HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

Thanks to Eric Bukstein in the Hogan Lovells privacy group for providing this report.

On May 3, 2010, in Arista Records v. Doe 3, a Second Circuit panel issued an opinion finding that an Internet user’s right to remain anonymous is not sufficient to prevent an ISP from revealing his identity in a copyright infringement dispute. The court held that a record label may subpoena information about Internet users connected to IP addresses if there is sufficient evidence that the IP addresses had been used to illegally share music. 

• Email This
• Print
• Share Link

This blog entry is provided by Hogan & Hartson litigators Trevor Jefferies in our Houston Office and Alvin F. Lindsay in our Miami Office:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence.  This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

European Union policies protecting personal privacy almost always conflict with United States policies that grant litigants full and complete discovery of documents and electronically stored information in U.S. court actions.  The conflict is particularly acute in France, where a French corporation participating in U.S. litigation may easily run afoul of the French Blocking Statute (Law No. 68-678, as amended), data processing laws (e.g. Law No. 78-17, as amended), and the EU Directive 95/46 on Personal Data (“Directive”), among others.

Indeed, after years of goading by U.S. courts, French authorities even prosecuted someone, a French lawyer, under the blocking statute.  His crime was attempting to comply with a U.S. court order compelling production of documents.  See In re Christopher X, Cour de Cassation, Chambre Criminelle, Paris, December 12, 2007, No. 07-83228 (French Supreme Court upholding conviction and €10,000 fine against French lawyer attempting to facilitate collection of evidence for use as ordered in a U.S. judicial proceeding).  Examples of U/S. goading include In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a “realistic risk of prosecution”) and Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987) (“this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure"). 

With French and EU law acting to prevent a litigant engaged in the U.S. litigation discovery process even from collecting a relevant employees' e-mails for litigation purposes, let alone viewing the e-mails to see if they contain relevant information, French parties seem at a distinct disadvantage in a U.S. forum.  Failing to produce relevant documents is a direct path to an uncomfortable hearing before the U.S. judge and possibly severe sanctions such as a default judgment being entered against those parties for not complying with discovery orders.

Thus, Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 is a significant development.  In that case, an accounting firm fired Bruno after the firm discovered files on his work computer addressed to government regulators wherein Bruno disparaged the firm for alleged tax and related fraud as well as working conditions.

The documents held subject lines as “Essay 1”, “Essay 2”, and so on, which the firm discovered without Bruno’s permission or presence. Bruno sued the firm seeking damages for unjustified dismissal, arguing that the firm violated his rights under EU privacy (human rights) conventions, as well as several provisions of the French labor code, claiming the documents were his personal data.  On appeal, the Cour de Cassation Chambre Sociale held for the accounting firm, finding that because Bruno failed to mark the documents as “private,” the firm justifiably assumed that the documents were work-related and could open them.

The Bruno B. case clearly refines the general rule set forth in an earlier case from the same court, Nikon France vs. Onof, Cass. Soc., No. 4164 (Oct. 2, 2001), where the French high labor court established that employees have a right to privacy in the workplace and held that an employer cannot search an employee’s files stored on a work computer without breaching the employee’s right to privacy.  The Nikon case’s broad ruling has been the subject of private criticism, especially from business interests in France, but now, after Bruno B., there is arguably no right to privacy to an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal.  Simply labeling the documents as “personal” or “private” may have been enough to compel the Bruno B. court to rule in the employee’s favor, but the holding is still a far cry from the absolute presumption that any data with an employee’s name is private.

• Email This
• Print
• Share Link

We regularly advise clients that the starting point for privacy and data security risk management is to understand what data is being held.  Knowing what data is being held (and preserving it) also is a key component of  compliance in litigation.  Indeed, the need for companies to data map their information long before litigation arises has increased urgency in light of a recent ruling.

In Pension Committee , the judge who issued the series of seminal Zubulake opinions, which essentially defined electronic document retention and discovery nation-wide, calls for litigants not only to identify key data keepers but to identify key data very early in litigation. Some of the new holdings described in Hogan & Hartson's Litigation Alert (link below) are likely to become as influential as the discovery-altering Zubulake decisions.

In Pension Committee Judge Scheindlin finds, among other things, that the failure to issue a written litigation hold for relevant individuals and data constituted gross negligence because that failure is likely to result in the destruction of relevant information. Severe sanctions, such as dismissal, monetary sanctions, and adverse inference instructions, were therefore presumptively appropriate absent contrary indications of good faith. Failure to appropriately collect and preserve electronically stored information from all key players may now also be considered gross negligence, and even failure to collect and preserve from less-involved employees may be considered negligent. Additionally, companies must be even more conscious of the fate of, and process in place to handle, former-employee data for fear of being found grossly-negligent if a preservation duty has attached. For more information about this important decision please see the attached Litigation Alert which was drafted by two members of our Electronic Information Group.

• Email This
• Print
• Share Link

In Ethics Opinion 2009-1, Vermont has taken its place in line behind several other states that have found that a lawyer who produces electronic documents has a duty of reasonable care to avoid disclosing confidential metadata.  This is a straightforward approach that translates easily to a lawyer’s everyday practice.

The same cannot be said of the lawyer on the receiving end of the electronic document production.  The Vermont Bar Association found that:

"to insert an obligation into the Vermont Rules of Professional Conduct that would prohibit a lawyer from thoroughly reviewing documents provided by opposing counsel, using whatever tools are available to the lawyer to conduct this review.”  

Vermont’s ethics rules also mandate that the receiving lawyer must notify the producing party “if he knows or reasonably should know that the document was inadvertently sent.”

Okay, fine. But how would this work in practice?  Metadata is in a special class of data/documents because it often reveals corrections, deletions, comments, etc. that reveal attorney-client communications or attorney work product.  If the receiving party does not have the consent of the producing party to review metadata but is permitted to do so any way, doesn’t the Vermont rule amount to an invitation (if not an obligation) to mine for privileged data and then speak up later?  Vermont’s substantive state law may limit how or whether such data may be used, but still, isn’t this an unreasonable intrusion into the attorney-client relationship? 

Other states’ (e.g., Arizona, Florida, New Hampshire) ethics rules disincentive such mischief by prohibiting a lawyer receiving electronic communications from examining it for the purpose of discovering embedded metadata absent special circumstances (consent, accident).  Isn’t this bright-line rule more consistent with a lawyer’s ethical obligations of honesty and forthrightness?

• Email This
• Print
• Share Link

 Within four days of each other, courts in D.C. and New York issued opinions setting forth the standard necessary to compel the discovery of the identity of anonymous speakers in cases in which the plaintiffs alleged that the anonymous speech defamed them. While they considered identical issues, the courts came to different conclusions regarding the strength of a plaintiff’s case required to unmask an anonymous speaker.

 In the New York case, an anonymous blog entitled “Skanks of NYC” posted suggestive pictures of Manhattan-based model Liskula Cohen with captions using the words “skank,” “skanky,” “ho,” and “whoring.” Cohen wanted to sue for defamation, and requested that the blog’s owner, Google, provide the blogger’s identity. When Google refused, Cohen sued to compel it to release the identity so she could proceed with her suit.

On August 17, in Cohen v. Google, New York trial judge Joan Madden granted Cohen’s motion, citing precedent stating that a petition for pre-trial discovery is warranted when “the petitioner demonstrates that he or she has a meritorious cause of action and that the information sought is material and necessary to the actionable wrong.” Noting that the use of the disparaging terms in context with the suggestive images carried “a negative implication of sexual promiscuity,” Madden held that the blog was “reasonably susceptible of a defamatory connotation” and thus was actionable. Since Cohen could not sue for defamation without the blogger’s identity, Madden deemed the identity “material and necessary to the actionable wrong” and ordered Google to disclose it. (The blogger turned out to be an acquaintance of Cohen’s whom Cohen reportedly disparaged to her ex-boyfriend, and is now planning to sue Google for revealing her identity. After determining the acquaintence’s identity, Cohen dropped her lawsuit.)

• Email This
• Print
• Share Link

On August 19, 2009, the French Official Journal published the French Data Protection Authority's (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently only available in French). The Recommendations were based at least in part on suggestions from a working group composed of representatives from all stakeholders, which was set up by the CNIL in 2008. The CNIL’s Recommendations are particularly useful for companies that find it difficult to reconcile French data protection and blocking statute limitations with U.S. discovery demands.

It is perhaps no surprise that the Recommendations largely echo the views of the Article 29 Working Party, which provided EU-wide guidance on pre-trial discovery for cross-border civil litigation earlier this year. Like the guidance from the Article 29 Working Party, the Recommendations do not apply to investigations by U.S. federal authorities or criminal offenses in the U.S. relating to data destruction.

• Email This
• Print
• Share Link