E-Discovery in Asia/Pacific: U.S. litigation exposure for Asian companies

This is the second article in a three-part series exploring litigation exposure and readiness for Asian companies. Here, Thomas Shaw explores how Asia/Pacific-based companies can analyze and deal with the risks of U.S. litigation exposure to pre-trial discovery data requests. Part three will review the principles of the APEC Privacy Framework, comparing Asian countries’ privacy laws to those principles and suggesting a model set of corporate privacy principles. Due to expansive rules on discovery, jury trials and the size of damage awards, plaintiffs worldwide would choose to bring their claims, if possible, in U.S. courts. As such, when non-U.S. companies are performing their periodic risk analyses, they must consider their exposure to U.S. litigation, either directly or through their U.S. subsidiaries. Having such exposure means being potentially subject to liability for damages but even more likely subject to pre-trial discovery requests for paper documents and electronically stored information (ESI) (collectively “data”) under the control of the non-U.S. company. This article focuses on how non-U.S. companies, particularly those based in the Asia/Pacific region, can analyze and deal with the risks of U.S. litigation exposure to pre-trial discovery data requests. Non-U.S. parent corporations should already understand that their subsidiaries operating inside the U.S. have exposure to U.S. litigation, either through the well-established principles of personal jurisdiction or through forum selection clauses in contracts. What is not as well understood is that non-U.S. parents themselves may also have exposure to U.S. litigation pre-trial discovery requests. The U.S. Federal Rules of Civil Procedure (FRCP) used to guide U.S. civil litigation only give the responding party about 100 days to be able to fully describe their data that is responsive to a lawsuit. As such, non-U.S.-based parent corporations need to proactively evaluate their litigation exposure risks and if so exposed, prepare themselves well in advance to be able to respond quickly and fully to pre-trial discovery requests for the production of responsive corporate data. When performing such a risk analysis for U.S. litigation discovery exposure, a non-U.S. corporate parent with U.S subsidiaries must answer the following four questions:

• Will U.S. pre-trial discovery take place under U.S., international, or local rules?
• Will U.S. courts have the power to order a non-U.S. corporation to produce data?
• Will U.S. courts order discovery if there are local data protection laws in place?
• What additional factors will U.S. courts consider for discovery of overseas ESI?

Procedural rules Under the U.S. FRCP (and similar state rules), a party to a lawsuit may request the other party or a non-party to produce data. This data can involve “any non-privileged matter that is relevant to any party's claim or defense.” The responding party may voluntarily reply to these requests but if it does not, the initiating party may request a court order compelling discovery. To issue such an order, the court must have personal jurisdiction over the party who will be compelled and that party must have control of the documents (see following section). But for responding parties located outside the U.S. who control data that is the subject of a discovery production request, the court may have to consider a second set of procedural rules available from the Hague Conference on Private International Law. The Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (the “Hague Convention”) is a multilateral agreement detailing procedures for requesting evidence from the authorities in another country. Almost 50 countries are currently signatories, including the U.S. Both the FRCP and the Hague Convention are considered the law of the United States. Under the Hague Convention, to obtain evidence in the other signatory country, a letter of request is transmitted to that country’s Central Authority for execution. In Aerospatiale, the U.S. Supreme Court ruled that the Hague Convention is intended as an optional supplement to obtain evidence located abroad, as opposed to the exclusive procedure for requesting such evidence. The determination of whether the Hague Convention should be utilized is based on these three factors:

• the particular facts of each case;
• the sovereign interests of the respective countries;
• the likelihood that the Hague Convention procedures will prove effective.

A party wanting to utilize the Hague Convention has the burden of persuasion regarding its use instead of the FRCP. Article 23 of the Hague Convention allows signatories to pass laws to refuse to comply with common law discovery requests. In Asia/Pacific, only four major countries are signatories of the Hague Convention (Australia, China including Hong Kong and Macau, India, and Singapore). Each of these countries has taken an Article 23 reservation, meaning that letters of requests for discovery will not be executed by the local officials. Only China for itself (not Hong Kong or Macau) states that it will execute a letter or request that has a “direct and close connection with the subject matter of the litigation will be executed.” Even then, it may not be timely as, according to the State Department, “while it is possible to request compulsion of evidence in China pursuant to a letter rogatory or letter of request (Hague Evidence Convention), such requests have not been particularly successful in the past. Requests may take more than a year to execute.” Hong Kong, Macau, Australia, India, and Singapore will not even execute a letter of request for purposes of obtaining pre-trial discovery of documents. Australia’s declaration is typical of these: to Article 23, [we] will not execute Letters of Request issued for the purpose of obtaining pre-trial discovery of documents as known in common law countries.” As such, a responding party from an Asia/Pacific signatory country is unlikely to persuade a U.S. court to use the Hague Convention. For parties based in all other Asia/Pacific countries who are not Hague Convention signatories, a U.S. court would likely determine whether the FRCP or local rules of discovery would be used, based on two steps: first to determine whether a conflict exists between the two sets of procedural rules and second to perform a comity analysis. The comity analysis, endorsed in Aerospatiale and based on the Restatement (Third) of Foreign Relations Law §442(1)(c), uses the following five factors:

• importance to the litigation of the information requested;
• degree of specificity of the discovery request;
• whether the information originated in the U.S.;
• availability of alternate means of securing the requested information;
• extent to which non-compliance would undermine important interests of the U.S. or compliance would undermine important interests of the other country involved.

Other courts have used additional factors, such as hardship, on the responding party if facing criminal sanctions for producing the data or a non-party status. In In re Vitamins, because it is not a Hague Convention signatory, Japan’s Code of Civil Procedure Law was analyzed and a conflict was found between the local law and the FRCP. Then the comity analysis found that the local procedural rules would not allow for a “prompt and efficient resolution” and so the court ordered discovery to proceed under the FRCP instead. Jurisdiction and control A U.S. court can order a non-U.S. parent corporation to produce data if the court:

• has personal jurisdiction directly over the non-U.S parent;
• can acquire personal jurisdiction over the parent indirectly through a U.S. subsidiary;
• determines the subsidiary has control over or access to the non-U.S. parent’s data.

Personal jurisdiction directly A U.S. court must have personal jurisdiction over the responding party against whom production of the relevant data is sought under pre-trial discovery. The standard analysis is under “minimum contacts,” requiring the responding party to have a certain minimum level of contacts with the forum the court is situated in, as first described in International Shoe. The minimum contacts analysis under local statutes allows for jurisdiction that is either “general” or “specific.” General jurisdiction will support “a suit not arising out of or related to defendant's contacts with the forum” if the respondent has continuous and systematic contacts with the forum. Specific jurisdiction will support “a suit arising out of or related to the defendant's contacts with the forum” when the defendant has purposely availed itself of the benefits of the forum. In addition, the result must comport with due process in that it is reasonable and with sufficient notice. Under either general or specific jurisdiction, a U.S. subsidiary of a non-U.S. parent corporation doing business within the U.S. would likely come under the jurisdiction of the U.S. courts. A non-U.S. parent corporation that is doing business directly through a U.S. branch office would also. But would the non-U.S. parent corporation itself fall under the jurisdiction of U.S. courts if only its subsidiary, not the parent, is doing business in the U.S.? In Asahi Metals, the U.S. Supreme Court held that placing products into the stream of commerce was not sufficient contacts for personal jurisdiction over a non-U.S. (Japanese) corporation. In other cases, personal jurisdiction over non-U.S. corporations has been found. Finding of personal jurisdiction over a parent corporation under a minimum contacts analysis is very fact-specific and must be uniquely determined in each situation. Personal jurisdiction indirectly If minimum contacts between the non-U.S. parent corporation and the U.S. forum are not found, jurisdiction over the parent can still be found by looking through its U.S. subsidiary and ‘piercing the veil‘ of the parent’s U.S. subsidiary. This can apply not only when the subsidiary was set up for fraudulent or illegal purposes, but also for a legitimately organized subsidiary, depending on which of three different lines of cases, as articulated in Gallagher, is used. One precedent, termed the Cannon line of cases, holds that only by creating and then not respecting the parent/subsidiary legal differences is jurisdiction over a parent gained through a subsidiary. A second precedent, the Scophony lines of cases, holds that personal jurisdiction over a parent may be possible if based on the extent of control the parent exerts over the subsidiary, to the point of dominating the subsidiary’s operations. This looks to factors including common ownership, financial dependency of the subsidiary, the parent’s interference with subsidiary executive selection, and the parent’s control over the subsidiary’s marketing and operational policies. A third precedent, the Gallagher line of cases, allows jurisdiction over a parent if a subsidiary engaged in functions that the parent would have to otherwise undertake. As stated by the court in Bulova Watch, if a subsidiary is expanding a parent’s market position in the forum, then the parent is doing business in the forum. An analysis of the parent/subsidiary relationship should consider at least the following:

• Is the subsidiary adequately capitalized?
• How sufficiently are the corporate formalities observed?
• What level of control does the parent maintain over the subsidiary’s operations?
• Are there separate bank accounts?
• Are parent-subsidiary loans at market rates of interest?
• Is the subsidiary insured?
• Is the subsidiary 100 percent owned and are there interlocking directorates?

Control or access Once personal jurisdiction over the non-U.S. parent has been established, a party may seek production of data in its “possession, custody, or control.” A U.S. court has the power to require the production of data located in foreign countries if the court has personal jurisdiction over the corporation in possession or control of the data. But if personal jurisdiction over a non-U.S. parent is not established, a court may still order production of data held by the non-U.S. parent through its U.S. subsidiary. In In re Uranium Antitrust Litigation, the court looked at a number of factors to determine if a U.S. subsidiary had “control” over the documents held by its non-U.S. parent. These factors included the percentage of ownership of the subsidiary by the parent and the management unity of the two companies. The court noted that the ability to compel production of data and liability for a subsidiary’s acts is distinct and that the corporate formalities cannot be “used as a screen.” Other courts have also allowed access to data held by the parent corporation, even though jurisdiction was held only over the subsidiary. In Linde, the court stated that a party attempting to compel a U.S. subsidiary to produce documents of its foreign parent has to show the documents were within the subsidiary’s control. Control is inclusive of: possession, the legal right to obtain documents and access to and the ability to obtain documents. This control could be shown where documents “ordinarily flow freely between parent and subsidiary” or where it could “generally obtain documents” from its non-U.S. parent to assist itself in litigation. The court held there was no control, using these factors plus the fact that the parent and subsidiary shared no computer systems or confidential customer transaction information. Data protection laws Once a court has established the power over data held by a non-U.S. parent corporation, the court must then determine if it should use that power in the face of any data protection laws that may exist in the country of the parent corporation. Countries across the world have a variety of data protection laws, in the form of secrecy laws, privacy statutes, and blocking statutes. Commercial secrecy laws typically protect corporate and banking data. Privacy statutes typically protect consumers and their personal information. Blocking statutes have typically been enacted for the express purpose of frustrating U.S. discovery. Caselaw In Societe Internationale, the U.S. Supreme Court stated that the responding party cannot fail to produce documents because of a foreign data protection statute. The Court outlined three factors that should be considered when it is determining whether to exercise its power to order discovery in the face of a non-U.S. data protection law:

• the strength of the policies underlying the U.S. statute;
• whether the requested data are crucial to resolving a key issue in the lawsuit;
• the amount of flexibility in the application of a country’s data protection law.

Each factor requires additional explanation. The first factor does not balance the U.S statute against the data protection statue of the foreign country but only considers the U.S statute. The second factor is actually a higher standard than the typical U.S. standard for production of data during discovery, which is any data that is relevant or could reasonably lead to admissible evidence. The third factor speaks to the ability of the responding party to deal with its own government in trying to waive enforcement of the data protection law and whether it has done so. The good faith of the responding party is not considered when ordering production, but only after an order is not complied with. In cases that followed, the majority of U.S. courts have not allowed blocking statutes to stop the issuance of production orders. In In re Vitamins Antitrust Litigation, the court stated that it is well settled that blocking statutes do not deprive the U.S. courts of power to order a party to produce evidence even though the act of production may violate that statute. To some extent, this was because U.S. courts did not believe that the sanctions attached to these blocking statutes would be enforced. This may have changed with what happened after a discovery production order was issued in face of the French blocking statute. A French attorney who subsequently tried to speak to a witness in contradiction of the blocking statute was convicted and fined in a result that was upheld by the French Supreme Court. The subsequent effect of this on the analysis by U.S. courts is not yet clear. After evaluating local secrecy and privacy laws, courts have still ordered discovery anyway. In Societe Internationale itself, the Court ruled that the Swiss banking secrecy law was not sufficient to prevent ordering production of data from the respondent. In Richmark Corp., China’s secrecy law was not allowed to protect the financial information of a state-owned company. In First National City Bank, the court upheld production because Germany’s bank secrecy law was waive-able and only civil penalties and commercial consequences were likely to result. In In re Uranium Antitrust Litigation, the court held that discovery was required of respondents despite data protection laws from three different countries, each with widely differing amounts of flexibility in enforcement of those laws. Asia/Pacific data protection statutes In Asia/Pacific, there are quite a range of statutes set up to protect various types of data. These statutes serve various segments of society, from consumers to business to government. These local laws should be part of the legal risk analysis for parent corporations but it is important to understand that each statute has not been interpreted by a U.S court. In addition, many statutes are being updated or introduced as this article is being written, so any risk analysis must be constantly revisited. In addition to statutes, there are also regional frameworks, such as the non-binding APEC Privacy Principles, that may have a greater influence in the absence of local privacy law or on future statutes. The following is a non-comprehensive but representative list of regional data protection laws. ESI considerations When addressing the issue of whether to compel a party to produce data for pre-trial discovery, a court may consider additional factors solely related to ESI. There are a number of characteristics of ESI that are different than paper documents. These include:

• volume and ease of replication;
• persistence;
• dynamic nature;
• existence of hidden metadata;
• hardware and software system dependence and obsolescence;
• mobility, portability and searchability.

In Aerospatiale, the Supreme Court stated that the individual courts should show “special vigilance to protect foreign litigants from…unduly burdensome discovery” and specifically noted that courts must watch out for discovery abuses for overseas litigants based on “additional costs” and special problems on account of the “location of its operations.” The FRCP allows a responding party to resist discovery of ESI that is not reasonably accessible due to undue burden or cost. The requesting party then has to show good cause to go forward with obtaining discovery, at which point the court will analyze the following additional factors, some of which are similar to those in the comity analysis:

• the specificity of the discovery request;
• the quantity of information available from other and more easily accessed sources;
• the failure to produce relevant information that seems likely to have existed but is no longer available on more easily accessed sources;
• the likelihood of finding relevant, responsive information that cannot be obtained from other, more easily accessed sources;
• predictions as to the importance and usefulness of further information;
• the importance of the issues at stake in the litigation;
• the parties’ resources.

In addition to these factors, a court may also shift the cost burden of production to the requesting party. The Sedona Conference has documented a list of 12 factors to determine the relative accessibility of a source of potentially discoverable ESI. Six factors are based on media type (from Zubalake I) and six are based on data complexity. While none of these factors specifically relates to overseas ESI, the need for language translation from a local (possibly double-byte) language into English or additional legal reviews for confidentiality and relevance of foreign language ESI performed by foreign-qualified attorneys may provide the basis for an undue burden or cost argument. Conversely, the third factor from the Restatement’s comity analysis discussed above (”whether the information originated in the U.S.”) could be used to support an argument for discovery of ESI that may have originated in the U.S. but was then moved overseas. This may be quite typical in the emerging cloud computing environment. Finally, local e-discovery rules are being introduced, such as Australia’s Practice Note 17 or Singapore’s Practice Direction No. 3, and their effect on U.S. courts’ analyses of overseas ESI discovery is yet to be determined. Conclusion Asia-Pacific parent corporations with U.S. subsidiaries or operations should, as a first step, perform a proactive legal risk analysis for their exposure to U.S. pre-trial discovery based on the factors outlined in this article. As a second step, these non-U.S. parent corporations should analyze how prepared they currently are to respond in a timely manner to pre-trial discovery requests. This would include performing at least an inventory of the corporate data and data custodians, analyzing records retention and legal hold processes to guard against improper deletion of responsive data, and verifying that data collection procedures are legally sound. As a third step, all remediations identified in the first two steps should be designed, implemented, and monitored. It is critical that these companies enlist the proper expertise to help them through this multi-disciplinary process, including technically adroit attorneys who understand the international legal analysis required and IT resources with detailed knowledge of both the corporate data and the numerous processes needed to identify, preserve, collect, process, review, and produce data responsive to U.S. litigation. Part one of this series can be found in the November issue of the Privacy Advisor. CHART FROM PAGE 7

Regional Data Protection Laws
Australia:	The Foreign Proceedings Act of 1984 is a blocking statute for common law discovery. The Federal Privacy Act of 1988 (revised in 2001) that lays out ten National Privacy Principles, which includes a requirement to have a reasonable belief and take reasonable steps that any personal data transferred outside the country be to a recipient that upholds the National Privacy Principles. Australia also protects commercial secrets under the general law concerning confidentiality.
China:	The State Secrecy Law is implicated when any information is deemed by the Chinese government to be a state secret, which may include civil matters when the government is involved (e.g. as an owner). The Unfair Competition Law is for the protection of commercial secrets. A Data Protection Law has been in development for the last several years.
Hong Kong:	The Personal Data (Privacy) Ordinance of 1995 has a provision for the onward transfer of personal data that requires that there be a reasonable belief that any personal data transferred outside Hong Kong without consent is transmitted only to a recipient operating under similar privacy laws. Bank secrecy is contractual instead of statutory.
India:	Article 21 of Constitution has been interpreted by the Indian courts to include a right of privacy. The IT Act of 2000, based on the model U.N e-commerce law, was revised effective in 2009 and has select privacy provisions.
Japan:	The Personal Information Protection Act of 2003 protects personal data and does not allow un-consented transfers of personal data to third parties, with the exception of  certain outsourcing companies (e.g. payroll processing). It also has notice and opt-out provisions. Japan protects commercial secrets under the Unfair Competition Prevention Act.
Singapore:	There is a voluntary privacy framework, the Model Data Protection Code for the Private Sector, which applies to any recipient to whom personal data is transferred, in or outside the country. Singapore’s Banking Law states that “customer information shall not, in any way, be disclosed by a bank.”
South Korea:	The Act on Promotion of Information and Communication Network Utilization and Information Protection of 2001 protects the personal information of consumers held by certain industries. The number of industries subject to this law is in the process of being greatly expanded by the responsible government ministry.
Taiwan:	The Computer-Processed Personal Data Protection Law of 1995 protects the processing of personal data in certain kinds of industries, such as financial. It allows for restrictions on cross-border transfer of personal information.
In Malaysia, the Philippines and Thailand, new privacy legislation is expected to be enacted soon, while in Indonesia and Vietnam the e-transactions laws include privacy provisions. New Zealand is currently considering amendments to the Privacy Act of 1993 to protect cross-border movement of data and align its rules with the EU’s data protection regimen.