It is pouring with rain here in Orlando. Every so often, a flash of lightning illuminates the large plastic elephants which stand in the pool beside me. Even the most assiduous English official, never stuck for something to put up a notice about, could not come up with a sign reading “Rocks frighten the elephants. Please do not throw rocks”.
The Loews Royal Pacific Resort at Universal is, as its name implies, a holiday destination as well as a conference centre and you have to choose your bar with care. The one we sat in as we finalised our presentations lies between the pool and the bedrooms, and a stream of near-naked beauties dripped their way past us. If that sounds distracting, it is much better than being approached by Shrek and Princess Fiona, who occupy one of the other bars. We don’t get this sort of thing at London conferences.
I am here for CEIC 2009. The Computer and Enterprise Investigations Conference is run annually by Guidance Software to bring a mixture of technical, legal and business events together for people from corporations, law enforcement and other areas with an interest in data preservation, identification and capture. There are about 800 people here, nearly as many as last year. There are not many conferences which can claim that in 2009. Here you can do anything from polishing up your EnCase certification at one extreme to listening to e-discovery seminars at the other. The East Coast location makes it easier for those from Europe, but does not, alas, guarantee the weather.
One of the reasons why I came was to sit on a panel with the title International eDiscovery – The Asia Pacific, European Union and United Kingdom Comparative. That was followed immediately by a another session called EU Data Protection: Meeting eDiscovery Challenges. Both panels were moderated by Patrick Burke, Assistant General Counsel at Guidance, we decided to merge the two teams to cover both of these distinct but overlapping topics.
In addition to Patrick and me we had Seamus Byrne and Dominic Jaar from Australia and Canada respectively, so we were four lawyers from four jurisdictions, each with a slightly different set of discovery rules. Seamus Byrne is both an Australian solicitor and EnCase-certified. Dominic Jaar combines running his own e-discovery consulting practice Ledjit with the role of Chief Executive of the Canadian Centre for Court Technology. The latter involves raising awareness of courts and judges about the problem and solutions which technology brings to litigation, so his role and mine overlap to some extent. Dominic is also a native French speaker, which meant that our coverage of French data protection law at least had an authentic accent.
The eDiscovery Comparative was a tour of the world. Since relatively few people in my own jurisdiction have a clear idea of the UK rules and practice, my own section was much the same as it it is back home. That begins with the definition of a disclosable document – relevant is irrelevant for Standard Disclosure as one my core posts puts it, because Rule 31.6 of the Civil Procedure Rules limits the scope to documents which support or are adverse to your own or another party’s case. We still use the everyday word “relevant” as a synonym for “disclosable”, but the difference is more than a matter of semantics.
One of Lord Justice Jackson’s findings in his recent interim report on litigation costs was that UK judges and practitioners routinely ignore this – indeed, his list of possible developments for the future was a return to pre-1999 Peruvian Guano discovery “on the basis that this appears to be the test applied by many practitioners anyway”. Such apparent defeatism defeatism owes more (I very much hope) to Sir Rupert Jackson’s wish to show that all options are open rather than any serious thought of winding back to 1892 when the Peruvian Guano case settled the scope of disclosure for the paper age. Those of us who write and speak about the subject for international audiences would, however, be deeply grateful if we could ditch the faddy term “disclosure” and revert to the term used by every other jurisdiction. Think how much typing time I could save if spared having to say “disclosure / discovery” every time.
After my lightning survey of the UK, Dominic Jaar and Seamus Byrne covered the rest of the world outside the US – Canada and Europe from Dominic, and Australia and the Asia-Pacific Region from Seamus. I do not propose to summarise the summary which such a tour d’horizon must inevitably be. If the audience was left with the impression that electronic discovery is a beast whose core elements are the same everywhere but whose fine differences in practice are at least as great as the similarities, then we did our job adequately. If the word “relevant” means something different depending on your time-zone, then the certainties are few. When we cannot even get judges in the same building in the Strand, London WC2 to apply broadly the same principles to disclosure then how can the lawyers plan their disclosure strategies?
The shades and variations between discovery jurisdictions seem quite transparent when you come on to consider the data protection and privacy considerations which arise between jurisdictions. As before we toured the world, giving a quick summary of the differences between the apparently absolute bars on data transfers in the EU and the complete absence of any concept of protection or privacy in some other places. In practice, the EU bars are seldom as absolute as they appear, but it takes time, patience, planning and no little expense to achieve transfer of data which complies with the regulations. You can, of course, decide to skip over the formalities, making an assessment that the risk is small compared with the costs to be saved. If you find as a result that your stay in France is longer than you expected it to be – well, at least the coffee and bread is better there, as Dominic wryly pointed out. Unlawful export of data from some other places we could name might leave the exporter no longer in need of coffee, bread or anything else.
All this is quite hard to convey in the Land of the Free where they are quite protective of financial data but distinctly cavalier, to European eyes, about personal data. To understand the cultural roots of this, I say, you need to appreciate that there are people still alive in Europe who saw their friends and relatives rounded up and sent to death camps on the basis of municipal records.
Just as our first session’s ambition was to give merely the flavour of the differences between jurisdictions, so our second one really aimed no higher than to flag up the existence of problems which are unlikely to be resolved by approaching them like a bull at a gate. Allow plenty of time, take good advice and set aside your assumption that Uncle Sam’s writ cuts ice in Madrid or Peking. If that leaves you between a rock and a hard place then you need to build that into your plans. And say “please”. And don’t call their language “foreign”. These are not data protection points, but they help oil the wheels.
We got some good feed-back from the sessions. The only complaint which I heard was that they were too short. That is the usual reaction to privacy sessions, which suggests that we really need to offer two-tier seminars, one as an introduction and one which dives deeper. Those truly qualified to speak at the latter are few and far between – and that itself points up how difficult this area is.
So discovery and privacy are like the elephants outside the window beside me – you could describe one to a blind person, but their impression, though broadly accurate in outline, would inevitably be hazy on detail. We won’t throw rocks at the elephants but it is good to have the chance to cast the occasional shaft of lightning over them.