In mid-July, the E-Discovery Working Group of the New York City Bar published guidelines for practitioners who face cross-border eDiscovery issues. “Cross-Border E-Discovery: Navigating Foreign Data Privacy Laws and Blocking Statutes in U.S. Litigation” provides a general overview of the circumstances under which a U.S. entity, and its outside counsel, may be subject to discovery obligations that include foreign documents or information; the rules governing cross-border discovery if a U.S. court determines that foreign documents or information fall within the scope of discovery in a U.S. court; foreign laws that restrict discovery of documents or information located abroad; and suggested best practices and guidelines for U.S. entities and practitioners who must navigate foreign laws as part of a U.S. discovery process.
Procedural Events Suggesting Foreign Documents and Information May Be Subject to U.S. Discovery
The Guidelines recommend that practitioners assess soon after their engagement whether foreign documents or information may be within the scope of their client’s discovery obligations. While the Guidelines do not purport to be exhaustive on the topic, the paper does discuss the two most common set of circumstances that give rise to a U.S. party’s being faced with cross-border discovery obligations: a domestic court’s exercise of jurisdiction over a foreign party (or a domestic party with a foreign presence); and when a domestic party has a foreign affiliate that possesses potentially relevant information.
U.S. Court’s Exercise of Jurisdiction Over a Foreign Party
The Guidelines set out a general overview of caselaw regarding a U.S. court’s assertion of personal jurisdiction (both general and case-specific) over a foreign party, including the U.S. Supreme Court holding in Goodyear Dunlop Tires Operations, S.A. v. Brown, 564 U.S. 915 (2011), which limits the scope of personal jurisdiction over foreign parties. The E-Discovery Working Group’s discussion of whether a foreign corporate relative of a domestic entity must produce documents and information in response to discovery requests in a U.S. dispute is more detailed.
A U.S. Entity’s Foreign Affiliate Served With U.S. Discovery Request
Noting that both the New York rules on discovery of documents and things (CPLR 3111, 3120) and the Federal Rules of Civil Procedure (FRCP Rules 34 and 35), a party receiving a subpoena must produce documents and information in their “possession, custody or control.” Noting that New York and federal case law provide an inconsistent patchwork of decisions and rulings, the Guidelines offer general guidance as to courts’ interpretation of whether a party is in “possession, custody or control” and sets out the recommendations of the Sedona Conference, a leading professional organization focused around discovery issues, to establish a uniform standard that would assess the “practical ability” of a domestic party to obtain and produce documents or information held by a foreign corporate affiliate. (See, The Sedona Conference Commentary on Rule 34 and Rule 45 “Possession, Custody, or Control.” 17 Sedona Conf. J. 467, 475 (2016) (the “Sedona Commentary”). Practitioners should find the “possession, custody or control” overview as set out in the Guidelines a solid starting point for assessing whether a client’s foreign affiliates may be required to produce documents or information in a U.S. controversy, and the Sedona Conference’s proposed standard persuasive in responding to discovery requests.
Rules Governing Cross-Border Discovery
U.S. Rules of Civil Procedure
The Guidelines also offer a broad overview of those rules, statutes and agreements that govern the discovery in U.S. courts of data located abroad. Again, the Guidelines do not offer a comprehensive survey of the statutory framework within litigants in and outside the U.S. must work if foreign data is arguably responsive to a U.S. discovery request. Rather, the Guidelines suggest the most salient such laws as a starting point for practitioners. The authors note that the broad sweep of the Federal Rules with respect to information that may be discovered (FRCP Rule 26) is at odds with the data privacy laws of most foreign countries. The Guidelines also discuss service of process on foreign entities the under New York (CPLR 313) and federal rules (FRCP Rule 4(f)). In addition, the Guidelines reference a U.S. statute that a litigant may wish to consider when faced with cross-border discovery issues (28 U.S.C. §1781 – authorizing the U.S. State Department to transmit letters rogatory issued by a U.S Court to a foreign court for a response, provided that the foreign jurisdiction recognizes the service of letters rogatory).
International Discovery Treaties
The Guidelines offer a brief summary of The Hague Convention – arguably the most familiar international treaty for pre-trial discovery disputes. The Hague Convention is useful but limited to its signatory nations and is not necessarily applied uniformly among its member states. Still, practitioners will want to examine the application and scope of the treaty if cross-border discovery disputes arise. In addition to The Hague Convention, litigants should determine whether the Inter-American Convention on Letters Rogatory and Additional Protocol (“IACAP”) provides a method for obtaining discovery from parties in the treaty’s signatory nations.
Agreements Between the Parties
The Working Group encourages the parties to a dispute to negotiate a discovery and confidentiality agreement, if possible, to address discovery procedures, which agreement can be adopted as a discovery order by the court. Although such an agreement may not resolve the data transfer restrictions imposed by data-transfer blocking statutes (e.g. the GDPR), having such an agreement will allow the parties to resolve many otherwise troublesome cross-border issues.
Foreign Laws Restricting Transfer of Discoverable Data to the U.S.
The Guidelines remind practitioners that many nations other than the U.S. treat the transfer of data – particularly data that is personal to its citizens, much differently than the U.S. This heightened protection of personal information has manifested in the implementation of data-privacy laws that may operate to prevent the transfer of discoverable data to a party in a U.S. controversy, even if issues such as jurisdiction, relevance, and service of process are resolved in the discovering party’s favor. Neither the Guidelines nor this summary is intended to provide a comprehensive study of the statutes that restrict the transfer of data to the U.S. practitioners are encouraged to familiarize themselves with the laws of the jurisdictions from which they seek discoverable data and ensure they comply fully with those statutory schemes.
The GDPR/Privacy Shield
By way of example, most of us are now familiar with the European Union’s recently enacted and much-reported on General Data Privacy Regulation. Strategic Legal Solution’s summary of that statute can be found here: The General Data Protection Regulation White Paper. Among other restrictions on the processing of E.U. citizens’ personal information, the GDPR prohibits transfer of such PI outside the E.U. to a nation who does not provide an “adequate level of protection” for the data. The U.S. is not a nation that is deemed to provide such protection. Nevertheless, the GDPR does permit transfers of PI to American entities that are self-certified as compliant with the Privacy Shield arrangement (for an overview of the Privacy Shield, see https://www.privacyshield.gov/Program-Overview).
Other Blocking Statutes
In addition to data transfer restrictions based on data-privacy considerations, many countries have so-called blocking statutes, imposing penalties, sometimes criminal, for transferring data outside the host country in a manner not sanctioned by statute. France (French Penal Code no. 80-538) and China (The Law of the Peoples Republic of China on Guarding State Secrets) are two examples The Guidelines offer to remind litigants to proceed carefully when transferring arguable responsive data outside the country where the data resides.
Best Practices When Addressing Cross-Border Discovery
The Guidelines offer strategies for the practitioner to minimize the obstacles a litigant may face when responsive data is housed outside the U.S.:
- Plan early, plan often: early in a case, connect with the client’s IT department to determine whether any corporate data sources that may house responsive data reside on servers outside the U.S. and with the client’s G.C. to determine whether any of the client’s corporate affiliates may possess relevant, responsive information.
- Be transparent and cooperative: to avoid unduly harsh responsive deadlines, motion practice from an adversary, and a generally contentious discovery process, advise the parties and the court of potential cross-border data issues and incorporate these issues into the discovery calendar and relevant stipulations as early in the case as possible.
- Work with service providers who understand international data-privacy and data-transfer laws and who can access foreign infrastructure to provide in-country services
The NYC Bar Cross-Border E-Discovery Guidelines are a useful starting point for the practitioner who is facing cross-border discovery issues for the first time, as well as the seasoned international discovery litigator who needs a refresher on traditional foreign discovery procedures along with a summary of newly-enacted data transfer laws. The Guidelines are a helpful, well-drafted, and a recommended resource for U.S. entities and their counsel.