Recent Cases Spotlight the Challenges of Cross-Border Data Protection Laws in E-Discovery
While several recent cases exemplify the Hobson's Choice seemingly facing many companies, the Corel Software, v. Microsoft and Brooks Sports v. Anta decisions are particularly instructive on these issues.
June 17, 2019 at 07:00 AM
7 minute read
Cross-border data protection laws are increasingly affecting domestic U.S. discovery proceedings. Globalization has placed discoverable information beyond the boundaries of the U.S. and has often forced litigants to satisfy those laws in order to produce or obtain such information.
To meet the challenges of foreign data protection laws, organizations will need to be prepared. As two recent cases make clear, this includes more effective information governance programs and litigation readiness measures, along with better advocacy on the issues in court.
|Cross-Border Data Protection Laws Create Complexity in Discovery
The prevalence of data protection and privacy laws around the globe has substantially increased over the past several years. Not surprisingly, this trend corresponds with the growth of sensitive and confidential information about individuals that is now available on electronic devices. As the U.S. Supreme Court observed in Riley v. California, electronic devices such as mobile phones “hold for many Americans 'the privacies of life.'”
Data protection laws—such as the European Union (EU) General Data Protection Regulation (GDPR)—are designed to protect individual privacy rights over such information. With those rights, however, come various responsibilities, particularly for organizations that collect and store personal information. Included among those responsibilities is the need to safeguard that information in litigation. Under some data protection laws such as the GDPR, appropriate safeguards may include anonymizing or pseudonymizing personal information before it is transferred across international borders. Some privacy laws—such as China's Telecommunication Regulations—may forbid the transfer of personal information if an individual refuses to authorize its disclosure.
With relevant electronic information being available in any number of foreign countries, data protection laws can create complexity in discovery for clients, counsel, and the courts. This is particularly the case for responding parties, who can face burdensome or conflicting demands in litigation when asked to produce personal information and satisfy applicable laws. The menu of problematic options includes addressing weighty production burdens to comply with cross-border privacy strictures, disobeying a U.S. court's production order, or violating a foreign data protection law. While several recent cases exemplify the Hobson's Choice seemingly facing many companies on these issues, the Corel Software, LLC, v. Microsoft Corporation and Brooks Sports, Inc. v. Anta (China) Co., Ltd. decisions are particularly instructive on these issues.
|Corel Software v. Microsoft Corporation
In Corel Software, defendant Microsoft sought a protective order to stave off a burdensome production of telemetry data. In its motion papers, Microsoft argued that plaintiff's request for telemetry data—a type of “usage data” that individuals generate when they use Microsoft products and services—was disproportionate to the needs of the case. In particular, Microsoft asserted that the request created “tension” with the GDPR and “would require additional burdensome steps to anonymize the data.”
In response, the court found the requested telemetry data was “directly relevant to the claims and defenses” in the action and ordered Microsoft to produce it in discovery. In so doing, the court rejected Microsoft's argument regarding disproportionality and the GDPR. Finding the telemetry data was important to resolving the issues at stake in the litigation, the court observed that Microsoft also had sufficient resources to shoulder the production burden. Implicit in this observation was the fact that Microsoft did not provide metrics or other information that would substantiate the alleged challenges and burdens of complying with the GDPR. As a result of this production order, Microsoft was forced to produce approximately 14 terabytes of relevant telemetry data and anonymize personal information within the production, a process it characterized as “complex and time consuming.”
|Brooks Sports v. Anta (China) Co.
While Corel Software involved the challenge of an onerous cross-border production, the Brooks Sports case concerned discovery of relevant WeChat communications from mobile devices belonging to defendant Anta's executives and employees. Anta declined to produce those WeChat discussions, arguing that “Chinese privacy law” forbade the company from turning over messages from China-based employees who refused to consent to their production. Anta relied on provisions from the Constitution of the People's Republic of China and Chinese Telecommunication Regulations, which respectively guarantee “privacy of correspondence” and “freedoms to use telecommunications and communication secrecy of telecommunication users” (though not from the Chinese government).
After Anta failed to obey multiple production orders for the messages (and made several misrepresentations to the court), the court imposed terminating sanctions against Anta. In reaching its decision, the court observed disapprovingly that Anta declined to establish an official communication system within the enterprise. Anta had instead allowed its employees and executives to use WeChat messages on their personal mobile devices to seemingly circumvent obligations in discovery:
Anta should not be able to conveniently use Chinese law to shield production of communications responsive to discovery requests when it could have set up Anta-controlled WeChat accounts for its employees' use which would not have the same issues regarding Chinese privacy laws.
Looking at defendant's communication system in the context of its overall discovery misconduct, the court found that defendant's reliance on “Chinese privacy law” was merely a pretext to stymie its production duties.
|Getting Prepared to Address Cross-Border Data Protection Laws
Corel Software and Brooks Sports both spotlight challenges with cross-border data protection laws that litigants should expect to confront in U.S. litigation. To be prepared for these challenges in future lawsuits, organizations can take action now on a variety of fronts.
Companies should first examine their information governance programs. Mapping corporate data, streamlining information retention policies, and minimizing company information are proactive, upstream measures that can better facilitate compliance with data protection laws in the reactive, downstream process of e-discovery.
Businesses should also consider the manner in which their information systems generate, exchange, and store data. Like the defendant in Brooks Sports, the structure of those systems may impact an organization's ability to comply with either cross-border privacy laws or U.S. discovery obligations. By undertaking such an analysis, an enterprise can determine if its information systems are appropriate for addressing cross-border data protection laws in connection with legal disputes.
Companies should additionally review their litigation readiness programs to determine whether litigation hold policies, along with measures for preservation, collection, and review, satisfy applicable cross-border data protection laws.
Finally, enterprises should ensure they can demonstrate to a court the heightened burdens of compliance with cross-border data protection laws. As suggested by Corel Software, a court's decision on the issues may turn on how thoroughly the party has substantiated those burdens. For example, Microsoft could have demonstrated more effectively its production burdens under the GDPR with appropriate metrics that would have reflected its investment of resources (including time, manpower, and costs) in producing the requested telemetry data. By so doing, the company could have more readily established the disproportionality of producing the telemetry data.
Philip Favro is a consultant for Driven, Inc. where he advises organizations and their counsel on issues relating to the discovery process and information governance. He also serves as a member of The Sedona Conference WG1 Steering Committee.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Del. Court Holds Stance on Musk's $55.8B Pay Rescission, Awards Shareholder Counsel $345M
- 2Another Senior Boeing Attorney Exits, This One for CLO Post at Jet-Maintenance Company
- 3Bridge the Communication Gap: The Benefits of Having (and Being) a Bilingual Mediator
- 4CFIUS Is Locked and Loaded, but What Lies Ahead for CFIUS Enforcement Activity?
- 5Deluge of Trump-Leery Government Lawyers Join Job Market, Setting Up Free-for-All for Law Firm, In-House Openings
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250