Ever since the GDPR went into effect on May 25, 2018, U.S. attorneys have been grappling with the conflict between their domestic ediscovery obligations and the EU’s restrictions on data collection, retention, and transfer.
Now, attorneys have a new resource for navigating the growing thicket of international data privacy laws and data transfer restrictions. This month, the New York City Bar Association’s E-discovery Working Group released its guide to cross-border ediscovery. Recognizing that attorneys in New York are particularly likely to face these challenges through their work with international clients, this guide explains the limits on cross-border data transfers and offers best practices for overcoming them.
Not all cross-border scenarios are obvious; the prevalence of cloud computing means that U.S. company data may be physically stored in a location where data transfers are restricted. The Cross-Border E-discovery: Navigating Foreign Data Privacy Laws and Blocking Statutes in U.S. Litigation guide starts by aiding practitioners in identifying cases where cross-border data transfers may be an issue. As the report notes, “Even disputes that appear on their face to be entirely domestic — e.g., New York parties in a New York court applying New York law to New York conduct — can trigger transnational discovery obligations when potentially relevant documents happen to reside abroad.”
The guide then explains both domestic laws governing ediscovery obligations and the foreign rules and laws that limit the exchange of discoverable information across national borders. It quickly sketches the limits of the GDPR and alerts attorneys to the existence of national blocking statutes and state secrets acts. Rather than spelling out the text of every nation’s statutes, it recounts case law precedent for interpreting those restrictions. It also discusses the application of privilege and offers guidance on creating “strategies and workflows that will minimize, if not completely overcome, th[ose] conflict[s].”
Finally, the guide suggests best practices, such as early planning and transparent communication, to help parties extract discoverable data without running afoul of international restrictions. These practices don’t, unfortunately, guarantee that a party will be able to transfer all relevant data to the U.S. However, they do set up a good-faith argument that the party has made every effort to lawfully obtain and provide as much of the data as allowed.
Our thanks go out to the E-discovery Working Group for creating this helpful, well-organized guide, which can serve as a model for attorneys everywhere who are attempting to safely navigate these treacherous waters. Even if you think the GDPR and other foreign restrictions don’t apply to you, download a copy here — you might be surprised by what you learn.