Part of the Solution

Idealistic musings about eDiscovery

Category Archives: Case Law

RIP, Safe Harbor

“Decision 2000/520 is invalid.”

Those few words were all it took for the European Union Court of Justice (ECJ) to shoot down the “Safe Harbor” data agreement between the US and EU on October 6. To paraphrase the prolix paragraph that preceded those four words, the ECJ ruled that the Safe Harbor agreement notwithstanding, each EU nation still retained its power to review claims of personal breaches of data privacy rights; thus, the agreement has no effect.

From Hogan Lovells:

Safe Harbor was jointly devised by the European Commission and the U.S. Department of Commerce as a framework that would allow US-based organisations [sic] to overcome the restrictions on transfers of personal data from the EU.  Following a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the [ECJ] was asked to consider whether a data protection supervisory authority was bound by the European Commission’s decision that Safe Harbor provided an adequate level of protection for European data.

Eric Levy summarized the fact situation nicely:

Schrems, an Austrian citizen and a Facebook user since 2008, alleged that Facebook should not be allowed to transfer the personal information of it subscribers from its Irish servers to servers in the US. In the light of revelations made in 2013 by Edward Snowden concerning the activities of United States intelligence services like the NSA, Schrems contended that the law and practices of the United States, including Safe Harbor, offered no real protection against surveillance by the United States of personal data transferred to that country. On October 6, 2015 the ECJ agreed with him.

The New York Times has also written a tight, more complete version of the back story.

According to Hogan Lovells, supra, the death of Safe Harbor means:

  • Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorized by data protection authorities or fit within one of the legal exemptions.
  • Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimize data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
  • US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to be able to engage their services lawfully.

So, instead of a single EU-wide privacy benchmark to apply when companies send foreign citizens’ personal data back to the US, each EU country can now apply its own standards for data privacy. This is likely to mean that some EU countries will suspend transfer of their citizens’ data to the US altogether.

During discovery, US judges had already shown a rather dismissive attitude toward foreign data privacy rights, so long as that data might prove discoverable in the US court. “I don’t care how hard it might be for you to get that data,” some judges had said, “that’s not my problem. It’s your case, and your data, so do it or face sanctions.” Huron Consulting had summarized:

Thus, U.S. courts where a lawsuit is filed and where the parties have appeared are likely to enforce U.S. rules of procedure regarding requests for discovery of information housed overseas, yet the countries where the information is housed may sanction parties who produce information protected by the privacy rules or without complying with the Hague Convention.

That was the best-case scenario under Safe Harbor. Now, the 28 EU nations previously bound by the agreement are free to apply their own data privacy rules to information housed in computers within their borders.

There is no “effective date” specified in the ECJ’s ruling, implying that Safe Harbor is dead as of now. However, Norton Rose Fulbright suggested prior to the ruling that panic is unnecessary:

If the ECJ finds that [Member State Data Protection Authorities (DPAs)] have the authority to make their own determinations as to whether certain types of transfers under the Safe Harbor are valid, there would be no immediate legal effect on the legality of transfers relying on the Safe Harbor. The Irish proceedings that gave rise to Schrems would continue, and other complaints would likely be filed to seek review by the Irish and other DPAs. While these proceedings could ultimately lead to data transfers being found invalid, this process would take months or years. Meanwhile, the European Commission would have more time to reach a new Safe Harbor agreement with the US, offering the DPAs an opportunity to find that the enhanced framework addresses their concerns.

If you have pending litigation involving electronic data that you thought your clients produced in compliance with their Safe Harbor certification, do your own research and reconsider your collection and production strategies in light of the meager guidance provided by the ECJ and in the references quoted here.

This is gonna get interesting.

Advertisements

Proportionality in Discovery: Example #243

Courtesy K&L Gates, this recent opinion from USDC California in which the judge points out that you can’t very well conduct discovery with any sense of proportionality if you don’t know what the damages in question are:

[T]he court indicated that Plaintiff’s “tight-lipped” disclosures regarding damages, including indicating its desire for the defendant to wait for Plaintiff’s expert report, were “plainly insufficient.”  The court went on to reason that “[e]ven if [Defendant] were willing to wait to find out what this case is worth—which it is not—the court still needs to know as it resolves the parties’ various discovery-related disputes.  Proportionality is part and parcel of just about every discovery dispute.” (Emphasis added.)

Moral of the story: Modern discovery is not compatible with a plaintiff mindset of “We won’t specify an amount of damages sought, because then we can’t shortchange our potential recovery.”

If ESI Isn’t Inaccessible, Better Speak Up

I don’t know if I’m more impressed that the author’s name is “Gary Discovery”, or that the ESI_logo[1]wisdom contained in his note is so cogent, but this author cites a new Pennsylvania case in which the judge presumed ESI to be inaccessible where neither party contended otherwise. In this case, the result was that the costs of production shifted to the requesting party.

The requesting party should submit to the court that the ESI sought is accessible to avoid both a presumption of inaccessibility and the possibility of cost-shifting.  Requesting parties should not leave it up to the producing party to bear the burden of showing that the ESI is inaccessible because the courts are now willing to presume this finding if neither party contends otherwise.

New Ruling from Rio Tinto Case: Parties Can Use Keywords with Predictive Coding

Here’s a good post from Philip Favro at Recommind, regarding Judge Peck’s new “hot-button” case dealing with technology-assisted review:

New Ruling from Rio Tinto Case Confirms Parties Can Use Keywords with Predictive Coding.

Like King Solomon’s famous mandate to split the baby, the court’s middle ground decree wisely provided each party with a measure of what they requested while also resolving the dispute. By permitting Vale to cull down the document universe with search terms, the court honored the parties’ predictive coding use agreement as Vale had requested. However, the court placated Rio Tinto’s concerns by allowing it to propose search terms that might capture relevant information that might otherwise have been excluded.

Oh, THIS Ought To Be Fun …

Via Ralph Losey and his e-Discovery Team blawg comes this surprising opinion out of Delaware Chancery Court: EOHB, Inc., et al v. HOL Holdings, LLC, C.A. No. 7409-VCL (Del. Ch. Oct. 15, 2012). The ruling REQUIRES both parties to this case to use technology-assisted review (i.e., “predictive coding”), even though neither party raised the question; and REQUIRES both to use the same vendor.

Interesting.

From the transcript of Vice Chancellor J. Travis Laster’s ruling in open court:

I would like you all to talk about a single discovery provider that could be used to warehouse both sides’ documents to be your single vendor. Pick one of these wonderful discovery super powers that is able to maintain the integrity of both side’s documents and insure that no one can access the other side’s information. If you cannot agree on a suitable discovery vendor, you can submit names to me and I will pick one for you.

Now, there are activist judges … and then there is Chancellor Laster. But as Ralph observes:

The parties will probably suggest in very polite language that it is none of the court’s business how either side goes about producing their own electronically stored information, much less select a vendor for them. There has been no dispute between the parties to justify this kind of intervention, no allegations of unreasonable search and inadequate production. Unlike the Kleen Products case, where the plaintiff tried to force predictive coding on defendants, there is not even a hint of wrongdoing on either side, much less a suggestion by anone that predictive coding be used. See eg. Kleen Products, LLC, et al. v. Packaging Corp. of Amer., et al.Case: 1:10-cv-05711, Document #412 (ND, Ill., Sept. 28, 2012).

While I definitely believe in the power and cost savings of technology-assisted review, isn’t it a bit beyond the pale for a judge to impose, sua sponte, a requirement of predictive coding where nobody has asked for it and neither party may have the tech-savvy personnel or the budget required to be the guinea pigs for this test case? Plus, if Ralph’s recitation of the case is complete, the chancery judge has missed a key point: Technology-assisted review can’t be used completely in lieu of human reviewers. It must work hand-in-hand with real live attorneys in order for the system to be of any valid use whatsoever.

Please read it for yourself, and respond with your thoughts in the comments.