The key issue in international e-discovery today is privacy and the conflict between the discovery laws of the United States, which give little or no regard to individual privacy, and that of the rest of the world, which do. In most of the civilized world today, privacy is a fundamental right. It is expressly stated in the government constitutions and other fundamental laws. The United States stands alone in considering privacy as a secondary, implied right, existing somewhere in the penumbra of other fundamental rights. Griswold v. Connecticut 381 U.S. 479 (1965).
Further, the few privacy rights we have are almost all lost when we go to work, especially when we use our employer’s computer systems. Even the privacy right which is arguably the strongest in our common law system, the right to secret attorney-client communications, is lost when you enter the workplace. See Adam C. Losey, Clicking Away Confidentiality: Workplace Waiver of Attorney-Client Privilege, 60 Fla. L. Rev. (2008) (pending publication). (That’s written by my son, not me, and should be available soon.)
Since we have such weak privacy rights, especially for employees, our courts routinely order foreign parties sued here to produce information that is protected from disclosure in their own country. From the perspective of these foreign companies, and their employees, we are the barbarians at the gate bullying away their fundamental rights.
The “Catch-22″of Cross-Border Discovery
The way things stand now, if you want to do business in the U.S., you have to forsake your company’s and your employees’ rights to privacy. You have to allow anyone who sues you, to sift through all of your email and other confidential records. The private communications of your CEO and blue collar workers alike are fair game for any plaintiff to pry into. About the only protection U.S. rules provide are found in our incredibly broad and vague relevancy standard. Here, the information sought only has to be “reasonably calculated to lead to admissible evidence.” The rest of the world finds it incredible (and so too do many in the U.S.) that a plaintiff can read their email, even if it is not relevant, if they can simply argue it might lead to relevant information. Most of the time courts will allow them to do so even before the court has determined that their complaint states a cause of action.
If you, as a foreign litigant, refuse to turn over the information, and instead honor the fundamental rights of your employees and follow the laws of your home country, then U.S. courts are going to punish you with an assortment of sanctions, including adverse inference instructions, fee awards, or even the ultimate sanction of entering a judgment against you. The choice between compliance with the U.S. forum court law, or the law of the country in which the ESI or employees are located, has been called a Hobson’s Choice or Catch 22 situation by the Sedona Conference. They have just completed an excellent publication on international e-discovery entitled: “The Sedona Conference® Framework for Analysis of Cross-Border Discovery Conflicts: A Practical Guide to Navigating the Competing Currents of International Data Privacy and e-Discovery” (August 2008 Public Comment Version). This publication can be downloaded for free at the Sedona Conference website.
Electronic discovery has become the front line of the conflict between the U.S. legal system and the rest of the world. Whenever a foreign company is sued in the U.S., it becomes subject to discovery requests, which today means primarily discovery of the information they keep in their computers (ESI). When the information is kept in computers located in their home country, or involves non-U.S. employees who enjoy fundamental privacy rights that we do not, a conflict of law issue arises. See Cate and Eisenhauer, “Between a Rock and Hard Place: The Conflict Between European Data Protection Laws and U.S. Civil Litigation Document Production Requirements,” Privacy & Security Law Report, Vol. 6, No. 6, 02/25/2007; Leeuw and Wellner, European Data Privacy Laws Pose E-Discovery Problems; New York Law Journal (May 21, 2008).
Litigants, typically plaintiffs, want information that they are entitled to under U.S. law to try to prove their allegations of wrongdoing. But oftentimes the ESI they want and have a right to under U.S. law is located in jurisdictions where they have no right to that information. In fact, in many countries, including all of Europe, it would be a crime for the holders of that information to disclose it without the express permission of the individuals involved.
The rest of the world is getting tired of the U.S. allowing any plaintiff to put their companies into this kind of untenable situation. The U.S., especially certain state courts located in the U.S., is the forum of choice for most class action lawsuits. Often the threat of invasive discovery allows a kind of legal extortion of inflated settlements. The world outside of the U.S. sees our enforcement of no-privacy discovery rules as a kind of legal bullying on our part, and as will be explained here, they are starting to fight back.
U.S. Privacy Laws
There is no express constitutional right to privacy in our legal system. Lee Goldman, “The Constitutional Right of Privacy” 84 Denv. U. L. Rev. 601 (2006). Instead, our unenumerated privacy rights exist as mere shadows of more basic rights that are enumerated in our constitution, such as the right not to have soldiers stationed in your home. I kid you not. Here are the words of Justice Douglas in Griswold where the Supreme Court first articulated this right:
Previous cases suggest that the specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that give them substance. Various guarantees create zones of privacy, such as the First Amendment right of association, the Third Amendment prohibition against quartering soldiers in a home, the Fourth Amendment right to be secure in one’s person, house, papers, and effects, the Fifth Amendment right to not surrender anything to one’s detriment, and the Ninth Amendment right to not deny or disparage any right retained by the people. These cases press for recognition of the penumbral rights of privacy and repose.
Note how even this landmark Supreme Court case, by renowned legal scholar Justice Douglas, mixes the right of privacy with the right of repose, whatever that is – the right to be left alone and go back to sleep I suppose. (This is just what every ruler wants the populace to do!)
There was an active dissent in Griswold that should not be forgotten. Dissenting Justices Hugo L. Black and Potter Stewart argued that a general right to privacy could not be inferred from any part of the Constitution. Further, they criticized the majority for deciding this case according to personal opinion instead of following the text of the Constitution. Justice Black wrote, “I like my privacy as well as the next one, but I am nevertheless compelled to admit that government has a right to invade it unless prohibited by some specific constitutional provision.” In Griswold, Black found no “specific constitutional provision” that prohibited the state government’s regulation of the private behavior at issue in this case.
You may think things have come a long way since Griswold asserted these penumbral privacy rights in 1965. Indeed, there have been advances, but most of the world remains unimpressed. Our zones of privacy are, in my view, quite sketchy, especially in this new century with the widespread collection of personal information databases, online intrusions, the growing problem of identity theft, and the many compromises made since 9/11/01 in the name of the “War on Terror.” See eg. USA PATRIOT Act, 18 USC §2712, 31 USC §5318A (2004).
Politics aside, the power of technology to invisibly encroach upon our privacy is perhaps the most troubling new development. Many people think that the incredible ability of new technologies to intrude upon privacy demonstrates the need to rethink and elevate its legal status. See Susan E. Gindin, “Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet,” 34 San Diego Law Review 1153 (1997); Electronic Privacy Information Center; Open Security Foundation’s Dataloss Report; Electronic Frontier Foundation; U.S. DOJ on Privacy Issues in the High-Tech Context.
The most significant privacy opinion after Griswold by the Supreme Court came just two years later in Katz v. U.S., 389 U.S. 347 (1967). Katz created a two prong “reasonable expectation” of privacy test that has often been criticized as circular and vague. Posner, “The Uncertain Protection of Privacy by the Supreme Court,” 1979 S. Ct. Rev. 173, 188.
The first prong — subjective privacy — is whether the person exhibited a personal expectation to be left alone from government intrusion. Our expectations, in the eyes of the rest of the world, are incredibly low. We appear to be a nation of Gladys Kravitz busy-bodies. We do not seem concerned that a big brother government, especially the judicial branch, can peer into everything you do. In fact, one of the most popular television shows in America is called Big Brother and celebrates that total lack of privacy. We seem to have forgotten the evil Big Brother in George Orwell‘s 1984.
The second prong of the legal test — objective privacy — is whether the personal expectation is one that society is prepared to recognize as reasonable. Again, our personal expectations of privacy are low, especially in the workplace. It is as if we take for granted that every thing we say at work, every email we write, may someday be seized and read to a jury, and thus the newspaper, since trials in the U.S. must be public.
The media and some high tech companies would have us all embrace a paparazzi life style, where we all fancy ourselves a celebrity, at least for fifteen minutes, and gaze trustfully at the ever-more-prevalent Google cameras. A recent Wall Street Journal article “Privacy? We Got Over It” promotes this view. It suggests that Americans and Brits do not really care about privacy anymore. It quotes the advice of Scott McNealy, chairman of Sun Microsystems, who in 1999 said, “You have zero privacy anyway. Get over it.” And the observation by Oracle CEO Larry Ellison: “The privacy you’re concerned about is largely an illusion. All you have to give up is your illusions, not any of your privacy.” But see The Privacy Journal by Robert Ellis Smith, an attorney, journalist, and author of several books on privacy; Scientific American editorial, Seven Paths to Regulating Privacy making specific suggestions to improve privacy in the U.S. lost by technological advances.
Robert Ellis Smith, who is cited by the Scientific American editors, traces the roots of America’s privacy deficiency to our Puritan roots. Scientific American quotes Rev. Robert Browne, an influential Anglican minister who said in 1582 “We must all watch one another.” According to Robert Ellis Smith, this quote, and the attitude behind it, originate in a dark puritanical view of the human spirit as weak and prone to wickedness without the constant “support” of a community of spies and informers. Smith contends that this view had enormous influence on the New England Puritans and still lingers with us in today’s voyeuristic society. R.E. Smith, “Ben Franklin’s Web Site: Privacy and Curiosity From Plymouth Rock to the Internet” Privacy Journal (2004). (Think this is ancient history? Think again! City councils in Great Britain have recently begun recruiting unpaid volunteers to spy on their neighbors and report such things as garbage recycling and dog poop violations. According to this London news report: “The ‘environment volunteers’ will also be responsible for encouraging neighbours to cut down on waste.”)
In the U.S. we only seem to think that certain limited types of information about ourselves are entitled to privacy protection, such as our medical records, financial records, and social security numbers. It does not even occur to us, like it does to the average European (excluding the U.K.), that all of our personal information is inherently private, even information in an email identifying whether a particular employee was an author or recipient. Sedona Framework at pg. 9, Fn. 34.
Most employers in the U.S. today make it clear to their employees that they have no right to privacy in anything they do on a computer at work. They monitor their employees’ email and Internet use, and some even go so far as to record every key-stroke they make. The basic rationale is that the computers they use at work belong to the company, so anything an employee writes or does using these computers belongs to the company, regardless of whether they are on a break or after hours. Some courts will also view it as a matter of contract law. The employees “contracted away” any rights they may have had to privacy. Karen Eltis, “The Emerging American Approach to E-Mail Privacy in the Workplace,” 24 Comp. Labor Law & Pol’y Journal 487, 489 (2005) (“employer exercises quasi-absolute sovereignty over employees, having availed himself or herself of their services by virtue of the employment contract”).
American workers seem to accept and submit to this master-servant type of relationship, but in Europe and other countries, it is considered an oppressive violation of basic human dignity. The workers in these countries do not contract away their fundamental human rights, which for them includes a right to privacy. Instead, these rights automatically carry over into the workplace. For instance, in France, it is not legal to inspect an employee’s computer at work, even when the employer has reason to suspect wrongdoing. Philippe K. v. Cathnet-Science, Cour de Cassation, Chambre Sociale, Arret No. 1089 FS-P+B+R+1, Pourvoi No. J-03-40.017, 5/17/05 (holding that presence of erotic photos on employees desk was not grounds for searching his computer); Societe Nikon France v. M. Onof, Cass. soc., Oct. 2, 2001, Bull Civ. V, No. 291 (finding an employee’s rights violated when the employer searched his computer upon suspicion employee was conducting a side business); Davila, Erica; International E-Discovery: Navigating The Maze, 8 U. Pitt. J. Tech. L. Pol’y 5 at pgs. 4-5 and Fn 35 (Spring, 2008). As Davila observed at page 5 of her excellent article:
[M]any countries view privacy in the workplace differently than the United States does. There is generally no expectation of privacy in workplaces in the United States, and so requesting and receiving e-mail in discovery is commonplace. In the EU, however, there is an expectation of privacy in the workplace, and so e-mail sent and received via work accounts may not be discoverable.
Privacy Laws Outside of the U.S.
Most modern democratic countries today have strong individual privacy rights, including all of the countries of Europe. They consider personal privacy to be an inalienable human right, on the same stature as the right to free speech and assembly. The treaties and law that underlie the European Union embody these privacy principles. The fundamental law in this area is the European Convention on Human Rights of 1950:
Article 8 – Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The European Union clarified that these privacy rights apply to computer data back in 1995 by adoption of the European Union’s Data Protection Directive:
Article 1 – Object of the Directive
1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.
Some American apologists have tried to explain the European privacy laws as a kind of over-sensitivity on their part arising out of their WWII experience with Nazi Germany. So what is wrong with learning the lessons of history? Many countries outside of Europe have strong privacy laws, having learned the same lessons from other totalitarian regimes, including communist. See eg. Article 17 of the Korean Constitution which states that all citizens shall enjoy the inviolable right to privacy, and Article 18 which provides that the secrets of all citizens shall be protected.
Do we have to have a federal gestapo reading all of our email before we react? Let us never forget why our own Bill of Rights was formed. It was a lesson our Founding Fathers learned in 1776 from the oppressive rule of the first King George. If our Founding Fathers were alive today, I have no doubt they would access the situation with dismay, and rush to add a new privacy right amendment that at least equaled the laws of France.
The World is Fighting Back
Most of the world has reacted to what they perceive as overly-intrusive American discovery laws by enacting what are called blocking laws. These are laws designed to try to protect their citizens and businesses from our no-privacy legal system; some expressly, and some by implication, such as Swiss banking privacy laws. The Sedona Framework cites to a number of these laws, but let’s focus on what France has done.
In 1980, France enacted a criminal law that outlawed discovery within France by private parties for litigation abroad. French Penal Law No. 80-538 provides:
Subject to international treaties or agreements and laws and regulations in force, it is forbidden for any person to request, seek or communicate, in writing, orally or in any other form, documents or information of an economic, commercial, industrial, financial or technical nature leading to the constitution of evidence with a view to foreign judicial or administrative procedures or in the context of such procedures.
Sedona Cross-Border Framework at pg. 18, Fn. 74.
These blocking statutes, including the French one, have not been enforced. For this and other reasons, when a French company is sued in the U.S., and they oppose discovery on the grounds it would violate French law, the typical reaction of the U.S. Court has been “too bad.” You did business in the U.S., you got sued here, so now you have to follow our discovery rules. Enron v. J.P. Morgan Securities Inc., No. 01-16034 (Bankr. S.D.N.Y. July 18, 2007) (involved a French bank); United States v. Vetco, 691 F.2d 1281 (9th Cir. 1981) (involved a Swiss bank); Hagenbuch v. 3B6 Sistemi Elettronici Industriali S.R.L., 2005 U.S. Dist. LEXIS 20049, at *14 (N.D. Ill. Sept. 12, 2005) (involved an Italian company); Columbia Pictures Industries v. Bunnell, at pgs. 28-30; affirmed at 245 F.R.D. 443 (C.D. Cal. 2007) (involved discovery of RAM memory and a website located in the Netherlands).
As a general rule, U.S. courts do not give much weight to foreign blocking laws because they consider them mere Paper Tigers, and besides, they do not much like the idea of foreign countries trying to interfere with our rules of discovery. Although this reasoning may be morally suspect if you value the right to privacy and comity, it was based in fact. Until recently, the blocking laws were never enforced, even in France.
The foreign prosecutors would recognize that their citizens and businesses were in a Catch 22 situation, and back-down to the U.S. courts. It was like two countries playing a game of legal-chicken. Quite naturally, the U.S. courts would always win that game. The foreign prosecutors and judges would have to back down, because otherwise they would have to punish one of their own. But, as will be explained below, the French appear to have grown weary of losing this game. They tire at watching U.S. courts bully their corporations into disclosing private information to U.S. plaintiffs, even though that directly violates French law. They now appear more than willing to sacrifice one of their own to show that they mean business.
The French Bite the Bullet
After over twenty years of not enforcing their blocking statutes, and observing the near uniform reaction of American courts, it has become obvious to foreign jurisdictions that if they do not start enforcing these laws, they might as well repeal them. For otherwise, the U.S. courts will never take them seriously. If that means a few sacrificial lambs, then so be it.
France has become the first country to so bite the bullet and publicly enforce its blocking laws. It arrested and criminally prosecuted one of its own, a French lawyer no less. In re Advocat “Christopher X”, Cour de Cassation, French Supreme Court, December 12, 2007, Appeal n 07-83228. This is the first such prosecution on record, which was started by a French judge in secret two years ago, and has just recently come to light in this opinion of the Supreme Court of France. Thanks to the Sedona Cross-Border Framework group for discovering this opinion and bringing it to our attention. Sedona touts this decision as ground-breaking and I agree.
The french lawyer, Christopher X, was representing his French corporate client, and complying with an order of a federal court in New York. Strauss v. Credit Lyonnais, 242 F.R.D. 199 (E.D.N.Y. May 25, 2007). The U.S. District court had rejected Credit Lyonnais’ argument that it would face possible criminal prosecution by French banking authorities if it complied with the requested discovery order. The U.S. court held that there was a low likelihood of actual prosecution, and so did not give this factor any weight. The court ordered the defendants to disclose records relating to the case within 30 days. When the French advocate started to do that by interviewing a witness in France, he was arrested and prosecuted.
The French in effect finally did not blink; they carried out their law. Would we have done any less if the shoe was on the other foot? If, for instance, a foreign court (think China) had tried to interfere with a right which we consider important, such as freedom of speech or religion? The foreign court might not consider these rights to be that important, just like we do not consider an employee’s right to privacy to be that important.
Mr. Christopher “X” was convicted and fined €10,000 (about $15,000), and could have been sentenced to six months in jail. I cannot help but suspect that if an American lawyer had gone to France for the information, he would have gone to jail (and we would probably know his last name). In fact, I have heard many stories from e-discovery vendors of being threatened with arrest or having their hard drives confiscated at the border by customs. The e-discovery vendors are easy targets and they are very paranoid about it, and always use local people as far as possible. It would not surprise me to see the next criminal prosecution against one of the major e-discovery vendors and a few of their “just following orders” employees.
The Sedona Cross-Border Framework has a good discussion of the significance of In re Advocat “Christopher X”:
The recently published decision of the French Supreme Court affirming the criminal conviction of a French attorney for violating the French Blocking Statute casts in doubt a great deal of U.S. case law precedent on the issue of cross-border discovery. Prior U.S. court decisions ordering cross-border discovery over the objections such discovery violates foreign blocking statutes is expressly premised on the heretofore absence of any public enforcement of such statutes.
Historically, the attitude of the U.S. Supreme Court and U.S. federal and state courts at all levels has been that the threat of such prosecution is, in reality, just a minor factor in the type of proportionality analysis called for by the Restatements of Law. The U.S. courts in these cases almost uniformly reason that in the absence of enforcement of foreign blocking statutes, the Hague Convention cannot be considered the exclusive means of cross-border discovery. This is, if blocking statutes have teeth but no bite, then cross-border discovery should be ordered, albeit with some restrictions based upon the type of case, and uniqueness and relevance of the information sought. . . .
The circumstances of publication of the French decision almost one year later, and its grand jury-like proceedings begs the question whether there have been prior such unpublished decisions. . . .
Now that the logical syllogism upon which prior U.S. case law is based is broken, the stage is set for U.S. Courts to reconsider . . [and] more thoughtfully than ever weigh the civil and criminal consequences in their jurisdictions . . . The stakes of this “Catch-22” are higher than ever before. And the situation cries out for a collaborative framework in which cross-border legal disputes can effectively be resolved.
Sedona Proposes a Solution to the Catch 22 Conundrum
True to the standard setting traditions of the Sedona Conference, the working group behind the Framework for Analysis of Cross-Border Discovery Conflicts not only identifies the problem, but proposes a solution, namely a framework for analysis. The leaders of this Sedona group are M. James Daley and Kenneth N. Rashbaum. They have been helped by Kenneth J. Withers, Quentin Archer, Moze Cowper, Paul Robertson, Amy H. Chung, and Conor R. Crowley. Here is their proposed seven-fold framework:
Ideally, determining the scope of cross-border discovery obligations should be based on a balancing of the needs, costs and burdens of the discovery with the interests of each jurisdiction in protecting the privacy rights and welfare of its citizens. The following factors should be considered in this balancing:
1. The nature of the data privacy obligations in the jurisdiction where the information is located;
2. The obligations of the responding party to preserve and produce relevant information in the jurisdiction where the dispute is filed and the jurisdiction where the data is located;
3. The purpose and degree of custody and control of the responding party over maintaining the
4. The nature and complexity of the proceedings;
5. The amount in controversy;
6. The importance of the discovery to resolving critical issues; and
7. The ease and expense of collecting, processing, reviewing and producing relevant information, taking into account:
a. the accessibility of the relevant information;
b. the volume of the relevant information;
c. the location of the relevant information;
d. the likelihood that the integrity and authenticity of the information will be impaired by the discovery process; and
e. the ability to identify information that is subject to foreign privilege and work product protection from disclosure.
If you do any work with international e-discovery, you should study this Sedona publication and look for ways to apply this framework to address the serious issues you face. These issues now include a very real threat of arrest and criminal prosecution in a foreign land.
I like this framework and think it will help. I would, however, like to see the cost factor emphasized more and add “specificity of the request” as a consideration. This is just the first public comment draft of the publication and if you have input, including criticisms, they would like to hear them.
Sedona has provided a good conceptual framework for courts and lawyers to use to analyze the international e-discovery issues. This is a good tool to try to fairly address the “Catch-22” conundrum created by the conflict of laws. But it does not address the source of the problem, the imbalance between the U.S. legal system and the rest of the free-world.
Our laws provide relatively weak privacy protection, and this problem is compounded ten-fold by our “let-it-all-hang-out” discovery system. There are virtually no privacy rights granted to employees of companies, domestic or foreign, whose employers are sued in a U.S. court. Their email and private documents will be seized and read, even email kept on their home computers or personal email accounts. The so called limit of “reasonably calculated to lead to the discovery of admissible evidence” is bogus and subjective.
If we are to stop being seen as “Privacy Barbarians” by the rest of the world, we need to address these fundamental concerns. Privacy rights should not be limited to the home and a few zones of interest. We must learn the harsh lessons of history, of Hitler, Stalin, and Mao, in order to avoid their repetition in a high-tech world of constant surveillance. The time has come for us to realize that privacy is an inalienable human right, not a shadowy extension of other rights. Just like the freedom of religion or free speech, we should not allow it to be contracted away as a condition of employment. When we finally elevate privacy to a core right, we will join the ranks of other civilized countries and this conflict of laws will disappear.
The only way out of the current Catch 22 conundrum is for the U.S. to lift its standards up to that of the rest of the free world. We need to greatly strengthen our own privacy laws, especially those pertaining to employees, so that they are roughly equal to that of other democratic countries. Why should the people of France enjoy greater rights and freedoms than Americans?
Since most of the free world has clear privacy rights built into their constitution, in my opinion we must do the same to attain real parity. A new Privacy Amendment to the Constitution should be passed. I know that a Twenty-Eighth Amendment to the United States Constitution would have huge political implications beyond e-discovery, international comity, and employee rights. Privacy rights underlie some of the most controversial issues of our day, including abortion, gay marriage, pornography, assisted suicide, and the de-criminalization of drug use. Still, I think we as a society should at least start talking about it, rather than continue to muddle through with vague laws subject to so much political manipulation and court stacking.
The other Losey who is writing on this general subject takes a different, more conservative view. “Clicking Away Confidentiality,” supra. Adam in his conclusion suggests that a more gradual approach may ultimately rectify the imbalance in employee privacy rights between the U.S. and the rest of the world:
[I]t is possible that employee privacy rights in the United States will broaden over time to the point that workplace waiver is no longer an issue. Most countries outside the United States offer significantly more privacy rights for employees, and the United States may eventually fall into line with the rest of the world and legislatively establish broader privacy rights for employees in the workplace.
The impetus behind this broadening of employee privacy rights may come from upper level management, and other control group employees. Control group employees are often responsible for making decisions regarding employee privacy and employee surveillence, and yet they themselves are employees. Thus, there is a strong incentive for the employee-authors of employee policy manuals to broaden employee privacy rights per the employer’s policies.
These are good insights into corporate culture. I admit that greater privacy rights for employees are probably more likely to come to pass in this manner, than by my fantasy of a new constitutional amendment. After all, the email of senior management is the number one target of every plaintiff’s fishing expedition.
In addition to strengthening privacy rights, a solution to the international e-discovery conundrum requires a significant tightening of our relevancy standards. We need to move away from our current vague standard. It is ideally calculated for intrusive, over-broad document requests and often results in wildly inconsistent interpretations on permissible discovery. We should, instead, only allow discovery of directly relevant information. Moreover, before we start reading emails and other private communications, there should be some kind of good cause showing.
Finally, I think we should start to move slightly towards the European, Civil Code system of discovery, where the judges are far more active and tightly control discovery. I am not suggesting we abandon discovery all-together and adopt the Civil Code system, but I am suggesting a more active bench and better policing of over-reaching discovery abuses. Simply asking counsel to act like professionals and work things out, which is the typical reaction of most judges today on discovery issues, is a non-solution that has been failing for years.
I recognize that our judiciary is now over-worked and under-staffed and is thus unable to take on the kind of active role needed to curb these abuses. So I couple this suggestion with a plea for more judges and much higher pay. Also, I would suggest a move away from elected judges in our state systems. We should instead follow the German system where the best and the brightest are routinely recruited right out of law school into a judicial track.
Ken Withers, Director of Judicial Education and Content of The Sedona Conference, recently discussed some of these issues with me via email, which he has graciously allowed me to quote:
As we said in the Webinar, recent events in the US may move us towards a more European view of privacy that might result in restrictions on the scope of some discovery or lead to greater involvement of the judge in controlling discovery. At the same time, at least in the UK, the strict and overbroad definitions of “personal data” and “processing” may be giving way to a more practical approach that recognizes the need to have some reasonable methods for moving data, while protecting core privacy interests.
The problem in the US is the solution. A much greater role for the managerial judge in narrowing the scope of discovery, as proposed in the Economist article, would mean a complete revamping of our judicial system. Judges simply could not continue to have caseloads between 400 (considered light) to 1000 or more cases (in our border districts) and dramatically increase their personal involvement in civil discovery. We have “party driven” discovery in part because we have a judicial system that is incredibly thin on resources. The inquisitor/case manager model of the European courts requires a large number of judges with specialties, compared to the small number of generalists who cannot afford to get into the details of the case.
The Economist article Ken refers to here is called The Big Data Dump. It reviews the problems the U.S. is experiencing with e-discovery and suggests that the solution lies in a move towards the Civil Law inquisitorial approach where the amount of e-discovery allowed would be tightly controlled. The article also claims that the U.K. and other common law countries are already well along in that direction.
I don’t know what is more unlikely, hiring many more judges and raising their pay so as to follow the inquisitorial approach, or a privacy amendment to the Constitution. Both seem like a long shot right now.
The best temporary fix may be a voluntary strengthening of privacy rights by employers, as Adam suggests, coupled by a revision to the federal and state procedural rules to tighten discovery. For instance, the scope of e-discovery could be limited to relevance, and a showing of good cause could be required before an employee’s email, instant messages, etc., are read without their consent. Congress could also enact legislation short of amending the Constitution which addresses these issues. I would start by providing much stronger privacy protections to all email and other electronic communications and criminalize its seizure and disclosure without all parties’ consent. The only exception should be a court order after a showing of good cause. This should not only apply to restrain the government from secret eavesdropping, but also to restrain parties in litigation from excessive discovery.
I’m a French digital forensic practitioner. I’ve been recently (about one year) involved in some e-discovery processes, of very different sizes. In some cases, the dispute was originating from the USA and then spread over to Europe, both in Common and Civil Law countries.
In order to circumvent as much as possible the “catch-22” problem, a local e-discovery team was setup for France (and I imagine for each Civil Law country). The local team was drawn to comply with the laws of the country and the relevant evidences were not leaving the country. In addition to that, special measures were taken, like the enrollment of sworn digital forensic practitioners, which means recognized by the French legal system.
I’ve read the paper from the Sedona Conference, which is remarkably written and documented, and then your blog articles. I understand that even with a good deal of precautions such e-discovery processes have many flaws. I concur that a change in the privacy protection in the US could solve most of the issues, but I don’t think it likely to happen soon. In the meantime, the use of the legal means proposed in the Hague Convention should be sought.
For those interested (and reading French) the Supreme Court of France is there: http://www.lexinter.net/JPTXT4/JP2005/recherche_de_renseignements_tendant_a_la_constitution_de_preuves_dans_une_procedure_etrangere.htm
I must say that e-discovery is a very challenging topic, and I really like it. And it does not impede me to continue my hard-forensic investigations on small scale devices, which are light-years from e-discovery.
As a final remark, the French system has something similar to e-discovery which is called “assistance huissier”, but it works only for France I think.
[…] Losey, Are we the Barbarians at the Gate? Ralph Losey’s commentary on the Sedona Conference cross-border discovery paper includes […]
Another fascinating post. I realize I’m very late to the table here, but I’m curious about something… You quote Ken Withers as saying that the strict European approach to data privacy “may be giving way to a more pratical approach that recognizes the need to have some reasonable methods for moving data.” Do you know why he believes this to be the case? It would seem to me that one of the major messages of this post is that the “Christopher X” case is a signal that the French, at least, take their rules very seriously and are not planning on compromising them any time soon. Quite the opposite, in fact. Is there something going on in the UK and/or elsewhere in Europe that would suggest otherwise?
A. Rein is quite right that the French take their blocking statute quite seriously, as the Christopher X case demonstrates. However, we need to distinguish between the French court’s enforcement of their criminal statute, on the one hand, and the work that EU data protection officers are doing to find reasonable accommodation with the need for data transfers in the ordinary course of business. I am reminded of a British appellate court decision that reflected practical reality, Durant v. Financial Services Authority,  EWCA Civ 1746 (Supreme Court of Judicature Court of Appeal, Civil Division), in which the court states at Para. 28: “Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data” conferring the rights enumerated in the Act. Two more recent British court decisions involving cross-border electronic discovery issues don’t even mention the Act: Digicel Ltd v. Cable & Wireless Plc,  EWHC 2522 (Ch) (considering the adequacy of a party’s automated search fore relevant documents) and Hedrich v. Standard Ban London Ltd  EWCA Civ 905 (considering the duty of a solicitor to make inquiries into his client’s electronic disclosures). At least one European data protection officer has publicly expressed the view that the Sedona ‘Framework’ paper is a positive step towards a dialogue. So I do not think that the European data privacy bar operate as a per se prohibition on civil discovery, let alone data transfers in the ordinary course of business. That said, there is still a cultural divide between the US and European attitudes toward data protection and privacy that needs to be bridged, as well as tremendous skepticism of the American civil litigation system on the part of Europeans and a tendency of American lawyers and judges to be dismissive of European attitudes.
[…] extremely difficult. I have written about privacy as a core issue in international law before in Are We the Barbarians at the Gate? I am not going to rehash the international e-discovery issues here. Instead, I will explore the […]
[…] that this case raises in the Chapter entitled Are We the Barbarians at the Gate? (pages 364-283 and also on this blog). Quon could, if the Supreme Court wishes, address the growing lack of personal privacy in the […]