Litigants navigating the conflict between U.S. discovery
obligations and foreign data protection laws have a new ally, the
American Bar Association ("the ABA"). The ABA
recently passed Resolution 103, which "urges" that:
[W]here possible in the context of the proceedings before them,
U.S. federal, state, territorial, tribal and local courts consider
and respect, as appropriate, the data protection and privacy laws
of any applicable foreign sovereign, and the interests of any
person who is subject to or benefits from such laws, with regard to
data sought in discovery in civil litigation.
The full text of the resolution and accompanying report (the
"Report") can be found here. In supporting its resolution,
the ABA noted that "[l]itigants often face a Hobson's
Choice: violate foreign law and expose themselves to enforcement
proceedings that have included criminal prosecution, or choose
noncompliance with a U.S. discovery order and risk U.S. sanctions
ranging from monetary costs to adverse inference jury instructions
to default judgments." Report at p. 2. As
"U.S. law already provides a clear and workable standard for
resolving the conflict" the ABA believes that Courts should
give more consideration "to the national interests behind the
non-U.S. laws" such that the comity factors are weighed and
applied "in a manner that demonstrates respect for those laws
and the principles of international comity." Report at p.
The ABA's involvement with this issue is particularly
timely, as it has recently become apparent that new data analytic
technologies have weakened the effectiveness and reliability of
anonymization, one of the primary mechanisms available to litigants
to navigate cross border discovery conflicts. See
e.g., The Practice of Law in the Age of Big Data, Nat.
L. J., April 11, 2011.
Despite the apparent strength of this Resolution, it is worth
noting that the ABA appears to have watered down the original
intended language, restricting its statement to data that is
"sought," i.e. affirmatively requested by an opposing
litigant, as compared to the original language, which applied
broadly to data that is subject to preservation, disclosure, or
discovery." The intent of this change is unclear, as the
ABA continues to acknowledge that preservation related-activities
can, by themselves, run afoul of foreign data protection
obligations, even in the absence of actual production or
cross-border transfer. Report at p. 12. For example, the
European Data Protection Directive, defines regulated
"processing" to include mere "storage," and
further provides that data shall be kept in a form which permits
identification of data subjects for no longer than is necessary for
the purposes for which the data were collected." See Directive 95/46/EC, Articles 1 and
6. Such restrictions can be inconsistent with broad U.S.
preservation obligations, and non-compliance would seem to present
many of the same risks that are a concern when it comes to cross
border data transfer.
Regardless of any limited intent, it is hoped that the ABA's
position will be taken to heart by the judiciary, as litigants in
possession of protected data should not have to unnecessarily fear
litigating in U.S. Courts.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
We previously reported here that CNA filed a lawsuit against its insured Cottage Health System seeking reimbursement of amounts that it previously paid under Cottage's cyber liability insurance policy.
The Ashley Madison site declares on its home page that "Life is short. Have an affair." The home page goes on to state that "Ashley Madison is the world's leading married dating service for discreet encounters."
Evidence collected by the U.S. Department of Homeland Defense (DHS) shows that cyberattacks on key energy infrastructure – particularly the electric system – are increasing in both sophistication and frequency.
On Friday, July 24, the United States Judicial Panel on Multidistrict Litigation issued an Order consolidating in the D.C. Circuit Court of Appeals three timely petitions for review of a July 10, 2015 Declaratory Ruling and Order of the Federal Communications Commission (FCC).