News Stay informed about the latest enterprise technology news and product updates.

U.S., EU personal data protection laws make e-discovery risky

E-discovery in non-common law countries is fraught with financial risks, Companies can be faced with breaking the law here or running afoul of European data privacy laws.

American companies that do business in European countries need to add cross-border e-discovery to their risk management portfolios.

More e-discovery resources
E-discovery rules double-edged sword for CIOs

Customized e-discovery tool lightens law firm's litigation load

Complying with litigation requests for electronic data is a challenge in any jurisdiction. This problem is compounded by differences between American and non-common law countries over the concept of electronic discovery. Especially problematic is the difference between American and European personal data protection. These differences add to the usual challenges of collecting electronically stored information (ESI).

Companies attempting to use ESI in Europe have a real dilemma: having to choose between paying fines for violating European Union (EU) data privacy laws or being punished in the U.S. courts for failing to execute on an e-discovery request, according to IT and legal experts.

"In Europe, for example, if you execute the e-discovery requests from the U.S. or other common-law jurisdictions, you are basically going to face potentially tens of thousands of Euros in fines," said John Bace, a compliance analyst at Stamford, Conn.-based Gartner Inc. and an attorney. "On the other side, if you play by the rules of the EU Directive, that opens the door for potential sanctions in the U.S. courts for the deliberate destruction of data."

Making matters more complicated, traditional mechanisms for transferring data across borders -- including employee consent, safe harbor provisions, binding corporate rules or model contracts and the Hague Convention -- have proved of limited value in bridging the gap between EU and U.S. demands on the data in e-discovery actions, according to these experts.

"When you have a cross-border issue, the circumstances are almost as unique as a snowflake," Bace said.

Employee consent is a perfectly practical approach to e-discovery in some EU countries, as long as it is not perceived as forced. In France, however, consent from an employee to an employer for collecting personal information is assumed to be coercive. Model contracts, a preferred choice, have proved time consuming. Businesses often give up before getting through all the necessary approvals from the various data privacy commissioners and employee works councils.

Indeed, procedural hurdles are such that many companies faced with U.S. legal holds on data residing in their European offices resort to conducting manual discovery in the country (identifying documents and redacting personal data) before attempting to send it back to the U.S. -- spending a fortune in the process.

On top of all this, e-discovery remains a U.S.-centric concept. "The whole construct that you have to give me evidence that might be bad for you and you have to give it all to me at your costs is a U.S. concept, not a global one. A lot of European-headquartered companies find this an irritation," said Deidre Paknad, CEO of PSS Systems Inc., a Mountain View, Calif.-based maker of e-discovery software.

Risk-based approach

So what should companies be doing to get a grip on cross border e-discovery? Knowing where your data is and who has it is a good first step in minimizing the financial and legal risks in cross-border e-discovery, according to Paknad, Bace and others. Understanding the data protection laws of the countries where you do business is critical.

The construct that you have
to give me evidence that might be bad for you and you have to give it all to me at your costs is a U.S. concept, not a global one.

Deidre Paknad
CEOPSS Systems Inc.

As important? Just because you can do e-discovery doesn't mean you should. Legal experts, IT consultants, analysts and vendors alike stress that companies need to factor in the cost of e-discovery in cross-border cases before deciding whether or not to litigate.

"Ninety-eight percent of cases settle. The vast majority of litigation is a series of negotiations with the adversary," Paknad said. "Knowing what you are up against in collecting this data is important early on in the negotiation."

Sergio Kopelev, a principal at consulting firm LECG LLC, where he specializes in large-scale electronic discovery and computer forensics projects, said companies should take a risk-based approach to e-discovery, treating it as they would any other risk.

"E-discovery becomes a problem when the cost is so prohibitive a company cannot litigate the issues it needs to litigate," Kopelev said. "The bigger picture is that cross-border e-discovery has to be at the forefront of your decision to litigate or settle a case."

Kopelev contends that the problem with e-discovery in non-common law countries is not the difference in approach to privacy or workers councils, but how much it costs to navigate those differences. Even e-discovery in the U.K., a common-law country, he argued, is a problem if the cost to review the documents is three times what is in the U.S. due to the exchange rate.

Managing the balancing act

In order to balance the needs, costs and burdens of e-discovery, Gartner offers the following advice:

  • Know the nature of the privacy obligations where the information is located. "Is it really one of the tough countries, like Italy or France or Spain?" Bace said.
  • Understand the degree of custody and control. "What is the gravity of the matter? Does the information exist only there, or was it originally generated in the U.S.? Can you get it from some other source?"
  • What is the nature and complexity of the proceedings? "Is this a dogfight or a bet-the-enterprise matter? Unfortunately, we've seen people spend over a million in e-discovery on a matter that can be settled for between $100,000 and $500,000," Bace said.

Technologies geared to cross-border e-discovery are starting to spring up, said Brian Hill, who covers e-discovery at Cambridge, Mass.-based Forrester Research Inc.

Paknad's PSS Systems, for example, takes a software approach, mapping data to country laws and developing workflows to best meet the pertinent regulations.

Clearwell Systems Inc. sells an e-discovery appliance that can be shipped to a company's foreign locations and set up on-site to analyze up to a terabyte of data, said Kamal Shah, vice president of marketing at the Mountain View, Calif.-based provider. Enterprise licenses start at $65,000; the company also offers a pay-as-you go pricing model.

But technologies that can help in e-discovery also face hurdles, Paknad pointed out. The internal work councils charged with enforcing the data privacy rules also get to vote on technology purchases. "Work councils are hostile to search technology," she said, because such technology has been used in the past for firing employees in countries where laying off employees is difficult.

Paknad said one of the challenges for U.S. companies is not to underestimate the importance of employee data privacy to Europeans. "The source of the data protection authorities in the EU is World War II," she explains. "No one wants to have personal attributes and characteristics of theirs to be used by a government against them, and they know it is possible for this to happen."


Let us know what you think about the story; email: Linda Tucci, Senior News Writer

Dig Deeper on Compliance services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.