Five Best Practices to Ensure Compliance with Cross-Border Data Protection Laws
As data continues to span the four corners of the globe, lawmakers worldwide strive to keep pace with regulations. The European Union has the General Data Protection Regulation (GDPR), which provides comprehensive protections over private consumer data. Japan has the Act on the Protection of Personal Information, which is another comprehensive law with strong privacy protections. China has the Telecommunication Regulations law that applies specifically to electronic data transmission. The U.S. has several laws that apply to data protection and privacy one way or another. These are just a sampling of the several countries that have enacted data privacy laws, all offering varying degrees of protection and applying in different circumstances. Litigation issues and conflicts associated with complying with cross-border data protection laws are more prevalent today due to the expansive reach of data.
The Courts Weigh In
In 2018, two U.S. federal cases provided guidance on the conflicts between complying with international privacy obligations and complying with production demands. In Corel Software v. Microsoft Corporation, the court denied the defendant’s request for a protective order to stop production of telemetry data located in countries subject to the GDPR. The ruling resulted from the defendant’s failure to present evidence that, because of the GDPR’s demands, the burden of complying with the request was greater than the data’s potential evidentiary value in the case.
In Brooks Sports v. Anta (China) Company, the court issued terminating sanctions against the defendant because it failed to produce data from the WeChat app stored on its China-based employees’ mobile devices. The court noted that the defendant could have avoided any conflict with Chinese law if it had set up company WeChat accounts for its employees instead of allowing communication on personal devices. Organizations cannot use data protection laws in other countries to avoid U.S. discovery obligations.
These cases demonstrate that U.S. courts will put the domestic lawsuit’s benefit before international privacy obligations. Consequently, this can create several issues for lawyers and their clients, such as limited or blocked access to data leading to sanctions, time-consuming tasks costing money and resources, fines from other countries, and client dissatisfaction.
Tips for Dealing with Cross-Border Data Protection Laws in Litigation
Legal practitioners should implement the following practices to make compliance easier and limit the issues noted above:
Research Relevant Data Protection Laws
If a case invokes compliance with another nation’s laws, lawyers should understand what data these laws protect and how they interact with the case’s discovery demands. Becoming educated will help formulate an effective compliance plan. As always, lawyers should keep current on any changes in relevant laws that affect their current or future cases. If the U.S. ever creates a comprehensive federal privacy law, this will impact discovery obligations as well.
Review, Implement, and/or Update Information Governance Programs
An organization should have a detailed information governance program in place so employees can quickly identify the location of data. A strong information governance program will help lawyers comply with both eDiscovery obligations and cross-border data protection laws in an efficient manner. Implementing data retention policies is key so the organization only keeps relevant documents, which in turn reduces search time and data housing costs. Organizations should consider modifying their information systems and structures if they know these could potentially interfere with compliance. This could include making certain data anonymous or redacting it altogether.
Review and/or Update Data Security Measures
As always, an organization should continuously review security programs to ensure data protection and decrease breach risks. Inefficient data security measures can hinder compliance with domestic litigation and international privacy laws.
Review, Implement, and/or Update Litigation Readiness Plans
A litigation readiness plan will prepare lawyers for handling potential cross-border protection law compliance issues in court. An organization may need to change its litigation hold or data preservation practices if these could potentially interfere with relevant obligations under international law.
Prepare Detailed and Researched Arguments for Court
If a cross-border data protection law hinders a lawyer’s ability to produce data in eDiscovery, they should be ready to illustrate the reasons why to the court. Potential examples could include a breakdown of the law, metrics, and a summary of burden versus benefit.