"Software as a Service" (SaaS) providers such as Google, IBM, Cisco and others are offering multinational corporations the opportunity to replace their enormously expensive and ever changing technological infrastructure with SaaS computing facilities. Individual companies would archive and access information in these systems through the internet at a presumably lower unit price (cloud computing). These providers also promise to manage the skyrocketing costs of collecting and disclosing electronically stored information (ESI), especially emails, demanded in U.S. judicial and regulatory proceedings (e-discovery). Since these repositories are not under the control of the company being sued, they argue that the very strong policy and procedure, audit trails and reliability in the "cloud" are a vast improvement over a company's internal procedures. However, international cross-border e-discovery issues threaten to rain on the cloud computing parade. The SaaS provider, the multinational corporation and their attorneys must carefully address and anticipate these e-discovery issues early in their discussions or risk costly sanctions. Moreover, litigation counsel cannot be surprised to learn that all of the company's ESI is outside of the company's control.
Civil code countries, such as France and Germany, take dramatically different approaches to cross-border information transfer than does the U.S. The U.S. requires parties in any litigation to exchange information which "may" lead to the discovery of admissible evidence. Issues of confidentiality and privacy are dealt with through various devices such as protective orders and confidentiality agreements. This is not true for many European and Asian countries where U.S. type discovery is rare and broad data protection and privacy rights are enforced by the state and are not negotiable by an employer. For example, "processing," includes a company's operations relating to collecting, storing, retrieving, disclosing and transmitting personal data and includes any information relating to an identified or identifiable natural person. Countries have introduced laws ("blocking statutes") to restrict cross-border disclosure of information to foreign jurisdictions. See generally, "The Sedona Conference Framework for analysis of cross border discovery conflicts-A practical guide to navigating the competing currents of international data privacy and discovery" (August, 2008 Public Comment Version).
Moreover, in these jurisdictions, the use of e-mails during the course of litigation requires the consent of the sender or receiver. The mere retention or searching for records containing personal data in anticipation of discovery, which may never leave Europe, would likely violate the general privacy rules. See Directive 95/46/EC of the European Directive, Art.2. The restrictive nature of these rules was illustrated when European authorities refused to allow General Motors to update its electronic phone books so that its engineers in Taiwan could look up colleagues in Germany. "Europe's New High-Tech Role: Playing Privacy Cop to the World" (The Wall Street Journal, October 10, 2003).
The promise of cloud computing to reduce cost and the problems of cross-border discovery collide in the following scenario. Plaintiff Company A (a U.S. corporation), sues Defendant Company B (a multinational French corporation) in a New York Federal Court. Defendant Company B stores all of its ESI generated in the U.S. with a French SaaS provider whose computer facilities are also in France. Plaintiff Company A asks for discovery of data from Defendant Company B which asserts that the requested information is in France, is not readily discoverable and cannot be produced under French law.
U.S. courts have required compliance with discovery orders even if illegal under the laws of a foreign jurisdiction. See Societe Nationale v. Industrielle Aerospatiale v. United States District Court for the District of Iowa, 482 U.S. 522 (1987); Lyondell-Citgo Refining LP v. Petroleos de Venezuela, S.A., 2005 WL 356808 (S.D.N.Y. 2005 and the Restatement (Third) of the Foreign Relations Laws of the United States, § 442. Thus, the e-discovery issues in this scenario are likely to be hotly contested and likely to be litigated. Any company that stores its ESI with a foreign SaaS provider can expect to be accused of using the SaaS provider to avoid discovery.
The first issue to arise in our hypothetical will be how to satisfy Defendant Company B's duty to preserve information. Defendant Company B must insure that the SaaS provider follows the company's document retention policies. When Defendant Company B, as required under U.S. law, issues a litigation hold to its offices in the United States it must send it to the French SaaS as well. Initially, this may present a problem with the French SaaS since the mere institution of a litigation hold and keeping information that may otherwise have been destroyed could violate EU laws. At a minimum, Defendant Company B must insure that the SaaS is competent and understands its e-discovery responsibilities. The company must insure, by contract or otherwise, that the SaaS provider will comply with any litigation hold sent to it, maintain the ESI as instructed, and periodically check that the litigation hold is being complied with. U.S. laws also impose an obligation upon outside counsel to insure that proper retention procedures are followed. Thus, the SaaS provider must agree to review its data storage technology and its retention practices with outside counsel to insure that proper procedures were followed. SaaS providers and multinational corporations need to consider whether this is a real concern and if it is negotiate a solution with the appropriate foreign jurisdiction or possibly keep separate email archives within the U.S. and avoid the problem altogether.
Another potential issue in our hypothetical relates to the amount of time and money a defendant must spend to located the requested information. U.S. Companies, without further court intervention, are not required to produce ESI that is not "reasonably accessible" and are not, for example, required to spend large sums of money to restore ESI saved in backup tapes. In our hypothetical, Defendant Company B refuses to produce the information on the grounds that it is informed by the French SaaS provider that the requested information is not "reasonably accessible." Plaintiff Company A rejects this assertion and demands to depose the person with knowledge. Normally this would be a Defendant Company B employee. But with cloud computing, this may be an employee of the SaaS provider. Moreover, following these depositions, courts have sometimes ordered the opposing party to allow the requester to conduct a forensic investigation of the company's computing system. Again, is this something the third party SaaS provider will agree to? Will the SaaS provider require a subpoena? How will it be enforced in a foreign jurisdiction? What if ESI is improperly destroyed by the SaaS provider, will the provider be liable for a possible default judgment? Again these issues must be addressed before the cloud computing arrangement is entered into.
Even if the litigation hold and reasonably accessible issues are solved, the even more difficult question is whether the French SaaS provider can legally transfer the information from France to the U.S. The transmission of information covered by EU data protection and privacy laws is, to say the least complicated, and a matter of contention between the U.S. and other countries. See Article 29 Data Protection Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation. There is no easy solution but again before transferring its ESI under a cloud computing arrangement with a foreign SaaS provider, Defendant Company B must carefully consider how it will deal with this situation. Failure to do so may very well result in sanctions that could include a default judgment in the civil litigation. See Strauss v. Credit Lyonais, 242 F.R.D. 199 (E.D.N.Y. 2007).
Finally, there are a host of other practical and legal issues that need to be addressed with the foreign (and domestic) SaaS provider. Will the data packets, bits and bites, generated as they are transported over the internet be handled in the same way as meta data, and will the original meta-data remain intact when it is transferred? Can the SaaS provider transfer the company's information to a third party in its "native format" as required by U.S. discovery rules? How do the company's attorneys apply early case assessment concepts to learn the scope of the ESI in the cloud?
None of these problems are insurmountable, but they do require multinational corporations to carefully analyze them before jumping into the cloud.