eDiscovery around the globe
Transcription
eDiscovery around the globe
Financial institutions Energy Infrastructure, mining and commodities Transport Technology and innovation Life sciences and healthcare eDiscovery around the globe Dear friends: Welcome to Norton Rose Fulbright’s Global eDiscovery 2015 white paper. As a global legal practice representing clients in disputes across the world, we recognize that it’s important for litigators to understand how discovery impacts cases both at home and abroad. The articles in this collection address four different aspects of discovery: mobile devices, the cloud, cross-border discovery, and preservation. • The firstRose article addresses the growing trend toward using mobile devices in discovery procedures Norton Fulbright and the unique challenges and burdens parties face when attempting to preserve and collect that digital information. Norton Rose Fulbright is a global legal practice. We provide the world’s preeminent • The second article addresses the preservation and collection of data in the cloud and how those corporations and financial institutions with a full business law service. We have more than practices change from jurisdiction tothan jurisdiction. 3800 lawyers and other legal staff based in more 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia. • The third article examines the practical ways to address cross-border discovery from four different Recognized for our industry focus, are strong across all the keyand industry sectors:solutions financial for processing and perspectives, focusing onweextrajudicial discovery practical institutions; energy; infrastructure, mining and commodities; transport; technology and transferring data to be used in litigation. innovation; and life sciences and healthcare. • The fourth article addresses the question of whether a party may rely on its employees as the Wherever we are, we operate in accordance with our global business principles of quality, primary tools to conduct preservation and when that may not be reasonable. unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact. We hope that considering these discovery issues from a global perspective will not only help you solve in your individual butLLP, willNorton give Rose you valuable information to help you manage Nortonproblems Rose Fulbright US LLP, Norton Rosecases Fulbright Fulbright Australia, Nortonglobal Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate your litigation portfolio. legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not Best regards, itself provide legal services to clients. David J. Kessler Chair, e-Discovery and Information Governance Practice Group More than 50 locations, including Houston, New York, London, Toronto, Hong Kong, Singapore, Sydney, Johannesburg and Dubai. Attorney advertising References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose Fulbright entity/entities’). The principal office of Norton Rose Fulbright US LLP in Texas is in Houston. Save that exclusively for the purposes of compliance with US bar rules, where James W. Repass will be responsible for the content of this publication, no individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not eDiscovery around the globe A Norton Rose Fulbright white paper December 2015 Global contributors If you would like further information, please contact David Kessler, chair of the e-Discovery practice. United States Canada David Kessler Partner, New York Tel +1 212 318 3382 [email protected] Christine Carron Senior Partner, Montreal Tel +1 514 847 4404 [email protected] Andrea D’Ambra Senior Counsel, New York Tel +1 212 318 3015 [email protected] Kelly Moffet-Burima Associate, Calgary Tel +1 403 267 8215 [email protected] Alex Altman Associate, New York Tel +1 212 318 3230 [email protected] Sojourner King E-Discovery Counsel Tel +1 416 216 2327 [email protected] Australia Europe Grant Bonner Partner, Sydney Tel +61 2 9330 8382 [email protected] Peter Scott Partner, London Tel +44 20 7444 3834 [email protected] Abigail McGregor Partner, Melbourne Tel +61 3 8686 6632 [email protected] Marta Giner Partner, Paris Tel +33 1 56 59 52 72 [email protected] Carolyn Wyatt National Applied Legal Technology Operations Manager Tel +61 8 6212 3229 [email protected] Michel Pflieger Associate, Paris Tel +33 1 56 59 52 74 [email protected] Contents Global key contact page 04 Chapter 1: Discovery and mobile devices 06 Chapter 2: Discovery in the cloud 14 Chapter 3: What are the intricacies of cross-border discovery? 20 Chapter 4: Is it reasonable to rely on employees to preserve documents? 25 Chapter 1 Discovery and mobile devices With the explosion in mobile data usage, we expect to see a growth in discovery from mobile devices in civil litigation. 01 Discovery and mobile devices According to Cisco Systems, global mobile data traffic is expected to quadruple in the next three years, from 2.6 to 10.8 exabytes per month.1 For most companies, it is expected that some, most, or all work will be conducted over a mobile device that may be owned by the company or an employee. With this explosion in mobile data usage, we expect to see a growth in discovery from mobile devices in civil litigation. Mobile devices, however, present unique challenges and increased burdens for parties attempting to preserve and collect information. What are “mobile devices”? In short, a mobile device is any portable electronic device capable of communicating data through a mobile network. The most commonly thought of mobile devices are cell phones, smartphones, e-readers, and tablets (e.g., iPads). However, the oldest and most common mobile device is the laptop. Furthermore, many companies have customized mobile devices that have been developed for their businesses, such as portable barcode scanners and pipe-testing equipment. Moreover, a new generation of mobile devices (socalled “wearables”) is coming of age and will exponentially increase the volume of mobile data traffic and potential data stores. Wearables include Google Glass, the Apple Watch and FitBit. Whatever the format, each of these devices is capable of storing and transmitting data that may be relevant to litigation. It is important, therefore, to understand how current laws are equipped to manage discovery for mobile devices. The United States perspective I. Are mobile devices even discoverable? Yes. There is no special exclusion for data generated from or stored on mobile devices under U.S. discovery law. Even where the data on mobile devices may be considered ephemeral that does not per se exclude the data from discovery.2 That does not, however, mean that litigants must preserve, collect, and produce all data on mobile devices used by their employees. To determine the extent of its discovery duties, a party needs to consider three sub-questions: 1 Cisco VNI Global Mobile Data Traffic Forecast, 2013 – 2018 (available at http://www. cisco.com/c/en/us/ solutions/collateral/service-provider/visual-networking- index-vni/ white_paper_c11-520862.html). To illustrate the scope of this figure, an exabyte is equal to 1 billion gigabytes (GB) of data, or more than 75 trillion pages of text. 2 See, e.g., Columbia Pictures v. Bunell, 245 F.R.D. 443, 447 (C.D. Cal. 2007) (holding that server logs stored on a computer’s RAM were properly discoverable because “Rule 34 requires no greater degree of permanency from a medium than that which makes obtaining the data possible.”). 1. Is there unique, relevant information on the mobile device? 2. Is the mobile device (or the specific data at issue) in the possession, custody and control of the party? 3. Would discovery of the mobile device data be reasonable and proportionate? Like any other data source, a mobile device only need enter the fray of discovery if it contains relevant information. Thus, before needlessly expending time and resources to preserve and collect mobile device data, it is usually wise to conduct a prompt investigation to determine whether information on the device will actually matter. That being said, as mobile devices become a dominant tool in business, it will become harder and harder to avoid conducting discovery on them. II. Whose iPad is this, really? Whether a party must preserve or produce data from a mobile device in a given litigation often will turn on Fed. R. Civ. P. 34(a)(1), which states that a party to litigation may request discovery of information that is “in the responding party’s possession, custody, or control.” There is little doubt that a party may be compelled to produce data from a mobile device, or even a device itself, when the party has actual possession of the relevant device.3 The law is murkier, however, when a company does not have physical possession of the mobile device. At present, there are two standards for Rule 34 “control” in Federal Courts: (1) the “Legal Right” test4; and (2) the increasingly prominent “Practical Ability” test.5 3 See, e.g., Bailey v. Scoutware, LLC, No. 12–10281, 2014 WL 1118372 (E.D. Mich. Mar. 21, 2014) (holding that plaintiff could forensically inspect defendant’s cellphone after defendant already undertook such an inspection). 4 See, e.g., DL v. District of Columbia, 251 F.R.D. 38, 46 (D.D.C. 2008) (“[I]t has been well established that the test for control is not defined as mere possession, but as the legal right to obtain such documents on demand”). 5 See, e.g., Bank of New York v. Meridien BIAO Bank Tanzania Ltd., 171 F.R.D. 135, 146 (S.D.N.Y. 1997) (“[D]ocuments are considered to be under a party’s control when that party has the right, authority, or practical ability to obtain the documents from a non-party to the action.”). Norton Rose Fulbright – December 2015 07 eDiscovery around the globe Under the “Legal Right” test, a company would be obligated to preserve and produce data from a mobile device only to the extent that it has the legal right to demand such data. For example, an employee may agree to allow retrieval of litigation-related data as a pre-condition of the company placing its data on the employee’s personal device (a classic reason for a bring-your-own-device, or “BYOD” policy). Under the broader “Practical Ability” test, on the other hand, a court may require a party to produce data from mobile devices outside the possession of the party if the court believes that the party simply has the means to request or obtain the relevant data from the individual with direct possession. Certain judges have commented that if employees have used mobile devices for work, even without authorization and against specific prohibition, an employer still has “possession, custody, or control” over the data because the employer can always fire the employee if he or she will not turn over the mobile device. III. Why can’t my opponent just go to the provider? When considering the relative control that a responding party and its mobile service providers have over data from a mobile device, a company may wish to argue that a requesting party should simply obtain certain forms of data (particularly text messages) directly from the service provider through a Rule 45 subpoena. This approach is not likely to succeed. First, not all relevant data will be in the control of the service provider. Unique photos, voice recordings and other files may exist only on the device itself. Second, even for data that may be stored by a service provider – such as text messages and personal email – most courts will not make an opposing party subpoena a third party when a party to the dispute has possession or control of the data. Third, even if a court required such a subpoena, it would be doomed absent the consent of the account owner, given the limitations imposed by the Stored Communications Act (18 U.S.C. § 2701, et seq.) (“SCA”). The SCA prohibits a service provider (e.g., a telecommunications carrier) from disclosing to any person or entity the contents of an electronically stored communication while in storage by that service provider. However, because a service provider may disclose the communications with authorization of the service subscriber, courts have ordered litigants to grant authority to mobile service providers to disclose their mobile data when such data is relevant and not stored in the mobile device any longer.6 6 See, e.g., Flagg v. City of Detroit, 252 F.R.D. 346, 355 (E.D. Mich. 2008) (holding that the SCA did not alleviate defendant of the duty to produce text messages because it could “permit the disclosure of [archived text messages] by granting its consent. This acknowledged power readily qualifies as a ‘legal right to obtain’ the messages held by [the service provider], and hence constitutes ‘control’ within the meaning of Rule 34(a)(1).”). 08 Norton Rose Fulbright – December 2015 IV. How easy is it to produce data from a mobile device? Despite the ease of use and ubiquity of mobile devices, preserving and collecting data from such devices can be a complicated affair. One commentator has observed that “in the text message environment, the ability to save messages, and how many can be saved, is largely device- and carrierdependent; there is no one answer” to preservation and production.7 Mobile devices are decentralized, disconnected and can be widely distributed, making preservation and collection labor-intensive and, therefore, expensive. Moreover, most companies are not equipped to preserve or produce data from their mobile devices, thus necessitating the use of vendors with specialized expertise. For the most fulsome preservation and collection, mobile forensic technology is typically two generations behind current smartphones. This means that, for example, while a company may issue an iPhone 6 to an employee, many vendors can only create full forensic copies with an iPhone 4. Sometimes a party will have to collect and preserve a device and purchase new devices for employees because forensic technology has not yet caught up with newer devices, and user data from such devices would need to be examined forensically at some point in the future depending on the nature of the litigation. Conversely, some forensic examination software does not support older smartphone models and alternative collection methods would require consultation with experts. The costs for collection and preservation of data from mobile devices can vary widely depending on the device and the level of preservation required. V. Do I always have to produce data from mobile devices? Even in cases where data from a mobile device may be relevant to a litigation, a company may not need to preserve and produce it because of the burden of doing so. Currently, Fed. R. Civ. P. 26(b)(2)(C)(iii) requires the court to limit discovery where it finds that “the burden or expense of the proposed discovery outweighs its likely benefit, considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake in the action, and the importance of the discovery in resolving the issues.” Notably, this Rule is in the process of being incorporated almost entirely within the scope of discovery under Rule 26(b)(1) to make it even more prominent. To illustrate, when a party pushes email out to mobile devices but also replicates the email on a server, it is generally easier and more cost-effective to collect the data from the server unless a party knew unique emails had only 7 Jonathan M. Redgrave, Keltie Hays Peay, Mathea K.E. Bulander, Understanding and Contextualizing Precedents in E-Discovery: The Illusion of Stare Decisis and Best Practices to Avoid Reliance on Outdated Guidance, 20 Rich. J.L. & Tech. 8, para. 38 (2014). Discovery and mobile devices been saved on the mobile device.8 Of particular relevance to data stored on employee-owned mobile devices is Principle 2: “Discovery should generally be obtained from the most convenient, least burdensome and least expensive sources.”9 Although a litigant may be able to avail himself of proportionality arguments, it can be dangerous for a litigant to unilaterally fail to preserve evidence based on proportionality because an opponent or the court can disagree with how a litigant weighs the costs and benefits of the information at issue. Summarizing this tension, Magistrate Judge James Francis has observed: Reasonableness and proportionality are surely good guiding principles for a court that is considering imposing a preservation order or evaluating the sufficiency of a party’s efforts at preservation after the fact. Because these concepts are highly elastic, however, they cannot be assumed to create a safe harbor for a party that is obligated to preserve evidence but is not operating under a court-imposed preservation order. Proportionality is particularly tricky in the context of preservation. It seems unlikely, for example, that a court would excuse the destruction of evidence merely because the monetary value of anticipated litigation was low.10 Therefore, unilateral decisions to not preserve relevant information from mobile devices should be made conservatively and cautiously. scope of discovery. In Federal Court litigation12 and in Victoria, a document is deemed discoverable if the party intends to rely on it or the document adversely affects the party’s own case, supports another party’s case or adversely affects another party’s case. Furthermore, in these jurisdictions, a party is required to undertake a reasonable search only for discoverable documents, which requires an assessment of the ease and cost of retrieving a document.13 In Queensland, the document must be directly relevant to an allegation in issue in the pleadings. The test for relevance is different in other Australian jurisdictions. In New South Wales, the document must be relevant to a fact in issue – that is, it could rationally affect the assessment of the probability of the existence of that fact (other than relating to the credibility of a witness), regardless of whether the document would be admissible in evidence. In the ACT, the document must relate directly or indirectly to a matter in issue in the proceeding. In Western Australia, a party is required to discover all documents relating to any matter in question. The majority of Australian courts have implemented practice guidelines in relation to discovery of documents stored electronically. In the Federal Court, parties are expected to have agreed upon a practical and cost-effective discovery plan, taking into consideration the issues in dispute and the likely number, nature and significance of the electronic documents that might be discoverable. Discovery of mobile devices must be considered when complying with the practice guidelines and formulating discovery plans. The Australian perspective As noted above, a party is obliged to discover documents that are in the party’s control. The test for control varies slightly in each jurisdiction. Generally speaking, in most Australian jurisdictions, a party to litigation is obliged to discover relevant documents that are in the party’s possession, custody or power.14 A party is said to be in possession of a document The jurisdictional tests for relevance vary. In some jurisdictions, the direct relevance test applies to narrow the 12 This applies where the Court has ordered “standard discovery” as opposed to “non-standard discovery.” A mobile device – and any data stored on a mobile device – is a “document” for the purposes of discovery in each Australian jurisdiction.11 Generally, the extent of a party’s discovery obligations is determined by a relevance test and whether the document (the mobile device or the specific data at issue) is in the party’s control. 8 See The Sedona Conference, Commentary on Proportionality in Electronic Discovery, p. 2 (2013). 9 Id. 10 Orbit One Communications v. Numerex Corp., 2010 WL 4615547, *6 n. 10 (S.D.N.Y. Oct. 26, 2010). 11 In Palavi v Radio 2UE Sydney Pty Ltd [2011] NSWCA 264, Allsop P found that mobile phones and iPhones were “documents” within the Interpretation Act 1987 (NSW) and the Evidence Act 1995 (NSW). Other Australian jurisdictions have similar definitions. 13 In deciding what is a reasonable search, a party must take into account the nature and complexity of the proceedings, the number of documents involved, the ease and cost of retrieving a document, the significance of any document likely to be found, and any relevant matter. 14 The obligation to discover documents in the Federal Court applies to documents in a party’s “control,” which is defined as “possession, custody or power.” In Victoria, NSW and Western Australia, the obligation similarly applies to documents within the disclosing party’s possession, custody or power. In the ACT it is slightly different – possession is defined to include custody and power. In Queensland, the obligation is to discover documents in the possession or under the control of the disclosing party. The limited authority on this point in Queensland suggests that control may be a more stringent requirement than power, meaning an ability to direct or command the production of the document. Norton Rose Fulbright – December 2015 09 eDiscovery around the globe where it owns and holds the document, whereas custody refers to physical holding of the document, irrespective of ownership. “Power” refers to an enforceable legal right to inspect the document, or obtain possession or control of the document, without the need to obtain the consent of anyone else.15 Provided that the right to inspect or obtain the documents is presently enforceable, the fact that for physical reasons it may not be possible for the party to obtain immediate inspection does not prevent the document from being within the party’s power.16 Where the mobile device is owned by the employer, the device will be in the employer’s power, even if it is not physically held by the employer. Where discovery is required, a direction from the employer to an employee to return the device would be a reasonable and lawful one. The employee would be required to comply with any such direction and the employer could consider potential disciplinary action against an employee who did not comply with the direction and return the device. The employer would also be said to be in control of any of its data stored on the employer-owned device, and anything created by the employee using that data. Depending on the terms of the employer’s workplace policies, the employer is also likely to have control over the employee’s personal information17 stored on the employer’s device. Where the employee owns the device, the question of control over data on the device may depend on where the data originated from (e.g., is it the employer’s information or intellectual property), the basis on which any employer data was provided to the employee, and the scope of the employer’s workplace policies regulating use of the device for work purposes and return of the employer’s data. The Canadian perspective The explosion in the use of mobile devices over the past several years presents unique challenges and increased production obligations for parties attempting to preserve and produce information from mobile devices in Canada. As electronic discovery is a relatively new concept in Canada, there is limited jurisprudence available on the subject. The traditional rules for document production codified by each province’s rules of civil procedure apply to electronic discovery, including all information found on mobile devices. Additionally, the Sedona Canada Principles18 and Ontario’s Guidelines for the Discovery of Electronic Documents19 were created to assist lawyers and clients with the production of electronic documents. In the absence of Canadian jurisprudence, these two sources, as well as American jurisprudence and provincial practice directives, are relied upon frequently in determining best practices for the preservation and production of electronic information from mobile devices in Canada. The current best practices are set out below. I. Discoverability and preservation The rules of civil procedure in most Canadian provinces require the production of all relevant documents in the power, possession and control of litigating parties. Electronic data that has been generated from, or stored on, mobile devices is now included in the broad definition of “document” and, as such, an obligation to preserve and produce electronic documents from mobile devices arises.20 Generally speaking, a prudent company should have document retention policies requiring the retention of electronic files for a reasonable period of time beyond the applicable limitation period.21 If a company knowingly allows employees to create business documents on their own devices, it follows that these same retention policies should cover those devices and include consent to monitor, access and retrieve documents from the device, including access to passwords and remote access for these purposes, subject to appropriate limitations to ensure privacy of personal information. Document retention policies must strike the right balance and include criteria that establish what information and documents can be destroyed and what must be kept for later reference based on potential relevance. Such policies, however, do not require corporations to take every conceivable step to preserve all electronically stored information that may be of potential relevance as such action would paralyze the corporation’s ability to conduct ongoing business. Accordingly, the general obligation to preserve evidence must be balanced against the 18 The Sedona Canada Principles Addressing Electronic Discovery, January 2008 (“Sedona Canada Principles”). 15 Lonrho Ltd v Shell Petroleum Co Ltd [1980] 1 WLR 627, 635 per Lord Diplock. 19 Guidelines for the Discovery of Electronic Documents in Ontario, November 2005. 16 Id. 20 Baldwin Janzen Insurance Services (2004) Ltd. v Janzen, 2006 BCSC 554 at para 28; An Act to Establish A Legal Framework for Information Technology, CQLR, c.C-1.1. 17 Subject to complying with any relevant limitations on the handling of personal information imposed by the Privacy Act 1988 (Cth). 10 Norton Rose Fulbright – December 2015 21 Alvi v YM Inc. Sales 2003 CarswellOnt 3386 at para 48. Discovery and mobile devices party’s right to continue to manage its electronic information in an economically-reasonable manner, including overwriting electronic information stored on mobile devices in accordance with general business practices in appropriate cases.22 II. Production Once litigation is contemplated, a proportionality exercise must be undertaken in order to determine whether potentially relevant information must be collected and produced from mobile devices. A “practical and efficient approach” should be taken, and the burden of production on the parties should remain “proportionate to the issues, interests and money at stake.”23 There must be a balance of considerations, including the value of the evidence, and the time and expense involved in preserving the documents, prior to production. The costs of producing electronic information should never outweigh the likely probative value of the information since, if such a proportionate approach is not taken, the overwhelming costs associated with electronic discovery may prevent the fair resolution of litigation disputes. As relevant information from mobile devices might be contained in the metadata associated with the producible documents, electronic information obtained from mobile devices should be produced in an electronic format.24 Despite the added requirement to produce electronic documents in an electronic format, however, parties are expected to disclose only information that is reasonably accessible. 25 This typically means that parties are not required to produce deleted or residual information not accessible except through the help of forensic means, barring exceptional circumstances such as fraud. These principles ensure that only what is reasonably expected to be produced is, in fact, produced as part of the “practical and efficient approach” to electronic discovery currently in place in Canada. The European Union Perspective In the frame of its Digital Agenda For Europe which aims to help Europe’s citizens and businesses to get the most out of digital technologies, the European Commission also recalled Cisco Forecast for 2013–2018 according to which the mobile data traffic in Western Europe amounted to 253,679 terabytes per month in 2013 and is projected to reach almost 2,000,000 terabytes per month in 2018. To a broader and more expressive extent, according to this forecast, the number of mobileconnected devices exceeded the number of people on earth by the end of 2014. The exponential use of mobile devices, especially for professional purpose, raises new ways of working and sometimes changes users’ behaviors. For example, the BYOD policy has become commonplace in many companies, where workers are allowed to use their personal smartphones and tablets on the company network.26 This explains why – on the one hand – companies are becoming increasingly concerned about security issues related to mobile devices, and – on the other hand – regulators throughout Europe, starting with the European Commission, are becoming increasingly interested in information processed by and contained in mobile devices. Even if there is generally no special treatment for data produced by mobile devices under Europe law, there are specific challenges linked to the use of such devices. These challenges are particularly vexing in the area of discovery, even if the legal systems of most EU Member States, as well as law at the EU level, are not discovery-based – the main exception being the UK: • Even in non-discovery countries, issues relating to data availability and retention policies may also be key within the frame of litigation; • Law enforcement agencies, and in particular the Commission, have extensive investigative powers, which may result in a de facto discovery, in which procedural rules are less clearly defined than in a discovery-based country. In both situations, the main difficulty, from a practical point of view, will be to ascertain whether the mobile devices contain information that does not exist in other places. For example, a mobile device may allow accessing the email account of an employee. However, such access will, in most cases, also be possible through, for example, a laptop or access to a company’s network. Similarly, information stored on the cloud via the mobile device will also be accessible through other 22 Sedona Canada Principles, Comment 3.e. 23 Sedona Canada Principles, Principle 2; Quebec Code of Civil Procedure, Section 4.2. 24 Information printed as a hard copy does not contain potentially relevant metadata. 26 “Companies increasingly concerned on staff using personal devices”, Financial Times of October 6, 2013 http://www.ft.com/intl/cms/s/0/0ff3241c-2cfb-11e3-a0ac-00144feab7de. html#axzz3Q11VkLlL. 25 Sedona Canada Principles, Principles 5 and 6. Norton Rose Fulbright – December 2015 11 eDiscovery around the globe means. There may be cases, however, where certain files have been stored exclusively on the device itself; or, for example, there may be relevant information in certain applications mainly used on mobile devices (such as chat applications like Google Hangouts or WhatsApp, or social networks). In this respect, conversations through social media may constitute electronic evidence which a company would have to produce or on which regulators would be able to base proceedings. Litigation and mobile devices The main issue in the context of litigation will therefore consist of assessing the opportunity of requesting the disclosure of information generated or stored on mobile devices. UK: Discovery obligations Like US Law, UK discovery law provides for no special exclusion for such data. In addition, there is no UK courtapproved guidance on handling and conducting discovery on mobile devices. In civil proceedings, Civil Procedure Rule (CPR31.8(1)) provides that a party is required to disclose documents which are or have been in its “control”. This is the case if : • the document is or was in the party’s physical possession, • the party has or has had a right to possession of it, or • the party has or has had a right to inspect or take copies of it. In addition, Practice Direction 31B of the CPR, which governs electronic disclosure in civil proceedings, expressly pertains to mobile devices. One of its key considerations is the reasonableness of any search from which any disclosure is made. The best approach would have to be determined in 12 Norton Rose Fulbright – December 2015 each case, depending on the company’s rules and the users’ habits. In some cases, however, it may be reasonable to attempt to obtain all electronic data (or at least all data for the relevant period). Subsequent review prior to disclosure can be negotiated by the parties to ensure cost and time efficiencies, as required by the Practice Direction. Non-discovery countries In other Member States, parties have, in principle no legal obligation to identify and disclose documents within litigation procedures. In most Member states, however, judges have the power to request the disclosure of documents, including electronic data. Although the extent of this disclosure obligation may be less important than in a discovery system, it is likely that a refusal to disclose documents based on technical reasons linked to the storage of information on mobile devices would not be acceptable to a judge. The question arises as to whether a judge could order an entity to produce data stored on employees’ mobile devices, particularly in companies implementing a BYOD policy. This should be ascertained on the basis of employment laws applicable in each country. In France, for example, the possibility to retrieve data from the mobile device would, to a large extent, depend on the BYOD rules as defined in the company’s internal regulations and labor contracts. Chapter 2 Discovery in the cloud The rise of cloud computing has created numerous challenges for lawyers who wish to counsel corporations on best practices especially in discovery, where document preservation and collection can run up against significant hurdles. 02 eDiscovery around the globe The United States perspective The rise of cloud computing has created numerous challenges for lawyers who wish to counsel corporations on best practices. Nowhere is this more evident than in the area of discovery, where a litigant’s efforts to preserve and collect relevant data from the cloud may run into substantial turbulence. I. Solidifying the Cloud The bench and bar often struggle with understanding emerging technologies. It behooves anyone delving into the legal implications of cloud computing to learn what it actually is, how it works and why organizations are adopting it. The National Institute of Standards and Technology, a division of the US Department of Commerce, defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, p. 2 (September 2011). To put it in simpler terms, cloud computing provides access to electronic resources (e.g., data. data storage or even software) via the Internet. This means an individual can use increasingly smaller mobile platforms to access and utilize increasingly larger pools of data and more sophisticated software applications. Although the term “cloud computing” has only come into fashion in the past few years, the technology has been present since the early days of the internet. For example, Hotmail, a web-based email application was introduced in 1995. As it exists, cloud computing consists of three broad types or “flavors”: public, private and hybrid. Public clouds are services that are open for use by virtually anyone. Examples include Dropbox, Google Drive and Hotmail (recently rebranded “Outlook” by Microsoft). Private clouds are established by and for the sole use of private individuals or organizations. For less than $100 total, an individual consumer can plug a small server into his home internet connection, creating a private cloud which allows them to access to data from virtually anywhere. Large corporations, of course, deploy private clouds on a much broader scale. Some organizations use hybrid clouds use both public and private clouds in combination, to enable them to meet their storage and delivery needs. For example, a pharmaceutical company might store 14 Norton Rose Fulbright – December 2015 HIPAA-compliant clinical study data in a public cloud while processing and developing study reports using a private cloud. For a large organization, cloud computing offers a number of advantages. Public clouds allow a company to effectively outsource much of its IT operations. The cloud supplier maintains and upgrades the infrastructure, thereby reducing the investment the company must make to keep up with current technology. Scalability and flexibility in pricing is another advantage; a company need only pay “per seat” or for the storage it actually uses. In a private cloud or traditional storage model, the company must constantly maintain a reserve level of storage that often goes unused. Of course, private and hybrid clouds allow a company to benefit from “access-anywhere” data storage while retaining a greater level of control and security. II. Harnessing the Cloud: Discovery obligations for cloud subscribers. Some companies may assume that placing data in the cloud would somehow alter their duty to preserve, collect and produce relevant information from that data. In the United States, however, that is not the case. Under Rule 34 of the Federal Rules of Civil Procedure, a party may be asked to produce data that is under its “possession, custody, or control.” As one court succinctly summarized “‘[c]ontrol’ has been construed broadly by the courts as the legal right, authority, or practical ability to obtain the materials sought on demand.” Steele Software Systems, Corp. v. DataQuick Information Systems, Inc., 237 F.R.D. 561,564 (D. Md. 2006). Because a company has a legal right to obtain its own data from a third-party cloud service provider, it is effectively in “control” of the data and may be compelled to collect and produce it. Furthermore, the Stored Communications Act (18 U.S.C. § 2701, et seq.) (“SCA”) prohibits a service provider (e.g. telecommunications company, cloud service provider, etc.) from disclosing to any person or entity the contents of an electronically stored communication while in storage by that service provider. The service provider may, however, disclose the communications with authorization of the service subscriber. See, e.g., Mintz v. Mark Bartelstein & Assocs., 885 F. Supp. 2d 987,994 (C.D. Cal. 2004) (holding that under the limitations of the SCA the proper means for a requesting party to obtain text messages held by a service provider was to “serv[e] a request for production of documents . . . pursuant to Rule 34.”). Therefore, it is generally incumbent on the party, not its service provider, to preserve, collect and produce information. Discovery in the cloud III. Stabilizing the Cloud: Preservation Of course, there are some challenges that accompany cloud computing. First, complying with preservation obligations for data stored in the cloud can raise concerns because many corporations do not have the same level of visibility into or control of cloud data as they do with data behind their firewall. The same methods that a company might use to preserve data stored completely internally on the laptops, internal mail severs and shared network drives might not work when this data moved to the cloud, particularly if the company employs public or hybrid cloud models. In typical litigation for a typical company with a mature approach to e-discovery, a company will often issue a litigation hold notice to employees who create or manage relevant data, instructing them to refrain from deleting or altering potentially relevant data. The company may also leverage internal IT resources to ensure that potentially relevant data (often email subject to autodeletion) is not inadvertently destroyed. Once that company moves its data to the cloud, however, preservation may become more complicated, and a company will have to answer certain questions to ensure that it meets its duty to preserve. Does the company have administrative rights to the cloud? Where is the company’s data stored geographically? Does the cloud provider (or private cloud server) keep or alter metadata? How does the cloud provider manage disaster recovery systems and are these under the control of the corporate subscriber? Does the cloud provider employ any auto-purge functionality? Can the data be “locked down” so that it remains unchanged throughout preservation and collection? Ideally, an organization will ask these questions before settling on a cloud storage method or choosing a cloud provider and will ensure that any cloud service agreement addresses these concerns. In fact, one of the first issues a corporation that has entered the cloud may unexpectedly face is that their cloud provider might start charging them for preservation tasks that, in the past, had been “free” because they were handled by internal IT. If this issue is not addressed in the cloud contract, preservation costs could skyrocket and the move to the cloud may not be as costeffective as originally expected. and “off the grid”, the legal and IT departments are then deprived of knowledge of an important data store that may contain information that should be preserved. A litigator who finds out about such a trove of data in a custodian interview will have to take swift measures to ensure that any relevant data is preserved. An advantage of public cloud computing is the ease with which anyone can procure storage and bandwidth. One problem that may beset a large organization as a result of this ease, regardless of its official cloud policy, is “credit card IT.” One need only go to Dropbox.com and enter a company-issued credit card number to gain access to a terabyte of storage for under $20 a month, all without going through the company’s standard provisioning mechanisms and the safeguards that those mechanisms employ. Once that data goes into the cloud Generally speaking, in most Australian jurisdictions, a party to litigation is obliged to discover relevant1 documents that are in the party’s possession, custody or power.2 IV. Bringing the Cloud down to Earth: Collection Cloud computing may also confound collection efforts in litigation. Because the cloud subscriber has reduced its control of the data, it may not have all the same tools and access points to pull and secure the data it has stored in the cloud. For example, when a company owns and operates its data storage internally, its collection efforts are subject only to its own resources and technical limitations. If the same data is stored in a public cloud, however, that company’s collection efforts may be hindered by bandwidth limitations, resource constraints, and the possibility that the company’s data is being stored on the same hardware as other clients of the cloud service provider. This last point implies another challenge: ensuring the integrity of the collected data. Will the company be able to perform integrity checks between the collected data and the original data remaining in the cloud? Unless a company can confirm to some degree that the collected information is accurate, it may be unprepared for an opponent’s challenges down the road. Similarly, encryption methods used by the cloud service provider may hinder efficient collection. With respect to bandwidth, a company may need to rely on its cloud provider (using its people and its tools) to collect the data. The cloud provider may not have the same priorities or schedule as the subscriber and this can cause unexpected delays. Collection can also lead to unexpected costs, if prices have not been outlined in the contract. The Australian perspective The practical considerations surrounding discovery in the cloud in the U.S. are similar to those that apply in Australia. 1 As discussed in chapter 1, the tests for relevance vary slightly across Australia. 2 The obligation to discover documents in the Federal Court applies to documents in a party’s “control,” which is defined as “possession, custody or power”. In Victoria, NSW and Western Australia, the obligation similarly applies to documents within the disclosing party’s possession, custody or power. In the ACT it is slightly different – possession is defined to include custody and power. In Qld the obligation is to discover documents in the possession or under the control of the disclosing party. There is some authority in Queensland that control may be a more stringent requirement than power. Norton Rose Fulbright – December 2015 15 eDiscovery around the globe A party is said to be in possession or custody of a document where the party physically holds the document, which would not be the case with documents stored in a cloud server. By contrast, “power” refers to an enforceable legal right to inspect the document, or obtain possession or control of the document, without the need to obtain the consent of anyone else.3 Provided that the right to inspect or obtain the documents is presently enforceable, the fact that for physical reasons it may not be possible for the person to obtain immediate inspection does not prevent the document from being within the party’s power.4 This concept of power appears similar to the concept of “control” discussed in Steele Software Systems, Corp. v. DataQuick Information Systems, Inc., 237 F.R.D. 561, 564 (D. Md. 2006). This issue has not yet been tested in an Australian court. However, if the agreement with the cloud service provider gives the party the right to retrieve its data without the need to obtain the service provider’s consent, a court would most likely consider the documents to be in the party’s power and would require them to be discovered. Where the cloud is located outside Australia, there may be additional matters that require consideration during the discovery process, such as whether the data can be removed from that jurisdiction without breaching local data privacy laws. The Canadian perspective The same practical considerations apply to cloud discovery in Canada as in Australia. In both Australia and Canada, there is a paucity of jurisprudence considering whether a litigant is in “possession or control” of information stored in the cloud. The case law that does exist proceeds on the assumption that a litigant who has stored its data in the cloud is in possession or control of that data and focuses on other issues and, in particular, the proportionality of the discovery request. For example in Velsoft Training Materials Inc. v. Global Courseware Inc.5, the court issued an Anton Piller award to seize and make mirror images of all electronic devices and servers, including cloud servers. While the order was ultimately set aside because the plaintiff could not meet the criteria otherwise applicable to those types of orders, the right to search data in the cloud was not seriously questioned. The reason for the lack of jurisprudence on the issue might well be that courts will not entertain arguments which would allow litigants to escape their discovery obligations by storing data in a cloud pursuant to contracts that do not ensure the same degree of retrievability as when they are stored on servers owned and run by the company. This is particularly true in Quebec where the law provides that a “technological” document is equivalent to a paper version, provided it can be readily retrieved and reconstructed in a reliable manner that ensures the document’s integrity.6 Indeed, courts in Canada seem to be more preoccupied with ensuring that e- discovery is proportional. In Siemens Canada Limited v. Sapient Canada Inc.7, for example, the Master was demonstrably determined to reverse the “default rule” for e-discovery, namely that everything “relating to” the litigation is discoverable and to replace it with a “proportionality rule” where only documents “relevant” to the facts pleaded are to be the object of e-discovery. The Master emphasized the need for a cost-benefit analysis to be performed when determining which custodians and key words to target for e- discovery. Similarly, he underscored the need to take into account the effect that an overly broad reach may have on the privacy of individuals. While information stored in the cloud outside Canada raises issues relating to the export of data, as is the case in Australia, the privacy considerations around the legality of the storing and inter-jurisdictional exchange of such data should, in theory, have been considered in the light of privacy legislation at the time the decision was made to store the data in the cloud. Where these issues have not been so considered, they must be so at the time of discovery. The European perspective Cloud computing is developing exponentially in the European Union, and the European Commission has identified the key importance for the European economy of implementing a cloud computing EU strategy (Unleashing the Potential of Cloud Computing in Europe, September 2012, MEMO/12/7/13). Cloud storage is indeed essential for companies struggling with the management of “big data” as a result of the exponential development of email and electronic documents. 3 Lonrho Ltd v Shell Petroleum Co Ltd [1980] 1 WLR 627, 635 per Lord Diplock. 4 ibid. 6 An Act to Establish A Legal Framework for Information Technology, CQLR, c.C-1.1. 5 2011 NSSC 274 (CanLII). 7 2014 ONSC 2314 (CanLII). 16 Norton Rose Fulbright – December 2015 Discovery in the cloud Yet the use of the cloud may amplify certain aspects of this struggle, and create new and unforeseen pitfalls to avoid. The Commission itself recognizes the challenges arising from cloud development, especially the fact that “the patchwork of different rules at Member State level increases companies’ uncertainty about their legal obligations, thus delaying the adoption of cloud computing.” These challenges may be particularly important in the area of discovery, even if the legal systems of most EU Member States, as well as law at the EU level, are not discovery- based – the main exception being the UK: • Even in non-discovery countries, issues relating to data availability and retention policies may also be key within the frame of private litigation; • Law enforcement agencies, and, in particular, the Commission, have extensive investigative powers, which may result in a de facto discovery, in which procedural rules are less clearly defined than in a discovery-based country. I. Private litigation and the cloud The difficulties arising from companies storing data in the cloud essentially result from the fact that data is stored away from the company’s premises, most of the times in different and unknown locations. However, in most cases, this will not change – and clearly not alleviate – disclosure or retention obligations or needs, both in discovery and non-discovery countries. UK: Discovery Obligations Remain in the Cloud The lack of proximity makes it less easy to know whether the conditions for a discovery obligation are fulfilled. In the UK, the applicable Civil Procedure Rule (CPR 31.8(1)) provides that a party is required to disclose documents which are or have been in its “control”. This is the case if: • the document is or was in the party’s physical possession • the party has or has had a right to possession of it or • the party has or has had a right to inspect or take copies of it. The Electronic Disclosure Questionnaire provides guidance on how these rules should be interpreted; however, instead of expressly referring to the cloud, it references “off-site storage” in general. Whether the courts will consider that documents stored in the cloud fulfill these conditions, remains to be seen, considering that the concerned company no longer has physical possession. However, in most cases, a right to possession should result from the contractual documents with the cloud services provider, which is usually held by an availability obligation. This means that the documents are in the party’s control and that there is a disclosure obligation. Having document retention obligations in place as soon as litigation is possible may also raise issues, since imposing a hold policy may be made more difficult from a practical point of view. Nevertheless, a party trying to justify the breach of this obligation by the fact that data is stored on the cloud would be likely to find little success in front of a judge. Non-discovery countries In other Member states, parties have, in principle, no legal obligation to identify and disclose documents within litigation procedures. However, in most Member States judges have the power to request the disclosure of documents, including electronic data. Although the extent of this disclosure obligation may be less important than in a discovery system, it is likely that a refusal to disclose documents based on technical reasons related to the cloud would not be acceptable by the judge. In addition, parties must be able to access the data they plan to use to support their claims. II. Governance measures Most of the pitfalls identified in this white paper may be avoided through a careful review and negotiation of the cloud service agreement. The European Commission and most Member States data protection agencies have published practical guidelines concerning service level agreements in cloud services contracts, which may prove useful when negotiating these contracts. Companies should be particularly attentive to the provisions relating to the availability of data, the time periods provided for the data to be made available, and the obligation of the service provider to inform the company of any access request received from a court or a governmental body. Norton Rose Fulbright – December 2015 17 Chapter 3 What are the intricacies of cross-border discovery? In order to conduct discovery effectively, parties in litigation may be challenged to consider relevant data protection, disclosures, and other regulations across jurisdictions. These sometimes competing regulations may add an additional layer of complexity which should be addressed early in the discovery process. 03 What are the intricacies of cross-border discovery? Companies may face potential legal hurdles when the discovery process crosses borders. In order to conduct discovery effectively, parties in litigation may be challenged to consider relevant data protection, disclosure and other regulations across jurisdictions. These sometimes competing regulations may add an additional layer of complexity which should be addressed early in the discovery process. The United States perspective Understanding IT systems and how and where they store potentially relevant information is an important and necessary step in conducting discovery effectively and efficiently. This is even more important when discovery crosses borders and we need to preserve, collect and produce information and documents from other countries. This process may add a level of technical complexity as well as potential legal hurdles, as data protection, state secret, surveillance and telecommunications laws can restrict the client’s ability to process and transfer data. Determine, as early as possible, whether documents that are potentially relevant to the litigation exist in foreign jurisdictions. Norton Rose Fulbright is fortunate to have a considerable breadth of subject matter experts on data protection and other relevant regulations in many jurisdictions where documents may need to be obtained. Two useful resources are Norton Rose Fulbright’s Global Data Privacy Directory and the Sedona Conference’s International Principles on Discovery, Disclosure and Data Protection. In order to plan and implement cross-border discovery effectively and efficiently, the following issues should be considered: 1. Where is the data physically located? In what countries and jurisdictions is the data located? Certain laws may restrict the ability to collect, process and transfer the data. 2. Where are the employees (whose data is at issue) physically located and where are their employers legally established? Both will be relevant to determining applicable law for data-related restrictions. 3. What is the data that is relevant and does it contain personal information or other sensitive information? Over-preservation and over-collection can be more significant issues outside the US because they not only increase costs, but can also lead to liability. Focus on the data that is important and determine whether it contains personal information, state secrets or other sensitive information. 4. W hat is the company’s organizational structure and what is the relationship between the US entity and the foreign affiliates? These facts can have several significant effects on discovery. Does the US entity have possession, custody and control of the foreign data? Is the US entity the data controller or responsible for the data overseas or is it an affiliate? 5. Who is running the litigation and what claims have been made against which entities? If another member of the organizational family or retained counsel is running the litigation, this can complicate the ability to search and review the documents. 6. Does the company have data protection/privacy policies and/or a data protection/privacy officer? It is crucial to know what the company has in place to protect the privacy and confidentiality of personal and proprietary information. In certain jurisdictions, the company may have made filings with local regulators and/or may need to make additional filings. By implementing policies and providing notice to employees, the company may have given itself latitude to do certain discovery, but it may have also tied its hands. 7. Does the company have Binding Corporate Rules (BCRs), intra-company data transfer agreements or is it “Safe Harbored” and do these arrangements include the transfer of information required in litigation? Likewise, to the extent that the company intends to transfer and review data across the organizational family, it is important to understand what agreements are in place that allow for compliant intra-company transfer and disclosure. Norton Rose Fulbright – December 2015 19 eDiscovery around the globe 8. Does the company have Workers Councils (or unions) and, if so, do any agreements address the information and do local employment laws impose any further consultation prerequisites or prior approval rights (even without collective or workers council agreements)? To the extent that employees are members of or protected by Workers Councils or unions, the agreements between the company and these organizations and local employment law can further limit a company’s ability to preserve, search and disclose employee documents. 9. Does the company believe any relevant data exists on BYOD personal devices or personal e-mail? In the US, courts are taking an expansive view of a corporations obligation to obtain data from personal devices and e-mail. Many privacy-focused jurisdictions, like the member states of the European Union, take an even harsher view of this intrusion. 10. Where does the data need to be produced? Determining to whom and where the data needs to eventually go (including intermediate review stages by the company and other foreign attorneys) is critical because a plan needs to be developed that will allow the appropriate transfers and minimize the risk to the company. The Canadian perspective Global organizations and their counsel are often confronted with collecting, processing, reviewing and producing documents that reside outside of their respective jurisdictions, often in the case of separate, but affiliated entities. This adds an additional layer of complexity to an already complicated process. When attempting to obtain documents that exist beyond the Canadian border, it is important to plan ahead. It is necessary to consider (a) whether local laws in the home state allow for the collection and processing of data; (b) whether technology can assist with cross-border discovery and (c) which laws – data, privacy or other – are implicated if data is moved from the foreign jurisdiction to Canada. If the request to export data to Canada is with a member country of the European Union (“EU”), there is a presumption that Canadian domestic law provides “adequate protections” for the export of personal information, except in the case of employees who are not federally regulated or personal 20 Norton Rose Fulbright – December 2015 information exported to a non-commercial entity.1 To determine whether a court or entity in a foreign jurisdiction is entitled to obtain documents in the course of discovery from a Canadian entity, existing privacy policies should be considered. Some global entities will have privacy policies that have been properly communicated and designed to obtain valid employee consent to the sharing of information across borders and affiliates. In such a case, a foreign affiliate may already have legal access to personal information of Canadian employees in which case nothing further is required. Absent such a policy, the foreign jurisdiction will likely have to submit a Letter of Request and Application to a Canadian court. This Letter of Request must outline why the evidence is (a) relevant (b) necessary for trial (c) not otherwise obtainable (d) not contrary to public policy (e) reasonably specified and (f) not unduly burdensome.2 In conclusion, cross-border discovery should be conducted with the assistance of knowledgeable local privacy litigation counsel and various threshold questions should be considered to ensure legality. The English perspective The practical considerations surrounding cross-border e-disclosure in the US also apply to English proceedings. In addition, the recent procedural reforms in England have impacted upon the disclosure (discovery) process and require parties to start thinking about these practical considerations early in proceedings. Key changes to the disclosure process went into effect on 1 April 2013. Each party must now file and serve a disclosure report at an early stage of the proceedings - 14 days before the case management conference (CMC). The report must describe the relevant documents that exist, where they are, how electronic documents are stored and it must provide for an estimate of costs of standard disclosure. Parties are also required to meet at least seven days before the CMC to discuss and try to agree the scope of disclosure. Although disclosure is expansive in terms of the definition of “document” and “control,” covering documents outside the jurisdiction, the parties are encouraged to agree to limit its scope to promote the overriding principle of proportionality 1 General Counsel of Seventh Day Adventists v. Tiffin (2001) Carswell Ont. 660. 142 O.A.C. (386) C.A. 2 2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC. What are the intricacies of cross-border discovery? (Civil Procedure Rule 1.1(2)(c)) and the court will have regard to this overriding principle in its case management. The parties may also be ordered to exchange an electronic documents questionnaire if the court considers the agreement reached between the parties in relation to the disclosure of electronic documents to be inappropriate or insufficient. This sets out information as to the scope, extent and most suitable format for disclosure of electronic documents, including those outside the jurisdiction. Further reforms have introduced additional rules on cost budgets and the need for accurate estimates of costs. Given that the disclosure process usually accounts for a significant proportion of total costs of a case, there is now even more need for practitioners to give proper thought to planning and costing the disclosure process. Any budget should consider the practicalities of accessing and reviewing documents from outside the jurisdiction and must do so as accurately as possible. If the budget is wrong, a formal application can be made to court to approve a revision but there must be good reason for this. A mere mistake or miscalculation in the amounts of data in other jurisdictions is unlikely to be sufficient. Disclosure (and particularly e-disclosure) necessitates careful planning and management in all cases, but the recent reforms to the procedural rules make it clear that parties also have to consider the practicalities of disclosure and discuss the scope and cost with each other early on in proceedings. The Australian perspective Just as in the US, cross-border discovery and disclosure in Australia requires counsel to consider a number of sometimes competing concerns before committing to a course of action. Whether an Australian Court can make discovery orders affecting an entity overseas Several Australian cases have held that an Australian court has power to order the disclosure of documents held by an overseas entity that is a party to the litigation. The prevailing view is that as discovery is a matter of procedure, the law of the forum (i.e., Australia) governs matters of practice and procedure.3 The fact that compliance with an order for disclosure might render a party subject to the risk of 3 See Michael Wilson & Partners Ltd v Robert Colin Nicholls & Ors (2008) 74 NSWLR 218 per Brereton J. Brereton J noted that where foreign obligations of confidentiality are involved, the Court may limit or dispense with discovery or production as a matter of discretion, taking into account whether the party is the plaintiff or defendant, and the identity of the third parties whose confidentiality is at stake. a prosecution under foreign law is relevant to the Court’s discretion as to whether to make a discovery order but is not a reason in itself not to make the order.4 In ACCC v Prsymian Cavi E Sistemi Energia SRL (No 7)5, Besanko J refused to dismiss a Federal Court discovery order made against a French company. Besanko J held that while describing the documents in a list and producing them may result in a breach of the French “blocking statute,” it was unlikely that the French company would be prosecuted if it complied with the Australian discovery order. In ACCC v Prsymian Cavi E Sistemi Energia SRL (No 8)6, Besanko J observed that foreign law, showing the impossibility of compliance with a discovery order of the Court, may be relevant to whether the Court would make orders in respect of non-compliance with a discovery order. Does the party have control over documents held overseas? Broadly speaking, in Australia, a party to litigation is only required to disclose relevant documents over which it has control.7 Where the litigation is between Australian resident companies, documents which are in an overseas jurisdiction may not be held by the litigating party but may well be held by a related entity. The issue that arises then is whether those documents can be said to be in the control of the litigating party. Assuming that a “regular” corporate structure exists, an Australian court will usually be reluctant to pierce the corporate veil to rule that documents held by an overseas parent company are within the control of an Australian subsidiary and order the disclosure of those documents.8 Different considerations may arise if the companies are not 4 ACCC v Prsymian Cavi E Sistemi Energia SRL (No 7) [2014] FCA 5. Leave to appeal against this decision was denied by White J in Nexans SA RCS Paris v ACCC (2014) FCA 255. White J dismissed an argument that Besanko J failed to have regard to the principle of comity as stated in Hua Wang Bank Berhard v Cmr of Taxation (2013) FCAFC 28, namely the need for caution where there is intrusion on the sovereignty of a foreign state, and where enforcing Australian laws may infringe legislative policies of other countries. 5 Ibid. 6 [2014] FCA 376. 7 Control is defined in the Federal Court Rules as meaning possession, custody or power. The discovery obligation in Victoria, NSW and Western Australia applies to documents within the disclosing party’s possession, custody or power. In the ACT it is slightly different - possession, custody and power. In Qld it is limited to documents in the possession or under the control of the disclosing party. The terms “possession”, “custody” and “power” refer to three alternative states – “possession” refers to ownership, “custody” refers to the physical holding of the document, irrespective of ownership, and “power” refers to a presently enforceable legal right to inspect the document or obtain possession or control of the document without the need to obtain the consent of anyone else 8 Gambro v Fresenius Medical [2002] FCA 1359 per Tamberlin J. Tamberlin J noted that documents which may be possibly be relevant and that are in the possession of the subsidiary company, depending on the corporate structure, may not be even within the control or power of the parent company (citing Lonrho Ltd v Shell Petroleum Co Ltd [1980] 1 WLR 627; DouglasHill v Parke Davis Pty Ltd (1990) 54 SASR 346 at 350-2). See also ACCC v Prsymian Cavi E Sistemi Energia SRL (No 8) where Besanko J declined to order a subsidiary company to disclose documents held by another subsidiary in the corporate group . Norton Rose Fulbright – December 2015 21 eDiscovery around the globe truly operating as separate legal entities or where company documents are stored on shared computer platforms. In some cases, it may be necessary to disclose the documents for either tactical or pleading reasons. Although a party that does not have present control over a document is not obliged to take reasonable steps to obtain control over the document9, the Federal Court10 may, however, order a party to take reasonable steps to obtain access to and discover documents which are in the possession, custody and power of a third party, where there is a real likelihood that the party would be given access to the documents upon request (termed a Sabre order11). In Psalidis & Anor v Norwich Union Life Australia Ltd12, Cavanough J of the Victorian Supreme Court noted that in most cases where a Sabre order has been sought, there has been a real difficulty in using the usual processes of partyparty discovery, third-party discovery or subpoenas. A typical example is where the documents are overseas and are in the possession of some entity that is not readily amenable to the ordinary processes of the jurisdiction.13 Is it reasonable to search for documents held overseas? In Federal Court litigation, a party is only required to disclose documents of which it is aware after a reasonable search.14 To determine whether a search is reasonable, a party must take into account the nature and complexity of the proceedings, the number of documents involved, the ease and cost of retrieving a document, the significance of any document likely to be found, and any other relevant matter. were held only in paper copy in a remote location), and where those documents are unlikely to be of significance. Whether an Australian company can resist disclosure to an overseas entity on privacy or data protection grounds The Australian Privacy Act of 1988 regulates the collection, use and disclosure of personal information15 by entities that have a turnover of more than $3 million, and by government bodies. An entity covered by the Privacy Act can only disclose personal information about an individual to overseas recipients, if it takes reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles16 in relation to the information.17 There are some exceptions: (1) If the entity reasonably believes that: (i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and (ii) there are mechanisms that the individual (whose personal information has been disclosed) can access to take action to enforce that protection of the law or binding scheme; or (2) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order. In the case of documents held overseas, after making reasonable efforts to search for documents, a party may be able to argue that it was not reasonable to continue searching, if it would be difficult and costly for the party to retrieve the documents (for example, if the documents 9 Gambro Pty Ltd v Fresenius Medical Care Australia Pty Ltd [2002] FCA 581, Dorajay Pty Ltd v Aristocrat Leisure Ltd [2006] FCA 335 (NB: in the context of compliance with a subpoena) . 10 Some state Courts have also held that they have similar power to make such an order. This will depend on the applicable court rules in each case . 11 In Sabre Corporation Pty Ltd v Russ Kalvin’s Hair Care Co (1993) 46 FCR 428 the applicants, who had the exclusive right to distribute Joico hair products in Australia, brought proceedings alleging that the respondent had engaged in misleading and deceptive conduct by selling a generic version of Joico hair products. The documents containing the formulation of the Joico hair products were not in the control of the applicant. Lockhart J ordered the applicant to request those documents from the United States manufacturer of Joico products, with whom the applicant had a close business relationship . 12 (2009) 29 VR 123. 13 At [124], citing Sabre, Bova v Avati [2009] NSWSC 921 at [370] – [374], compare SPI Spirits (Cyprus) Ltd v Diageo Australia Ltd (No 2) (2006) 155 FCR 150. 14 Victoria has a similar limitation regarding reasonable searches. 22 Norton Rose Fulbright – December 2015 15 Personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and, (b) whether the information or opinion is recorded in a material form or not. 16 Other than Australian Privacy Principle 1. 17 Australian Privacy Principle 8. Chapter 4 Is it reasonable to rely on employees to preserve documents? Preserving and protecting electronically stored information that may be relevant in potential or actual litigation is a trending area that affects both in-house and outside litigation counsel. 04 eDiscovery around the globe The United States perspective Generally, a party in litigation with pre-trial discovery must take reasonable steps to prevent the destruction or modification of relevant information. This preservation duty can be broken into two key components: (1) identifying the relevant information (or at least where it is stored); and (2) preventing its modification or deletion. Is it reasonable for a party to rely on its employees to accomplish these two tasks? Usually, the general answer is YES, but there are some important qualifications. The entire point behind a legal hold notice is to notify employees of the duty to preserve and to stop them from deleting or modifying relevant information. Legal hold notices have been the core of preserving documents in the United States for more than a decade. See e.g. Zubulake v. UBS Warburg LLC, 229 F.R.D. 422, 434 (SDNY 2004) (“Zubulake V”). Legal hold notices are reasonable because the cost of issuing them is relatively low and the benefit received from them is high. Most companies have highly decentralized data management systems and employees are in the best position to know their data (identification) and have the most direct control (preservation). The other preservation options – either the complete collection of an entire data source (e.g. hard drive, e-mail account, or server) or some type of search – can lead to even greater overpreservation and are more expensive. However, relying on employees is not without risk and requires more active participation by IT and external and in-house counsel to (1) provide clear instructions and guidance to the employees; (2) support the employees and answer questions; and (3) oversee and monitor their progress to ensure that they are fulfilling their obligations. See id. at 432. It is best practice to interview and communicate with the most important players to make sure they understand what is relevant and what they need to be doing to preserve information. See id. at 433. Where a company’s IT systems automatically delete information, such as a janitor system on e-mail, the duty to monitor and engage with employees is greater because the employees need to take affirmative steps to identify and preserve information. See Apple, Inc. v. Samsung Elecs. Co. Ltd., No. C 11-1846 LHK (PSG) (N.D. Cal. July 25, 2012). Depending on the case, you may consider temporarily suspending an automatic delete process, or taking a “snapshot” in time of certain or all e-mail boxes, until more details are known about the scope of discovery. 24 Norton Rose Fulbright – December 2015 In certain cases, a legal hold notice may be insufficient or considered unreasonable: (1) An employee may be in conflict with his employer or accused of malfeasance (sending a whistleblower or someone accused of embezzlement a hold notice is unlikely to be effective); (2) Some courts may consider an individual with a direct stake in the litigation (e.g. an officer with personal liability or an individual plaintiff) unreliable, as their definition of relevant may be too narrow or biased; (3) Legal holds to employees will likely be ineffective in preserving data that the employees do not directly control (e.g., deleted data on their hard drives, the company website, enterprise databases, or disaster recovery tapes). Finally, issuing legal holds and relying on employees are important steps in a legal team’s attempts to preserve relevant information and they can be used with other tools depending on value and risk (forensically image certain drives, snap shot some data sources, and rely on employees for others). Remember, perfection is not the standard. Act in good faith and make reasonable, conservative, timely, and informed decisions to find and preserve data, and you will make reasonable preservation decisions. The Canadian perspective In common law jurisdictions in Canada, as in the United States, a party to a litigation or a party that reasonably anticipates litigation should take reasonable steps to preserve relevant documents. Sedona Canada Principle 3 provides that “as soon as litigation is reasonably anticipated, parties must consider their obligation to take reasonable and good faith steps to preserve potentially relevant electronically stored information.”1 The Ontario e-Discovery Guidelines provide that the obligation to preserve relevant electronic documents arises when litigation is “contemplated or threatened.”2 In the civil law jurisdiction of Quebec, discovery allows for the communication of documents “relating to the issues.” The question then becomes whether it is reasonable, in both common and civil law jurisdictions in Canada for a party to rely on its employees to preserve relevant documents.3 1 The Sedona Conference Working Group 7 (WG7) The Sedona Canada Principles Addressing Electronic Discovery (Jan. 2008). 2 Ontario Bar Association Discovery Task Force Sub- Committee, Guidelines for the Discovery of Electronic Documents in Ontario at 5. 3 “Section 397.1 et seq of the Code of Civil Procedure. Is it reasonable to rely on employees to preserve documents? As in the US, the answer is YES, with limitations. A legal hold notice which sufficiently describes the nature of the case and what should be preserved should be sent to key individuals as soon as litigation is imminent. It is imperative that in-house counsel and IT are involved at each stage of the preservation process. Employees should be educated on the perils of selective collection efforts and the legal ramifications of intentionally or unintentionally destroying documents. Finally, in Canada, the principle of proportionality should be considered. Common law courts have opined that “the obligation to preserve relevant electronic documents must be balanced against other considerations, including the value of the evidence, the time and expense involved in preserving the documents, as well as privacy and confidentiality considerations.”4 A similar principle of proportionality applies to all Quebec proceedings.5 Even though Canadian jurisprudence on preservation, selfcollection and litigation holds are not as developed as in the US, these issues should not be ignored by Canadian practitioners or thought to be limited to complex commercial lawsuits. A thorough understanding of these concepts is critical to Canadian litigation and requires the “universal understanding of the Canadian bar.”6 As the guidance in CPR Part 31 (dealing with the disclosure of documents more generally) goes on to suggest, it is not enough simply to give instructions that documents be preserved; steps should be taken to ensure that documents are preserved. In the case of Infabrics Ltd v Jaytex Ltd [1985] F.S.R. 75, the maxim omnia praesummuntur contra spoliatorem (everything is presumed against he who destroys) was applied against a defendant who had not preserved documents affecting the quantum of damage notwithstanding instructions from the defendant company’s director to preserve such records. In practice, should a party with the engagement of in-house counsel and IT, suspend any routine document destruction policy and adhere to the detailed instructions provided by its solicitors in relation to the preservation of documents, including educating key employees on the legal ramifications of intentionally or unintentionally destroying documents, the question of reliance on employees for such document preservation should not necessarily be an issue. Australia Although the formal “litigation hold” concept does not apply in England as such, Practice Direction 31B (paragraph 7) of the Civil Procedure Rules (CPR) (dealing with the disclosure of electronic documents) does state that “as soon as litigation is contemplated, the parties’ legal representatives must notify their clients of the need to preserve disclosable documents…which would otherwise be deleted in accordance with a document retention policy or in the ordinary course of business.” This is done by way of a detailed letter to the client explaining its disclosure obligations and the rules as to spoliation, including important instructions about the creation, destruction and amending of documents. As in England, there is no formal requirement in Australia to issue a “litigation hold” when litigation is anticipated. However, there is an obligation under the general law to preserve documents of potential relevance to anticipated litigation. The obligation is articulated in each Australian jurisdiction where it is a criminal offence to intentionally destroy, conceal, alter or falsify evidence. The Victorian legislation sets the benchmark as it most clearly applies to evidence which might be required in a future proceeding.7 In NSW, regulation 177 of the Legal Profession Regulation 2005 expressly prohibits legal practitioners from destroying or moving a document from the place where it is kept or from the person who has possession or control of it, and from advising a client to do the same, if legal proceedings are likely to be commenced and the document may be required. Given these provisions, it is prudent practice to issue a litigation hold once proceedings are anticipated or likely. Therefore, in common with the position in the US and Canada, the answer, in broad terms, is YES - it is reasonable to rely on employees to preserve documents – but the party (and, to an extent, their solicitor) must take positive steps to ensure that such document preservation is being carried out effectively. Where a party alleges that the destruction of documents before the commencement of proceedings is prejudicial, the criterion for court intervention “...(other than by drawing adverse inferences, and particularly if the sanction sought is striking out of the pleading) is whether that conduct of the other party The English perspective 4 McCaffrey v. Paleolog, 2006 BCSC 69 (CanLII). 5 Section 4.1 of the Code of Civil Procedure. 6 The Sedona Canada Principles, supra. 7 This legislation, and the NSW regulation discussed in the following sentence, was introduced following the Victorian Court of Appeal decision in British American Tobacco Australia Services Limited v Cowell (as representing the estate of Rolah McCabe, deceased) (2002) 7VR 524. Norton Rose Fulbright – December 2015 25 eDiscovery around the globe amounted to an attempt to pervert the course of justice or, if open, contempt of court occurring before the litigation was on foot.”8 Once proceedings are commenced, Australian solicitors have a duty to explain to their clients the requirement to disclose relevant documents in litigation and to ensure that clients comply with disclosure requirements. In a number of Australian jurisdictions, solicitor are also required to certify to the relevant court that they have explained to their client the duty of disclosure. Solicitors should consider ceasing to act if they consider that their client is not complying with their disclosure obligations or has destroyed relevant evidence.9 Is it reasonable for a party to rely on its employees to preserve relevant documents? As is the case within other jurisdictions, a party to litigation must ensure that its employees understand the directions given, and that employees comply with the directions. In some cases it may be necessary to consider whether external parties should be involved in implementing the litigation hold (especially where the case involves 8 British American Tobacco Australia Services Limited v Cowell (as representing the estate of Rolah McCabe, deceased) (2002) 7 VR 524. 9 Court procedure legislation in a number of Australian jurisdictions now imposes express duties on parties to litigation to further the overarching purpose of the courts to resolve disputes in a just, efficient and cost-effective way (e.g. s37N Federal Court of Australia Act (Cth), s56 Civil Procedure Act (NSW), s10 Civil Procedure Act (Vic)). In Palavi v Radio 2UE Sydney Pty Ltd, [2011] NSWCA 264 Allsop P of the NSW Court of Appeal noted that the duty imposed by the NSW Civil Procedure Act, to act responsibly and honestly in court proceedings should form the framework of the exercise of the court’s power to strike out proceedings, where a party deliberately destroys discoverable material. 26 Norton Rose Fulbright – December 2015 allegations against the employees who would otherwise be asked to implement the litigation hold). In Victoria, a corporation that is accused of destroying evidence may rely on a defense of due diligence, but if its corporate culture is such that the destruction was encouraged or tolerated, then its representatives may face a significant fine. Our global offices Canada Calgary Montréal Ottawa Québec Toronto Europe Amsterdam Athens Brussels Frankfurt Hamburg London Milan Moscow Munich Paris Piraeus Warsaw Kazakhstan Almaty USA Austin Dallas Denver Houston Los Angeles Minneapolis New York PittsburghSouthpointe San Antonio St Louis Washington DC Latin America Bogotá Caracas Rio de Janeiro Africa Bujumbura** Cape Town Casablanca Dar es Salaam Durban Harare** Johannesburg Kampala** Middle East Abu Dhabi Bahrain Dubai Riyadh* Asia Bangkok Beijing Hong Kong Jakarta* Shanghai Singapore Tokyo Australia Brisbane Melbourne Perth Sydney *associate office **alliance Norton Rose Fulbright – December 2015 27 eDiscovery around the globe 28 Norton Rose Fulbright – December 2015 2014 in review Norton Rose Fulbright Norton Rose Fulbright is a global legal practice. We provide the world’s preeminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia. Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare. Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact. Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. More than 50 locations, including Houston, New York, London, Toronto, Hong Kong, Singapore, Sydney, Johannesburg and Dubai. Attorney advertising References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose Fulbright entity/entities’). The principal office of Norton Rose Fulbright US LLP in Texas is in Houston. Save that exclusively for the purposes of compliance with US bar rules, where James W. Repass will be responsible for the content of this publication, no individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. © Norton Rose Fulbright US LLP 12/15 (US/mo/im) Extracts may be copied provided their source is acknowledged. Norton Rose Fulbright – December 2015 29 Law around the world nortonrosefulbright.com