Understanding local customs is crucial to the success of cross-border e-disclosure exercises, say Alex Dunstan-Lee and Kathy Taylor
Electronic data does not recognise geographical or jurisdictional boundaries, which presents an interesting challenge for any legal framework that attempts to control it, such as the e-disclosure system.
Lawyers often focus on data protection rules alone when attempting to move data out of a country back to the UK or the US, but cultural, environmental and logistical differences can be equally daunting.
So what are these challenges and how can they be overcome?
While the right to data privacy is heavily regulated and increasingly enforced in the EU, not all jurisdictions have corresponding legislation. According to EU Directive 95/46/EU, personal data may only be transferred to countries outside the EU if the country in question provides an adequate level of data privacy protection.
The US’s so-called ‘safe harbour’ framework attempts to address inconsistencies between its own data privacy laws and those of the EU, but the situation is rarely clear-cut and usually involves some risk assessment.
Even within the EU, under the same directive, approaches can vary dramatically, with civil law jurisdictions such as France and Germany taking a more restrictive view than the UK, for example.
Every case will be different and local legal advice needs to be sought. Factors to consider include whether the case has criminal implications, how targeted the data collection is and where data will be stored.
It may be that data needs to be collected at locations where there are problems on the ground such as stringent visa controls, an absence of electricity, poor transport links, extreme weather conditions, security concerns or even social unrest.
Furthermore, data collectors should ensure they are sensitive to local cultural issues. Does the collections team speak the local language? Are there religious or cultural concerns that might affect the composition of the collections team?
Is a certain type of collections technology required to deal with the local script, or with the type of technology or encryption commonly used in the country? To avoid delays, these and other such questions should be addressed in a project’s planning phase.
Indeed, planning is the key to all successful e-disclosure exercises. Not only should the collections team liaise with the instructing lawyers to identify data privacy issues but it should also consider potential cultural, socio-economic and environmental issues. This will dictate the composition of the team, equipment selection, the location of any processing phase and the estimated timescale of the project.
Detailed questions should be asked of the client’s IT department. For example, where is the data backed up? Many companies have data storage centres in far-flung locations – there is little point arguing the finer points of data protection rules in Germany only to find later that the data is stored in a cheap centre near Atlanta.
Clients should consider the use of mobile technology to provide processing, analysis and review capabilities that can be dropped in at a client’s site, allowing the legal team to filter data before it leaves the jurisdiction and reducing the risk of challenge.
Switzerland is generally considered to have a restrictive data protection regime, but with many large banks and other companies headquartered there the need to get data to other countries is common. Mobile technology can be employed at a client’s Swiss office so that data filtering, searching and review can take place on-site, with only the most relevant data leaving the country.
Many jurisdictions permit the collection and cross-border transfer of data if the affected individual gives consent. The collections team should therefore work closely with the client and onsite employees.
Finally, a good relationship with the client will lead to smoother data collection. Find out whether IT personnel are knowledgeable and supportive. Can they help with transport, security or other concerns?
This issue arose in Azerbaijan. When leaving the country with data, our team was detained by customs officials. On production of a letter from the client granting permission for data to be taken out of the jurisdiction, the team was permitted to proceed.
As data protection rules get more support from the courts and data itself flows more freely and internationally than ever before, the challenges are set to intensify. Many legal departments have little knowledge of where their companies’ data actually resides – a trend that may continue with cloud computing. Lawyers need to work with IT staff to understand these challenges, ideally before litigation occurs, and thus be prepared in advance for e-disclosure.
Alex Dunstan-Lee is a director and Kathy Taylor is a legal consultant at KPMG