Cross-border discovery and privacy gaps widen thanks to PRISM and trolls

The eDiscovery world was not gracious enough to take a break while I was travelling recently, and I come back to a mass of things to write about. Having cleared out the things with deadlines – webinar notices and the like – I can pick what comes up first from the stinking pile which has gathered in EverNote in my absence. Privacy and eDiscovery will clear a good few source articles out of the pending folder.

eDiscovery people tend to see the difficulties of cross-border discovery as a series of logistical problems, additional hurdles to be jumped when the already difficult task of data collection involves foreign jurisdictions. There are privacy laws to observe, and practical difficulties of language, time zones and culture to face. It is easy to overlook the relationship between these hurdles and wider issues of personal privacy.

The latter have been in the headlines recently. The PRISM revelations should have come as no great surprise – the US has the resources, the motive and an historic indifference to the sanctity of private information. More surprising, perhaps, is the discovery that France and Germany (and others) operate surveillance systems at least as comprehensive and intrusive as those of the US. I heard someone say recently how Germany’s Chancellor Merkel is affected by her upbringing under the Stasi, but we now see that Erich Honecker was a mere amateur when it comes to data collection about citizens, and hopelessly ill-equipped in technology terms; France postures unhelpfully against other countries with its blocking statutes, while itself aggressively collecting and using private information.

At the same time, the UK is facing up to a conflict between privacy and free expression on the one hand, and protection – protection from crime and terror, from porn and from internet abuse by “trolls” – on the other. Prime Minister David Cameron proposes porn filters, whilst apparently having no idea of either the technical or the democratic implications of closing off a section of Internet content.

The road which begins by blocking offensive pornographic content leads very quickly to control of other things. Restrictions designed to protect children from bare flesh turn very quickly to restraints on comment about a government department. Who decides where the line lies between justified restraint of offensive things and the suppression of democratic views?

We have seen a spate of particularly vile abuse directed by tweeters, mainly at women. It has provoked an outcry which is perfectly justifiable, but which includes demands for controls and for the ability to identify offenders and to bring them to punishment. That is all well and good, but it again raises democratic issues – the controls and punishments designed to restrain personal abusers are easily turned to control of fair comment, either by the state or (and this is easily overlooked) by well-marshalled squadrons of trolls who will very quickly learn to use the control mechanisms to close down those who oppose them.

There is some amusement, albeit slightly grim amusement, in seeing people argue simultaneously for the democratic ideal of free speech and for restraint on abusers. As the English legal commentator @JackOfKent said,

[Image: JackOfKent_PRISM_Abuse]

The prime minister, like all politicians, suppresses common-sense and rational thought in favour of an attempt to satisfy almost everyone (I have seen no Cameron support for the trolls, however, who are presumably not seen as having the voting-power to matter).

The politicians spot that a pro-control approach will give the security services – ever-eager to fill political ears with bogyman stories – the powers they have demanded from successive governments for years, and will please a majority of the electorate too dumb to spot the contradiction between demands for control and freedom of expression. The Daily Mail, meanwhile, never slow to have its hypocritical cake and eat it, applauds Cameron’s stance on porn control in a headline juxtaposed with the traditional Daily Mail fare of starlets’ bottoms and C-Listers’ breasts.

The subject warrants more serious discussion than almost any other at the moment, but rational discourse has become drowned in aggressive shrieking in which the only sensible reaction is to keep your head down – another example of discussion being stifled by strongly-held views expressed in terms which allow no room for debate. There have been many articles about all this in the last few days. Paul Bernal’s Twitter abuse: one click to save us all? is perhaps the best summary of the issues which I have seen.

The wider data privacy picture

Meanwhile, on a wider stage, the EU’s proposed Data Privacy Regulation was already in difficulties before the PRISM revelations raised the temperature. Those who promote the Regulation are well-meaning, no doubt, but an approach aimed mainly at internet giants like Google can easily sweep up everyday personal and commercial activities, imposing restraints and expense whose effect is to close down businesses as well as discussion. The outcry brought about by PRISM includes a new focus on Safe Harbor and an apparently blanket clampdown on data transfers by Germany. Between the privacy-above-all advocates and those with nefarious reasons for wanting your data (and “nefarious” is itself a wide term, embracing not just real crooks but the shysters who collect our data the better to market their products to us), lie millions who just want to run their businesses and conduct their personal relationships. As with the porn and internet trolls, any attempt to resolve the conflicts will merely generate attacks from both sides. The language may be diplomatic and legal, rather than abusive and hysterical, but the gap is similar.

My friend Browning Marean of DLA Piper US has long said of the existing conflicts that “there is going to be a train wreck”; I include this as a quotation on my cross-border slides, along with a picture of a train wreck. He sent me a message this week which read simply “looks like the train wreck approaches!”

In amongst all this, we have another US judicial Opinion on the balance between US eDiscovery requirements and the privacy and data protection regimes of other jurisdictions.

Much of this came up at the Sedona Conference Cross-Border Programme in Zürich, a gathering of those most interested in and influential on cross-border privacy implications. Fortunately for me, the Sedona rule that everything said at Sedona stays at Sedona protects me from having to give you a full summary of what was covered. Nevertheless, some broad principles are worth pulling out.

There has been much good comment on all of this, as well as the usual hysteria. Where possible, I will cover these subjects by brief summaries or by referring you to useful articles by others.

The Sedona Conference Programme on Cross-Border Discovery

Let’s start with the Sedona Conference Cross-Border Programme in Zürich, two-and-a-half days of intensive and focused discussion about every aspect of cross-border discovery. I will reduce my pages of notes to a handful of points:

There is the growing significance of privacy and data protection in Asia-Pacific jurisdictions. If anything, the issues there appear even more intractable than they do between the US and the EU and, whilst the economic and trade data is sending mixed messages, there is no doubt that foreign interests (and not just those of the US) are forcing a focus on the ease or otherwise with which data can be collected, particularly in China. The broad answers are the same everywhere, however, not least in the easily-stated truism that companies must include prospective cross-border issues in their risk assessments when embarking on ventures involving Asia-Pacific trade.

Sedona’s own International Principles on Discovery, Disclosure and Data Protection deserve wider attention than they are getting. The six principles which are summarised at the beginning really boil down to a practical approach which shows respect for other jurisdictions’ laws, factors them into the discussions as to scope, time and cost with opponents and with the court, and focuses at a very early stage on the question “what do we really need here?”. If you start arguing about them in US proceedings (or in front of a regulator for that matter) at a late stage, then you are likely to be seen as evasive at worst and ignorant at best. If there are problems, identify them promptly and bring them to the table so that they can be factored into the discussions. Let’s see the International Principles cited more often in US cross-border motions; we might then see judges take formal notice of them – more formal notice, I should say, because they have been cited already.

The proper use of technology is critical, and technology improves all the time; it is increasingly possible to pick out personally identifiable information and to assess the time and cost implications, as well as the wider discovery implications, in an informed way. The undue burden argument without more is useless – what is that burden, and what positive suggestions do you have for reconciling the obligations owed on one side with the restrictions imposed on the other?

The Draft EU Regulation and PRISM

Even as we were discussing all this in Zürich, the NSA/PRISM story was tumbling out. Whilst the US was complaining that the draft EU Data Privacy Regulation would deprive courts and regulators of information critical to licensing or to the administration of justice, EU authorities were threatening to close down the existing mechanisms designed to aid compromise because of PRISM.

The best article I have seen on this is one by Hunton & Williams of 25th July. Its heading is German DPAs Halt Data Transfer Approvals and Consider Suspending Transfers Based on Safe Harbor, EU Model Clauses. The article includes a link to a press release from the Conference of the German Data Protection Commissioners which amply supports the title. Those of us who had hoped that we were moving forward in resolving data protection issues find that a combination of the proposed regulation and the PRISM revelations is sending us fast backwards.

Another US cross-border eDiscovery sanctions case

A conflict of a more traditional kind, often covered by me, emerged when a judge of the US District Court for the Eastern District of New York imposed eDiscovery sanctions on Arab Bank for refusing to produce payment records and account information. The Kingdom of Jordan has applied to the US Supreme Court to overturn this finding.

It is easy to be critical (I often am) of American courts whose weighing of the Aérospatiale factors seems to equate “American interests” with “the interests of the American party”. Even I, however, accept that doing business in the US has certain implications, and that allegations of involvement in terrorism (which is what is pleaded) give US courts more justification for sanctions orders than would arise in a purely civil dispute. The point arose also in Judge Scheindlin’s Opinion in Wulz v Bank of China (see article Judge Scheindlin Weighs Comity Concerns and Orders Production of Documents from Bank of China Despite Violation of Chinese Laws by Gibbons here) where the court ordered discovery, despite a conflict with banking secrecy laws, because of that same allegation of involvement in terrorism. The arguments in the Arab Bank case are well set out in Victor Li’s article on Law Technology News called Supreme Court urged to overturn discovery sanctions against Jordan bank.

Don’t think that I have gone native, incidentally – US foreign discovery requests continue to look like elephants trampling a flower-garden, but one can occasionally see a rationale behind them, by their lights if not by ours.

There are some questions to which there are no easy answers, and those involving conflicts between privacy on the one hand and security and the openness required by justice on the other will always raise difficulties. My view has generally been that nearly all such conflicts could be resolved by a strategy of informed openness. If the EU’s draft Data Protection Regulation raised a few hackles, the lines for discussion did at least stay open. The NSA/PRISM implications go much deeper.

They do not, however, affect the basic advice which should be given to every party seeking cross-border discovery – find out what the problem is, assess the costs and risks which it raises, consider how technology can at least narrow the scope of the problem, and be open with opponents, courts and regulators. This show will run and run. Meanwhile, those of us who prefer to see rational debate, the enforcement of existing laws, and the operation of cool common sense, wait nervously to see what knee-jerk reactions, and with what consequences, the politicians of the UK and the EU come up with in relation to recent events.


About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere.