Litigants navigating the conflict between U.S. discovery
obligations and foreign data protection laws have a new ally, the
American Bar Association ("the ABA"). The ABA
recently passed Resolution 103, which "urges" that:
[W]here possible in the context of the proceedings before them,
U.S. federal, state, territorial, tribal and local courts consider
and respect, as appropriate, the data protection and privacy laws
of any applicable foreign sovereign, and the interests of any
person who is subject to or benefits from such laws, with regard to
data sought in discovery in civil litigation.
The full text of the resolution and accompanying report (the
"Report") can be found here. In supporting its resolution,
the ABA noted that "[l]itigants often face a Hobson's
Choice: violate foreign law and expose themselves to enforcement
proceedings that have included criminal prosecution, or choose
noncompliance with a U.S. discovery order and risk U.S. sanctions
ranging from monetary costs to adverse inference jury instructions
to default judgments." Report at p. 2. As
"U.S. law already provides a clear and workable standard for
resolving the conflict," the ABA believes that courts should
give more consideration "to the national interests behind the
non-U.S. laws" such that the comity factors are weighed and
applied "in a manner that demonstrates respect for those laws
and the principles of international comity." Report at p.
The ABA's involvement with this issue is particularly
timely, as it has recently become apparent that new data analytic
technologies have weakened the effectiveness and reliability of
anonymization, one of the primary mechanisms available to litigants
to navigate cross-border discovery conflicts. See
e.g., The Practice of Law in the Age of Big Data, Nat.
L. J., April 11, 2011.
Despite the apparent strength of this Resolution, it is worth
noting that the ABA appears to have watered down the original
intended language, restricting its statement to data that is
"sought," i.e. affirmatively requested by an opposing
litigant, as compared to the original language, which applied
broadly to data that is "subject to preservation, disclosure, or
discovery." The intent of this change is unclear, as the
ABA continues to acknowledge that preservation-related activities
can, by themselves, run afoul of foreign data protection
obligations, even in the absence of actual production or
cross-border transfer. Report at p. 12. For example, the
European Data Protection Directive defines regulated
"processing" to include mere "storage," and
further provides that data shall be "kept in a form which permits
identification of data subjects for no longer than is necessary for
the purposes for which the data were collected." See Directive 95/46/EC, Articles 1 and
6. Such restrictions can be inconsistent with broad U.S.
preservation obligations, and non-compliance would seem to present
many of the same risks that are a concern when it comes to
cross-border data transfer.
Regardless of any limited intent, it is hoped that the ABA's
position will be taken to heart by the judiciary, as litigants in
possession of protected data should not have to unnecessarily fear
litigating in U.S. Courts.