Drew Macaulay is director of business development at First Advantage Litigation Consulting In a globalised environment where legal and regulatory matters can involve corporate subsidiaries spanning multiple jurisdictions, moving data from one country to another in order to respond to these matters can lead to significant legal, political and social challenges. The need to collect, review and produce information from multiple jurisdictions is a regular feature of international legal, regulatory and investigative matters. However, legal requirements to produce information in response to proceedings in one jurisdiction often clash with the data privacy requirements of other jurisdictions at both national and supranational levels. For example, a discovery request arising from US litigation may require the production of relevant documents from a company’s French subsidiary, including those containing personal data. The US legal team will then be faced with the EU Data Protection Directive, an instrument concerned with the level of protection of personal data after it has left the EU, and the French Blocking Statute French Penal Code Law No. 80-538, which prohibits a French national or corporation from moving data out of France in response to civil proceedings in another country. As another illustration, if a matter necessitates accessing documents originating in Switzerland, be prepared to face strong data protection laws which apply both to personal data, and to data belonging to other legal entities such as corporations. These types of hurdles are not limited to European countries. Matters involving data in China are affected by the state secrecy law, which prohibits unlawful copying, recording, transmission or storage of state secrets and incorporates a broad definition of such secrets, including ‘secrets in the areas of national economic and social development’ or ‘secrets concerning science and technology’. In Japan, the Personal Information Protection Act of 2003 does not allow acquisition and use of personal data by ‘business operators’ without consent, and contains detailed provisions regarding notification of persons concerned, specificity of purpose and security of data held by ‘business operators’ and third party organisations. In all of the above examples, serious penalties can be imposed on companies which do not pay adequate attention to the rules. However, certain steps can be taken to minimise the risk of these penalties and overcome cross-border challenges. In countries such as France which block even limited transfers of data but have acceded to the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters, a Letter of Request for evidence can be made by the court in the requesting jurisdiction to the central authority in the jurisdiction in which the data exists. This request must detail the nature of the information that needs to be collected, and will need to be highly specific, listing particular categories of documents, rather than simply a broad request for any documents potentially relevant to the matter. If consent for collection of data from individual employees, often referred to as custodians, is required under local data privacy law, consider asking the local Labour Unions’ assistance in gaining co-operation, which may particularly assist in jurisdictions such as Germany. Be aware that the collection and searching of someone’s personal information, even if it is stored on a corporate laptop or server, can be a stressful experience. Data collection staff who are able to fully explain the processes being used and the reasons why data has to be collected are often very helpful in achieving co-operation, even more so if they speak the same language as the potential custodian which is particularly important in countries such as China and Japan. In some jurisdictions such as France, several copies of the data collected may be needed, notification of collection must be provided to the custodian, and the collection itself may need to be conducted in the presence of a notary or similar figure. Where a particular jurisdiction specifically prohibits the transfer of irrelevant data, or requires that the data disclosed to be limited to only specific classes of documents, it is advisable to employ a specialist legal data collection and processing firm with facilities in that jurisdiction to assist with the management of the documents. Specialist technology and experienced technical staff can efficiently identify those documents likely to be relevant before the legal team conducts a more detailed, manual review. This process may include redaction of specific types of information such as names, social security numbers and other identifying information. Where no appropriate service provider exists in the country concerned, consider using a vendor with the ability to set up a temporary facility on the client’s site or elsewhere in that jurisdiction for that specific engagement. Using this type of arrangement can also be beneficial where corporate clients are concerned about the security of trade secrets or other confidential data. In order to prepare for cross-border information requests the first step is to map out the company’s data. A corporation may have operations in one country, but the data relating to those operations may be in another country – with very different privacy restrictions and regulations. A good understanding of the data locations and the data protection regimes in each relevant jurisdiction will aid decisions on how best to proceed if a need to collect data arises, and whether some or all of the approaches above should be employed. Secondly, understand how the company communicates, internally and externally, and stores its data. Does the corporation use outsourced data storage, ‘cloud’-based email or instant messaging? Where is this information physically held? How would one go about retrieving, searching and reviewing large numbers of these documents if required? As communication technology expands, so too does the complexity of data management. Identifying partners that have specific expertise and technology to deal with these changing information formats, and the ability to deliver services in the relevant locations, can effectively mitigate risk in responding to these complex cross-border information requests. Finally, consider spending some time identifying potential local counsel in the jurisdictions in which the company operates. Local counsel will have detailed knowledge of the regulatory and cultural environment in which a potential collection exercise may take place, which will assist in pre-empting any potential issues. This investment in time will pay dividends, particularly in regulatory matters where the speed and level of co-operation with the regulator could significantly impact the severity of fines levied on the corporation.