I had the pleasure of attending a terrific breakout session run by Amor Esteban (bio) and William Kellermann (bio). My words would not do their presentation on Cross-Border Discovery and Data Privacy justice. So please forgive me for borrowing the words of John Cleese from The Meaning of Life to summarize:
Before we begin your lesson, would those of you playing in the match this afternoon move your clothes down onto the lower peg, immediately after lunch. before you write your letter home, if you're not getting your hair cut, unless you've got a younger brother going out this weekend as the guest of another boy, in which case collect his note before lunch put it in your letter after you get your haircut and make sure he moves your clothes down to the lower peg for you. (Age restricted Python video clip on Youtube)
Yes it's perfectly simple!
This blog post was a challenge to write. I blogged about one of Amor's presentations on the same subject in 2008 (link to post) so I was looking forward to hearing updates and finally getting a little more clarity on the conflicts in the rules between the U.S.A. and other countries. The result? There has been progress and evolution but there still are so many conflicts and "what-ifs" that even experienced attorneys have to be careful and weigh the risk of each matter before offering the best option. Instead of giving what could only be incomplete tips that potentially cause more harm than good, or a workflow that ends up sounding like John Cleese, here is a list of considerations that can affect how and when you can or cannot preserve, review, and/or collect data. If you understand why all these options are important, and how to navigate through the various "what-ifs," then congratulations, you are probably qualified to be an international data expert.
- Is your US based legal or investigative matter sufficient justification to collect the data?
- Is this personal or business data, or, both?
- Could this data be considered a State Secret?
- Do you know the country of origin of the data?
- Do you know where the data is stored?
- Is the data stored in multiple locations?
- Is the data on a laptop that might be in a country other than where it originated?
- Does your computer usage policy protect you?
- Do you need to get consent from the Union to collect or use the data?
- Is the data encrypted?
- Does the data need to be encrypted to move it?
- Do you need to use a special encryption key?
- Do you need local counsel?
- Are your clothes on the lower peg?
Just kidding with that last one but hopefully this list helps you understand why a simple workflow is not possible. This is one of those areas of law that is extremely complicated, and what's worse? It is constantly changing and evolving. The only "best practices" advice I can offer is:
- If you have the chance to listen to Amor or William speak on this subject, do so. You will learn the reasons behind all the above considerations.
- Review the 57 page Sedona Conference report on the subject (available here).
- Retain experienced legal counsel to advise you on these types of matters before you get yourself into real trouble!