Data protection, the law and you – Cloud vision

What information is regulated? “Personal data”

The DPD’s “personal data” definition is crucial. It’s the trigger for EU data protection law requirements to kick in.

Information qualifying as “personal data” is regulated under the DPD, and all DPD rules on “personal data” apply to it.

Information which is not “personal data” or which stops being such, e.g. through anonymisation, can be handled without any DPD issues. For instance, anonymous data may be transferred freely, to the USA or elsewhere, regardless of the DPD’s restrictions on exporting personal data outside the EEA. That data might be subject to other laws, such as on confidentiality, but not the DPD.

Conversely, if information is “personal data”, the person who “determines the means and purposes” of processing that data is the “controller” of the data. Controllers who have certain connections with the European Economic Area are subject to various obligations.

These include having to register with authorities, handle personal data in certain ways, etc. There are also requirements regarding any “processor” processing personal data “on behalf of” a controller. “Processing” includes storing, holding, operating on, transmitting, disclosing or accessing data.

The DPD takes a very binary, “all or nothing” approach to data. If information is “personal data”, all data protection rules apply to it (not just some); if it’s not, none do.

Personal data in cloud computing

Now consider three types of data often encountered in cloud computing:

anonymised data

encrypted data

fragmented data (shards or chunks)

Are these kinds of data “personal data”? It depends.

via Data protection, the law and you – Cloud vision.

International E-Discovery Compliance – Privacy First

Outside of the United States, international data transfer laws are governed by regional and local privacy and data protection laws. Multinational businesses must understand the implications such laws have on e-discovery. The first order of business is understanding the distinctions between laws in the United States and other nations. For example, when we are discussing “personal data” in the US, we are referring to such things as financial and medical data. Within the European Union, such data as email is referred to as “personal data” as well. Each region within the EU has its own rules as to what can be tied directly to a person.

In the US, data transfer is not so unwieldy. There is little in the way of laws regulating the transfer of data over borders. Yet, the E.U. Privacy Directives and enabling legislation hold that personal data (again, all email) may not be sent outside the European Economic Area (the E.U. member states plus Switzerland, Liechtenstein and Norway) to any country with lesser data protection than the E.U. There are only a few nations that meet the EU’s standards for data transfer: Canada, Switzerland and Argentina. But such laws are not endemic to the European Union. Countries like Chile and Venezuela have similarly draconian restrictions.

The effect of all this upon in-house counsel trying to coordinate collaboration across the enterprise, which often depends, say, on a U.S. engineer obtaining emails between his German colleagues, or a Human Resources manager in Kansas faced with a need to investigate hostile workplace claims between employees in Germany, is starkly obvious, but outside counsel in litigation may find herself stymied as well. An attorney’s first instinct will probably be to put into place a global litigation hold, as is commonplace with regard to dealing with e-discovery law within the US. Yet, the European Union’s Privacy Directives again broaden terms U.S. lawyers use commonly, in order to maximize privacy protection. “Processing” of data includes any manipulation of data, including steps taken to protect it from deletion. The Directives also hold that “processing” may only be performed for a permitted purpose, and European Commission opinions have held that U.S. litigation is not a purpose for which processing may be performed.

Blocking statutes, however, may make things worse than they seem. Such laws can prevent the transfer of any data that is to be used in foreign judicial proceedings – a possibly devastating prohibition. Blocking statutes in Switzerland and France carry criminal sanctions.

In light of such stringent privacy and data protection provisions, how is a company in which collaboration depends on almost daily international data transfers to function? One method, for data from the European Union, is enrollment in the U.S. Department of Commerce Safe Harbor Program. The program requires the U.S. company to file a Privacy Statement summarizing how it will protect personal data from the E.U., and in which it agrees to adhere to seven principles of confidentiality and data protection. There are also some contractual agreements that can be put together to deal with potential problems with regard to data transfer. Recently, many companies have implemented Binding Corporate Rules, in effect corporate codes of conduct for personal data protection. In Asia, Canada, South America and elsewhere, data transfers require compliance with local data protection laws, or permission from or notification to local data protection authorities. These are complex agreements, and counsel who has a relationship with counsel located in the host country is essential.

via International E-Discovery Compliance – Privacy First.

International E-Discovery Compliance- Privacy First | Business44.Com – Business Site

Outside of the United States, international data transfer laws are governed by regional and local privacy and data protection laws. Multinational businesses must understand the implications such laws have on e-discovery. First, one must again draw distinctions between the U.S. and other nations. For example, when we are discussing “personal data” in the US, we are referring to such things as financial and medical data. Within the EU, however, personal data refers to such things as electronic mail. Privacy Directives and member state enabling legislation define personal data as data which can be traced to an identifiable individual (the “sender,” or “from” line).

The US is fairly lax in what it allows outside of its borders, boasting very little in the way of statutes preventing the transportation of data. Yet, the E.U. Privacy Directives and enabling legislation hold that personal data (again, all email) may not be sent outside the European Economic Area (the E.U. member states plus Switzerland, Liechtenstein and Norway) to any country with lesser data protection than the E.U. There are only a few nations that meet the EU’s standards for data transfer: Canada, Switzerland and Argentina. And this scheme is not limited to the E.U.; Chile and Venezuela have similar restrictions, and Japan requires consent of the data subject for email to be sent outside the country.

via International E-Discovery Compliance- Privacy First | Business44.Com – Business Site.
