eDiscovery around the globe

Transcription

Financial institutions
Energy
Infrastructure, mining and commodities
Transport
Technology and innovation
Life sciences and healthcare
Dear friends:
Welcome to Norton Rose Fulbright’s Global eDiscovery 2015 white paper. As a global legal practice
representing clients in disputes across the world, we recognize that it’s important for litigators to
understand how discovery impacts cases both at home and abroad.
The articles in this collection address four different aspects of discovery: mobile devices, the cloud,
cross-border discovery, and preservation.
•
The firstRose
article addresses
the growing trend toward using mobile devices in discovery procedures
Norton
Fulbright
and the unique challenges and burdens parties face when attempting to preserve and collect that
digital information.
Norton Rose Fulbright is a global legal practice. We provide the world’s preeminent
•
The second article addresses the preservation and collection of data in the cloud and how those
corporations and financial institutions with a full business law service. We have more than
practices
change
from
jurisdiction
tothan
jurisdiction.
3800
lawyers and
other legal
staff
based in more
50 cities across Europe, the United
States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
• The third article examines the practical ways to address cross-border discovery from four different
Recognized
for our industry
focus,
are strong across
all the keyand
industry
sectors:solutions
financial for processing and
perspectives,
focusing
onweextrajudicial
discovery
practical
institutions;
energy;
infrastructure,
mining
and
commodities;
transport;
technology
and
transferring data to be used in litigation.
innovation; and life sciences and healthcare.
• The fourth article addresses the question of whether a party may rely on its employees as the
Wherever we are, we operate in accordance with our global business principles of quality,
primary tools to conduct preservation and when that may not be reasonable.
unity and integrity. We aim to provide the highest possible standard of legal service in each of
our offices and to maintain that level of quality at every point of contact.
We hope that considering these discovery issues from a global perspective will not only help you
solve
in your
individual
butLLP,
willNorton
give Rose
you valuable
information to help you manage
Nortonproblems
Rose Fulbright
US LLP,
Norton Rosecases
Fulbright
Fulbright Australia,
Nortonglobal
Rose Fulbright
Canada
LLP and Norton Rose Fulbright South Africa Inc are separate
your
litigation
portfolio.
legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein.
Norton
Rose Fulbright Verein helps coordinate the activities of the members but does not
Best
regards,
itself provide legal services to clients.
David J. Kessler
Chair, e-Discovery and Information Governance Practice Group
More than 50 locations, including Houston, New York, London,
Toronto, Hong Kong, Singapore, Sydney, Johannesburg and Dubai.
Attorney advertising
References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their
respective affiliates (together ‘Norton Rose Fulbright entity/entities’). The principal office of Norton Rose Fulbright US LLP in Texas is in Houston.
Save that exclusively for the purposes of compliance with US bar rules, where James W. Repass will be responsible for the content of this publication,
no individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not
A Norton Rose Fulbright white paper
December 2015
Global contributors
If you would like further information, please contact
David Kessler, chair of the e-Discovery practice.
United States
Canada
David Kessler
Partner, New York
Tel +1 212 318 3382
[email protected]
Christine Carron
Senior Partner, Montreal
Tel +1 514 847 4404
[email protected]
Andrea D’Ambra
Senior Counsel, New York
Tel +1 212 318 3015
[email protected]
Kelly Moffet-Burima
Associate, Calgary
Tel +1 403 267 8215
[email protected]
Alex Altman
Associate, New York
Tel +1 212 318 3230
[email protected]
Sojourner King
E-Discovery Counsel
Tel +1 416 216 2327
[email protected]
Australia
Europe
Grant Bonner
Partner, Sydney
Tel +61 2 9330 8382
[email protected]
Peter Scott
Partner, London
Tel +44 20 7444 3834
[email protected]
Abigail McGregor
Partner, Melbourne
Tel +61 3 8686 6632
[email protected]
Marta Giner
Partner, Paris
Tel +33 1 56 59 52 72
[email protected]
Carolyn Wyatt
National Applied Legal Technology
Operations Manager
Tel +61 8 6212 3229
[email protected]
Michel Pflieger
Associate, Paris
Tel +33 1 56 59 52 74
[email protected]
Contents
Global key contact page
04
Chapter 1: Discovery and mobile devices
06
Chapter 2: Discovery in the cloud
14
Chapter 3: What are the intricacies of
cross-border discovery?
20
Chapter 4: Is it reasonable to rely on
employees to preserve documents?
25
Chapter 1
Discovery and mobile devices
With the explosion in mobile data usage, we expect to see a
growth in discovery from mobile devices in civil litigation.
01
According to Cisco Systems, global mobile data traffic is expected to quadruple in
the next three years, from 2.6 to 10.8 exabytes per month.1 For most companies, it
is expected that some, most, or all work will be conducted over a mobile device that
may be owned by the company or an employee. With this explosion in mobile data
usage, we expect to see a growth in discovery from mobile devices in civil litigation.
Mobile devices, however, present unique challenges and increased burdens for parties
attempting to preserve and collect information.
What are “mobile devices”?
In short, a mobile device is any portable electronic device
capable of communicating data through a mobile network.
The most commonly thought of mobile devices are cell
phones, smartphones, e-readers, and tablets (e.g., iPads).
However, the oldest and most common mobile device is the
laptop. Furthermore, many companies have customized
mobile devices that have been developed for their businesses,
such as portable barcode scanners and pipe-testing
equipment. Moreover, a new generation of mobile devices (socalled “wearables”) is coming of age and will exponentially
increase the volume of mobile data traffic and potential data
stores. Wearables include Google Glass, the Apple Watch
and FitBit. Whatever the format, each of these devices is
capable of storing and transmitting data that may be
relevant to litigation. It is important, therefore, to
understand how current laws are equipped to manage
discovery for mobile devices.
The United States perspective
I. Are mobile devices even discoverable?
Yes. There is no special exclusion for data generated from
or stored on mobile devices under U.S. discovery law.
Even where the data on mobile devices may be considered
ephemeral that does not per se exclude the data from
discovery.2 That does not, however, mean that litigants must
preserve, collect, and produce all data on mobile devices used
by their employees. To determine the extent of its discovery
duties, a party needs to consider three sub-questions:
1
Cisco VNI Global Mobile Data Traffic Forecast, 2013 – 2018 (available at http://www.
cisco.com/c/en/us/ solutions/collateral/service-provider/visual-networking- index-vni/
white_paper_c11-520862.html). To illustrate the scope of this figure, an exabyte is equal to
1 billion gigabytes (GB) of data, or more than 75 trillion pages of text.
2
See, e.g., Columbia Pictures v. Bunell, 245 F.R.D. 443, 447 (C.D. Cal. 2007) (holding that
server logs stored on a computer’s RAM were properly discoverable because “Rule 34
requires no greater degree of permanency from a medium than that which makes obtaining
the data possible.”).
1. Is there unique, relevant information on the mobile device?
2. Is the mobile device (or the specific data at issue) in the
possession, custody and control of the party?
3. Would discovery of the mobile device data be reasonable
and proportionate?
Like any other data source, a mobile device only need enter
the fray of discovery if it contains relevant information. Thus,
before needlessly expending time and resources to preserve
and collect mobile device data, it is usually wise to conduct
a prompt investigation to determine whether information on
the device will actually matter. That being said, as mobile
devices become a dominant tool in business, it will become
harder and harder to avoid conducting discovery on them.
II. Whose iPad is this, really?
Whether a party must preserve or produce data from a mobile
device in a given litigation often will turn on Fed. R. Civ. P.
34(a)(1), which states that a party to litigation may request
discovery of information that is “in the responding party’s
possession, custody, or control.” There is little doubt that
a party may be compelled to produce data from a mobile
device, or even a device itself, when the party has actual
possession of the relevant device.3
The law is murkier, however, when a company does not have
physical possession of the mobile device. At present, there
are two standards for Rule 34 “control” in Federal Courts: (1)
the “Legal Right” test4; and (2) the increasingly prominent
“Practical Ability” test.5
3
See, e.g., Bailey v. Scoutware, LLC, No. 12–10281, 2014 WL 1118372 (E.D. Mich. Mar.
21, 2014) (holding that plaintiff could forensically inspect defendant’s cellphone after
defendant already undertook such an inspection).
4
See, e.g., DL v. District of Columbia, 251 F.R.D. 38, 46 (D.D.C. 2008) (“[I]t has been well
established that the test for control is not defined as mere possession, but as the legal right
to obtain such documents on demand”).
5
See, e.g., Bank of New York v. Meridien BIAO Bank Tanzania Ltd., 171 F.R.D. 135, 146
(S.D.N.Y. 1997) (“[D]ocuments are considered to be under a party’s control when that
party has the right, authority, or practical ability to obtain the documents from a
non-party to the action.”).
Norton Rose Fulbright – December 2015 07
Under the “Legal Right” test, a company would be obligated
to preserve and produce data from a mobile device only to
the extent that it has the legal right to demand such data.
For example, an employee may agree to allow retrieval of
litigation-related data as a pre-condition of the company
placing its data on the employee’s personal device (a classic
reason for a bring-your-own-device, or “BYOD” policy). Under
the broader “Practical Ability” test, on the other hand, a court
may require a party to produce data from mobile devices
outside the possession of the party if the court believes that
the party simply has the means to request or obtain the
relevant data from the individual with direct possession.
Certain judges have commented that if employees have used
mobile devices for work, even without authorization and
against specific prohibition, an employer still has “possession,
custody, or control” over the data because the employer can
always fire the employee if he or she will not turn over the
mobile device.
III. Why can’t my opponent just go to the provider?
When considering the relative control that a responding party
and its mobile service providers have over data from a mobile
device, a company may wish to argue that a requesting party
should simply obtain certain forms of data (particularly text
messages) directly from the service provider through a Rule
45 subpoena. This approach is not likely to succeed. First, not
all relevant data will be in the control of the service provider.
Unique photos, voice recordings and other files may exist only
on the device itself. Second, even for data that may be stored
by a service provider – such as text messages and personal
email – most courts will not make an opposing party subpoena
a third party when a party to the dispute has possession or
control of the data. Third, even if a court required such a
subpoena, it would be doomed absent the consent of the
account owner, given the limitations imposed by the Stored
Communications Act (18 U.S.C. § 2701, et seq.) (“SCA”). The
SCA prohibits a service provider (e.g., a telecommunications
carrier) from disclosing to any person or entity the contents of
an electronically stored communication while in storage by
that service provider. However, because a service provider may
disclose the communications with authorization of the service
subscriber, courts have ordered litigants to grant authority to
mobile service providers to disclose their mobile data when
such data is relevant and not stored in the mobile device
any longer.6
6
See, e.g., Flagg v. City of Detroit, 252 F.R.D. 346, 355 (E.D. Mich. 2008) (holding that the SCA
did not alleviate defendant of the duty to produce text messages because it could “permit
the disclosure of [archived text messages] by granting its consent. This acknowledged power
readily qualifies as a ‘legal right to obtain’ the messages held by [the service provider], and
hence constitutes ‘control’ within the meaning of Rule 34(a)(1).”).
08 Norton Rose Fulbright – December 2015
IV. How easy is it to produce data from a mobile device?
Despite the ease of use and ubiquity of mobile devices,
preserving and collecting data from such devices can be a
complicated affair. One commentator has observed that “in
the text message environment, the ability to save messages,
and how many can be saved, is largely device- and carrierdependent; there is no one answer” to preservation and
production.7 Mobile devices are decentralized, disconnected
and can be widely distributed, making preservation and
collection labor-intensive and, therefore, expensive. Moreover,
most companies are not equipped to preserve or produce
data from their mobile devices, thus necessitating the use
of vendors with specialized expertise. For the most fulsome
preservation and collection, mobile forensic technology is
typically two generations behind current smartphones. This
means that, for example, while a company may issue an
iPhone 6 to an employee, many vendors can only create full
forensic copies with an iPhone 4. Sometimes a party will have
to collect and preserve a device and purchase new devices for
employees because forensic technology has not yet caught
up with newer devices, and user data from such devices
would need to be examined forensically at some point in the
future depending on the nature of the litigation. Conversely,
some forensic examination software does not support older
smartphone models and alternative collection methods would
require consultation with experts. The costs for collection
and preservation of data from mobile devices can vary widely
depending on the device and the level of preservation required.
V. Do I always have to produce data from mobile devices?
Even in cases where data from a mobile device may be relevant
to a litigation, a company may not need to preserve and
produce it because of the burden of doing so. Currently, Fed.
R. Civ. P. 26(b)(2)(C)(iii) requires the court to limit discovery
where it finds that “the burden or expense of the proposed
discovery outweighs its likely benefit, considering the needs
of the case, the amount in controversy, the parties’ resources,
the importance of the issues at stake in the action, and the
importance of the discovery in resolving the issues.” Notably,
this Rule is in the process of being incorporated almost entirely
within the scope of discovery under Rule 26(b)(1) to make it
even more prominent. To illustrate, when a party pushes email
out to mobile devices but also replicates the email on a server,
it is generally easier and more cost-effective to collect the data
from the server unless a party knew unique emails had only
7
Jonathan M. Redgrave, Keltie Hays Peay, Mathea K.E. Bulander, Understanding and
Contextualizing Precedents in E-Discovery: The Illusion of Stare Decisis and Best Practices to
Avoid Reliance on Outdated Guidance, 20 Rich. J.L. & Tech. 8, para. 38 (2014).
been saved on the mobile device.8 Of particular relevance to
data stored on employee-owned mobile devices is Principle
2: “Discovery should generally be obtained from the most
convenient, least burdensome and least expensive sources.”9
Although a litigant may be able to avail himself of
proportionality arguments, it can be dangerous for
a litigant to unilaterally fail to preserve evidence based
on proportionality because an opponent or the court can
disagree with how a litigant weighs the costs and benefits
of the information at issue.
Summarizing this tension, Magistrate Judge James Francis
has observed:
Reasonableness and proportionality are surely good
guiding principles for a court that is considering imposing
a preservation order or evaluating the sufficiency of a
party’s efforts at preservation after the fact. Because
these concepts are highly elastic, however, they cannot
be assumed to create a safe harbor for a party that is
obligated to preserve evidence but is not operating under
a court-imposed preservation order. Proportionality is
particularly tricky in the context of preservation. It seems
unlikely, for example, that a court would excuse the
destruction of evidence merely because the monetary
value of anticipated litigation was low.10
Therefore, unilateral decisions to not preserve relevant
information from mobile devices should be made
conservatively and cautiously.
scope of discovery. In Federal Court litigation12 and in Victoria,
a document is deemed discoverable if the party intends to
rely on it or the document adversely affects the party’s own
case, supports another party’s case or adversely affects
another party’s case. Furthermore, in these jurisdictions,
a party is required to undertake a reasonable search only
for discoverable documents, which requires an assessment
of the ease and cost of retrieving a document.13 In Queensland,
the document must be directly relevant to an allegation in
issue in the pleadings.
The test for relevance is different in other Australian
jurisdictions. In New South Wales, the document must be
relevant to a fact in issue – that is, it could rationally affect
the assessment of the probability of the existence of that fact
(other than relating to the credibility of a witness), regardless
of whether the document would be admissible in evidence.
In the ACT, the document must relate directly or indirectly
to a matter in issue in the proceeding. In Western Australia,
a party is required to discover all documents relating to any
matter in question.
The majority of Australian courts have implemented practice
guidelines in relation to discovery of documents stored
electronically. In the Federal Court, parties are expected to
have agreed upon a practical and cost-effective discovery plan,
taking into consideration the issues in dispute and the likely
number, nature and significance of the electronic documents
that might be discoverable. Discovery of mobile devices must
be considered when complying with the practice guidelines
and formulating discovery plans.
The Australian perspective
As noted above, a party is obliged to discover documents that
are in the party’s control. The test for control varies slightly
in each jurisdiction. Generally speaking, in most Australian
jurisdictions, a party to litigation is obliged to discover relevant
documents that are in the party’s possession, custody or
power.14 A party is said to be in possession of a document
The jurisdictional tests for relevance vary. In some
jurisdictions, the direct relevance test applies to narrow the
12 This applies where the Court has ordered “standard discovery” as opposed to
“non-standard discovery.”
A mobile device – and any data stored on a mobile device – is
a “document” for the purposes of discovery in each Australian
jurisdiction.11 Generally, the extent of a party’s discovery
obligations is determined by a relevance test and whether the
document (the mobile device or the specific data at issue) is in
the party’s control.
8
See The Sedona Conference, Commentary on Proportionality in Electronic Discovery, p. 2 (2013).
9
Id.
10 Orbit One Communications v. Numerex Corp., 2010 WL 4615547, *6 n. 10 (S.D.N.Y. Oct. 26,
2010).
11 In Palavi v Radio 2UE Sydney Pty Ltd [2011] NSWCA 264, Allsop P found that mobile phones
and iPhones were “documents” within the Interpretation Act 1987 (NSW) and the Evidence
Act 1995 (NSW). Other Australian jurisdictions have similar definitions.
13 In deciding what is a reasonable search, a party must take into account the nature and
complexity of the proceedings, the number of documents involved, the ease and cost of
retrieving a document, the significance of any document likely to be found, and any
relevant matter.
14 The obligation to discover documents in the Federal Court applies to documents in a party’s
“control,” which is defined as “possession, custody or power.” In Victoria, NSW and Western
Australia, the obligation similarly applies to documents within the disclosing party’s
possession, custody or power. In the ACT it is slightly different – possession is defined to
include custody and power. In Queensland, the obligation is to discover documents in the
possession or under the control of the disclosing party. The limited authority on this point in
Queensland suggests that control may be a more stringent requirement than power, meaning
an ability to direct or command the production of the document.
where it owns and holds the document, whereas custody refers
to physical holding of the document, irrespective of ownership.
“Power” refers to an enforceable legal right to inspect the
document, or obtain possession or control of the document,
without the need to obtain the consent of anyone else.15
Provided that the right to inspect or obtain the documents is
presently enforceable, the fact that for physical reasons it may
not be possible for the party to obtain immediate inspection
does not prevent the document from being within the party’s
power.16
Where the mobile device is owned by the employer, the device
will be in the employer’s power, even if it is not physically held
by the employer. Where discovery is required, a direction from
the employer to an employee to return the device would be a
reasonable and lawful one. The employee would be required
to comply with any such direction and the employer could
consider potential disciplinary action against an employee who
did not comply with the direction and return the device. The
employer would also be said to be in control of any of its data
stored on the employer-owned device, and anything created by
the employee using that data. Depending on the terms of the
employer’s workplace policies, the employer is also likely to
have control over the employee’s personal information17 stored
on the employer’s device.
Where the employee owns the device, the question of control
over data on the device may depend on where the data
originated from (e.g., is it the employer’s information or
intellectual property), the basis on which any employer data
was provided to the employee, and the scope of the employer’s
workplace policies regulating use of the device for work
purposes and return of the employer’s data.
The Canadian perspective
The explosion in the use of mobile devices over the past several
years presents unique challenges and increased production
obligations for parties attempting to preserve and produce
information from mobile devices in Canada. As electronic
discovery is a relatively new concept in Canada, there is
limited jurisprudence available on the subject.
The traditional rules for document production codified by
each province’s rules of civil procedure apply to electronic
discovery, including all information found on mobile
devices. Additionally, the Sedona Canada Principles18
and Ontario’s Guidelines for the Discovery of Electronic
Documents19 were created to assist lawyers and clients with
the production of electronic documents. In the absence
of Canadian jurisprudence, these two sources, as well as
American jurisprudence and provincial practice directives, are
relied upon frequently in determining best practices for the
preservation and production of electronic information from
mobile devices in Canada. The current best practices are set
out below.
I. Discoverability and preservation
The rules of civil procedure in most Canadian provinces
require the production of all relevant documents in the power,
possession and control of litigating parties. Electronic data that
has been generated from, or stored on, mobile devices is now
included in the broad definition of “document” and, as such,
an obligation to preserve and produce electronic documents
from mobile devices arises.20
Generally speaking, a prudent company should have document
retention policies requiring the retention of electronic files for
a reasonable period of time beyond the applicable limitation
period.21 If a company knowingly allows employees to create
business documents on their own devices, it follows that these
same retention policies should cover those devices and include
consent to monitor, access and retrieve documents from the
device, including access to passwords and remote access for
these purposes, subject to appropriate limitations to ensure
privacy of personal information.
Document retention policies must strike the right balance and
include criteria that establish what information and documents
can be destroyed and what must be kept for later reference
based on potential relevance. Such policies, however, do not
require corporations to take every conceivable step to preserve
all electronically stored information that may be of potential
relevance as such action would paralyze the corporation’s
ability to conduct ongoing business. Accordingly, the general
obligation to preserve evidence must be balanced against the
18 The Sedona Canada Principles Addressing Electronic Discovery, January 2008 (“Sedona
Canada Principles”).
15 Lonrho Ltd v Shell Petroleum Co Ltd [1980] 1 WLR 627, 635 per Lord Diplock.
19 Guidelines for the Discovery of Electronic Documents in Ontario, November 2005.
16 Id.
20 Baldwin Janzen Insurance Services (2004) Ltd. v Janzen, 2006 BCSC 554 at para 28; An Act to
Establish A Legal Framework for Information Technology, CQLR, c.C-1.1.
17 Subject to complying with any relevant limitations on the handling of personal information
imposed by the Privacy Act 1988 (Cth).
21 Alvi v YM Inc. Sales 2003 CarswellOnt 3386 at para 48.
party’s right to continue to manage its electronic information
in an economically-reasonable manner, including overwriting
electronic information stored on mobile devices in accordance
with general business practices in appropriate cases.22
II. Production
Once litigation is contemplated, a proportionality exercise
must be undertaken in order to determine whether potentially
relevant information must be collected and produced from
mobile devices. A “practical and efficient approach” should
be taken, and the burden of production on the parties should
remain “proportionate to the issues, interests and money at
stake.”23 There must be a balance of considerations, including
the value of the evidence, and the time and expense involved
in preserving the documents, prior to production. The costs
of producing electronic information should never outweigh
the likely probative value of the information since, if such a
proportionate approach is not taken, the overwhelming costs
associated with electronic discovery may prevent the fair
resolution of litigation disputes.
As relevant information from mobile devices might be
contained in the metadata associated with the producible
documents, electronic information obtained from mobile
devices should be produced in an electronic format.24 Despite
the added requirement to produce electronic documents
in an electronic format, however, parties are expected to
disclose only information that is reasonably accessible. 25
This typically means that parties are not required to produce
deleted or residual information not accessible except through
the help of forensic means, barring exceptional circumstances
such as fraud. These principles ensure that only what is
reasonably expected to be produced is, in fact, produced as
part of the “practical and efficient approach” to electronic
discovery currently in place in Canada.
The European Union Perspective
In the frame of its Digital Agenda For Europe which aims to
help Europe’s citizens and businesses to get the most out of
digital technologies, the European Commission also recalled
Cisco Forecast for 2013–2018 according to which the mobile
data traffic in Western Europe amounted to 253,679 terabytes
per month in 2013 and is projected to reach almost 2,000,000
terabytes per month in 2018. To a broader and more expressive
extent, according to this forecast, the number of mobileconnected devices exceeded the number of people on earth
by the end of 2014.
The exponential use of mobile devices, especially for
professional purpose, raises new ways of working and
sometimes changes users’ behaviors. For example, the BYOD
policy has become commonplace in many companies, where
workers are allowed to use their personal smartphones and
tablets on the company network.26 This explains why – on the
one hand – companies are becoming increasingly concerned
about security issues related to mobile devices, and – on the
other hand – regulators throughout Europe, starting with the
European Commission, are becoming increasingly interested in
information processed by and contained in mobile devices.
Even if there is generally no special treatment for data
produced by mobile devices under Europe law, there are
specific challenges linked to the use of such devices. These
challenges are particularly vexing in the area of discovery, even
if the legal systems of most EU Member States, as well as law
at the EU level, are not discovery-based – the main exception
being the UK:
• Even in non-discovery countries, issues relating to data
availability and retention policies may also be key within
the frame of litigation;
• Law enforcement agencies, and in particular the
Commission, have extensive investigative powers, which
may result in a de facto discovery, in which procedural rules
are less clearly defined than in a discovery-based country.
In both situations, the main difficulty, from a practical point of
view, will be to ascertain whether the mobile devices contain
information that does not exist in other places. For example,
a mobile device may allow accessing the email account of
an employee. However, such access will, in most cases, also
be possible through, for example, a laptop or access to a
company’s network. Similarly, information stored on the cloud
via the mobile device will also be accessible through other
22 Sedona Canada Principles, Comment 3.e.
23 Sedona Canada Principles, Principle 2; Quebec Code of Civil Procedure, Section 4.2.
24 Information printed as a hard copy does not contain potentially relevant metadata.
26 “Companies increasingly concerned on staff using personal devices”, Financial Times of
October 6, 2013 http://www.ft.com/intl/cms/s/0/0ff3241c-2cfb-11e3-a0ac-00144feab7de.
html#axzz3Q11VkLlL.
25 Sedona Canada Principles, Principles 5 and 6.
means. There may be cases, however, where certain files have
been stored exclusively on the device itself; or, for example,
there may be relevant information in certain applications
mainly used on mobile devices (such as chat applications like
Google Hangouts or WhatsApp, or social networks). In this
respect, conversations through social media may constitute
electronic evidence which a company would have to produce
or on which regulators would be able to base proceedings.
Litigation and mobile devices
The main issue in the context of litigation will therefore consist
of assessing the opportunity of requesting the disclosure of
information generated or stored on mobile devices.
UK: Discovery obligations
Like US Law, UK discovery law provides for no special
exclusion for such data. In addition, there is no UK courtapproved guidance on handling and conducting discovery
on mobile devices. In civil proceedings, Civil Procedure Rule
(CPR31.8(1)) provides that a party is required to disclose
documents which are or have been in its “control”. This
is the case if :
• the document is or was in the party’s physical possession,
• the party has or has had a right to possession of it, or
• the party has or has had a right to inspect or take copies
of it.
In addition, Practice Direction 31B of the CPR, which
governs electronic disclosure in civil proceedings, expressly
pertains to mobile devices. One of its key considerations is
the reasonableness of any search from which any disclosure
is made. The best approach would have to be determined in
each case, depending on the company’s rules and the users’
habits. In some cases, however, it may be reasonable to
attempt to obtain all electronic data (or at least all data for the
relevant period). Subsequent review prior to disclosure can be
negotiated by the parties to ensure cost and time efficiencies,
as required by the Practice Direction.
Non-discovery countries
In other Member States, parties have, in principle no legal
obligation to identify and disclose documents within litigation
procedures. In most Member states, however, judges have
the power to request the disclosure of documents, including
electronic data. Although the extent of this disclosure
obligation may be less important than in a discovery system, it
is likely that a refusal to disclose documents based on technical
reasons linked to the storage of information on mobile devices
would not be acceptable to a judge.
The question arises as to whether a judge could order an
entity to produce data stored on employees’ mobile devices,
particularly in companies implementing a BYOD policy.
This should be ascertained on the basis of employment
laws applicable in each country. In France, for example, the
possibility to retrieve data from the mobile device would, to
a large extent, depend on the BYOD rules as defined in the
company’s internal regulations and labor contracts.
Chapter 2
Discovery in the cloud
The rise of cloud computing has created numerous
challenges for lawyers who wish to counsel corporations
on best practices especially in discovery, where
document preservation and collection can run up
against significant hurdles.
02
The rise of cloud computing has created numerous
challenges for lawyers who wish to counsel corporations
on best practices. Nowhere is this more evident
than in the area of discovery, where a litigant’s
efforts to preserve and collect relevant data from
the cloud may run into substantial turbulence.
I. Solidifying the Cloud
The bench and bar often struggle with understanding emerging
technologies. It behooves anyone delving into the legal
implications of cloud computing to learn what it actually is,
how it works and why organizations are adopting it.
The National Institute of Standards and Technology, a division
of the US Department of Commerce, defines cloud computing
as “a model for enabling convenient, on-demand network
access to a shared pool of configurable computing resources
(e.g., networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal
management effort or service provider interaction.” Peter Mell
and Timothy Grance, The NIST Definition of Cloud Computing,
NIST Special Publication 800-145, p. 2 (September 2011). To
put it in simpler terms, cloud computing provides access to
electronic resources (e.g., data. data storage or even software)
via the Internet. This means an individual can use increasingly
smaller mobile platforms to access and utilize increasingly
larger pools of data and more sophisticated software
applications. Although the term “cloud computing” has only
come into fashion in the past few years, the technology has
been present since the early days of the internet. For example,
Hotmail, a web-based email application was introduced
in 1995.
As it exists, cloud computing consists of three broad types or
“flavors”: public, private and hybrid. Public clouds are services
that are open for use by virtually anyone. Examples include
Dropbox, Google Drive and Hotmail (recently rebranded
“Outlook” by Microsoft). Private clouds are established by
and for the sole use of private individuals or organizations.
For less than $100 total, an individual consumer can plug
a small server into his home internet connection, creating
a private cloud which allows them to access to data from
virtually anywhere. Large corporations, of course, deploy
private clouds on a much broader scale. Some organizations
use hybrid clouds use both public and private clouds in
combination, to enable them to meet their storage and delivery
needs. For example, a pharmaceutical company might store
HIPAA-compliant clinical study data in a public cloud while
processing and developing study reports using a private cloud.
For a large organization, cloud computing offers a number
of advantages. Public clouds allow a company to effectively
outsource much of its IT operations. The cloud supplier
maintains and upgrades the infrastructure, thereby reducing
the investment the company must make to keep up with
current technology. Scalability and flexibility in pricing is
another advantage; a company need only pay “per seat” or for
the storage it actually uses. In a private cloud or traditional
storage model, the company must constantly maintain a
reserve level of storage that often goes unused. Of course,
private and hybrid clouds allow a company to benefit from
“access-anywhere” data storage while retaining a greater level
of control and security.
II. Harnessing the Cloud: Discovery
obligations for cloud subscribers.
Some companies may assume that placing data in the cloud
would somehow alter their duty to preserve, collect and
produce relevant information from that data. In the United
States, however, that is not the case. Under Rule 34 of the
Federal Rules of Civil Procedure, a party may be asked to
produce data that is under its “possession, custody, or
control.” As one court succinctly summarized “‘[c]ontrol’
has been construed broadly by the courts as the legal right,
authority, or practical ability to obtain the materials sought
on demand.” Steele Software Systems, Corp. v. DataQuick
Information Systems, Inc., 237 F.R.D. 561,564 (D. Md. 2006).
Because a company has a legal right to obtain its own data
from a third-party cloud service provider, it is effectively in
“control” of the data and may be compelled to collect and
produce it. Furthermore, the Stored Communications Act (18
U.S.C. § 2701, et seq.) (“SCA”) prohibits a service provider
(e.g. telecommunications company, cloud service provider,
etc.) from disclosing to any person or entity the contents of
an electronically stored communication while in storage by
that service provider. The service provider may, however,
disclose the communications with authorization of the service
subscriber. See, e.g., Mintz v. Mark Bartelstein & Assocs., 885
F. Supp. 2d 987,994 (C.D. Cal. 2004) (holding that under
the limitations of the SCA the proper means for a requesting
party to obtain text messages held by a service provider was
to “serv[e] a request for production of documents . . . pursuant
to Rule 34.”). Therefore, it is generally incumbent on the
party, not its service provider, to preserve, collect and produce
information.
III. Stabilizing the Cloud: Preservation
Of course, there are some challenges that accompany cloud
computing. First, complying with preservation obligations
for data stored in the cloud can raise concerns because many
corporations do not have the same level of visibility into or
control of cloud data as they do with data behind their firewall.
The same methods that a company might use to preserve
data stored completely internally on the laptops, internal
mail severs and shared network drives might not work when
this data moved to the cloud, particularly if the company
employs public or hybrid cloud models. In typical litigation for
a typical company with a mature approach to e-discovery, a
company will often issue a litigation hold notice to employees
who create or manage relevant data, instructing them to
refrain from deleting or altering potentially relevant data. The
company may also leverage internal IT resources to ensure
that potentially relevant data (often email subject to autodeletion) is not inadvertently destroyed. Once that company
moves its data to the cloud, however, preservation may become
more complicated, and a company will have to answer certain
questions to ensure that it meets its duty to preserve. Does the
company have administrative rights to the cloud? Where is the
company’s data stored geographically? Does the cloud provider
(or private cloud server) keep or alter metadata? How does the
cloud provider manage disaster recovery systems and are these
under the control of the corporate subscriber? Does the cloud
provider employ any auto-purge functionality? Can the data
be “locked down” so that it remains unchanged throughout
preservation and collection? Ideally, an organization will ask
these questions before settling on a cloud storage method
or choosing a cloud provider and will ensure that any cloud
service agreement addresses these concerns. In fact, one of
the first issues a corporation that has entered the cloud may
unexpectedly face is that their cloud provider might start
charging them for preservation tasks that, in the past, had
been “free” because they were handled by internal IT. If this
issue is not addressed in the cloud contract, preservation costs
could skyrocket and the move to the cloud may not be as costeffective as originally expected.
and “off the grid”, the legal and IT departments are then
deprived of knowledge of an important data store that may
contain information that should be preserved. A litigator who
finds
out about such a trove of data in a custodian interview will
have to take swift measures to ensure that any relevant
data is preserved.
An advantage of public cloud computing is the ease with
which anyone can procure storage and bandwidth. One
problem that may beset a large organization as a result of this
ease, regardless of its official cloud policy, is “credit card IT.”
One need only go to Dropbox.com and enter a company-issued
credit card number to gain access to a terabyte of storage for
under $20 a month, all without going through the company’s
standard provisioning mechanisms and the safeguards that
those mechanisms employ. Once that data goes into the cloud
Generally speaking, in most Australian jurisdictions, a party to
litigation is obliged to discover relevant1 documents that are in
the party’s possession, custody or power.2
IV. Bringing the Cloud down to Earth: Collection
Cloud computing may also confound collection efforts in
litigation. Because the cloud subscriber has reduced its
control of the data, it may not have all the same tools and
access points to pull and secure the data it has stored in the
cloud. For example, when a company owns and operates its
data storage internally, its collection efforts are subject only
to its own resources and technical limitations. If the same
data is stored in a public cloud, however, that company’s
collection efforts may be hindered by bandwidth limitations,
resource constraints, and the possibility that the company’s
data is being stored on the same hardware as other clients
of the cloud service provider. This last point implies another
challenge: ensuring the integrity of the collected data. Will
the company be able to perform integrity checks between
the collected data and the original data remaining in the
cloud? Unless a company can confirm to some degree that the
collected information is accurate, it may be unprepared for an
opponent’s challenges down the road. Similarly, encryption
methods used by the cloud service provider may hinder
efficient collection. With respect to bandwidth, a company may
need to rely on its cloud provider (using its people and its tools)
to collect the data. The cloud provider may not have the same
priorities or schedule as the subscriber and this can cause
unexpected delays. Collection can also lead to unexpected
costs, if prices have not been outlined in the contract.
The practical considerations surrounding discovery in
the cloud in the U.S. are similar to those that apply
in Australia.
1
As discussed in chapter 1, the tests for relevance vary slightly across Australia.
2
The obligation to discover documents in the Federal Court applies to documents in a party’s
“control,” which is defined as “possession, custody or power”. In Victoria, NSW and Western
Australia, the obligation similarly applies to documents within the disclosing party’s
possession, custody or power. In the ACT it is slightly different – possession is defined to
include custody and power. In Qld the obligation is to discover documents in the possession
or under the control of the disclosing party. There is some authority in Queensland that control
may be a more stringent requirement than power.
A party is said to be in possession or custody of a document
where the party physically holds the document, which would
not be the case with documents stored in a cloud server.
By contrast, “power” refers to an enforceable legal right to
inspect the document, or obtain possession or control of
the document, without the need to obtain the consent of
anyone else.3 Provided that the right to inspect or obtain the
documents is presently enforceable, the fact that for physical
reasons it may not be possible for the person to obtain
immediate inspection does not prevent the document from
being within the party’s power.4 This concept of power appears
similar to the concept of “control” discussed in Steele Software
Systems, Corp. v. DataQuick Information Systems, Inc., 237
F.R.D. 561, 564 (D. Md. 2006).
This issue has not yet been tested in an Australian court.
However, if the agreement with the cloud service provider
gives the party the right to retrieve its data without the need to
obtain the service provider’s consent, a court would most likely
consider the documents to be in the party’s power and would
require them to be discovered.
Where the cloud is located outside Australia, there
may be additional matters that require consideration
during the discovery process, such as whether the data
can be removed from that jurisdiction without breaching
local data privacy laws.
The same practical considerations apply to cloud discovery in
Canada as in Australia.
In both Australia and Canada, there is a paucity of
jurisprudence considering whether a litigant is in “possession
or control” of information stored in the cloud. The case law
that does exist proceeds on the assumption that a litigant who
has stored its data in the cloud is in possession or control of
that data and focuses on other issues and, in particular, the
proportionality of the discovery request.
For example in Velsoft Training Materials Inc. v. Global
Courseware Inc.5, the court issued an Anton Piller award
to seize and make mirror images of all electronic devices
and servers, including cloud servers. While the order was
ultimately set aside because the plaintiff could not meet
the criteria otherwise applicable to those types of orders, the
right to search data in the cloud was not seriously questioned.
The reason for the lack of jurisprudence on the issue might
well be that courts will not entertain arguments which would
allow litigants to escape their discovery obligations by storing
data in a cloud pursuant to contracts that do not ensure the
same degree of retrievability as when they are stored on
servers owned and run by the company. This is particularly
true in Quebec where the law provides that a “technological”
document is equivalent to a paper version, provided it
can be readily retrieved and reconstructed in a reliable manner
that ensures the document’s integrity.6
Indeed, courts in Canada seem to be more preoccupied with
ensuring that e- discovery is proportional. In Siemens Canada
Limited v. Sapient Canada Inc.7, for example, the Master was
demonstrably determined to reverse the “default rule” for
e-discovery, namely that everything “relating to” the litigation
is discoverable and to replace it with a “proportionality rule”
where only documents “relevant” to the facts pleaded are to be
the object of e-discovery. The Master emphasized the need for a
cost-benefit analysis to be performed when determining which
custodians and key words to target for e- discovery. Similarly,
he underscored the need to take into account the effect that an
overly broad reach may have on the privacy of individuals.
While information stored in the cloud outside Canada raises
issues relating to the export of data, as is the case in Australia,
the privacy considerations around the legality of the storing
and inter-jurisdictional exchange of such data should, in
theory, have been considered in the light of privacy legislation
at the time the decision was made to store the data in the
cloud. Where these issues have not been so considered, they
must be so at the time of discovery.
The European perspective
Cloud computing is developing exponentially in the European
Union, and the European Commission has identified the key
importance for the European economy of implementing a
cloud computing EU strategy (Unleashing the Potential of Cloud
Computing in Europe, September 2012, MEMO/12/7/13).
Cloud storage is indeed essential for companies struggling with
the management of “big data” as a result of the exponential
development of email and electronic documents.
3
Lonrho Ltd v Shell Petroleum Co Ltd [1980] 1 WLR 627, 635 per Lord Diplock.
4
ibid.
6
An Act to Establish A Legal Framework for Information Technology, CQLR, c.C-1.1.
5
2011 NSSC 274 (CanLII).
7
2014 ONSC 2314 (CanLII).
Yet the use of the cloud may amplify certain aspects of this
struggle, and create new and unforeseen pitfalls to avoid.
The Commission itself recognizes the challenges arising from
cloud development, especially the fact that “the patchwork
of different rules at Member State level increases companies’
uncertainty about their legal obligations, thus delaying the
adoption of cloud computing.”
These challenges may be particularly important in the area of
discovery, even if the legal systems of most EU Member States,
as well as law at the EU level, are not discovery- based – the
main exception being the UK:
• Even in non-discovery countries, issues relating to data
availability and retention policies may also be key within
the frame of private litigation;
• Law enforcement agencies, and, in particular, the
Commission, have extensive investigative powers, which
may result in a de facto discovery, in which procedural rules
are less clearly defined than in a discovery-based country.
I. Private litigation and the cloud
The difficulties arising from companies storing data in the
cloud essentially result from the fact that data is stored away
from the company’s premises, most of the times in different
and unknown locations. However, in most cases, this will
not change – and clearly not alleviate – disclosure or
retention obligations or needs, both in discovery and
non-discovery countries.
UK: Discovery Obligations Remain in the Cloud
The lack of proximity makes it less easy to know whether the
conditions for a discovery obligation are fulfilled. In the UK,
the applicable Civil Procedure Rule (CPR 31.8(1)) provides that
a party is required to disclose documents which are or have
been in its “control”. This is the case if:
• the document is or was in the party’s physical possession
• the party has or has had a right to possession of it or
• the party has or has had a right to inspect or take copies
of it.
The Electronic Disclosure Questionnaire provides guidance
on how these rules should be interpreted; however, instead of
expressly referring to the cloud, it references “off-site storage”
in general.
Whether the courts will consider that documents stored in the
cloud fulfill these conditions, remains to be seen, considering
that the concerned company no longer has physical
possession. However, in most cases, a right to possession
should result from the contractual documents with the cloud
services provider, which is usually held by an availability
obligation. This means that the documents are in the party’s
control and that there is a disclosure obligation.
Having document retention obligations in place as soon as
litigation is possible may also raise issues, since imposing a
hold policy may be made more difficult from a practical point
of view. Nevertheless, a party trying to justify the breach of this
obligation by the fact that data is stored on the cloud
would be likely to find little success in front of a judge.
Non-discovery countries
In other Member states, parties have, in principle, no legal
obligation to identify and disclose documents within litigation
procedures. However, in most Member States judges have
the power to request the disclosure of documents, including
electronic data. Although the extent of this disclosure
obligation may be less important than in a discovery
system, it is likely that a refusal to disclose documents based
on technical reasons related to the cloud would not be
acceptable by the judge.
In addition, parties must be able to access the data they plan to
use to support their claims.
II. Governance measures
Most of the pitfalls identified in this white paper may be
avoided through a careful review and negotiation of the
cloud service agreement. The European Commission and
most Member States data protection agencies have published
practical guidelines concerning service level agreements
in cloud services contracts, which may prove useful when
negotiating these contracts. Companies should be particularly
attentive to the provisions relating to the availability of data,
the time periods provided for the data to be made available,
and the obligation of the service provider to inform the
company of any access request received from a court or a
governmental body.
Chapter 3
What are the intricacies of
cross-border discovery?
In order to conduct discovery effectively, parties in litigation
may be challenged to consider relevant data protection,
disclosures, and other regulations across jurisdictions.
These sometimes competing regulations may add an
additional layer of complexity which should be addressed
early in the discovery process.
03
What are the intricacies of cross-border discovery?
Companies may face potential legal hurdles when the discovery process crosses
borders. In order to conduct discovery effectively, parties in litigation may be
challenged to consider relevant data protection, disclosure and other regulations
across jurisdictions. These sometimes competing regulations may add an additional
layer of complexity which should be addressed early in the discovery process.
Understanding IT systems and how and where they store
potentially relevant information is an important and necessary
step in conducting discovery effectively and efficiently. This
is even more important when discovery crosses borders
and we need to preserve, collect and produce information
and documents from other countries. This process may add
a level of technical complexity as well as potential legal
hurdles, as data protection, state secret, surveillance and
telecommunications laws can restrict the client’s ability to
process and transfer data.
Determine, as early as possible, whether documents that
are potentially relevant to the litigation exist in foreign
jurisdictions. Norton Rose Fulbright is fortunate to have
a considerable breadth of subject matter experts on data
protection and other relevant regulations in many jurisdictions
where documents may need to be obtained. Two useful
resources are Norton Rose Fulbright’s Global Data Privacy
Directory and the Sedona Conference’s International Principles
on Discovery, Disclosure and Data Protection.
In order to plan and implement cross-border discovery
effectively and efficiently, the following issues should be
considered:
1. Where is the data physically located? In what countries
and jurisdictions is the data located? Certain laws may
restrict the ability to collect, process and transfer the data.
2. Where are the employees (whose data is at issue)
physically located and where are their employers
legally established? Both will be relevant to determining
applicable law for data-related restrictions.
3. What is the data that is relevant and does it contain
personal information or other sensitive information?
Over-preservation and over-collection can be more
significant issues outside the US because they not only
increase costs, but can also lead to liability.
Focus on the data that is important and determine
whether it contains personal information, state secrets or
other sensitive information.
4. W
hat is the company’s organizational structure and
what is the relationship between the US entity and the
foreign affiliates? These facts can have several significant
effects on discovery. Does the US entity have possession,
custody and control of the foreign data? Is the US entity
the data controller or responsible for the data overseas or
is it an affiliate?
5. Who is running the litigation and what claims have
been made against which entities? If another member of
the organizational family or retained counsel is running
the litigation, this can complicate the ability to search and
review the documents.
6. Does the company have data protection/privacy
policies and/or a data protection/privacy officer? It is
crucial to know what the company has in place to protect
the privacy and confidentiality of personal and proprietary
information. In certain jurisdictions, the company may
have made filings with local regulators and/or may need
to make additional filings. By implementing policies and
providing notice to employees, the company may have
given itself latitude to do certain discovery, but it may have
also tied its hands.
7. Does the company have Binding Corporate Rules
(BCRs), intra-company data transfer agreements or is
it “Safe Harbored” and do these arrangements include
the transfer of information required in litigation?
Likewise, to the extent that the company intends to
transfer and review data across the organizational family,
it is important to understand what agreements are
in place that allow for compliant intra-company
transfer and disclosure.
8. Does the company have Workers Councils (or
unions) and, if so, do any agreements address the
information and do local employment laws impose any
further consultation prerequisites or prior approval
rights (even without collective or workers council
agreements)? To the extent that employees are members
of or protected by Workers Councils or unions, the
agreements between the company and these organizations
and local employment law can further limit a company’s
ability to preserve, search and disclose employee
documents.
9. Does the company believe any relevant data exists on
BYOD personal devices or personal e-mail? In the US,
courts are taking an expansive view of a corporations
obligation to obtain data from personal devices and
e-mail. Many privacy-focused jurisdictions, like the
member states of the European Union, take an even
harsher view of this intrusion.
10. Where does the data need to be produced? Determining
to whom and where the data needs to eventually go
(including intermediate review stages by the company and
other foreign attorneys) is critical because a plan needs to
be developed that will allow the appropriate transfers and
minimize the risk to the company.
Global organizations and their counsel are often confronted
with collecting, processing, reviewing and producing
documents that reside outside of their respective jurisdictions,
often in the case of separate, but affiliated entities. This adds
an additional layer of complexity to an already complicated
process.
When attempting to obtain documents that exist beyond the
Canadian border, it is important to plan ahead. It is necessary
to consider (a) whether local laws in the home state allow for
the collection and processing of data; (b) whether technology
can assist with cross-border discovery and (c) which laws –
data, privacy or other – are implicated if data is moved from
the foreign jurisdiction to Canada.
If the request to export data to Canada is with a member
country of the European Union (“EU”), there is a presumption
that Canadian domestic law provides “adequate protections”
for the export of personal information, except in the case
of employees who are not federally regulated or personal
information exported to a non-commercial entity.1
To determine whether a court or entity in a foreign jurisdiction
is entitled to obtain documents in the course of discovery
from a Canadian entity, existing privacy policies should be
considered. Some global entities will have privacy policies that
have been properly communicated and designed to obtain
valid employee consent to the sharing of information across
borders and affiliates. In such a case, a foreign affiliate may
already have legal access to personal information of Canadian
employees in which case nothing further is required. Absent
such a policy, the foreign jurisdiction will likely have to submit
a Letter of Request and Application to a Canadian court. This
Letter of Request must outline why the evidence is (a) relevant
(b) necessary for trial (c) not otherwise obtainable (d) not
contrary to public policy (e) reasonably specified and (f) not
unduly burdensome.2
In conclusion, cross-border discovery should be conducted
with the assistance of knowledgeable local privacy litigation
counsel and various threshold questions should be considered
to ensure legality.
The English perspective
The practical considerations surrounding cross-border
e-disclosure in the US also apply to English proceedings.
In addition, the recent procedural reforms in England have
impacted upon the disclosure (discovery) process and require
parties to start thinking about these practical considerations
early in proceedings.
Key changes to the disclosure process went into effect on 1
April 2013. Each party must now file and serve a disclosure
report at an early stage of the proceedings - 14 days before
the case management conference (CMC). The report must
describe the relevant documents that exist, where they are,
how electronic documents are stored and it must provide for
an estimate of costs of standard disclosure. Parties are also
required to meet at least seven days before the CMC to discuss
and try to agree the scope of disclosure.
Although disclosure is expansive in terms of the definition of
“document” and “control,” covering documents outside the
jurisdiction, the parties are encouraged to agree to limit its
scope to promote the overriding principle of proportionality
1
General Counsel of Seventh Day Adventists v. Tiffin (2001) Carswell Ont. 660. 142 O.A.C.
(386) C.A.
2
2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC.
What are the intricacies of cross-border discovery?
(Civil Procedure Rule 1.1(2)(c)) and the court will have regard
to this overriding principle in its case management.
The parties may also be ordered to exchange an electronic
documents questionnaire if the court considers the agreement
reached between the parties in relation to the disclosure of
electronic documents to be inappropriate or insufficient. This
sets out information as to the scope, extent and most suitable
format for disclosure of electronic documents, including those
outside the jurisdiction.
Further reforms have introduced additional rules on cost
budgets and the need for accurate estimates of costs. Given
that the disclosure process usually accounts for a significant
proportion of total costs of a case, there is now even more
need for practitioners to give proper thought to planning and
costing the disclosure process. Any budget should consider
the practicalities of accessing and reviewing documents
from outside the jurisdiction and must do so as accurately
as possible. If the budget is wrong, a formal application can
be made to court to approve a revision but there must be
good reason for this. A mere mistake or miscalculation
in the amounts of data in other jurisdictions is unlikely
to be sufficient.
Disclosure (and particularly e-disclosure) necessitates careful
planning and management in all cases, but the recent reforms
to the procedural rules make it clear that parties also have to
consider the practicalities of disclosure and discuss the scope
and cost with each other early on in proceedings.
Just as in the US, cross-border discovery and disclosure in
Australia requires counsel to consider a number of sometimes
competing concerns before committing to a course of action.
Whether an Australian Court can make
discovery orders affecting an entity overseas
Several Australian cases have held that an Australian court
has power to order the disclosure of documents held by an
overseas entity that is a party to the litigation. The prevailing
view is that as discovery is a matter of procedure, the law
of the forum (i.e., Australia) governs matters of practice
and procedure.3 The fact that compliance with an order
for disclosure might render a party subject to the risk of
3
See Michael Wilson & Partners Ltd v Robert Colin Nicholls & Ors (2008) 74 NSWLR 218 per
Brereton J. Brereton J noted that where foreign obligations of confidentiality are involved, the
Court may limit or dispense with discovery or production as a matter of discretion, taking into
account whether the party is the plaintiff or defendant, and the identity of the third parties
whose confidentiality is at stake.
a prosecution under foreign law is relevant to the Court’s
discretion as to whether to make a discovery order but is not a
reason in itself not to make the order.4
In ACCC v Prsymian Cavi E Sistemi Energia SRL (No 7)5,
Besanko J refused to dismiss a Federal Court discovery order
made against a French company. Besanko J held that while
describing the documents in a list and producing them may
result in a breach of the French “blocking statute,” it was
unlikely that the French company would be prosecuted if it
complied with the Australian discovery order.
In ACCC v Prsymian Cavi E Sistemi Energia SRL (No 8)6,
Besanko J observed that foreign law, showing the impossibility
of compliance with a discovery order of the Court, may be
relevant to whether the Court would make orders in respect of
non-compliance with a discovery order.
Does the party have control over documents held overseas?
Broadly speaking, in Australia, a party to litigation is only
required to disclose relevant documents over which it has
control.7 Where the litigation is between Australian resident
companies, documents which are in an overseas jurisdiction
may not be held by the litigating party but may well be held
by a related entity. The issue that arises then is whether those
documents can be said to be in the control of the litigating
party. Assuming that a “regular” corporate structure exists,
an Australian court will usually be reluctant to pierce the
corporate veil to rule that documents held by an overseas
parent company are within the control of an Australian
subsidiary and order the disclosure of those documents.8
Different considerations may arise if the companies are not
4
ACCC v Prsymian Cavi E Sistemi Energia SRL (No 7) [2014] FCA 5. Leave to appeal against
this decision was denied by White J in Nexans SA RCS Paris v ACCC (2014) FCA 255. White J
dismissed an argument that Besanko J failed to have regard to the principle of comity as stated
in Hua Wang Bank Berhard v Cmr of Taxation (2013) FCAFC 28, namely the need for caution
where there is intrusion on the sovereignty of a foreign state, and where enforcing Australian
laws may infringe legislative policies of other countries.
5
Ibid.
6
[2014] FCA 376.
7 Control is defined in the Federal Court Rules as meaning possession, custody or power. The
discovery obligation in Victoria, NSW and Western Australia applies to documents within the
disclosing party’s possession, custody or power. In the ACT it is slightly different - possession,
custody and power. In Qld it is limited to documents in the possession or under the control of
the disclosing party. The terms “possession”, “custody” and “power” refer to three alternative
states – “possession” refers to ownership, “custody” refers to the physical holding of the
document, irrespective of ownership, and “power” refers to a presently enforceable legal right
to inspect the document or obtain possession or control of the document without the need to
obtain the consent of anyone else
8 Gambro v Fresenius Medical [2002] FCA 1359 per Tamberlin J. Tamberlin J noted that
documents which may be possibly be relevant and that are in the possession of the subsidiary
company, depending on the corporate structure, may not be even within the control or power
of the parent company (citing Lonrho Ltd v Shell Petroleum Co Ltd [1980] 1 WLR 627; DouglasHill v Parke Davis Pty Ltd (1990) 54 SASR 346 at 350-2). See also ACCC v Prsymian Cavi E
Sistemi Energia SRL (No 8) where Besanko J declined to order a subsidiary company to disclose
documents held by another subsidiary in the corporate group .
truly operating as separate legal entities or where company
documents are stored on shared computer platforms. In some
cases, it may be necessary to disclose the documents for either
tactical or pleading reasons.
Although a party that does not have present control over a
document is not obliged to take reasonable steps to obtain
control over the document9, the Federal Court10 may, however,
order a party to take reasonable steps to obtain access to and
discover documents which are in the possession, custody and
power of a third party, where there is a real likelihood that the
party would be given access to the documents upon request
(termed a Sabre order11).
In Psalidis & Anor v Norwich Union Life Australia Ltd12,
Cavanough J of the Victorian Supreme Court noted that in
most cases where a Sabre order has been sought, there has
been a real difficulty in using the usual processes of partyparty discovery, third-party discovery or subpoenas. A typical
example is where the documents are overseas and are in the
possession of some entity that is not readily amenable to the
ordinary processes of the jurisdiction.13
Is it reasonable to search for documents held overseas?
In Federal Court litigation, a party is only required to disclose
documents of which it is aware after a reasonable search.14 To
determine whether a search is reasonable, a party must take
into account the nature and complexity of the proceedings, the
number of documents involved, the ease and cost of retrieving
a document, the significance of any document likely to be
found, and any other relevant matter.
were held only in paper copy in a remote location), and
where those documents are unlikely to be of significance.
Whether an Australian company can resist disclosure to
an overseas entity on privacy or data protection grounds
The Australian Privacy Act of 1988 regulates the collection, use
and disclosure of personal information15 by entities that have a
turnover of more than $3 million, and by government bodies.
An entity covered by the Privacy Act can only disclose personal
information about an individual to overseas recipients, if it
takes reasonable steps to ensure that the overseas recipient
does not breach the Australian Privacy Principles16 in relation
to the information.17
There are some exceptions:
(1) If the entity reasonably believes that: (i) the recipient of the
information is subject to a law, or binding scheme, that has the
effect of protecting the information in a way that, overall, is at
least substantially similar to the way in which the Australian
Privacy Principles protect the information; and (ii) there are
mechanisms that the individual (whose personal information
has been disclosed) can access to take action to enforce that
protection of the law or binding scheme; or
(2) the disclosure of the information is required or authorised
by or under an Australian law or a court/tribunal order.
In the case of documents held overseas, after making
reasonable efforts to search for documents, a party may
be able to argue that it was not reasonable to continue
searching, if it would be difficult and costly for the party
to retrieve the documents (for example, if the documents
9 Gambro Pty Ltd v Fresenius Medical Care Australia Pty Ltd [2002] FCA 581, Dorajay Pty Ltd v
Aristocrat Leisure Ltd [2006] FCA 335 (NB: in the context of compliance with a subpoena) .
10 Some state Courts have also held that they have similar power to make such an order. This will
depend on the applicable court rules in each case .
11 In Sabre Corporation Pty Ltd v Russ Kalvin’s Hair Care Co (1993) 46 FCR 428 the applicants,
who had the exclusive right to distribute Joico hair products in Australia, brought proceedings
alleging that the respondent had engaged in misleading and deceptive conduct by selling a
generic version of Joico hair products. The documents containing the formulation of the Joico
hair products were not in the control of the applicant. Lockhart J ordered the applicant to
request those documents from the United States manufacturer of Joico products, with whom
the applicant had a close business relationship .
12 (2009) 29 VR 123.
13 At [124], citing Sabre, Bova v Avati [2009] NSWSC 921 at [370] – [374], compare SPI Spirits
(Cyprus) Ltd v Diageo Australia Ltd (No 2) (2006) 155 FCR 150.
14 Victoria has a similar limitation regarding reasonable searches.
15 Personal information is defined as information or an opinion about an identified individual, or
an individual who is reasonably identifiable: (a) whether the information or opinion is true or
not; and, (b) whether the information or opinion is recorded in a material form or not.
16 Other than Australian Privacy Principle 1.
17 Australian Privacy Principle 8.
Chapter 4
Is it reasonable to rely on employees
to preserve documents?
Preserving and protecting electronically stored information
that may be relevant in potential or actual litigation is a trending
area that affects both in-house and outside litigation counsel.
04
Generally, a party in litigation with pre-trial discovery
must take reasonable steps to prevent the destruction or
modification of relevant information. This preservation duty
can be broken into two key components: (1) identifying the
relevant information (or at least where it is stored); and (2)
preventing its modification or deletion.
Is it reasonable for a party to rely on its employees to
accomplish these two tasks? Usually, the general answer is
YES, but there are some important qualifications. The entire
point behind a legal hold notice is to notify employees of the
duty to preserve and to stop them from deleting or modifying
relevant information. Legal hold notices have been the core
of preserving documents in the United States for more than
a decade. See e.g. Zubulake v. UBS Warburg LLC, 229 F.R.D.
422, 434 (SDNY 2004) (“Zubulake V”). Legal hold notices are
reasonable because the cost of issuing them is relatively low
and the benefit received from them is high. Most companies
have highly decentralized data management systems and
employees are in the best position to know their data
(identification) and have the most direct control (preservation).
The other preservation options – either the complete collection
of an entire data source (e.g. hard drive, e-mail account, or
server) or some type of search – can lead to even greater overpreservation and are more expensive.
However, relying on employees is not without risk and requires
more active participation by IT and external and in-house
counsel to (1) provide clear instructions and guidance to the
employees; (2) support the employees and answer questions;
and (3) oversee and monitor their progress to ensure that they
are fulfilling their obligations. See id. at 432. It is best practice
to interview and communicate with the most important players
to make sure they understand what is relevant and what they
need to be doing to preserve information. See id. at 433. Where
a company’s IT systems automatically delete information, such
as a janitor system on e-mail, the duty to monitor and engage
with employees is greater because the employees need to take
affirmative steps to identify and preserve information. See
Apple, Inc. v. Samsung Elecs. Co. Ltd., No. C 11-1846 LHK (PSG)
(N.D. Cal. July 25, 2012). Depending on the case, you may
consider temporarily suspending an automatic delete process,
or taking a “snapshot” in time of certain or all e-mail boxes,
until more details are known about the scope of discovery.
In certain cases, a legal hold notice may be insufficient or
considered unreasonable:
(1) An employee may be in conflict with his employer or
accused of malfeasance (sending a whistleblower or someone
accused of embezzlement a hold notice is unlikely to be
effective);
(2) Some courts may consider an individual with a direct stake
in the litigation (e.g. an officer with personal liability or an
individual plaintiff) unreliable, as their definition of relevant
may be too narrow or biased;
(3) Legal holds to employees will likely be ineffective in
preserving data that the employees do not directly control
(e.g., deleted data on their hard drives, the company website,
enterprise databases, or disaster recovery tapes).
Finally, issuing legal holds and relying on employees are
important steps in a legal team’s attempts to preserve relevant
information and they can be used with other tools depending
on value and risk (forensically image certain drives, snap
shot some data sources, and rely on employees for others).
Remember, perfection is not the standard. Act in good faith
and make reasonable, conservative, timely, and informed
decisions to find and preserve data, and you will make
reasonable preservation decisions.
In common law jurisdictions in Canada, as in the United States,
a party to a litigation or a party that reasonably anticipates
litigation should take reasonable steps to preserve relevant
documents. Sedona Canada Principle 3 provides that “as
soon as litigation is reasonably anticipated, parties must
consider their obligation to take reasonable and good faith
steps to preserve potentially relevant electronically stored
information.”1 The Ontario e-Discovery Guidelines provide
that the obligation to preserve relevant electronic documents
arises when litigation is “contemplated or threatened.”2 In
the civil law jurisdiction of Quebec, discovery allows for the
communication of documents “relating to the issues.” The
question then becomes whether it is reasonable, in both
common and civil law jurisdictions in Canada for a party to rely
on its employees to preserve relevant documents.3
1
The Sedona Conference Working Group 7 (WG7) The Sedona Canada Principles Addressing
Electronic Discovery (Jan. 2008).
2
Ontario Bar Association Discovery Task Force Sub- Committee, Guidelines for the Discovery of
Electronic Documents in Ontario at 5.
3
“Section 397.1 et seq of the Code of Civil Procedure.
Is it reasonable to rely on employees to preserve documents?
As in the US, the answer is YES, with limitations. A legal
hold notice which sufficiently describes the nature of the
case and what should be preserved should be sent to key
individuals as soon as litigation is imminent. It is imperative
that in-house counsel and IT are involved at each stage of the
preservation process. Employees should be educated on the
perils of selective collection efforts and the legal ramifications
of intentionally or unintentionally destroying documents.
Finally, in Canada, the principle of proportionality should
be considered. Common law courts have opined that “the
obligation to preserve relevant electronic documents must be
balanced against other considerations, including the value
of the evidence, the time and expense involved in preserving
the documents, as well as privacy and confidentiality
considerations.”4 A similar principle of proportionality applies
to all Quebec proceedings.5
Even though Canadian jurisprudence on preservation, selfcollection and litigation holds are not as developed as in
the US, these issues should not be ignored by Canadian
practitioners or thought to be limited to complex commercial
lawsuits. A thorough understanding of these concepts is
critical to Canadian litigation and requires the “universal
understanding of the Canadian bar.”6
As the guidance in CPR Part 31 (dealing with the disclosure of
documents more generally) goes on to suggest, it is not enough
simply to give instructions that documents be preserved; steps
should be taken to ensure that documents are preserved.
In the case of Infabrics Ltd v Jaytex Ltd [1985] F.S.R. 75, the
maxim omnia praesummuntur contra spoliatorem (everything
is presumed against he who destroys) was applied against a
defendant who had not preserved documents affecting the
quantum of damage notwithstanding instructions from the
defendant company’s director to preserve such records.
In practice, should a party with the engagement of in-house
counsel and IT, suspend any routine document destruction
policy and adhere to the detailed instructions provided by
its solicitors in relation to the preservation of documents,
including educating key employees on the legal ramifications
of intentionally or unintentionally destroying documents,
the question of reliance on employees for such document
preservation should not necessarily be an issue.
Australia
Although the formal “litigation hold” concept does not apply
in England as such, Practice Direction 31B (paragraph 7) of
the Civil Procedure Rules (CPR) (dealing with the disclosure of
electronic documents) does state that “as soon as litigation is
contemplated, the parties’ legal representatives must notify their
clients of the need to preserve disclosable documents…which
would otherwise be deleted in accordance with a document
retention policy or in the ordinary course of business.” This is
done by way of a detailed letter to the client explaining its
disclosure obligations and the rules as to spoliation, including
important instructions about the creation, destruction and
amending of documents.
As in England, there is no formal requirement in Australia
to issue a “litigation hold” when litigation is anticipated.
However, there is an obligation under the general law to
preserve documents of potential relevance to anticipated
litigation. The obligation is articulated in each Australian
jurisdiction where it is a criminal offence to intentionally
destroy, conceal, alter or falsify evidence. The Victorian
legislation sets the benchmark as it most clearly applies to
evidence which might be required in a future proceeding.7 In
NSW, regulation 177 of the Legal Profession Regulation 2005
expressly prohibits legal practitioners from destroying or
moving a document from the place where it is kept or from the
person who has possession or control of it, and from advising
a client to do the same, if legal proceedings are likely to be
commenced and the document may be required. Given these
provisions, it is prudent practice to issue a litigation hold once
proceedings are anticipated or likely.
Therefore, in common with the position in the US and Canada,
the answer, in broad terms, is YES - it is reasonable to rely on
employees to preserve documents – but the party (and, to an
extent, their solicitor) must take positive steps to ensure that
such document preservation is being carried out effectively.
Where a party alleges that the destruction of documents before
the commencement of proceedings is prejudicial, the criterion
for court intervention “...(other than by drawing adverse
inferences, and particularly if the sanction sought is striking
out of the pleading) is whether that conduct of the other party
The English perspective
4
McCaffrey v. Paleolog, 2006 BCSC 69 (CanLII).
5
Section 4.1 of the Code of Civil Procedure.
6
The Sedona Canada Principles, supra.
7
This legislation, and the NSW regulation discussed in the following sentence, was introduced
following the Victorian Court of Appeal decision in British American Tobacco Australia Services
Limited v Cowell (as representing the estate of Rolah McCabe, deceased) (2002) 7VR 524.
amounted to an attempt to pervert the course of justice or,
if open, contempt of court occurring before the litigation
was on foot.”8
Once proceedings are commenced, Australian solicitors
have a duty to explain to their clients the requirement to
disclose relevant documents in litigation and to ensure that
clients comply with disclosure requirements. In a number of
Australian jurisdictions, solicitor are also required to certify to
the relevant court that they have explained to their client the
duty of disclosure. Solicitors should consider ceasing to act
if they consider that their client is not complying with their
disclosure obligations or has destroyed relevant evidence.9
Is it reasonable for a party to rely on its employees to preserve
relevant documents? As is the case within other jurisdictions,
a party to litigation must ensure that its employees understand
the directions given, and that employees comply with the
directions. In some cases it may be necessary to consider
whether external parties should be involved in implementing
the litigation hold (especially where the case involves
8
British American Tobacco Australia Services Limited v Cowell (as representing the estate of
Rolah McCabe, deceased) (2002) 7 VR 524.
9
Court procedure legislation in a number of Australian jurisdictions now imposes express
duties on parties to litigation to further the overarching purpose of the courts to resolve
disputes in a just, efficient and cost-effective way (e.g. s37N Federal Court of Australia Act
(Cth), s56 Civil Procedure Act (NSW), s10 Civil Procedure Act (Vic)). In Palavi v Radio 2UE
Sydney Pty Ltd, [2011] NSWCA 264 Allsop P of the NSW Court of Appeal noted that the duty
imposed by the NSW Civil Procedure Act, to act responsibly and honestly in court proceedings
should form the framework of the exercise of the court’s power to strike out proceedings,
where a party deliberately destroys discoverable material.
allegations against the employees who would otherwise
be asked to implement the litigation hold). In Victoria, a
corporation that is accused of destroying evidence may rely
on a defense of due diligence, but if its corporate culture is
such that the destruction was encouraged or tolerated, then its
representatives may face a significant fine.
Our global offices
Canada
Calgary
Montréal
Ottawa
Québec
Toronto
Europe
Amsterdam
Athens
Brussels
Frankfurt
Hamburg
London
Milan
Moscow
Munich
Paris
Piraeus
Warsaw
Kazakhstan
Almaty
USA
Austin
Dallas
Denver
Houston
Los Angeles
Minneapolis
New York
PittsburghSouthpointe
San Antonio
St Louis
Washington DC
Latin America
Bogotá
Caracas
Rio de Janeiro
Africa
Bujumbura**
Cape Town
Casablanca
Dar es Salaam
Durban
Harare**
Johannesburg
Kampala**
Middle East
Abu Dhabi
Bahrain
Dubai
Riyadh*
Asia
Bangkok
Beijing
Hong Kong
Jakarta*
Shanghai
Singapore
Tokyo
Australia
Brisbane
Melbourne
Perth
Sydney
*associate office
**alliance
2014 in review
Norton Rose Fulbright
Norton Rose Fulbright is a global legal practice. We provide the world’s preeminent
corporations and financial institutions with a full business law service. We have more than
3800 lawyers and other legal staff based in more than 50 cities across Europe, the United
States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
Recognized for our industry focus, we are strong across all the key industry sectors: financial
institutions; energy; infrastructure, mining and commodities; transport; technology and
innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global business principles of quality,
unity and integrity. We aim to provide the highest possible standard of legal service in each of
our offices and to maintain that level of quality at every point of contact.
Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia,
Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate
legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein.
Norton Rose Fulbright Verein helps coordinate the activities of the members but does not
itself provide legal services to clients.
More than 50 locations, including Houston, New York, London,
Toronto, Hong Kong, Singapore, Sydney, Johannesburg and Dubai.
Attorney advertising
References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their
respective affiliates (together ‘Norton Rose Fulbright entity/entities’). The principal office of Norton Rose Fulbright US LLP in Texas is in Houston.
Save that exclusively for the purposes of compliance with US bar rules, where James W. Repass will be responsible for the content of this publication,
no individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not
such individual is described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication.
Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose
Fulbright entity. The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the
law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any
particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.
© Norton Rose Fulbright US LLP 12/15 (US/mo/im)
Extracts may be copied provided their source is acknowledged.
Law around the world
nortonrosefulbright.com

eDiscovery around the globe

Transcription

Similar documents

PDF - Inside Africa

iPPlus Sales Sheet - IP Plus Consulting, Inc.

Open Cloud Initaitive http://www.opencloudinitiative.org/ Sam

January 2015 - ZATIS TECHNOLOGY GROUP

Cloud Identification Guide

AppRiver - Franchise services Inc.

Oh My! Rose - Tagawa Gardens

Ziptech January 2015 Newsletter v 1 1 2

Black Baccara Rose - Green Haven Garden Centre