peshkova - Fotolia

Manage Learn to apply best practices and optimize your operations.

Study reveals legal obstacles created by data protection laws

A new study has that found data protection laws and state secrecy rules have created legal obstacles for businesses conducting operations in Asia.

Data protection-specific compliance regulations and state secrecy have become a big concern for multinational corporations and law firms conducting business in Asia, according to a new study. The report, conducted in part by FTI Consulting Inc., found that the combination of numerous regulatory compliance mandates, data privacy/confidentiality rules and broad Chinese state secrecy laws present challenges for businesses as they conduct e-discovery processes in Asia.

In this Q&A, FTI Consulting Senior Managing Director Veeral Gosalia discusses the E-discovery in Asia: Legal, Technical and Cultural Issues study and how it influences compliance and legal management at multinational organizations.

What are the study's key takeaways for multinational corporations and law firms that may struggle with the legal, technical and cultural implications of e-discovery in Asia?

Veeral Gosalia: Much of the e-discovery work that happens in the region is due to regulatory activity. The thing that surprised me a little bit from the survey results was that it's not necessarily because of having to respond to a specific regulatory request from a government agency, it's also when companies are conducting internal investigations and doing compliance work that's driving this as well. When people use the term e-discovery, they think of it immediately in the context of litigation, but in actuality the same services, the same paths and the same work are performed during an internal investigation.

We are seeing a lot of companies conducting these sorts of internal investigations, and some of them are being done simply because the company wants to ensure they are keeping a close eye on what's happening at their overseas operations. There are challenges that are going to come out of that. The first is this idea of conducting the investigation within the context and in recognition of a country's data privacy, confidentiality or state secrecy laws that impact the way in which a company might conduct an investigation.

Some of those laws actually prohibit the transfer of information outside of that region to another region that doesn't have similar protections. That influences how a company might conduct this investigation, and it influences how they might engage in the process.

The study found that 79% of respondents cited privacy or data protection as a big risk emerging from regional laws in Asia. Are there any best practices for international companies to avoid privacy and confidentiality risks when conducting legal matters in Asia?

Gosalia: In a traditional environment, you typically go collect data, you talk to individuals, you then bring that data back to a data center or processing facility, then you conduct your investigation. What's happening now is we've been bringing the technology, the professionals and the process to the data using a mobile processing and review environment. That enables you to conduct the investigation and review without the documents leaving the company's premises or them leaving the business' specific jurisdiction.

The second thing is to have better awareness of the specific issues that impact your ability to interact with and collect data. One way to do that is to use local counsel and representatives who are based in that region. These individuals will understand the local laws and the rules, and understand the concerns that employees might raise. They'll also likely speak the local language, and that will give you the capability to conduct interviews, have conversations and interact with employees in their native language. Companies should also ensure they are informing employees of their rights, and use consents to show they have notified them of any investigation that is going to take place.

How will new laws in China and other Asian countries impact the management of electronic data for legal review?

Gosalia: These laws specifically relate to data protection, data privacy and state secrecy. Those impact cases because you simply can't take the traditional approach to e-discovery. China has state secrecy laws that prohibit the transfer of information that could have economic value or could harm the economic interest of the Chinese government, but they don't have specific guidance on what qualifies as a "state secret" document.

Our opinion is that when you conduct these investigations and discovery, avoid moving the data as much as possible until you have whittled it down to the most relevant corporate information. Instead of going in and taking someone's entire mailbox out of the country, go and do as much of the review and processing in the country as you can to get it down to what is actually responsive to the matter at hand.

What are some new technologies and strategy trends that companies are considering to overcome these potential legal challenges?

Gosalia: As companies move to the cloud, as they continue to outsource IT environments, as they adopt [bring your own device] and other policies, it creates more of a challenge for companies as they conduct these investigations. The profile of data that you can investigate isn't in one or two places. It's in many more places, and the lines are being blurred between employee's personal data and their work data. When you have these issues in a country that has strong data protection laws and privacy rules, it influences how you are going to conduct the investigation and what efforts are going to ensure that you've removed any personal or private information from the information that you are going to use in the investigation.

A trend that we've noticed is that companies tend to want to work with and engage providers who are local to the region. That's something we highly recommend, because you get access to individuals who are aware of the rules that might impact how a company might conduct an investigation, they speak the local language, they know the culture. You'll get a much more positive outcome using that approach than using a provider that has to bring in resources from outside the region.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Next Steps

Use information governance policy to boost e-discovery

Privacy laws create obstacles to cloud-based legal data discovery

Dig Deeper on Managing governance and compliance

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Has your organization experienced any compliance or legal complications stemming from overseas data protection laws?