As I have noted elsewhere, I had my own cross-border problems in getting to the Sedona Conference International Programme on Cross-Border eDiscovery, eDisclosure and Data Privacy Conflicts in Barcelona on 10-11 June. I was chairing an edisclosure conference in London the previous day and due in Sydney at the week-end and, in consequence, arrived late in Barcelona and left as soon as the main business ended.
I am spared my usual faithful accounts of the sessions by Sedona’s sensible rule that “what happens at Sedona stays at Sedona”. My mission generally is to get as wide an audience as possible for what is said at conferences, but I am more than happy to submit to the restriction in this context, partly because there is more than enough else to write up and partly because the density of the dialogue (and Sedona is expressly committed to dialogue rather than debate) is such that you would need a book to do justice to its proceedings.
It seems sensible instead to juxtapose some stereotypes against the reality in an attempt to show those new to the subject what the broad picture is. This matters because cross-border issues inevitably involve cross-cultural matters as well as conflicts of laws. The best and most topical summary of the issues is Working Document 1/2009 on pre-trial discovery for cross border civil litigation prepared by a Working Party set up under Article 29 of EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Its introduction recites the problem thus:
There is a tension between the disclosure obligations under US litigation or regulatory rules and the application of the data protection requirements of the EU. There is also the issue of the contrast between the geographical and territorial basis of the EU data protection regime and the multinational nature of business where a corporate body can have subsidiaries or affiliates across the globe. This is of particular relevance to the European affiliates of multinational companies which can be caught between the conflicting demands of US legal proceedings and EU data protection and privacy laws which govern the transfer of personal information. The Working Party recognises that the parties involved in litigation have a legitimate interest in accessing information that is necessary to make or defend a claim, but this must be balanced with the rights of the individual whose personal data is being sought.
That description of the “tension” puts it rather drily, as is appropriate for the authors. To those who are faced with the urgent day-to-day business of handling that tension, the painstaking analysis of the background may seem rather slow and academic. Nevertheless, a reading of the Working Paper’s 14 pages is recommended if you want a description of what is involved.
The reality features a US corporation facing a strict obligation of a US court or regulator to produce all relevant documents in a short timescale, facing fines, sanctions or adverse inferences if it fails to do so. The EU data controller who has those documents may be in breach of both his country’s implementation of EU Directive 95/46/EC and specific blocking statutes such as the French Penal Law No 80-538 referred to on page 5 of the Working Paper. You need read only footnote 3 to see what the problem is: it is forbidden “to request, seek or communicate” documents for foreign proceedings – if a mere request is an offence then learned arguments about the definition of “processing” seem academic as well as technical. The Strauss v Credit Lyonnais case referred to in the footnote dispels any idea that the restrictions are merely theoretical. The conflict is encapsulated in the sentence “The US courts have so far not accepted such provisions as providing a defence against discovery in relation to US litigation” which appears on the same page.
Before one can tackle a problem, one needs to understand it, or at least know it exists. It may seem surprising to find US lawyers still goggling in amazement at all this, thirteen years after the implementation of EU Directive 95/46/EC, but there are many who become aware of the issues only when they send out a bland demand for all the documents and meet a hail of objections. If it is a problem for the skilled and experienced ones who know the ropes, it is a nasty shock for those who find themselves unexpectedly between the Scylla of a US court and the Charybdis of EU restrictions, with the clock running against them and their costs estimates wholly inadequate for the problem.
The technical difficulties are compounded by the cultural ones. American courts are used to being obeyed, and it colours their approach. “I am going to control my side of the pond as much as I can” said an American judge in London last year “and I generally find that the parties manage to sort things out”. That plays well, no doubt, back home. Here it sounds calculated to raise hackles, implying that piddling little European laws can stand aside when mighty America speaks. That was, I am sure, far from the intention, but it illustrates the divide. A continent with a recent history of data misuse by totalitarian powers (civic records were used to fill the Auschwitz trains, for example) is deeply different from one in which the CEO of Sun Microsystems can say, as he did in 2000, “Privacy is dead. Get over it”. I spoke about this at LegalTech in New York last February at a panel organised by LDSI (see How safe is safe harbor?). As I said there, “to approach Brussels as if it were Omaha Beach is a tactical error”.
For its part, Brussels (or at least, those in it responsible for promoting trade, as opposed to the rather too many who love regulation for its own sake) is aware that the US is a market which matters, both because of US ownership of EU-based businesses and because exports are vital – the original purpose of the European Union is to be a competitive trading partner with other world-class economies, and if many of us (me for example) see that as obscured by pettifogging Belgian bureaucrats devising regulations about the shape of bananas and the decibel-count in concert halls, then that is our fault for allowing our politicians to surrender our independence. The upside to that surrender – the reason why we tolerate it – ought to be the trading benefits, and those are too important to be lost in a failure to reconcile conflicting attitudes to privacy.
That does not mean that either side has to concede what really matters and perhaps we are, at last, beginning to focus on what really matters. In our respective domestic litigation we – the US, the UK and every other jurisdiction which requires discovery of documents – are having to grapple with the difficulty of selecting from the mass those documents and other data on which justice turns, and to do so economically and proportionally. That must drive the corporates to take more care about what they keep and how they order and control it, and the separation of personal data from purely business records is a big part of that. This is in part a technology problem, and one which technology is rising to meet, but it is also a matter of tuning the rules and practice to find a compromise on these conflicting standpoints over privacy. The Sedona Conference is perhaps uniquely placed to address these issues at a high level, and at a detailed level, and with the benefit of input from all the interested parties.
There was a strong UK representation both on the panels and amongst the delegates. Senior Master Whitaker spoke about UK-US developments; HHJ Simon Brown QC sat on panels discussing the cross-border conflict problem in litigation and regulatory contexts and in Arbitration and ADR. Quentin Archer of Lovells led the latter panel and spoke also under the heading Potential Solutions to the Dilemma of Cross-Border eDiscovery, eDisclosure and Data Privacy Conflicts.
I was there as part of my wider mission to promote the commonality which exists between all the common law jurisdictions – the UK is part of that group as well as part of the EU and must play its part in both. The tightness of this field is illustrated by the presence of Sandra Potter of Australian-based Potter Farrelly, who was active on more than one panel. Four days later, I heard the other half of that firm, Phil Farrelly, speak in Sydney on the subject of world-wide data collections. Keeping up with this juxtaposition of the local and global is why I spend an increasing amount of my time in aeroplanes.
That gives you the context without revealing anything which was actually said in Barcelona. The venue was the striking Hotel Arts which was about as far removed as you can get from the gloomy Earls Court hotel in which I stayed earlier in the week.
There was a roof-top party on Wednesday evening which was an opportunity to catch up with several people with whom I correspond and to make introductions between them. After that, many of us were guests of Deborah Baron, VP legal and Compliance at Autonomy at the deservedly famed 7 Portes Restaurant. We sang for our supper by writing limericks. All I can remember of mine is that one of them rhymed “Whitaker, he’s Senior Master” with “these cases have got to move faster”.
Most conferences involve an element of de haut en bas didacticism. A gathering of the Sedona Conference is more like a colloquium of professors, but no less practical and commercial for being learned and extremely knowledgeable. Tout compendre c’est tout pardonner is a rather curious proverb to emerge from a nation with short tempers and long memories, but there is no doubt that understanding the respective positions of the US and EU is a good start, and one which has not really been seriously tried amidst the accusations of heavy-handedness (from one side) and the counter-accusations of obstructiveness (from the other) over the years. This conference showed the possibility of a different way forward.