The Sedona Conference® recently published the International Principles on Discovery, Disclosure & Data Protection (“International Principles”) through its Working Group 6 on International Electronic Information Management, Discovery and Disclosure. The Sedona Conference® launched Working Group 6 in 2005 to bring the most experienced attorneys, judges, privacy and compliance officers, technology-thought leaders, and academics from around the world to discuss the management, discovery, and disclosure of electronically stored information (“ESI”) involved in cross-border disputes. The publication of the International Principles comes in light of a number of U.S. court decisions over the last two years ordering the disclosure of information in U.S. litigation despite the existence of foreign privacy laws that otherwise would have prohibited such disclosure. See, e.g., EnQuip Technologies Group, Inc. v. Tycon Technoglass, S.R.L., 2010-Ohio-28, 2010 WL 53151 (Jan. 8, 2010).
The International Principles contain best practices and recommendations for addressing the preservation and discovery of “protected data” in U.S. litigation. Protected data broadly includes any information that must be safeguarded pursuant to federal, state, or foreign laws, or through other privacy obligations. Although focused primarily on the relationship between U.S. preservation and discovery obligations and the European Union Directive 95/46/EC, the International Principles are designed to apply whenever data protection laws or other privacy obligations conflict with U.S. preservation and discovery obligations. The International Principles also contain a model protective order for use with protected data as well as a cross-border data safeguarding process and transfer protocol to document the steps taken to comply with applicable privacy laws.
The International Principles encourage parties to examine whether their discovery requests and obligations present a conflict with any data protection laws. If a conflict exists, The Sedona Conference® maintains that the parties should try to avoid or minimize the conflict by limiting the scope of discovery, engaging in phased discovery, or limiting the production of protected data and metadata. The parties also should agree to a protective order or stipulation limiting the use and disclosure of protected data and to a plan setting forth the methodology by which protected data will be preserved, processed, transferred, and produced.
Interestingly, the sixth and final principle addresses how organizations should maintain their data before preservation and discovery obligations arise. This principle reinforces the importance of having strong records management policies in place and stresses that custodians of protected data should retain such information “only as long as necessary to satisfy legal or business needs.” The Comment to the Principle 6 states in part:
Many organizations worldwide have become electronic data hoarders. While the retention of paper-based information had tangible physical consequences and costs, it has become relatively inexpensive and more expedient to expand storage capacity rather than to apply records management lifecycle discipline to ESI. There are numerous direct and indirect costs and risks associated with unbridled accumulation and retention of data. Legal risks may also arise, especially in the context of data protected by Data Protection Laws, in the over-retention of information.
The Comment further encourages organizations to implement data privacy and data protection technologies and procedures and to collect personal data with data protection in mind, e.g., “privacy by design,” to lower the costs and risks relating to data protection.
A copy of the International Principles publication is available here.