International and Cross Border Discovery:
When a litigant in the Unites States requests electronically stored information (ESI) from another country, several legal and practical issues are raised. For several years, litigants have depended on the Privacy Shield to transfer ESI across borders. The Privacy Shield is a series of agreements between the United States, European Union, and Switzerland that allows cross-border data transfers. The US Federal Trade Commission managed the agreements and required anyone who used the Privacy Shield to adhere to seven data protection principles and sixteen self-certification principles.
In July of 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield. The Swiss data protection authorities followed suit about a month later. The CJEU ruled in Data Protection Commissioner v. Facebook Ireland and Maximillan Schrems (“Schrems II”) that the Privacy Shield did not sufficiently protect the privacy citizens in the European Union.
But what happens if ESI needs to move across borders? It the ESI requested is located outside the United States, it first must be determined if that information is within the possession, custody, or control of the party receiving the request. If the receiving party is in possession, it is their responsibility to determine how the data should be transferred to the United States. Litigants in the United States must be aware of the differing law, legal rights, and obligations in other jurisdictions.
Luckily, there are ways to overcome cross-border data transfer restrictions. These are a few:
- Remove Personal Data Sets – If the ESI does not contain personal data, it is generally considered outside the scope of data protection laws.
- Consent from the Data Subject – Some jurisdictions will allow the transfer of personal data if consent from the individual is given. Consent must be given voluntarily and can be revoked.
- Binding Corporate Rules (BCR) – BCR allows the cross-border transfer of ESI to countries that may not have sufficient data protections. These policies allow companies to transfer personal data outside of the European Union within an organization. BCR is used in daily business for larger international companies that regularly transfer personal data to their offices around the globe.
It is imperative to understand that the rest of the world does not view discovery in the same way as the United States. When dealing with international and cross border discovery, understanding the local rules of where the data resides is most important.
For more Tidbits & Thoughts, please click here.