A new approach to cross-border discovery: the Sedona conference's international principles.

• Author: Haston, Tripp

This article originally appeared in the February 2012 International Committee Newsletter.

Of all issues in modern litigation, discovery of electronically stored information (ESI) remains one of momentous and ever-growing significance. Collection, processing and production of ESI can be time-consuming, and its cost crushing. It is no surprise, then, that the scope of e-discovery is often a central point of contention between parties. But those challenges grow exponentially when international entities are involved. It is then that parties and American courts must contend not only with liberal American discovery rules but also with data privacy laws like those implemented in the European Union. In view of these unique challenges, the Sedona Conference--an organization "dedicated to the advancement of law and policy in the areas of antitrust law, complex litigation and intellectual property rights" (1)--has proposed a framework to help American courts and their multinational litigants successfully navigate these often conflicting obligations.

This article proceeds in three parts. First, we offer a brief overview of EU data protection laws and how they can conflict with U.S. discovery rules. Second, we briefly survey how U.S. courts have applied data privacy laws. Finally, we provide a glimpse of the Sedona Conference's new, innovative suggestions for the complexities of cross-border discovery--the International Principles. (2) Published in December 2011, the International Principles advocate cooperation between parties not only to avoid any potential conflicts but also to resolve them when they arise and propose a number of specific suggestions for cross-border discovery.

1. The Conflict

   EU Data Protection Laws

   Three sources of international law, in particular, can create conflicts when a company with an EU-presence must respond to discovery in American litigation.

   First, the EU Data Protection Directive has led many countries to enact data privacy laws. (3) Directive 95/46/EC cements data privacy as a fundamental human right. In relevant part, it requires EU-member States to protect their citizens' "right to privacy with respect to the processing of personal data." Data privacy laws do that by specifically restricting the ways in which personal information can be stored, used, and disseminated.

   Even applying the Directive--and the data privacy laws that it has spawned--can be challenging for U.S. courts because terms like "personal data" and "processing" do not have common meanings between the EU and U.S. legal systems. "Personal data," for example, as used in the Directive, references more than a social security number, national identification number or medical records. Instead, it much more broadly includes "any information relating to an identified or identifiable natural person." (4) And the term "processing" includes not only common functions like formatting conversions, de-duplication, filtering, and indexing, but also any collection or manipulation of data, including the storage of data as required in a routine litigation hold. (5)

   As a practical matter, the Directive prohibits the transfer of a broad range of data. No personal data may be transferred to a non-EU State

   unless that country "ensures an adequate level of protection" for the data. (6) There are some exceptions. Data that is "necessary or legally required on important public interest grounds" may be transferred, as can any data that a party needs "for the establishment, exercise or defence of legal claims." (7) But still, local laws may preclude transfer, and even though there are some "safe harbor" principles that the EU and the U.S. have developed, those safe harbors are limited in scope and often fail to facilitate discovery.

   Second, although the Hague Convention on the Taking of Evidence provides a procedure to facilitate the discovery of information sought in transnational litigation, its application is fraught with problems. Fifty-four countries, including the United States, have agreed that judicial authorities in the contracting states "may ... request the competent authority of another Contracting State ... to obtain evidence, or to perform some other judicial act." (8) But the Convention contains an important opt-out: a State can "declare that it will not execute letters of request issued for the...