Corporate Counsel’s New Big Risk Factor: International Privacy Law and Compliance with U.S. Discovery and Investigation Requests

The ever-growing, complex web of privacy protection laws around the world directly impacts how multinational corporations can comply with demands to respond to a U.S. discovery request or regulatory investigation. The risk of running afoul of the privacy laws in the name of compliance with a U.S. legal obligation is very real and often unanticipated. Here lies corporate counsel’s new big risk factor.

Today’s multinational corporations are faced with the significant challenge of crafting practical procedures to both comply with U.S. obligations and meet international privacy standards. Before the urgency of an active request hits, in-house counsel can help mitigate the risk of a privacy violation by understanding where the corporation “keeps” all the critical business data. This “data map” will set out the different kinds of systems that exist in the corporation and indicate where key business functions are performed. Armed with this information, counsel can begin to consider the potential cross-border implications of a request.

Without unequivocal direction from the courts, the struggle to balance the risk of privacy violation against the risk of non-compliance becomes an exercise in reasonableness. Incorporating the following considerations into your response plan can help mitigate risk: [1]

  1. Standardized Protections – seek statutory or procedural protections. If your data mapping exercise indicates that information likely to be needed as part of a litigation or regulatory demand is stored in a jurisdiction that affords privacy protection to the personal information of your employees, consider seeking Privacy Shield Certification or using binding corporate resolutions or standard contractual clauses to demonstrate the protection required if the personal information must be transferred. On a case-specific basis, utilize the model protective order provisions recommended by the Sedona Conference.
  2. Privacy Principals – create a path to compliance with privacy principals. Procedurally, establish a process that will allow the company to demonstrate compliance with the major privacy principles:
    1. Legitimate purpose: Document the valid business purpose for the transfer of personal data;
    2. Notice: Inform individuals that their data is being collected and detail how the data will be used;
    3. Opt out: Provide individuals with the option to opt out of the collection or transfer of the data;
    4. Onward transfer: If your case requires transfer of data to third parties, ensure that those third parties also follow adequate data-protection principles; and
    5. Security: Once transferred, ensure that your IT infrastructure has adequate safeguards against the loss or breach of collected information.
  3. Local Datasets – reduce the dataset locally, if possible. Once consent or other “collection” requirements have been met, work in-country to narrow any collected dataset to that which is most likely to be responsive to the request. This can take several forms: from full processing and review for responsive information in-country and export of only responsive information, to basic culling and personal information screening in-country prior to export. The key to selecting the correct protocol for your case will require close collaboration with your counsel and technology consultant. Understanding all your technology options will help ensure that your organization is not incurring avoidable risk. There are many technological approaches, from simple culling to advanced predictive coding analytics, which can be applied in-country to get to the most likely responsive information. These efforts can considerably reduce the dataset to be transferred.
  4. Phased Approach – Consider phased discovery. Be sure to explain to any court or regulator seeking cross-border discovery of personal information that certain procedural steps will be necessary for you to comply with the request. Set appropriate expectations for timing, which might involve phasing production with non-protected data first and protected data in a subsequent phase.
  5. Compliance Culture – Cultivate a culture of compliance. As in any defense of corporate conduct, you will be more effective at persuading courts, data protection agencies and regulators that the company respects and intended to comply with all applicable laws and regulations if you can demonstrate that compliance is top of mind, both in process and policy.

Although it can be difficult to balance production requirements and privacy compliance, these challenges are not insurmountable. With some advance planning, strategic advisors and reliable partners, every company or firm, including yours, can successfully navigate data protection waters to reduce and mitigate potential risk to your discovery projects.

[1] See also The Sedona Conference, International Principles on Discovery, Disclosure & Data Protection; and The Sedona Conference, Practical In-House Approaches for Cross-Border Discovery & Data Protection.

(Please send your comments on this post, or requests for future blog posts, to