the SEC is investigating a trader sitting at a desk in London he might also be being investigated by the Financial Services Authority in London at the same time. And if you tip that guy off you might be creating a huge problem for your client. But it's very difficult to negotiate under those circumstances because they want the information."
As for a possible solution when faced with competing investigations by various regulators, Zeballos said he has had some success in having those regulators speak directly to one another-that is, he said, "if you happen to be lucky enough to know there is a simultaneous investigation." He added that approach works best if the European investigator comes in first and the SEC comes in later. "If the SEC comes in first, they want what they want," he said.
Privilege
The panel turned to the subject of attorney-client privilege, which Rippey said is a big issue in international disputes. The challenge is knowing the various global privilege rules.
Illustrating this point, Zeballos pointed out that in Luxembourg there is no attorney-client privilege between employees and in-house counsel. If you ask an in-house attorney to discuss an issue with his CEO, you have now created a discoverable communication, perhaps an admission, where your in-house lawyer might say "we're in trouble" or our guy "broke every law in the book."
He pointed to a case where French in-house lawyer communications were held to be discoverable in a U.S. case in which everyone agreed U.S. law applied. The court held there was a prima facie requirement that, for attorney-client privilege to attach, an attorney has to be admitted to the bar. "But a French in-house lawyer can't be admitted to the bar because salaried employees cannot be members of the bar in France," Zeballos explained.
Key Takeaways
- Understand the various definitions of private data across the world.
- Don't assume U.S. privacy regulations are the same as global regulations.
- Secure local counsel in international matters.
- Map your data to international rules so you are ahead of the curve when litigation ensues.
- Connect regulators who are heading up completing investigations.
- Understand attorney-client privilege rules in local jurisdictions.