How the EU and China Plan to Deal with Multinational Data

Today, an employee from a London company can wirelessly send emails to customers in New York and China from a Parisian café using cloud servers located in Paris, Shanghai, New York City and London.

The low cost of data storage coupled with high speed global communications increases the odds that some of a corporation’s data are stored outside the geographic borders of their home country. Electronically stored information (ESI) stored outside a company’s home country presents a number of obstacles, in addition to the “normal” challenges regarding the collection, processing and production of eDiscovery. International treaties and agreements concerning cross-border discovery were made before social networking platforms, cloud computing and ultra-fast global network connections – and are now outdated. Efforts such as EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law (CSL) are attempting to fill that gap.

How the EU and China Plan to Deal with Multinational Data

While the GDPR and CSL are not entirely new rules they are rather an evolution of existing and disparate data protection rules that address many of the previous shortcomings through the addition of documentation, risk assessments, breach notification, and data minimization requirements. The EU GDPR (Regulation (EU) 2016/679) is a law set to take effect in May of 2018 that will strengthen, clarify, and provide cohesion within the EU concerning data protection for individuals, (PII or personally Identifiable Information), as well as addressing the export of EU data across borders.

At the end of 2015, China’s president Xi Jinping opened the World Internet Conference with a speech requesting the world to respect “China’s cyber-sovereignty,” which applies China’s physical boundaries to the China internet. That notion was later embodied in China’s Cyber Security Law that went into effect June 2017 and was added to the China constitution during the recent 19th China Congress. Data localization is being enforced.  In-country solutions will be critical to support international customers as they deal with China’s government rules, local regulations and culture. Recognizing this requirement, Apple recently announced they are implementing data centers in China to specifically house China data and Amazon, Microsoft and IBM have all formed partnerships with Chinese companies to offer cloud computing services based in China. As a normal course of business, US and EU data will be in China. The breadth, complexity and ambiguity of China’s State Secrets Law—particularly with regard to the transmission of sensitive material out of the country—creates serious challenges for foreign companies doing business in China.

Arguably the largest hurdles for international business is the new “Consent per purpose” that is mandated by the EU GDPR and China’s CSL. Consent must be unambiguous, informed, and freely given, so no more “by continuing on this site you consent… language. This is why the new GDPR and CSL more than being a technical or an IT challenge, is one of business and the impact on customer and client interaction.

Non-legal “Soft” obstacles to Cross-Border eDiscovery

Litigation in US federal courts involving possibly relevant ESI located in foreign countries faces the obstacles of differing legal systems, conflicting national laws, blocking statutes and international treaties that counsel must navigate in order to comply with Fed. R. Civ. P. 34.

The cultural and legal differences between the U.S. and foreign countries present “soft” obstacles that counsel is well advised to understand and appreciate when dealing with ESI located within a foreign country, in complying with FRCP discovery rules. These differences do not necessarily present any real legal challenge in negotiating cross-border discovery, but they do present the initial mindset and baseline position of foreign parties, which counsel must be prepared to encounter. Despite the myriad of obstacles presented by ESI located in foreign countries, counsel is expected to navigate these obstacles and comply with discovery as governed by the Federal Rules of Civil Procedure (FRCP).

Cultural differences regarding the protection of personal data presents the biggest soft obstacle when
it comes to cross-border litigation with regard to the EU. In the European Union (EU), data privacy protections have traditionally been stronger and more robust than in the U.S. and this has only become more apparent as US organizations begin preparations for the GDPR. The extent and breadth of personal data that the U.S. government has ready access to is shocking to even the most conspiratorially minded global citizens and fuels distrust of American use of private personal data, spurring debate in foreign countries’ legislatures on tightening already restrictive data privacy laws. Contrast that with China where “National Security” is the primary objective for data security and not so much personal data protection.  China views data as an asset to control, monitor and govern.  It is more concerned about the content and not so much about the privacy.  This is their culture.  China and the EU may be on the opposite ends of the same data security continuum but the net effect is the same. It’s all about control.

The recent spate of National Security Agency and data breaches in the news the last two years has not helped this notion. Counsel has to contend with this spiraling distrust towards American collection and use of data when negotiating the cross-border transfer of relevant ESI for litigation  in federal courts.

The common law principle that disputes should be resolved on the merits, which the FRCP discovery rules are based on, is not shared in civil law countries.  Even among other common law countries, the U.S. pretrial discovery rules provide for extremely broad disclosure. Civil law countries don’t recognize blanket requests or “fishing expeditions” and typically require disclosure when requests are specific and particularized. For example, France not only requires that the request be specific and particularized, but that it must also be admissible. For China, where “discovery” does not exist, U.S. legal teams are forced to work with local counsel to reluctantly negotiate disclosure of documents for each case. The basic common law legal principle underlying U.S. pretrial discovery rules and practice are not understood and may not apply abroad.