Written by S. Richard Carden, Partner, McDonnell Boehnen Hulbert & Berghoff LLP
S. Richard Carden reviews the specific policies of Hong Kong, China, Singapore, Australia and Japan and provides tips on how to address data privacy issues in cross-border litigation.
Part I of this article addressed basic concepts of data privacy as set out in the policies of numerous regional and multilateral organisations, including the Organisation for Economic Co-operation and Development (“OECD”), Asia-Pacific Economic Cooperation (“APEC”), and the Association of Southeast Asian Nations (“ASEAN”). Part II addresses the specific policies of several Asia-Pacific nations and provides a general framework for addressing data privacy issues throughout the litigation process.
Hong Kong’s data privacy regime is governed by the Personal Data (Privacy) Ordinance (Cap. 486) of 1996, as most recently amended in 2012 (the “PDO”). While providing a relatively broad definition of personal information, the PDO does place some reasonable limitations on what constitutes personal information. Specifically s. 2 defines personal data as any data (1) related to a living individual, (2) that allows the identity of the individual to be ascertained, (3) “in a form in which access to or processing of the data is practicable.” Schedule 1 to the PDO sets forth six guiding principles that are largely consistent with the OECD Guidelines, including requirements for accuracy and security of personal information, limits on the purposes and manners of collection and use of information, and requirements for access to information.
The PDO provides specific exemptions for uses of personal data in legal proceedings (s. 60B) and for the performance of the judicial function (s. 51A). Thus, the PDO should have little impact on litigation within Hong Kong. However, cross-border transfer of personal information for purposes of overseas litigation is subject to more stringent protections. Section 33 of the PDO details the prohibitions on transfer of personal data outside of Hong Kong, where the personal data is either collected or processed in Hong Kong or is in the control of an entity with a principal place of business in Hong Kong. For purposes of this section, an entity has a principal place of business in Hong Kong if it is incorporated in Hong Kong. Thus, foreign entities with separately incorporated Hong Kong entities may be subjected to the cross-border transfer provisions of s. 33. There are a number of limitations detailed in s. 33, including the specific consent of the data subject; several address the situation where the receiving entity is subject to laws that would provide similar protections to those available in Hong Kong. Whether or not the US would meet this qualification today is an open question, given the recent NSA scandal. Indeed, the EU ended the safe harbor program and has revisited its data privacy laws specifically in view of this scandal.
Unfortunately, however, US courts may pay little attention to the PDO when the Hong Kong entity is controlled by the US entity. On 31 July 2014, a federal judge in New York upheld a magistrate judge’s ruling requiring Microsoft to turn over e-mails maintained in Ireland pursuant to a warrant issued by a US court (see In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., F.Supp.2d, 2014 WL 1661004 (S.D.N.Y. 2014)). While discussion in the case was limited primarily to whether US warrants could have extraterritorial effect, there was also a suggestion that a US court could require production even when a foreign nation’s privacy laws would otherwise preclude production. This places a company in the unenviable position of either subjecting itself to sanctions from the US court or potentially incurring both monetary and criminal penalties for violations of privacy laws. And under s. 64 of the PDO, there are substantial penalties (HK$1,000,000 fine and 5 years in prison).
For an in-depth analysis of all provisions of the PDO, visit www.pcpd.org.hk.
China does not presently have an omnibus data protection regime; however, there are a number of existing laws and proposals that address data privacy. For some years, China has been pursuing implementation of a more formal policy, but has yet to fully implement it.
In 2013, however, a non-binding standard for the protection of personal information was implemented. The Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Services Information System (the “Guidelines”) define “personal information” as “[c]omputer data that is handled in computer systems, that are related to a specific natural person, and that can be used independently or in combination with other information to distinguish that specific natural person.” (the Guidelines Art. 3.2). The Guidelines distinguish between “common” personal information and “sensitive” personal information, the disclosure of which “may bring about harmful influence to the subject of the indicated personal information.” (Id. at Arts. 3.7–3.8). Article 4.2 of the Guidelines sets out eight governing principles, which are similar in concept and scope to the OECD principles.
Transfers of personal information under the Guidelines are primarily subject to the consent of the data subject. Perhaps of most significance to overseas litigation is the stringent limitation of Art. 5.4.5 related to transfers to foreign entities:
Without explicit consent by the subject of personal information, or clear provisions in laws or regulations, or without the agreement of the controlling departments, personal information administrators may not transmit personal information to foreign personal information receivers, including individuals abroad or foreign-registered organisations and institutions.
Notice and consent are also requirements for the collection and processing of personal information under the Guidelines (Id. at Arts. 5.2.3, 5.3.4).
Notwithstanding the lack of overarching guidelines, China has actively enforced privacy rights. In August 2014, China convicted two British citizens for illegal collection of private data. These individuals had established companies in China and Hong Kong for the purposes of investigating Chinese companies on behalf of the Chinese subsidiaries of multinational corporations. The companies purchased and resold private data related to Chinese citizens. Both were given a prison term and a substantial fine.
Given the breadth of the Guidelines, there are potentially substantial hurdles involved when parties are seeking discovery from a Chinese entity, or conducting due diligence regarding a Chinese entity.
In 2012, Singapore enacted the Personal Data Protection Act (No. 26 of 2012) (“PDPA”), which is supplemented by a variety of additional associated regulations and notifications. Singapore’s definition of personal data is substantially broader than Hong Kong’s and applies to all data that can lead to the identification of an individual, either by itself or in conjunction with other data to which a data user has access (PDPA, Part I, Section 2).
Several Schedules attached to the PDPA provide exceptions where an organisation can collect, process and use information without the consent of the individual. While these schedules do not specifically state that any use in court proceedings is allowable, there are provisions related to the collection, processing and use of personal data for the provision of legal services. Thus, presumably there are few issues with the PDPA in the context of litigation in Singapore.
Section 26 of the PDPA, however, limits cross-border transfers of personal data to those areas that offer equivalent protection as is available under the PDPA. The Personal Data Protection Commission (“PDPC”) may grant exemptions to the limitations. Cross-border transfer restrictions are further delineated in Part III of the Personal Data Protection Regulation of 2014, but still require equivalent protections.
As with other nations, Singapore provides for both monetary penalties and imprisonment for violations of the Act, up to S$100,000 and 12 months imprisonment per offence (s. 51). Just as with China, Singapore is actively enforcing privacy rights. The PDPC recently launched an investigation of Xiaomi, China’s largest mobile provider, for improperly providing mobile user data to telephone marketers. According to the PDPC, if found guilty of violating the PDPA as alleged in the complaint, Xiaomi may face fines up to S$1,000,000.
Australia has had a very robust set of data privacy laws for nearly 30 years. In the Privacy Act 1988, Australia, recognising the privacy rights in the International Covenant on Civil and Political Rights (to which it was a party), and further recognising the efforts of the OECD relating to data privacy, specifically adopted measures to protect personally identifiable information. Just as with the OECD Guidelines, the Australian privacy laws seek to balance the need for legitimate transfers of information between organisations and across borders with the privacy interests of individuals. On 12 March 2014, Australia’s existing National Privacy Principles (“NPPs”) (applicable to private sector entities) and Information Privacy Principles (“IPPs”) (applicable to government entities) were replaced with a new set of 13 Australian Privacy Principles (“APPs”). In addition, a new Privacy Regulation went into effect. The APPs mirror in large measure the eight original OECD Guideline principles, although they provide a greater degree of granularity, acknowledging modern day considerations.
Consistent with many other nations, the Privacy Act provides a broad definition of personal information that encompasses any information about an identified or identifiable individual. However, the Privacy Act contains a potentially problematic twist in that it also covers information that is not “recorded in a material form.”
Among the changes embodied in the APPs are changes to the provisions for cross border transfers of personal information. Just as with other Asia-Pacific nations, APP 8.1 requires that prior to a cross-border transfer, the transferring party must “take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the [APPs] (other than [APP] 1) in relation to the information.”
Australia’s approach is similar to the European Union (“EU”) safe harbor program, and will likely be subject to the same concerns recently expressed by the EU when, ironically enough on 12 March 2014, it suspended the safe harbor program in view of the National Security Agency scandal.
The Australian Privacy Commissioner has investigated numerous data breaches of varying size in the past year, including breaches related to the personal information of detained immigrants, police data regarding ongoing investigations, and several private company data breaches. In one instance a telecommunications company was fined for allowing personal data related to its customers to be found through simple online searches.
Japan has an established data protection framework, implemented in 2003 through the Act on the Protection of Personal Information (Act No. 57 of 2003) (“APPI”). As with other data protection laws, the APPI seeks to balance the need for legitimate transfers of information against individual rights.
Article 2(1) of the APPI defines “personal information” as “information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).” Article 23 of the APPI limits transfer without the consent of the data subject or legal authority, similar to the Chinese Guidelines.
Enforcement efforts in Japan are also on the rise. In July, for example, authorities arrested a man for misappropriating and selling personal information related to over 20 million customers of an education services firm. The breach has led to calls for Japan to further strengthen its data protection laws.
Implications for Litigation Involving Entities Outside the United States
Given the breadth of the definitions of personal information, and the strong interest among the Asia-Pacific nations in ensuring that the balance between disclosure and protection is properly enforced, much of the data sought in modern patent litigation is potentially subject to data protection laws and restrictions on cross-border transfer. Particularly in view of the fact that litigation now often involves terabytes of data (much of which is of marginal or little actual relevance or use), the potential for disclosure of personal data is high. And given the ever increasing penalties implemented or under consideration for breaches of privacy laws, parties to litigation would be well-advised to address these issues head on, rather than waiting for them to be brought up in a discovery motion or a sanctions motion.
In order to properly assess the impact of data privacy issues on litigation in the US, one must consider how they arise in various stages of litigation, as presumptions of privacy differ markedly throughout the process. During the discovery phase, there is no presumption that the public can or should have access to materials exchanged between the parties, or in materials obtained from non-parties. However, once information is introduced into the courtroom, whether in motion practice, hearings, or at trial, the presumption shifts. At this point, there is an overriding interest in providing the public access to the courts. It is therefore important for the parties to consider what data will be needed at each stage in order to appropriately afford the greatest degree of protection to personally identifiable information.
The parties should address data privacy issues well before discovery actually begins. There are a number of potential options for limiting the unnecessary disclosure of personal information, and many can actually provide benefits to the parties through a reduction in the overall amount of information collected and reviewed and through a reduction of costs associated with collection, production, and review. Most parties will look primarily to the protective order as a mechanism for protecting the confidentiality of data. However, a protective order in and of itself may not be fully sufficient, particularly once the data is needed for use in an open proceeding. Moreover, given the volume of information associated with modern patent litigation, redaction of personal information is often completely impractical. The parties should instead seek to address these issues as part of a discovery plan.
As an initial matter, each party should attempt to identify the information it will likely need to produce that may contain personally-identifiable information. Each party should also consider what information it intends to seek that may be subject to privacy laws in foreign jurisdictions, and whether the benefits of the discovery outweigh any potential individual privacy concerns. The parties can then reasonably discuss methods for limiting the amount of information exchanged that may raise privacy concerns. For example, the parties may consider staged discovery such that the earlier stages involve a much more limited set of information, and then expand that discovery if and when it becomes necessary.
Companies involved in patent litigation may also consider some proactive measures to deal with privacy concerns. For instance, to the extent that an employee has a reasonable expectation of privacy that has not already been contractually addressed, a company may consider providing a specific notice of potential disclosure when implementing legal holds. Of course, given the variety of potentially applicable laws, any notice methods should be drafted in view of the controlling laws in the collection jurisdiction so as to avoid arguments of ineffective notice.
The parties should also specifically address potential disclosure issues for discovery that will likely be used in open court. Can personal information be appropriately redacted or anonymised? Or must the parties provide notice to the data subject and allow an opportunity for them to oppose disclosure?
At the end of the day, there are many considerations the parties to litigation must address with respect to the increasing number of data privacy laws worldwide. However, proper advance planning will substantially limit the number of issues that will actually arise, and also potentially provide the parties with a more streamlined and cost-effective discovery process.