Posted on January 19, 2010 by Christopher Wolf

New Guidance on Preservation of Electronically-Stored Information from Zubalake Judge

We regularly advise clients that the starting point for privacy and data security risk management is to understand what data is being held.  Knowing what data is being held (and preserving it) also is a key component of  compliance in litigation.  Indeed, the need for companies to data map their information long before litigation arises has increased urgency in light of a recent ruling.

In Pension Committee , the judge who issued the series of seminal Zubulake opinions, which essentially defined electronic document retention and discovery nation-wide, calls for litigants not only to identify key data keepers but to identify key data very early in litigation. Some of the new holdings described in Hogan & Hartson's Litigation Alert (link below) are likely to become as influential as the discovery-altering Zubulake decisions.

In Pension Committee Judge Scheindlin finds, among other things, that the failure to issue a written litigation hold for relevant individuals and data constituted gross negligence because that failure is likely to result in the destruction of relevant information. Severe sanctions, such as dismissal, monetary sanctions, and adverse inference instructions, were therefore presumptively appropriate absent contrary indications of good faith. Failure to appropriately collect and preserve electronically stored information from all key players may now also be considered gross negligence, and even failure to collect and preserve from less-involved employees may be considered negligent. Additionally, companies must be even more conscious of the fate of, and process in place to handle, former-employee data for fear of being found grossly-negligent if a preservation duty has attached. For more information about this important decision please see the attached Litigation Alert which was drafted by two members of our Electronic Information Group.

Tags: , , ,
  • Email This
  • Print
  • Share Link
Posted on August 21, 2009 by Wim Nauwelaerts

French Data Protection Authority Issues Recommendations in the Context of U.S. Discovery

On August 19, 2009, the French Official Journal published the French Data Protection Authority's (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently only available in French). The Recommendations were based at least in part on suggestions from a working group composed of representatives from all stakeholders, which was set up by the CNIL in 2008. The CNIL’s Recommendations are particularly useful for companies that find it difficult to reconcile French data protection and blocking statute limitations with U.S. discovery demands.

It is perhaps no surprise that the Recommendations largely echo the views of the Article 29 Working Party, which provided EU-wide guidance on pre-trial discovery for cross-border civil litigation earlier this year. Like the guidance from the Article 29 Working Party, the Recommendations do not apply to investigations by U.S. federal authorities or criminal offenses in the U.S. relating to data destruction.

The Recommendations emphasize that requests for information for U.S. discovery purposes should in principle be made through the standard procedure provided by the Hague Evidence Convention (which requires U.S. courts to deliver a ‘letter of request’ to the designated central authority in France). Non-compliance with the Hague Evidence Convention triggers the application of French criminal law - also referred to as ‘blocking statute’ - which prohibits the disclosure of information for discovery purposes in foreign jurisdictions. In addition, companies transferring personal data for U.S. discovery purposes will need to make sure that they comply with French data protection requirements. To facilitate compliance for companies that are asked to transfer personal data to the U.S. for use in civil litigation, the Recommendations provide an overview of the main data protection requirements (as well as some compliance options) under French law.  

As regards transfer of personal data to the U.S, the CNIL states that in some cases the transfer can be justified on the basis of Article 69-3 of the French data protection law.  Art 69-3 permits transfers necessary for the "meeting of obligations ensuring the establishment, exercise or defense of legal claims." This is good news because our understanding -- based on previous discussions of this issue with the CNIL -- was that article 69-3 could never apply in the case of pretrial discovery.  The new CNIL recommendation also suggest the use of protective orders to ensure that data transferred to another litigation party are protected from disclosure outside the context of the case.  The CNIL recommends using trusted third parties to conduct reviews to ensure that the personal data collected and transferred are not excessive, and that wherever possible, anonymization or pseudonymization is used.
Tags: , , , ,
  • Email This
  • Print
  • Share Link