The civil law jurisdictions of mainland Europe have no discovery tradition as it is understood in common law countries like the US and UK. The IQPC Information Retention and eDiscovery Exchange in Munich was an opportunity for corporate counsel to find out what matters, why it matters and what to do about it, as well as to meet service providers who can help them. The “adequate procedures” defence given by the UK Bribery Act sets a target which acts as a spur to the initiation of pre-emptive measures regarding information management.
Any discussion about electronic discovery in common law jurisdictions comes freighted with history, not all of it helpful. Common law discovery rules require the exchange of documentary evidence between parties to litigation. Our definitions vary, and our rules, case law and practice can produce different results; there may be more (the US) or less (the UK) skirmishing in advance as to the proper scope of discovery, and different jurisdictions have different ways of measuring compliance and of punishing defaults. The end result, however, is that a lot of documents are handed over. I may have strong views on how we should go about this and about how we can reduce the volumes in play without any risk to justice, but I will fight to defend the principles of common law discovery.
Civil jurisdictions, such as those in Europe, have none of this. I simplify for the sake of brevity, but the general approach in these jurisdictions is that the court decides what documents it needs to reach a conclusion. Those who seek other documents must specify them with a degree of particularity which effectively requires that they can say exactly what they are looking for.
The privacy and data protection laws which limit what you may hand over are less onerous when viewed in the context of this civil framework, for the fairly obvious reason that the discoverable volumes are smaller. It becomes easier to understand the EU Commission’s attitude to the impact of privacy restrictions once you appreciate how little is exchanged. This is the world for which the data protection and privacy laws were invented – Europe not only has incentives for minimising document exchange derived from its political history, but has no tradition anyway of handing over documents in civil proceedings.
US lawyers tend to see an obstructive Europe standing in the way of legitimate demands for information. It looks rather different from the perspective of a French or German company which, with no discovery tradition, finds itself under siege. Its links with US companies, whether as a parent, a subsidiary, sister company, or as just as a business or trading partner, bring demands for US-style discovery which appears to recognise no jurisdictional limits. A range of US authorities claim both regulatory and criminal rights over their documents. The EU has its own regulatory authorities and an unquenchable zeal for interference. There is proactive assertion of the rights of the individual against the state and against corporations. On top of all these external pressures comes the recognition that we cannot just go on collecting information at the rate at which we can now create it – a business incentive added to the external factors.
All this gives a different flavour to e-discovery conferences in mainland Europe, even where the organiser (in this case IQPC) has a well-established London conference with almost the same title, and where many of the speakers are the same as those I meet everywhere else. The Munich event was, in IQPC parlance, an “Exchange” rather than a “Summit”, which means that the corporate counsel (who are the main audience) have pre-arranged meetings with suppliers whose offerings have been pre-matched to their expressed needs. The impression I got from speaking to both providers and delegates was that there was a high compatibility rate. The Exchange format also provides conventional speaker and panel sessions plus the opportunity to mingle and talk in the gaps and over meals. If my primary reason for going to these events is to speak at them, I am equally interested in meeting informally with delegates and suppliers, with as much emphasis on listening as talking.
Managing eDiscovery as a core business process
The first session was aimed squarely at the in-house lawyers who were the conference’s main audience. Sanjay Bhandari of Ernst & Young and Jonathan Peddie, Director of Litigation and Special Investigations in the Global Retail and Commercial Banking arm of Barclays Bank PLC spoke about how law departments are driving proactive change. Having processes in place to anticipate the management of information for litigation should now be part of corporate strategy and an in-house e-discovery team is a necessary strategic resource. There were several of those good one-liners which stick in the memory – “distinguish between ownership of the project and ownership of the risk” and “litigation is everything which can go wrong”. Both of these mean that information management is a board level matter because too many departments are potentially affected (legal, security, IT, HR etc) for any one of them to assess the ratio of risk being faced to resource required to meet it.
The guts of the session lay in the mathematics which underpins the business case, and specifically the cost of getting it wrong. This foreshadowed a point to be made later by the Serious Fraud Office in connection with the Bribery Act – see below. Jonathan Peddie said “the regulator asks what happened and what are you doing about it?” The SFO is a prosecutor not a regulator, but the same principle applies – having the appropriate systems in place will not necessarily relieve you of penalties, but you will come out better than if you had no systems at all – quite apart from the overriding pre-emptive element which may steer you away from trouble in the first place.
The View from the Bench: the latest discovery decisions and case law
There is much more to such readiness than preservation, but the duty to preserve documents recurred in the next session, moderated by Patrick Burke and featuring two UK judges (Senior Master Whitaker and HHJ Simon Brown QC), one US judge (US Magistrate Judge Elizabeth LaPorte) and one from the Netherlands (Judge Dory Reiling, Vice-President of the Amsterdam District Court). Master Whitaker took us through the new e-Disclosure Practice Direction and Electronic Documents Questionnaire. Whilst that has a particular purpose for civil litigation, he said, it also serves as a check-list for regulatory purposes and for investigations, and many lawyers welcomed it as bringing structure to litigation readiness for companies which anticipated litigation. The new Practice Direction moves the discussion obligations from the moment when litigation begins to the moment when it was contemplated. Judge LaPorte referred to the continuum from carelessness through to bad faith and the conflict between the strict application of preservation obligations and the “the just, speedy, and inexpensive determination of every action” required by Rule 1 of the FRCP. Judge Reiling said that there was no common law duty to preserve in the Netherlands but that lawyers were now advising their clients about being ready to produce documents, with all which that entailed.
Judge Brown emphasised that parties who expect litigation should be ready for it. This creates no new law, merely reinforces an obvious (and a commercial rather than a narrowly legal) point which (as I would put it) means that clients cannot hand their lawyers an unsorted, unfiltered electronic jumble and then whine about the cost of litigation. Similarly, they cannot complain if a regulator or a prosecutor concludes that their systems were inadequate for compliance with regulatory obligations or for the detection of criminal activities.
The Bribery Act and US and EU regulatory investigations and prosecutions
This last point ties in with a discussion run by Vivian Robinson QC, General Counsel for the Serious Fraud Office and Jean-Bernard Schmid, Deputy Prosecutor General in Geneva. Vivian Robinson said that the Bribery Act was one of the most draconian acts of its kind, which aimed to put organisations in the dock along with individuals. The present law requires that someone at or near board level is implicated in the illegal act. The new rules cover failure to prevent it and is, he said, a form of strict liability. It is one with a wide territorial scope – if any part of an organisation’s business is in the UK, the organisation falls within the act.
It is a defence that at the time the bribery took place the organisation had adequate procedures in place to prevent such conduct, and it is there that we find the direct connection with electronic discovery in civil litigation and the readiness required by a regulator. “You never know when it may be your turn”, Vivian Robinson said, referring back to something which Jonathan Peddie had said earlier. This warning has much wider application than the preparation of a defence under the Bribery Act and may be both a spur to action and a yardstick for measuring the effectiveness of existing systems and procedures.
The act requires the government to offer guidance, which is to be published in the New Year. There was already a “mass of constructive advice” out there, Vivian Robinson said, much of it to do with uniformity and common sense.
There is a crossover between the AkzoNobel decision given by the European Court in September and part of the intent behind the Bribery Act. The SFO’s aim is to encourage voluntary self-reporting; whilst it expects to see all relevant facts, it does not expect to see the advice of internal lawyers – that would limit a company’s ability to assess whether it ought to report itself. AkzoNobel had established that in-house lawyers do not enjoy the same level of professional independence as do external lawyers. Documents containing legal advice given by internal lawyers are therefore excluded from privilege and are not confidential. The SFO will need to reconsider its approach in the light of this decision.
Vivian Robinson was alert to the connection between the earlier discovery sessions and the SFO’s remit. Companies should, he said, be able to re-purpose their e-discovery systems and processes to help with the Bribery Act defence about “adequate procedures”. Such preparations were not, he said, “fundamental prerequisites” but they might evidence adequacy. It was, he said, like keeping one’s accounts up to date, which promotes the perception that your house is in order.
Jean-Bernard Schmid said that civil law countries were “on another planet in respect of the role of the state” relative to the US and other common law jurisdictions. The Swiss were particularly distrustful of people who looked into their lives and businesses whilst being happy to accept the privacy loss implications of being on FaceBook or collecting bonus points at the supermarket.
Blocking statutes prohibit the gathering of evidence for foreign proceedings, and the existence of a foreign disclosure order is no excuse for breach of the blocking statute. Fishing was not allowed – so no “do they do business, do they have a bank account?” type questions would be answered in the absence of agreements such as those between tax authorities. “I am not to trust lawyers”, he said “they are paid to fool me”
Critical Considerations for International Privacy, Security, Disclosure and Discovery
Blocking statutes and other impediments to foreign data collections came up again in a session which I moderated on global data protection with Denise Backhouse of Morgan Lewis and Senior Master Whitaker. Denise Backhouse carried the main theme: the EU and other jurisdictions had severe restrictions not just on exporting private data, but on storing it and processing it, and almost any touching of the data fell within the definition of “processing”. Denise’s advice was to plan ahead, take advice, factor it into your timetables and manage expectations of opponents and courts. Master Whitaker explained how the document requests under the Hague Convention worked – a over-broad demand made late and without the help of a local lawyer was probably doomed to failure. A request which took account of the UK’s (and EU’s) more restrictive discovery rules and which was made in good time by a local agent who knew the ropes stood a good chance of being dealt with promptly and favourably – that does not guarantee success, but the opposite approach makes failure certain.
I finished the session with an explanation of the cultural differences. Privacy is a fundamental human right in Europe for sound historical reasons. It inevitably clashes with the US commitment to full discovery. We need on both sides to see ourselves as the other side sees us and many apparently insoluble problems could be resolved by compromise and by a more realistic assessment of the very real difficulties. Many US lawyers to the EU for data seem either ignorant that the restrictions exist at all or assume that they can kick the doors down. Equally, those responsible for the data in the EU have to recognise that doing business with the US brings some obvious implications. I will not repeat here what I have covered so recently in a recent post (see International Discovery, sanctions, ethics and US-UK comparisons at Georgetown.
Best Practice for Managing Information and Improving eDiscovery with Archiving
Annie Goranson and a colleague from Symantec began their session with the results of Symantec’s recent survey of companies large and small across Europe. 100% of respondents said that a case had been lost or delayed or involved sanctions or fines from courts or regulators. 90%, on the other hand, said that search technology had played an integral part in the success of a project.
Even though Symantec is a storage company, Annie said, it advocated reduction of volumes by the removal of unnecessary and redundant data. That data may hold something useful but, generally speaking, keeping masses of data increases risk as well as the cost of review
She also pointed out that, whilst storage itself is cheap, the cost is not just of the space – equipment must be housed securely, and electricity, air-conditioning and other costs must be considered, all of which had to be set against the investment in document retention policies and the means of executing them which would reduce the volumes to be kept.
Addressing E-Discovery and privacy challenges in the cloud
Discussions about cloud computing often involve conflicting theories without obvious roots in practice. Pamela Roberts, Head of Legal Data Services at Novartis Pharmaceuticals Corporation, and Julie Kudyba, Global Privacy Officer at Novartis Pharmaceuticals AG have actually got their hands dirty examining both the technology and the legal and security risks which must be set against the undoubted financial benefits of moving processes as well as data to the cloud. There is no point in saving money at the technical end if you incur three times the saving in legal and compliance costs.
This session was spoken of highly by those who attended it – I put it that way because I had to miss most of it thanks to a conflicting assignation with a video camera. I heard enough, however, to be clear that we must get Pam Roberts on to other panels if she is willing to come.
The decision to build an in-house e-discovery process
This was the title of the last session which I attended before setting off through the snow to the airport. The speakers were Patrick Burke of Guidance Software and Denise Backhouse of Morgan Lewis, both of whom had carried more than their fair share of this conference.
If everything which had gone before related to the reasons why European organisations should develop information retention policies and e-discovery strategies, this session was strong on how that should be achieved. If I were to pick just a couple of points out of the torrent of good advice given in this session, they would be as much to do with personal relationships as with the technology assessments. The latter are obviously critical, and we heard about assembling the business case and building up the RFI (Request for Information) and RFP (Request for Proposal). Much of it, however, concerned the need to build relationships between the various departments and business units which have an interest in the outcome which, properly managed, will not only reduce risk for the organisation and save it money but will make everybody’s life easier. The proponents of new technology and new processes must get buy-in from everybody – IT, security, information management, legal, HR – anyone whose work would be adversely affected by investigation, prosecution or regulatory intervention; these arguments go hand in hand with the cost-benefit and risk analysis relating to the organisation.
Denise Backhouse, whose firm regularly advises on such implementations, suggested that one might research past costs and break them down under various headings (with legal fees separated from discovery provider costs, for example) so that a clear picture emerged of where the money had been spent over the last two years. Patrick Burke suggested identifying someone holding an equivalent position in another company so that experiences and learning could be shared.
There are obvious themes running through this account of the wide-ranging sessions. In-house counsel are accustomed to generalised advice about risk and savings, and to continual warnings that the pressure is increasing – that has been a recurring theme for years. This last year, however, has seen tangible evidence that the screw is turning harder, not least in Germany where the conference was held. The UK Bribery Act is significant not just because of that word “draconian” but because of its territorial reach and because of the express defence about adequate procedures. That spells out that the corollary – inadequate procedures – does not just increase the risk that illegal activity will go unnoticed but actually forms part of the battle-ground when prosecution is brought. That is, in fact, true of many regulatory investigations – that regulator’s question summarised by Barclays’ Jonathan Peddie as “what happened and what are you doing about it?”
If one wanted a single sentence to encourage delegates to take action, it is another one from Jonathan Peddie: “You never know when it is going to be your turn”.
There was a good turn-out of the well-known providers of software and services. In addition to those mentioned above as providing speakers – Guidance Software, Ernst & Young and Symantec – I came across people I know from AccessData, Clearwell, FTI, IBM, KPMG, Merrill Corporation, Recommind and Trilantic. If you cannot find someone amongst that lot to help, it would be very surprising. Where were the law firms on the expert advisory side – or does Morgan Lewis have that field to itself?
Thanks to IQPC for organising the Exchange with their usual competence, and to Patrick Burke of Guidance Software who ran the show on his own and took a party of us to dinner at the top of the revolving Olympia Tower Restaurant.