Managing the demands of preserving, collecting, processing, reviewing, and producing data under the U.S. discovery rules is challenging, but lawyers litigating matters that involve data stored in Asian countries may have to fight battles on two fronts: the legal controversy itself and disputes over the permissible scope of discovery.
The liberal discovery of the U.S. is at odds with the curtailed disclosure allowed in Asian countries for a host of reasons, including strict privacy regimes that restrict the collection and use of certain business-related and personal information.
E-Discovery in Asian Nations
No standard blueprint for conducting e-discovery exists in this region. For example, Singapore, Hong Kong, and Japan generally follow rules for e-disclosure that resemble U.K. procedure, while South Korea has no formal e-discovery framework. In these nations, laws designed to protect data have the greatest impact on e-discovery – and all Asian countries have privacy laws that restrict the transfer of personal data outside their borders.
China has a number of data protection and secrecy laws that operate like blocking statutes, forbidding the cross-border transfer of state and commercial secrets. In addition, before collecting and processing personal information, two conditions must be met: first, the law must authorize the collection or the data subject must provide consent, and second, there must be a specific, clear, and reasonable purpose for the data collection. Among other things, the data subject must be informed of the purpose for the collection. Although laws that apply to specific industries may restrict international data transfer, no general restrictions on data transfer exist.
The Personal Data (Privacy) Ordinance controls the collection and handling of personal data. The ordinance requires data subjects whose information is being collected to be informed of a number of items, including the purpose for the use and who may receive it. The provisions prohibiting the transfer of data without notice to the data subject have not yet come into effect.
The Personal Information Protection Act of 2003 requires organizations that collect personal information to specify to the individual how the data will be used and to obtain the individual’s consent for the transfer of personal information. Personal data may not be disclosed to a third party without the person’s prior consent. Corporations that violate the law may face fines or criminal penalties.
The 2011 Personal Information Protection Act requires those collecting, processing, and transferring personal information to notify and to obtain the consent of the data subject. Violations can lead to imprisonment or fines.
In late 2012, Singapore enacted the Personal Data Protection Act; parts of the law are in effect as of early 2013, and others will become effective in 2014. The Act permits the transfer of personal data outside the country so long as a comparable standard of protection is given to that data. Violations may lead to fines.
The Computer-Processed Personal Data Protection Law of 1995 prohibits certain industries from processing personal data. Data collection and processing is permitted in certain circumstances, including where it is stipulated by law, where the subject has disclosed the data, and where the subject has provided written consent. The data subject must be informed of the purpose for collecting the data, among other things. Data transfer is also limited: for example, transfer is permissible when the country receiving the data has proper regulations to protect the data.
Managing E-Discovery in Asia
Litigants involved in cross-border litigation involving Asian nations must often choose between two evils: (1) violate U.S. procedural obligations and face sanctions, or (2) breach Asian data privacy laws and face civil and criminal penalties.
Regardless of which option they choose, they should take advantage of tools that can ease the burden of e-discovery in Asian countries. First, finding a discovery software platform that offers Asian language support is critical. Otherwise, the characters and sentence structures of Asian languages pose challenges for e-discovery tools. For example, the lack of spaces between words and sentences in these languages can stymie software’s ability to index documents, search for keywords, and run predictive coding algorithms. In addition, to avoid running afoul of privacy laws, organizations can leverage tools that prevent the disclosure of personally identifiable information, such as automated redaction. This tool sets up rules that search for certain patterns, such as account numbers, in documents and automatically redacts data matching those patterns.
Because most U.S. courts are unsympathetic to litigants’ plights and refuse to limit pretrial discovery, parties can take advantage of these discovery tools and engage counsel and e-discovery specialists who can help them navigate the nuances of complex cross-border discovery laws.