The United States is, well, different. In America, we play football, other countries they play soccer (which they call football). Soccer for much of the world is more than just a game. Fanaticism over the sport is feverish, even hysterical. Here, professional soccer leagues struggle for audiences. While the rest of the world thinks it a bit barbaric, Americans have stuck steadfast with obscure measurements that the rest of the world long eschewed. We measure in feet and inches while they measure in centimeters and meters. We do things differently in the United States. There’s nothing wrong with that. But when it comes to the law, it’s important to know that the principle applies there as well. With regard to navigating the privacy legislation, the landscape in the US is different than that of the rest of the world. Personal data may be protected form disclosure but, if properly protected, it can be sent anywhere in the world.
Those places to which our data can be sent, though, hardly reciprocate in the burgeoning arena of data transfer. The subject is important to study and understand, especially for businesses that move large amounts of data across borders. International data transfer is mired by its incredible complexity: the issue is so complex and convoluted that it has been known to perplex even the most astute federal judges. They frequently default to U.S. procedural rules, placing the non-U.S. company in the unenviable position of dividing whether to risk criminal sanctions here for violating a U.S. judge’s order to produce data outside the U.S., or to chance a jail sentence for violation of privacy laws in his or her home country.
Outside of the United States, international data transfer laws are governed by regional, local privacy, and data protection laws. Multinational businesses must understand the implications such laws have on e-discovery. The first order of business is understanding the distinctions between laws in the United States and other nations. For example, when we are discussing “personal data” in the US, we are referring to such things as financial and medical data. Within the European Union, such data as email is referred to as “personal data” as well. Each region within the EU has its own rules as to what can be tied directly to a person.
In the US, data transfer is not so unwieldy. There is little in the way of laws regulating the transfer of data over borders. Yet, the E.U. Privacy Directives and enabling legislation hold that personal data (again, all email), may not be sent outside the European Economic Area (the E.U. member states plus Switzerland, Liechtenstein and Norway to any country with lesser data protection than the E.U. There are only a few nations that meet the EU’s standards for data transfer: Canada, Switzerland and Argentina. But such laws are not endemic to the European Union. Countries like Chile and Venezuela have similarly draconian restrictions.
The effect of all this upon in-house counsel trying coordinate collaboration across the enterprise, which often depends, say, on a U.S. engineer obtaining emails between his German colleagues, or a Human Resources manager in Kansas faced with a need to investigate hostile workplace claims between employees in Germany is starkly obvious, but outside counsel in litigation my find herself stymied as well. An attorney’s first instinct will probably be to put into place a global litigation hold as is common place with regards to dealing with e-discovery law within the US. Yet, the European Union’s Privacy Directives again broaden terms U.S. lawyers use commonly, in order to maximize privacy protection. “Processing” of data includes any manipulation of data, including steps taken to protect it from deletion. The Directives also hold that “processing” may only be performed for a permitted purpose, and European Commission opinions have held that U.S. litigation is not a purpose for which processing may be performed.
Blocking Statues, however, may make things worse than they seem Such laws can prevent the transfer of any data that is to be used in foreign judicial proceedings - a possibly devastating prohibition. Blocking statutes in Switzerland and France carries criminal sanctions.
In light of such stringent privacy and data protection provisions, how is a company in which collaboration depends on almost daily international data transfers to function? One method, for data from the European Union, is enrollment in the U.S. Department of Commerce Safe Harbor Program. The program requires the U.S. company to file a Privacy Statement summarizing how it will protect personal data from the E.U., and in which it agrees to adhere to seven principles of confidentiality and data protection. There are also some contractual agreements that can be put together to deal with potential problems with regard to data transfer. Recently, many companies have implemented Binding Corporate Rules, in effect corporate codes of conduct for personal data protection. In Asia, Canada, South America and elsewhere, data transfers require compliance with local data protection laws, or permission from or notification to local data protection authorities. These are complex agreements, and counsel that has a relationship with counsel that is located in the host country is essential.
Unfortunately, not any of these are a panacea for a lawyer who regularly deals with international data transfer issues. None of these solutions lets personal data be transferred onward. Should the data be required for court proceedings, oftentimes, it is required that the attorney obtain permission under the guise of local data protection laws. Should counsel fail, however, they can seek to obtain an Protective order, citing “Hobson’s Choice”, though United States courts have tended not to be very sympathetic to such a line of argument. One solution, then, is to educate the adversary to the issues and negotiate time extensions of other agreements as to the non-U.S. data, perhaps in exchange for e-discovery concessions form the adversary if the litigation is symmetrical. It is up to a good attorney to educate a judge who may find these laws unwieldy, convoluted, and unfamiliar. It is a must otherwise a company will have to decide whether to violate a judge’s order or risk jail time and/or sanctions.