Got Data Across Borders? The Sedona Conference Has a Commentary for You: eDiscovery Best Practices
Lately, it seems like we have a new publication from The Sedona Conference® (TSC) every couple of months or so. This latest publication provides guidance to those who are transferring data across borders.
Last week, TSC and its Working Group 6 on International Electronic Information Management, Discovery, and Disclosure (WG6) announced that The Sedona Conference Commentary and Principles on Jurisdictional Conflicts over Transfers of Personal Data Across Borders (“Commentary”) has been published for public comment.
The goal of this Commentary is to provide: (1) a practical guide to corporations and others who must make day-to-day operational decisions regarding the transfer of data across borders; and (2) a framework for the analysis of questions regarding the laws applicable to cross-border transfers of personal data.
This 48-page (PDF) Commentary lists six choice-of-law principles, then provides an Introduction that discusses the underlying tension, comity (not comedy) and legal and practical complexity associated with the transfer of data. It ends with a 19-page Appendix on Data Privacy Complexity and Background. In between, the Commentary goes into much more depth on the six choice-of-law principles, which are as follows:
Principle 1: A nation has nonexclusive jurisdiction over, and may apply its privacy and data protection laws to, natural persons and organizations in or doing business in its territory, regardless of whether the processing of the relevant personal data takes place within its territory.
Principle 2: A nation usually has nonexclusive jurisdiction over, and may apply its privacy and data protection laws to, the processing of personal data inextricably linked to its territory.
Principle 3: In commercial transactions in which the contracting parties have comparable bargaining power, the informed choice of the parties to a contract should determine the jurisdiction or applicable law with respect to the processing of personal data in connection with the respective commercial transaction, and such choice should be respected so long as it bears a reasonable nexus to the parties and the transaction.
Principle 4: Outside of commercial transactions, where the natural person freely makes a choice, that person’s choice of jurisdiction or law should not deprive him or her of protections that would otherwise be applicable to his or her data.
Principle 5: Data in transit (“Data in Transit”) from one sovereign nation to another should be subject to the jurisdiction and the laws of the sovereign nation from which the data originated, such that, absent extraordinary circumstances, the data should be treated as if it were still located in its place of origin.
Principle 6: Where personal data located within, or otherwise subject to, the jurisdiction or the laws of a sovereign nation is material to a litigation, investigation, or other legal proceeding within another sovereign nation, such data shall be provided when it is subject to appropriate safeguards that regulate the use, dissemination, and disposition of the data.
You can download a copy of the Commentary here (login required, which is free). The Commentary is open for public comment through August 10, 2019, and questions and comments on it may be sent to email@example.com.
As always, the drafting team will carefully consider all comments received, and determine what edits are appropriate for the final version. Also, a webinar on the Commentary will be scheduled in the coming weeks, and will be announced by email and on The Sedona Conference website to give you the opportunity to ask questions and gain additional insight on this important topic.
So, what do you think? How does your organization address transfer of personal data across borders? As always, please share any comments you might have, or let us know if you’d like to know more about a particular topic.
Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.