International eDiscovery

eDiscovery and the GDPR: Ready or Not, Here it Comes: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Here’s the first part.

Part One: What is the GDPR? A Primer for Understanding

Europe’s General Data Protection Regulation (GDPR) is set to take effect in less than 200 days.  It is important to understand the changes this new set of regulations will impose, but it is also important to understand that even if you don’t have a physical business presence in Europe, the GDPR may apply to you. Any organization that retains personal information of any EU individuals must act to comply with the GDPR.

HOW DID WE GET HERE?

To put the provisions of the GDPR in context, we should first point out the differing concepts of privacy between the United States and Europe.  The US tends to place more emphasis on free speech than on privacy, and this emphasis carries over into the litigation arena.

In the US, we view privacy rights as constitutional in nature, but there is actually no right to privacy enumerated in either the body of the Constitution itself or the Bill of Rights. In fact, it wasn’t until 1965 that the US Supreme Court set out an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.

In Europe however, privacy is considered a fundamental right. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). And Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence,” subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.”

The seven principles governing the OECD’s recommendations for protection of personal data were:

  1. Notice: data subjects should be given notice when their data is being collected;
  2. Purpose: data should only be used for the purpose stated and not for any other purposes;
  3. Consent: data should not be disclosed without the data subject’s consent;
  4. Security: collected data should be kept secure from any potential abuses;
  5. Disclosure: data subjects should be informed as to who is collecting their data;
  6. Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  7. Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe.  In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

But the European Commission realized that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and, since privacy rights were declared in Article 8 of the EU Charter of Fundamental Rights, acted to propose a Data Protection Directive. All seven of the OECD principles were incorporated into the EU Data Protection Directive (officially the European Union Directive 95/46/EC on the protection of individuals regarding the processing of personal data and on the free movement of such data), which was adopted in 1995.

However, European directives are guidelines which propose certain results but leave each Member State free to decide how to transpose them into national laws. The EU currently has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). Over the years, they have made different laws that sometimes contradict each other.

A regulation, on the other hand, is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Since the 1995 Directive was only able to provide overall guidance in this area, the GDPR is designed to effectively harmonize European data protection laws. It was adopted in April 2016, and will officially supersede the Data Protection Directive and be enforceable starting on May 25, 2018.

The United States, however, while endorsing the OECD’s recommendations, did nothing to implement them within the United States. Part of the issue is the diversity of laws in our federalist structure of government. With 50 states, 94 federal judicial districts, including at least one district in each state, the District of Columbia and Puerto Rico and additional territorial courts and courts of special jurisdiction such as bankruptcy, having a unified privacy directive similar to the GDPR is problematic here.

IMPACT BEYOND THE EU

First, we should note that the GDPR affects more than merely the EU. The regulation applies not just to the 28 member states of the EU but is also being integrated into the 1992 EEA Agreement and thus applies to the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein.

Second, as noted above, you do not have to have a physical presence in Europe to be covered by the GDPR. It applies to not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals, regardless of the organization’s location.

PREPARATION TRAJECTORY

Activities to deal with the upcoming implementation of the GDPR have been slowly building momentum. Groups such as The Sedona Conference and the EDRM have been studying best practice principles for US attorneys but numerous questions remain on how to proceed.

The important point is to be prepared.  The GDPR demands, not requests, data privacy compliance and places strong emphasis on organizations to act more responsibly in their data governance practices. More than ever, you need to identify what privacy-related content you possess, why it’s there, and who has access to it.

Failure to adequately prepare for the changes can have severe ramifications, including much higher fines than under the current regulatory environment. These include penalties of up to 4% of the organization’s global gross revenue for non-compliance, a point we will discuss in more detail in following parts of this overview.

For the remainder of the overview, we will highlight key elements, evaluations, and events in the planned implementation of the GDPR. Key elements to be covered will include:

  • Discuss definitions for common terms used in the GDPR
  • Discuss changes in practice to be made under the GDPR
  • Set out distinctions to be made between obligations for a specific company as opposed to service providers
  • Discuss steps to take to ensure compliance with the GDPR

So, what do you think?  Are you ready for the GDPR? Read more about this important event in the following parts of our GDPR series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

If You’re a Cloud Provider or Consumer, Consider These Guidelines on How to Conduct Yourself in Europe: eDiscovery Best Practices

While we were preparing to eat turkey and stuff ourselves with various goodies last week, the Cloud Security Alliance (CSA) provided an important guideline for compliance with the European Union General Data Protection Regulation (GDPR).

The CSA, a world leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, last week announced the release of the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers (CSPs), cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the GDPR.  As part of the release, the CSA also launched the CSA GDPR Resource Center, a new community-driven website with tools and resources to help educate cloud service providers and enterprises on the new GDPR.

“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement (PLA) Working Group realized it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair.

“With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organizations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”

The new CSA Code of Conduct for GDPR Compliance is designed to meet both actual, mandatory EU legal personal data protection requirements (i.e., Directive 95/46/EC and its implementations in the EU member states) and the forthcoming requirements of the GDPR and specifies the application of the GDPR in the cloud environment, primarily with regard to the following categories:

  • Fair and transparent processing of personal data;
  • Information provided to the public and to data subjects (as defined in Article 4 (1) GDPR);
  • Exercise of data subjects’ rights;
  • Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR;
  • Notification of personal data breaches to supervisory authorities (as defined in Article 4 (21) GDPR) and the communication of such personal data breaches to data subjects; and
  • Transfer of personal data to third countries.

The CSA Code of Conduct for GDPR Compliance also contains mechanisms that enable the body referred to in Article 41 (1) GDPR to carry out mandatory compliance monitoring by the controllers or processors who undertake to apply it, without prejudice to the tasks and powers of competent supervisory authorities pursuant to Article 55 or 56 of GDPR.

With GDPR adoption looming in less than six months, you can expect to hear more about GDPR on this blog and other publications in the coming months.  Click here to access the CSA Code of Conduct for GDPR Compliance (after completing a short survey).

So, what do you think? Is your organization preparing for GDPR?  Please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Rob Robinson and his excellent Complex Discovery blog for coverage of the story.

Google Requests Contempt Order For $10,000 Sanctions Per Day Against…Google: eDiscovery Case Law

But first, a reminder that Relativity Fest starts this Sunday and CloudNine will be there.  As part of the team, I will be there covering the conference for eDiscovery Daily and will be speaking(!) on Tuesday.  Click here to see our post on some of the anticipated highlights from the conference.

Last month, we wrote that Google went 0 for 2 in August in its request for review of warrant cases related to the Stored Communications Act of 1986 (SCA) and the order to produce ESI stored internationally that is subject to warrants was upheld in both cases, including a ruling in the Northern District of California on August 14.  Now, Google has filed an instant motion asking the Court to: “a) hold Google in civil contempt of the August 14 order; b) impose sanctions of $10,000 for every day that Google fails to comply; c) stay those sanctions until seven business days after the Ninth Circuit affirms the Court’s order; and d) require Google to preserve any information in its possession that is subject to the search warrant.” As noted in California District Judge Richard Seeborg’s order, “the terms of the proposed sanctions are similar to the terms of stipulations that Google and other companies have entered into with the government in similar cases in other jurisdictions.”

So, why did Google ask the Court to impose a daily sanction of $10,000 against Google?  Evidently, while the government and Google “agree that Google should be held in contempt of the August 14 order”, they “disagree, however, about the appropriate way to devise a sanction that will ensure Google’s compliance and about whether an evidentiary hearing is needed to conduct that inquiry effectively.”  The government argued that “an evidentiary hearing is needed to assess the equities at stake in this case properly and to devise an appropriate sanction”, while Google contended that there is “no need to develop a more substantial evidentiary record or to devise a more severe sanction than the $10,000 per day fine that Google has proposed.”  Google also noted that “this Court already found in the August 14 order that, ‘[i]n light of the Second Circuit decision in Microsoft and the absence of relevant Ninth Circuit precedent, Google’s diligent, good faith efforts to comply with current law do not warrant contempt at this stage of the proceedings.’”

In ruling on the dispute, Judge Seeborg stated: “Of the two sides, Google’s arguments are more persuasive…The government acknowledges that Google has a right to press its appeal; it is not arguing that Google must turn over the information now. Neither is it arguing—at least at present—that Google should be held in criminal contempt for its past behavior. Thus, the only question currently in need of answer is what sanction will secure Google’s prompt compliance with the August 14 order should its appeal fail.”  Judge Seeborg also noted that “Should Google prevail on appeal, the issue will be moot. If Google loses, it will be required to comply with the August 14 order or be subject to the sanctions imposed by this order. If, at that time, Google fails to turn over data the government believes Google previously possessed but did not preserve, the government can raise the issue and seek an appropriate remedy.”

Tip of the hat to ACEDS for the link to the latest order in this case.

So, what do you think?  Will Google win its appeal?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Also, I’m excited to report that eDiscovery Daily has been nominated to participate in The Expert Institute’s Best Legal Blog Contest in the Legal Tech category!  Thanks to whoever nominated us!  We’re fading fast, but if you enjoy our blog, you can vote for it and still help it win a spot in their Best Legal Blogs Hall of Fame.  You can cast a vote for the blog here.  Thanks!

SCOTUS to Take On Microsoft Ireland Case: eDiscovery Trends

A few months ago, we reported that the Department of Justice had asked the U.S. Supreme Court to overturn the landmark appeals court decision handed down last summer in favor of Microsoft Corp. that put company data stored overseas mostly out of reach of U.S. law enforcement.  Yesterday, SCOTUS, at the urging of a whopping thirty-three states, agreed to take the case.

According to The Washington Post (Supreme Court to consider major digital privacy case on Microsoft email storage, written by Robert Barnes), the Supreme Court of the United States yesterday agreed to hear a dispute between the federal government and Microsoft about emails stored overseas.

The case that SCOTUS accepted on Monday began in 2013 when U.S. prosecutors got a warrant to access emails in a drug-trafficking investigation. It was served on Microsoft in Redmond, Wash. But the data sought was stored on its servers in Ireland. (The company has more than 100 centers in 40 countries.)

Microsoft turned over information it had stored domestically but contended that U.S. law enforcement couldn’t seize evidence held in another country. It said that if it was forced to turn over such information, it would lead to claims from other countries about data stored here.  A judge upheld the warrant, but a panel of the U.S. Court of Appeals for the Second Circuit overturned the ruling. The full circuit then split evenly on whether that decision was correct, and one judge wrote that the Supreme Court needed to provide the ultimate answer.

Thirty-three states also urged the court to take the case, U.S. v. Microsoft. They said that the decision has implications for other technology giants such as Google and Yahoo and that it was “remarkable” that the Second Circuit had held “that a private company has unfettered discretion to shield evidence of crime from law enforcement, simply by electronically sending that evidence out of the jurisdiction.”

Microsoft contended that the Stored Communications Act of 1986 (the law considered for this case and also the Google cases earlier this year where Google was ordered to comply with search warrants) did not imagine a world in which “a technician in Redmond, Washington, could access a customer’s private emails stored clear across the globe.”  “The current laws were written for the era of the floppy disk, not the world of the cloud,” Microsoft president and chief legal officer Brad Smith wrote.  He has a point there.

At Relativity Fest next week, I’m sure the topic will come up during our session e-Discovery in the Cloud, on Tuesday, October 24 at 11:00 am, moderated by David Horrigan, e-Discovery Counsel and Legal Content Director at Relativity where we will be joined by Rachi Messing, Senior Program Manager at Microsoft, Ari Kaplan, Principal at Ari Kaplan Advisors and Kelly Twigger, Founder of ESI Attorneys.  If you’re going to be there, you won’t want to miss that!

So, what do you think?  Should a 31 year old law determine whether data stored overseas (but accessed here) should be subject to subpoena?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Google Goes 0 For 2 in its Request for Review of SCA Warrant Cases: eDiscovery Case Law

As Tom O’Connor and I discussed last week in our ACEDS webinar Key eDiscovery Case Law Review for First Half of 2017 (here’s a link if you missed it), Google was ordered earlier this year to produce foreign stored emails by judges in California and Pennsylvania in response to government warrants.  Last month, Google’s request for review on the two cases (and interpretation of Section 2703 of the Stored Communications Act of 1986) didn’t change the results.

With regard to In re Search Warrant No. 16-960-M-1 to Google; In re Search Warrant No. 16-1061-M to Google, MJ Nos. 16-960, 16-1061 (E.D. Pa. Aug. 17, 2017), Pennsylvania District Judge Juan R. Sánchez considered Pennsylvania Magistrate Judge Thomas J. Rueter’s February ruling, which ordered Google to comply with a search warrant to produce foreign-stored emails and disagreed with the Second Circuit’s ruling in the Microsoft Ireland warrant case, where Microsoft was not ordered to provide access to emails.  In considering Google’s request to review Judge Rueter’s order, Judge Sánchez stated:

“The issue in this case is whether enforcing the SCA warrants in question to require Google to produce communications and other subscriber data stored on servers located outside the United States constitutes an extraterritorial application of the statute. In analyzing this issue, the Court starts with the presumption against extraterritoriality, “a longstanding principle of American law ‘that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States.’””

With that in mind, Judge Sánchez, in upholding the Magistrate Court decision, ruled that “Even if the steps taken by a provider to search for, access, and retrieve subscriber communications for eventual disclosure to the government were conduct relevant to § 2703’s focus, this Court has considerable difficulty with Google’s assertion that, where the communications in question are stored in foreign data centers, the ‘vast majority’ of this conduct occurs outside of the United States…By Google’s own account, the search and retrieval process consists of a series of queries initiated by Google personnel in the United States to which servers in the targeted data centers respond….While these queries may be run on servers in Google’s foreign data centers, it is difficult to see how this amounts to conduct by Google at the location of the data center, given that the United States-based employees direct the search and retrieval process remotely, without involvement by any personnel located abroad…That the subscriber’s communications are accessed only by—and can be accessed only by—Google personnel in the United States, and are produced by such personnel in the United States, reinforces the conclusion that the only conduct involved in the search and retrieval process occurs domestically.”

With regard to In the Matter of the Search of Content Stored at Premises Controlled by Google Inc. and as Further Described in Attachment A, No. 16-mc-80263-RS (N.D. Cal. Aug. 14, 2017), Google moved for de novo review of California Magistrate Judge Laurel Beeler’s determination that “the disclosure is a domestic application of the SCA.”  California District Judge Richard Seeborg, in considering the same issues, ruled:

“As to the question of whether Google is undertaking essential aspects of compliance with section 2703 outside the United States, the answer is no. As a factual matter, the information sought by the government is easily and lawfully accessed in the United States, and disclosure of that content would likewise take place in the United States. Indeed, only personnel in Google’s Legal Investigations Support team are authorized to access the content of communications in order to produce it in response to legal process and all such Google personnel are located in the United States…Accordingly, the conduct relevant to the SCA’s focus occurs in the United States.”

I’m sure we haven’t heard the last of either of these cases yet, just like it appears we haven’t heard the last of the Microsoft Ireland warrant case yet either.

So, what do you think?  Should the location of the data or the location of the searches for the data determine whether it is subject to foreign data privacy considerations? Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion links courtesy of eDiscovery Assistant.

Think That Your Firm Isn’t Subject to GDPR? You May Be Wrong About That: eDiscovery Trends

We’re getting closer and closer to the implementation of the General Data Protection Regulation (GDPR) standard designed to strengthen and unify data protection for all individuals within the European Union (EU).  It goes into effect in about eight months (May 25th of next year, to be exact).  Do you think GDPR doesn’t apply to your firm?  You may be wrong about that.

This JD Supra article (GDPR Applies to US Firms, written by Stanislaw Kastory)* discusses instances where GDPR can apply to firms and companies that are not established in the European Union.  According to the author, the GDPR applies to processing of personal data of data subjects who come from the European Union, by a controller or processing entity not established in the European Union if the processing activities relate to:

  a) the offering of goods or services to such data subjects in the European Union and
  b) the monitoring of their behaviour. (or “behavior”, depending on who’s reading it) – :o)

Oh, behave!

Here are examples of US companies that may be subject to GDPR requirements:

  • A US insurance company not based in the EU will be subject to the GDPR (and all the requirements thereunder) if it offers its insurance products to entities in EU countries.
  • The new GDPR will also apply to all companies offering “suggestions” used for example on YouTube, Instagram or Spotify. Suggestions that you may like someone’s profile or music are based on processing of personal data. If a US company makes such suggestions to EU citizens, it will automatically fall under the ambit of the GDPR.
  • Even if you’re just a local whisky producer in Kentucky and you send 10 bottles to a client in France, you’re still subject to the rules of GDPR.

So, it’s not just cloud providers, it impacts any organization that might have a market of customers in the EU.  According to the article, more than 50% of US companies will be required to implement the GDPR requirements, including having to process personal data in compliance with the EU regulation. They will therefore be directly required to ensure they have the appropriate legal basis for data processing, to meet the requirement of informing data subjects and to implement new procedures and documents under the GDPR.

Fines can reach up to EUR 20,000,000 or 4% of global turnover, so failing to comply could be costly.  For those that are fined at some level, I’ll bet the “GD” in GDPR may no longer stand for “General Data”.  :o)  Anyway, it’s clear that GDPR will be a big topic of discussion in our industry in the coming months and I expect that we’ll have quite a bit more coverage of it during that time.

BTW, just a reminder that, on Wednesday, August 30 at noon CST (1:00pm EST, 10:00am PST), CloudNine will conduct the webcast On Premise or Off Premise? A Look at Security Approaches to eDiscovery.  This one-hour webcast will discuss different on-premise and off-premise eDiscovery solution options and considerations for each. I’ll be presenting the webcast, along with eDiscovery thought leader Tom O’Connor.  To register for it, click here.

So, what do you think?  Is your organization preparing for GDPR?  Please share any comments you might have or if you’d like to know more about a particular topic.

*Hat tip to Rob Robinson’s Complex Discovery site for the tip on the article.  Here are two other articles he has covered in just the past two weeks on the topic.

Google Again Ordered to Produce Internationally Stored Data: eDiscovery Case Law

In the case In re: Search of Content that is Stored at Premises Controlled by Google, Case No. 16-80263 (N.D. Cal., Apr. 19, 2017), California Magistrate Judge Laurel Beeler, noting that the “SCA regulates disclosure of data in a service provider’s possession”, ordered Google to “produce all content responsive to the search warrant that is retrievable from the United States, regardless of the data’s actual location”.

Case Background

A search warrant was issued in June 2016 that authorized production of information from specific Google email accounts regarding subscriber information, evidence of specified crimes, and information about the account holders’ true identities, locations, and assets.   Google did produce data “confirmed to be stored in the United States” including emails, but did not include the attachments for emails because they were not “confirmed” to be stored in the United States.  Google also moved to quash or amend the search warrant, which the government opposed, countering that the SCA authorizes production of data retrievable from the United States.

The court held a hearing in February 2017 and directed (1) the parties to submit a joint stipulation of undisputed facts relevant to the extraterritoriality analysis and (2) Google to provide information about its current ability to identify whether information is stored in the United States, given its representation at the hearing that it was finalizing a tool to identify whether or not content was stored in the United States.  The parties provided additional information in March.

Judge’s Ruling

As in the previous ruling against Google, Judge Beeler reviewed the Second Circuit ruling (Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016)), where the Second Circuit denied the government’s efforts to compel Microsoft to provide emails in that case.  However, Judge Beeler noted that “the parties stipulate that the only place to access the information is in the United States” and stated that “the conduct relevant to the focus — and what the SCA seeks to regulate — is disclosure of the data in the service provider’s possession…The service provider — Google — is in the district and is subject to the court’s jurisdiction; the warrant is directed to it in the only place where it can access and deliver the information that the government seeks.”

Judge Beeler, in denying Google’s motion to quash the warrant for content that it stores outside the United States and ordering it to produce all content responsive to the search warrant that is retrievable from the United States, regardless of the data’s actual location, concluded that “the disclosure is a domestic application of the SCA”.

So, what do you think?  Should the location of the data or the location of the searches for the data determine whether it is subject to foreign data privacy considerations?  Please share any comments you might have or if you’d like to know more about a particular topic.


78 is Great! eDiscovery Daily Is Seventy Eight! (Months Old, That Is)

A new record!  (Get it?)  Seventy eight months ago today (a.k.a., 6 1/2 years), eDiscovery Daily was launched.  It’s hard to believe that it has been 6 1/2 years since our first three posts debuted on our first day, September 20, 2010.  Now, we’re up to 1,656 lifetime posts, and so much has happened in the industry that we’ve covered.

Twice a year, we like to take a look back at some of the important stories and topics during that time.  So, here are just a few of the posts over the last six months you may have missed.  Enjoy!

Thanks, once again, for your support!  Our subscriber base and daily views continue to grow, and we owe it all to you!  Thanks for the interest you’ve shown in the topics!  We will do our best to continue to provide interesting and useful eDiscovery news and analysis.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic!


New Survey Says 75 Percent of Respondents Unfamiliar with China’s New Cybersecurity Law: eDiscovery Trends

Are you familiar with it?

According to a survey conducted by Consilio and released earlier this week, 75 percent of legal technology professionals responding to the survey indicated that they are not familiar with China’s new Cybersecurity Law, which was passed by the Standing Committee of the National People’s Congress, China’s top legislature, in November 2016.  The new law is set to go into effect on June 1.

China’s new Cybersecurity Law will require foreign companies conducting business in the country to localize within mainland China any data that may contain sensitive privacy data or state secrets. Organizations that do not adhere to this provision will face potential financial penalties, including the possible loss of their ability to conduct business in mainland China. Individuals can face civil and criminal penalties, up to and including imprisonment and the death penalty for particularly egregious cases.

For more on China’s Cybersecurity Law, you can read Understanding China’s Cybersecurity Law, by Chris Mirasola on the LawFare blog here.  An unofficial translation of the law can be found on the China Law Translate site here.

Consilio’s survey of 118 legal technology professionals, from in-house law departments, law firms and government affiliated entities, was conducted at the Legalweek | Legaltech® New York 2017 conference held January 31 – February 2.  Some key findings of the survey include:

  • 75 percent of legal technology professionals cited that they are not familiar with China’s new Cybersecurity Law;
  • Only 14 percent of respondents indicated that they are “very concerned” about the new law;
  • Yet, 57 percent of respondents indicated having at least one legal matter that touched China within the last two years (i.e. internal or government investigations, litigation, M&A, etc.), with 27 percent indicating that they knew of at least ten Chinese legal matters that their organizations were involved in during that time.

“China is now the world’s second largest economy, and for global corporations and those that aspire to be global, it is critical for them to have a full understanding of the data requirements and regulatory landscape of that region,” said Dan Whitaker, Managing Director of Consilio’s China operations, headquartered in Shanghai. “Since 2012, cyber walls have been going up in multiple regions around the world, and as countries continue to create new regulations, organizations must continually educate themselves on the quickly evolving nuances of data privacy laws in every jurisdiction, specifically as it relates to the ability to move data in and out of the countries in question.”

In addition to China’s new Cybersecurity Law, when polled about other international compliance laws their organizations are most concerned about, respondents identified the Foreign Corrupt Practices Act, or FCPA, as the most concerning (40 percent), with the General Data Protection Regulation, or GDPR (22 percent) and the UK Bribery Act (8 percent) as other regulations respondents are concerned about.

Consilio has prepared a summary infographic to illustrate the results, which can be found here.

So, what do you think?  Are you familiar with China’s new Cybersecurity Law?  Are you concerned about it?  Please share any comments you might have or if you’d like to know more about a particular topic.


Google Required to Hand Over Foreign Stored Emails to Justice Department: eDiscovery Case Law

In the ruling In re Search Warrant No. 16-960-M-01 to Google, Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with a search warrant to produce foreign-stored emails, disagreeing with the U.S. Court of Appeals for the 2nd Circuit’s ruling in the Microsoft Ireland warrant case, in which Microsoft was not ordered to provide access to emails.

In August 2016, the court issued two search warrants, pursuant to section 2703 of the Stored Communications Act (SCA), which required Google to disclose electronic data held in the accounts of targets in two separate criminal investigations to agents of the FBI.  Each account holder resided in the US, the crimes they are suspected of committing occurred solely in the US, and the electronic data at issue was exchanged between persons located in the United States.

Google partially complied with the warrants by producing data that is within the scope of the warrants that it could confirm is stored on its servers located in the US, but refused to produce other data required to be produced by the warrants that was stored on servers located out of the US, relying on the recent decision of a panel of the US Court of Appeals Second Circuit, Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016), where the Second Circuit denied the government’s efforts to compel Microsoft to provide emails in that case.

In ruling that Google has to comply with the warrant in full, Judge Rueter stated that “Under the facts before this court, the conduct relevant to the SCA’s focus will occur in the United States. That is, the invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania. These cases, therefore, involve a permissible domestic application of the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”

Judge Rueter also indicated that he “agrees with the Second Circuit’s reliance upon Fourth Amendment principles, but respectfully disagrees with the Second Circuit’s analysis regarding the location of the seizure and the invasion of privacy”, noting that “[e]lectronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a ‘seizure’ because there is no meaningful interference with the account holder’s possessory interest in the user data. Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer’s knowledge. Such transfers do not interfere with the customer’s access or possessory interest in the user data.”

Judge Rueter also noted that the searches would occur in the US, stating that “Even though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.”  As a result, Judge Rueter granted the Government’s motions to compel Google to comply with the search warrants.

So, what do you think?  Should the location of the data or the location of the searches for the data determine whether it is subject to foreign data privacy considerations?  Please share any comments you might have or if you’d like to know more about a particular topic.
