In a digital environment where access to information is faster, communication is more reliable, and logistics are more sophisticated than ever before, today’s companies are increasingly operating on a truly global scale. However, accompanying this trend in globalisation is the rise in cross-border litigation, arbitration and regulatory investigations. Companies must now litigate and respond to regulatory matters in multiple jurisdictions, each with its own unique legal requirements and cultural nuances. Drew Macaulay, Director of Business Development at First Advantage Litigation Consulting, examines the hurdles involved with the retrieval, review and production of electronic information in cross-border matters and the potential solutions that corporations and their advisors can employ to overcome these challenges.
Understanding The Jurisdictional Hurdles
Legal and regulatory requests for information may be in the form of a disclosure exercise in UK or U.S. litigation, an exchange of relevant documents in arbitration, or a formal request for information from a regulatory body such as the European Commission. Responding to such requests often involves moving large quantities of data quickly from one location to another. However, the need to transport information for these purposes often conflicts with the legal restrictions on the movement of personal data at both national and supra-national levels, which are imposed by such regulations as the European Data Privacy Directive and the Japanese Personal Information Act of 2003. Some legal instruments concerned with the protection of corporate information, including the French Blocking Statute of 1968, even criminalise data movement in particular circumstances.
Internal corporate data restrictions may also arise, for instance, where companies responding to information requests have contractual obligations to protect their clients’ data. Also applicable may be state data restrictions – for example, the Law of the People’s Republic of China on Guarding State Secrets – which can require the state to review certain classes of documents before their movement outside the original jurisdiction.
Key implications of these hurdles include requirements to notify the individuals concerned, to obtain consent and to minimise the amount of personal data moved prior to review by using filtering technology, either in the country of origin or in another approved jurisdiction. In some cases it may be a requirement to keep data in the jurisdiction of origin throughout the review process.
Where Do You Start?
Often the first course of action is to seek advice from local counsel, particularly those with specialised experience in responding to information requests. They will be able to provide practical, “on the ground” guidance on the application of local data privacy laws and may even be able to provide a first-level review for privacy issues prior to any data export.
A specialised technological service provider based in (or capable of travelling to) the particular country can help filter the data efficiently to reduce the number of irrelevant documents before they need to be moved. For countries such as France, where the Blocking Statute is an issue, companies may consider using procedures under The Hague Convention to obtain the requisite permissions for the movement of data. However, it is important to be aware that document requests will need to be very specific and that approval time may be lengthy.
In cases where a state needs to review certain documents prior to their export, a service provider can set up limited access to a review platform to allow efficient access to the relevant documents without incurring significant delay or cost.
Where the company has an obligation to its clients to retain possession of data, it is possible to instruct a technology service provider to operate from the corporation’s premises, processing and hosting the documents to be reviewed onsite.
Understanding Where To Look And Identifying Potential Stumbling Blocks
Frequently, the most time-consuming task is simply locating potentially relevant data. Documents may be stored in a variety of locations, formats and file types, often on servers in a physical location far from the individual who created them.
The use of outsourced data storage providers adds further complexity, as such providers may not host the company’s data in the same country as the users, may not grant access to their systems by independent data collection technicians and may not be able to provide data in a reasonable timescale. Providers may even store the data of multiple companies on one physical storage device, leading to further delays and complications in collecting an individual company’s data.
The use of databases to house corporate information can also be problematic. Although database storage makes it easier for users to view and access information, once the data is removed from the database application, it may become inaccessible. Furthermore, as many databases do not contain “documents” but, rather, discrete pieces of information in database fields, it can be difficult to define what should be handed over to the opposing party or regulator.
Other common issues include files that have been created in rare or custom-made applications, which may prevent reviewers and opposing parties from opening the files. Documents in certain languages – for example Korean, Mandarin and Japanese – can also be problematic as they need special handling to avoid corruption of the content and the metadata of the document, which may compromise the reliability of any searches undertaken further down the line. This is particularly an issue with documents in pre-Unicode character encoding.
Through The Maze – Practical Solutions
There are few easy solutions to the challenges of locating relevant data across multiple countries, but research and preparation in advance of receiving an information request can take some pressure off the process. First, in order to improve response times, it is essential to identify where the company stores its data and create a network map showing the physical locations of storage devices and classes of information stored.
If the firm uses outsourced or “cloud” data storage, the provider should be contacted to establish the physical locations of servers used to house the company’s data, the process and notice required to retrieve information from those servers, and the existence of data on the servers belonging to other companies as well as its own.
For information housed in databases, including those in certain Asian languages, companies need to ensure the service provider employed has specific experience with undertaking this type of work. Such provider will understand the different approaches and challenges and will have in place the relevant expertise and technical solutions to effectively complete the required tasks.
Avoiding Cross-Cultural Bottlenecks
Information requests are more common in certain jurisdictions than in others. In those where discovery or disclosure requests are commonplace, management is more likely to be aware of the importance of collecting the required information quickly and efficiently and will provide resources to assist in the effort. In countries where information requests are rare, the process may seem intrusive or a drain on resources and may be seen as an invasion of privacy by the individuals concerned.
Cross-cultural communication can also cause complications. If employees use company systems for personal business, and it is not possible to explain in the local language the way in which personal information will be protected, a confrontation may ensue. This can lead to the withdrawal of employee consent to the process, which could negatively impact the company’s ability to respond to the information request.
An often-overlooked point is that some countries have workweek schedules different from the standard Monday-to-Friday routine. For instance, the workweek is Sunday to Thursday in the UAE and Saturday to Wednesday in Saudi Arabia. These differences, as well as the logistical impact of religious festivals such as Ramadan, Eid and Diwali, should be considered and factored into any data collection plan to avoid delays and additional costs.
Ensuring Local Cooperation
Education, local support and sensitivity are the keys to a smooth data collection exercise. It is vital that local management understand the process in general and the importance of compliance. This is usually best achieved by educating key management and IT stakeholders in advance, ensuring that if a request arises, adequate IT resources and management attention can be secured.
Where necessary, obtaining and maintaining cooperation from employees can be a challenge. A clear explanation of the process is vital, and it should encompass the business need for compliance while assuring employees that their personal data is not the focus of the request. A data collection vendor able to provide a team that is fluent in local language(s) will also be able to overcome misunderstandings as the team will be able to explain, in non-technical terms, how data is retrieved and processed. In certain countries, such as Germany, consent to data collection and processing may be facilitated by engaging with the local labour union and (if there is one) the corporation’s data privacy officer.
Early Intervention
If challenges arising from cross-border information requests are not addressed early in the lifecycle of a matter, significant risk, delays and cost may be added to the process. Risk mitigation can include researching and documenting the nature and locations of data held by the company as well as notifying relevant stakeholders in operations and IT departments of the input required from them and their staff should a matter arise. The criteria for selecting external advisors such as local counsel and technical consultants should include experience in working on similar projects, resources in the relevant jurisdictions and flexibility. Ultimately, careful planning and advance consideration of the legal, technical and cultural hurdles will help to mitigate risks and minimise cost and disruption to the business.
Published November 18, 2011.