UHY Advisors is an independent member of UHY International, which has more than 200 offices in over 70 countries.  As such, the eDiscovery & Digital Forensics Practice is called upon regularly to travel both domestically and abroad to preserve electronic evidence sources and in most cases perform the Digital Forensics and eDiscovery data processing onsite. 

UHY Advisors also offers a unique Mobile eDiscovery Solution (MeDS), which is effectively a full-service, portable processing platform to serve our clients needs throughout the world.

MeDS is a completely portable solution that can be dispatched at a moment’s notice along with the appropriate personnel to meet our client’s needs.

MeDS was developed to allow our European Union clients to receive the same level of detailed, quality service within member countries, while adhering to the often complex and unyielding parameters of local, state, and international laws. 

Chain of Custody and the European Union

Directive 95/46/EC concerning the protection and free movement of personal data was enacted in 1998 and since such time all member states of the European Union have been required to adopt their own data protection legislation. The European Union’s recent legislation concerning personal data holds the possibility of presenting American ediscovery efforts with a significant degree of frustration along with the possibility of exhaustive IT reworking. Directive 95/46/EC details the scope to which private information must be protected in Europe and, in turn, outlines the significant obstacles with which American efforts at communicating across the Atlantic will be met, both in terms of interdepartmental transfer which takes place within the EU, as well as any and all importing and exporting of data across the respective borders.

Self-regulation and a system of piecemeal retroactive legislation in the U.S. is inevitably presenting anyone concerned with data transfer into and out of the EU with a host of problems. The European Union’s right to privacy is a closely-held quality of life and experience has presented a different way of approaching problems associated with data protection. While in the U.S. a piecemeal approach has been the normal practice, the EU has in place a comprehensive system of rules and regulations. Retroactive legislation on an issue as important as human rights in the European Union is uniformly opposed and there is a wide reaching system of national laws in effect to deal with any and all human rights violations. This however does not bode well for the ever increasing transmittal of information between the two continents.

‘Processing of personal data is defined to mean “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” E.U. Directive, Art. 2(b). Approaching data privacy in such a way affords the EU with a sizeable responsibility:  Hinder the free flowing exchange of data between the two powers or form legislation that will allow for continued interaction with strict parameters as to how the exchange will be kept within legally acceptable boundaries. ‘Adequate’ data privacy protections must now be in place for any and all outside countries to export data into the EU, interpretations of ‘adequate’ are, of course, met with contention.

Special circumstances for U.S. to European Union data transfers seem logical enough and there are three transfer authorities set up to aid in this important aspect of international communication. First, Safe Harbor protections and their relation to companies under the jurisdiction of the Federal Trade Commission as well as the Department of Transportation. Safe Harbor protections allow for data transfer without prior approval from the member states of the EU with the agreement that IT and other data related aspects of the business adhere to the strict EU guidelines set forth by the Directive. While this concept seems rational enough, few American businesses have reached the upper echelons of EU approved data transfer.

Second are Model Contracts, whereby data handling practices are established in accordance with EU law (actually member states’ laws) as well as adhering to the EU’s ability to call for internal audits of the business’ data handling methods including human rights inquiries. When a satisfactory contract has been established and the EU laws have been taken into consideration in the construction of data handling methods, then the transfer of data can commence, again a difficult exercise.

Third are Binding Corporate Rules covering the enforcement of the Directive within a corporation in order to meet the standards of transference for the purpose of uninhibited company communication. This third authority is meant to be used by countries other than the U.S.- who enjoys Safe Harbor protections and can therefore bypass any other stipulations under the Directive given that they are liable to EU standards as well as an internal audit of said standards. Binding Corporate Rules however must be approved by the data processing authorities of each and every member state and is in turn seen as a pitfall to the free trade of information.

However the criteria set forth by the EU clashes with the usual practices of the U.S., and has the potential to be highly detrimental to American efforts given the EU’s already significant claim in the global market.

The International Chamber of Commerce seems to be aware of the shortcomings associated with the EU Directive and is in the ongoing process of dispelling uncertainties in the world of international data transfers. Armed with recommendations on how to effectively incorporate Binding Corporate Rules into business practices, something many businesses have thus far been hesitant to instate, the ICC is attempting to tackle uncertainties about the new EU laws.

In fact U.S. courts have now become active in addressing new practices associated with the EU Directive. Amendments to The Federal Rules of Civil Procedure have gone into effect recently and attempt to thwart unsavory business attitudes towards the recent European legislation. Electronic discovery efforts, in particular, have been given special attention and the recent amendments summarize in detail the new methods in which E-discovery practices must abide, operate and be legally accountable.

Definitions of material involved in electronic discovery, electronic discovery procedures, asserting claim of privilege and safe harbor limits are included in the recent amendments. The Advisory Committee not only attempted to more accurately address the problems associated with electronic discovery, especially international efforts, but they also entertained public discourse concerning the then upcoming legislation. 

The new EU statutes present myriad hardships for transference of personal data into or out of the member states of the  European Union. Although specific stipulations allowing for the movement of certain data are in place, there has yet to be a single multinational corporation to receive full approval under the new system. Approval must not only be obtained from each participating EU member state, but the corporation must also guarantee that all standards are met internally as well. This presents a new source of friction for IT departments in particular, whereas a full overhaul of operations will inevitably have to be undertaken in order to adhere to the new EU data privacy laws.

Obviously U.S. efforts at competing with the EU’s attack on unscrupulous data practices are markedly behind schedule, they are attempting to catch up with reformed legislation and increased attention to electronic discovery trends in the global market. 

International eDiscovery efforts therefore must take a unique angle in data transfer practices.