Tag:Cross-Border Data Transfer

1
e-DAT Practice Group Partner to Attend Upcoming ABA Program and Master’s Conference in Europe on E-Discovery and Data Privacy
2
Bumps in the Road for a US Adequacy Decision Under GDPR
3
Will 2023 Be the Year When the United States Receives an Adequacy Decision under GDPR from the European Union?
4
Chinese Data Security, Data Protection, and Cybersecurity Law: A Recent Enforcement Action Resulting in Large Fines Highlight Risks
5
In re del Valle Ruiz, No. 18-3226 (2nd Cir. 2019).
6
In re CA Investment (Brazil) S.A (District of Minnesota, 2019)
7
United States v. Asgari (6th Cir., 2019)
8
Brooks Sports, Inc. v. Anta (China) Co., Ltd. 1:17-cv-01458 (E.D. Virginia, 2018)
9
In re Ex Parte Application of Levi Strauss & Co (Northern District of California District Court, 2018)
10
In re: Application of Biomet Orthopaedics Switzerland GMBH Under 28 U.S.C. 1782 For An Order to Take Discovery for Use In A Foreign Proceeding, No, 17-3787 (3rd Cir. Aug. 6, 2018).

e-DAT Practice Group Partner to Attend Upcoming ABA Program and Master’s Conference in Europe on E-Discovery and Data Privacy

Daniel Miller, a partner of the K&L Gates e-Discovery Analysis & Technology (“e-DAT”) Group and the firm’s Pittsburgh office, will attend this week’s ABA Cross-Border Institute in Paris. Daniel will also participate on a panel discussion at next week’s Master’s Conference in London.

Read More

Bumps in the Road for a US Adequacy Decision Under GDPR

As discussed in a prior post on this blog, electronic discovery that requires the processing and use of records and information that includes the personal data of individuals residing in the and the European Economic Area (“EEA”) must often incorporate measures to allow for compliance with the European Union’s General Data Protection Regulation (“GDPR”), which contains a number of requirements and limitations regarding the processing of such personal data and its transfer to countries outside the EEA.

Read More

Will 2023 Be the Year When the United States Receives an Adequacy Decision under GDPR from the European Union?

Electronic discovery for legal matters within the United States often involves preserving, collecting, processing, reviewing, and producing data that concern individuals living outside the United States. In some of these situations, the data privacy laws of jurisdictions outside the United States can complicate electronic discovery to be performed in the United States. Perhaps the most well-known data privacy law is the European Union’s General Data Protection Regulation (“GDPR”), which outlines requirements related to the processing of the personal data of individuals residing in the and the European Economic Area (“EEA”) and addresses the transfer of data outside the EEA.

Article 45 of GDPR forbids the transfer of the personal data of EEA residents (described as “data subjects”) to any country outside of the EEA unless (i) the EU determines that the country’s legal privacy frameworks and practices ensure an adequate level of protection for data subjects’ personal data (termed an “adequacy decision”), or (ii) one or more safeguards deemed appropriate by the EU are imposed on the cross-border data transfer. Accordingly, transfers of personal data of EEA residents to a country outside the EEA that lacks an adequacy decision must rely on such safeguards (or, alternatively, a derogation defined by Article 49 of GDPR). These safeguards can include use of data processing agreements that contain standard contractual clauses, binding corporate rules that address data privacy and protection concerns, and/or binding and enforceable commitments by the data controller or processor located in the country to which the data are being transferred.

Some legal matters requiring cross-border data transfer to the United States may not clearly fit within one of Article 49’s derogations, which may prompt the need to employ such a safeguard to accommodate the data transfer because the United States does not currently have an adequacy decision from the EU. However, such an adequacy decision may soon exist. On December 13, 2022, the European Commission published a draft adequacy decision for the United States, based largely on a new United States executive order that commits to changes to its foreign intelligence agencies’ access to personal data and the creation of a new system through which EU data subjects can seek redress for the infringement of their data privacy rights in the United States. This draft adequacy decision will now receive review and feedback from the European Data Protection Board, the Council of the European Union, and the European Parliament before its possible implementation.

With a GDPR adequacy decision possible for the United States by the summer of 2023, legal practitioners in the United States can consider how data transfer and review workflows in some circumstances could be streamlined in the wake of such an adequacy decision. The European Commission’s draft adequacy decision is available at https://commission.europa.eu/document/download/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en?filename=Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf.

Chinese Data Security, Data Protection, and Cybersecurity Law: A Recent Enforcement Action Resulting in Large Fines Highlight Risks

Electronic discovery for US litigation and legal proceedings often implicates data outside the US.  As data privacy and protection laws evolved around the globe, it’s critical to understand the limitations obstacles that may arise when collecting, processing, reviewing, and producing such data. China’s Data Security Law (“DSL”) and Personal Information Protection Law (“PIPL”), both enacted in 2021, have received heightened attention following China’s imposition of fines totaling roughly $1.2 billion in light of violations of these laws and its Cybersecurity Law (“CSL,” enacted in 2017) by Didi, China’s largest ride-sharing service provider.  China’s DSL and PIPL are particularly noteworthy of their potential application to data processing and transfer actions that may occur both during the ordinary course of business and in response to litigation in other jurisdictions, such as the United States.

Read More

In re CA Investment (Brazil) S.A (District of Minnesota, 2019)

Key Insight: Foreign corporation can seek discovery of American party to be used in foreign court if its narrowly tailored

Nature of Case: corporate share agreements, corporate ownership international

Electronic Data Involved: documents (generally)

Keywords: foreign proceedings, corporate ownership, discovery, foreign corporation

View Case Opinion

Brooks Sports, Inc. v. Anta (China) Co., Ltd. 1:17-cv-01458 (E.D. Virginia, 2018)

Key Insight: Failure to produce discovery and making misrepresentations about the nature and content of documents so as to not produce them.

Nature of Case: trademark infringement

Electronic Data Involved: business documents, text messages, personal messages of employees.

Keywords: Compel, “chinese privacy law” misrepresentation,

View Case Opinion

In re Ex Parte Application of Levi Strauss & Co (Northern District of California District Court, 2018)

Key Insight: Party could obtain discovery of websites archived by American company for use in a foreign tribunal

Nature of Case: trademark enforcement

Electronic Data Involved: archived websites

Keywords: foreign discovery, archived websites, Section 1782 application, international trademark enforcement

View Case Opinion

In re: Application of Biomet Orthopaedics Switzerland GMBH Under 28 U.S.C. 1782 For An Order to Take Discovery for Use In A Foreign Proceeding, No, 17-3787 (3rd Cir. Aug. 6, 2018).

Key Insight: Trial Court had denied request for documents. Third Circuit remanded for further review based off four-factor discretionary test after finding that it met the basic statutory requirements to be considered.

Nature of Case: Trade Secret

Electronic Data Involved: Documents in US, desired for foreign matter

Keywords: foreign proceeding.

View Case Opinion

Copyright © 2022, K&L Gates LLP. All Rights Reserved.