Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/98265
By Don Cameron, Noelle Engle-Hardy & Jerry Chen; Bereskin & Parr LLP E-discovery and the cloud Jurisdiction can dictate which documents must be produced. T here is no precise definition of cloud computing. Generally, cloud computing refers to software operating on or data stored on someone else���s computer, delivered via the Internet. Cloud computing service is ondemand and elastic; the system can provide or release computer resources dynamically, so the user can have as much or as little of a service as they want. The service is also fully managed by the provider, so the end user typically only needs a personal computer or mobile device with Internet access. Possession, control, or power Where data exists on third party databases, is it within the litigant���s possession, control, or power? As a part of routine discovery, a party may serve on any other party a request to produce certain documents, including electronically stored information. Depending on the jurisdiction, the standard for what documents must be produced may vary. In the United States, the producing party must give over the relevant documents that are within the respondent���s ���possession, custody, or control.��� In Ontario, Rule 30.02(1) provides that: ���Every document relevant to any matter in issue in an action that is or has been in the possession, control or power of a party to the action shall be disclosed as provided in rules 30.03 to 30.10, whether or not privilege is claimed in respect of the document,��� while Federal Court Rule 223 requires, in part, that every party serve an affidavit of documents on the other party within 30 days of the close of pleadings, describing and containing, among other things, all relevant documents that are in the possession, power, or control of the party and for which no privilege is claimed. The case law generally provides that, where documents can be accessed from within the jurisdiction, then they are considered to be within the jurisdiction and are to be produced. Different approaches A tremendous conflict exists between the intensely adversarial nature of North American litigation and European efforts to protect spheres of personal privacy. The 2006 Amendments to the U.S. Federal Rules of Civil Procedure emphasized that electronic discovery is part of almost every significant commercial suit in the United States. The massive growth of electronic information, proliferation of social media, and even cloud computing itself have dramatically altered the concept of a business record, particularly in a world where personal and business documents are intermingled on mobile devices traveling seamlessly between the private and work spheres. EU law, on the other hand, recognizes privacy as a fundamental human right. The EU mandates protection of data subjects��� personal information. EU Directive 95/46/EC establishes uniform provisions for the processing of personal information in the European Union. The directive covers all personal data, and permits ���legitimate��� processing of personal ca na dia nl awy e rm a g . c o m / i n h o u s E information only if necessary for compliance with a legal obligation or if in line with the data controller���s limited interests. The European Union generally regards U.S. discovery as neither a sufficient legal obligation nor a legitimate interest for EU data protection purposes. The EU Directive states that the transfer of data is acceptable where necessary for the establishment, exercise, or defense of legal claims. Thus far this has been narrowly circumscribed such that foreign law is rarely deemed a legal obligation. Conducting an internal investigation pursuant to a U.S. law or at the behest of a U.S. regulatory authority is no more a legal obligation than discovery requests. Litigants should use caution when attempting to obtain corporate records from an EU data storage or cloud facility. Care should be taken to ensure that entities seeking production from the EU provide data subjects with notice of the possibility of litigation in the U.S., and establishing stringent internal privacy protections. Moreover, U.S. litigants may consider on-site review in the country where the data is located; this may help identify only the information that is actually relevant to the U.S. litigation before it is transferred and may minimize the quantity of personally identifiable information at issue. For parties involved in litigation, the most important consideration is to know where your data is. A company may have a data system that is part internal, part external (including in the cloud). Ideally, the most sensitive data will be stored locally and be accessible only locally to minimize exposure to foreign discovery obligations. If you are accessing documents from Europe or other jurisdictions with extensive privacy restrictions, review the data in those foreign jurisdictions to minimize the amount of private data that needs to be transmitted to another jurisdiction. IH Don Cameron, Noelle Engle-Hardy and Jerry Chen are lawyers with Bereskin & Parr LLP. December 2012/January 2013 ��� 13