Evolving Data Protection Regimes in the Asia-Pacific Arena and Their Impact on Litigation: Part II – Country-Specific Policies

Article co-written by Yuri Levin-Schwartz, Ph.D., a law clerk at MBHB.

Part I of this article addressed basic concepts of data privacy as set out in the policies of numerous regional and multilateral organizations, including the Organisation for Economic Co-operation and Development (“OECD”), Asia-Pacific Economic Cooperation (“APEC”), and the Association of Southeast Asian Nations (“ASEAN”).[1] In Part II, we discuss the specific policies of several Asia-Pacific nations and provide a general framework for addressing data privacy issues throughout the litigation process.

Australia

Australia has had a very robust set of data privacy laws for nearly 30 years. In the Privacy Act 1988, Australia, recognizing the privacy rights in the International Covenant on Civil and Political Rights (to which it was a party), and further recognizing the efforts of the OECD relating to data privacy, specifically adopted measures to protect personally identifiable information. Just as with the OECD Guidelines, the Australian privacy laws seek to balance the need for legitimate transfers of information between organizations and across borders with the privacy interests of individuals. While the Privacy Act has seen frequent amendments, a substantial revision has taken place in the past three years. On March 12, 2014, Australia’s existing National Privacy Principles (“NPPs;” applicable to private sector entities) and Information Privacy Principles (“IPPs;” applicable to government entities) were replaced with a new set of 13 Australian Privacy Principles (“APPs”).[2] The APPs mirror in large measure the eight original OECD Guideline principles,[3] although they provide a greater degree of granularity. Specifically, the 13 APPs are:

  • Open and transparent management of personal information
  • Anonymity and pseudonymity
  • Collection of solicited personal information
  • Dealing with unsolicited personal information
  • Notification of the collection of personal information
  • Use or disclosure of personal information
  • Direct marketing
  • Cross-border disclosure of personal information
  • Adoption, use or disclosure of government related identifiers
  • Quality of personal information
  • Security of personal information
  • Access to personal information
  • Correction of personal information[4]

The Privacy Act as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 defines “personal information” for purposes of the APPs as:

    [I]nformation or an opinion about an identified individual, or an individual who is reasonably identifiable:

    (a) whether the information or opinion is true or not; and

    (b) whether the information or opinion is recorded in a material form or not.[5]

Among the changes embodied in the APPs are changes to the provisions for cross border transfers of personal information. APP 8.1 provides:

    Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

    a. who is not in Australia or an external Territory; and

    b. who is not the entity or the individual;

    the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.[6]

APP 8 eliminates a number of exceptions previously present in the NPPs related to enforcement of contracts, as well as an exception originally allowing for a transfer where the data subject would likely have consented, but it would not have been practical to obtain consent. A number of exceptions still apply, including consent of the data subject; however, the exception with the most potential applicability in litigation is where the disclosing entity:

    Reasonably believes that:

        i. the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and

        ii. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.[7]

Note that this exception is similar to the European Union (“EU”) safe harbor program, and will likely be subject to the same concerns recently expressed by the EU when, ironically enough, on March 12, 2014, it suspended the safe harbor program in view of the National Security Agency scandal.

The open question, and one that bears watching as time passes, is whether a court enforceable protective order in US litigation will be deemed to provide similar protections as those available in Australia, particularly once information obtained through discovery is then used in open court proceedings.

China

China does not presently have an omnibus data protection regime; however, there are a number of existing laws and proposals that address data privacy. For some years, China has been pursuing implementation of a more formal policy, but has yet to fully implement it.

In 2013, however, a non-binding standard for the protection of personal information was implemented. The Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Services Information System (“the Guidelines”) define “personal information” as “[c]omputer data that is handled in computer systems, that are related to a specific natural person, and that can be used independently or in combination with other information to distinguish that specific natural person.”[8] The Guidelines define eight governing principles, which are similar in concept and scope to the OECD principles.[9] The Guidelines also distinguish between “common” personal information and “sensitive” personal information, the disclosure of which “may bring about harmful influence to the subject of the indicated personal information.”[10]

Transfers of personal information under the Guidelines are primarily subject to the consent of the data subject. Perhaps of most significance to US litigation is the guideline related to transfers to foreign entities, which states:

    Without explicit consent by the subject of personal information, or clear provisions in laws or regulations, or without the agreement of the controlling departments, personal information administrators may not transmit personal information to foreign personal information receivers, including individuals abroad or foreign-registered organizations and institutions.[11]

Notice and consent are also requirements for the collection and processing of personal information under the Guidelines.[12]

Given the breadth of the Guidelines, there are potentially substantial hurdles involved when parties are seeking discovery from a Chinese entity.

Japan

Japan has an established data protection framework, implemented in 2003 through the Act on the Protection of Personal Information (Act No. 57 of 2003) (“APPI”). As with other data protection laws, the APPI seeks to balance the need for legitimate transfers of information against individual rights.[13]

The APPI defines “personal information” as “information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).”[14] As with the Chinese Guidelines, the APPI limits transfer without the consent of the data subject or legal authority.[15]

Implications for Litigation Involving Entities Outside the United States

Given the breadth of the definitions of personal information, and the strong interest among the Asia-Pacific nations in ensuring that the balance between disclosure and protection is properly enforced, much of the data sought in modern patent litigation is potentially subject to data protection laws and restrictions on cross-border transfer. Particularly in view of the fact that litigation now often involves terabytes of data (much of which is of marginal or little actual relevance or use), the potential for disclosure of personal data is high. And given the ever increasing penalties implemented or under consideration for breaches of privacy laws, parties to a US litigation would be well-advised to address these issues head on, rather than waiting for them to be brought up in a discovery motion or a sanctions motion.

In order to properly assess the impact of data privacy issues on US litigation, one must consider how they arise in various stages of litigation, as presumptions of privacy differ markedly throughout the process. During the discovery phase, there is no presumption that the public can or should have access to materials exchanged between the parties, or in materials obtained from non-parties. However, once information is introduced into the courtroom, whether in motion practice, hearings, or at trial, the presumption shifts. At this point, there is an overriding interest in providing the public access to the courts. It is therefore important for the parties to consider what data will be needed at each stage in order to appropriately afford the greatest degree of protection to personally identifiable information.

The parties should address data privacy issues well before discovery actually begins. There are a number of potential options for limiting the unnecessary disclosure of personal information, and many can actually provide benefits to the parties through a reduction in the overall amount of information collected and reviewed and through a reduction of costs associated with collection, production, and review. While most parties will look primarily to the protective order as a mechanism for protecting the confidentiality of data,[16] a protective order in and of itself may not be fully sufficient, particularly once the data is needed for use in an open proceeding. Moreover, given the volume of information associated with modern patent litigation, redaction of personal information is often completely impractical. The parties should instead seek to address these issues as part of the Federal Rules of Civil Procedure Rule 26(f) discovery plan.

As an initial matter, each party should attempt to identify the information it will likely need to produce that may contain personally-identifiable information. Each party should also consider what information it intends to seek that may be subject to privacy laws in foreign jurisdictions, and whether the benefits of the discovery outweigh any potential individual privacy concerns (consistent with the proposed amendments to Fed. R. Civ. P. Rule 26(b)(1)).[17] The parties can then reasonably discuss methods for limiting the amount of information exchanged that may raise privacy concerns. For example, the parties may consider staged discovery such that the earlier stages involve a much more limited set of information, and then expand that discovery if and when it becomes necessary.

Companies involved in patent litigation may also consider some proactive measures to deal with privacy concerns. For instance, to the extent that there is any reasonable expectation of privacy on behalf of an employee that has not already been contractually addressed, a company may consider providing a specific notice of potential disclosure when implementing legal holds. Of course, given the variety of potentially applicable laws, any notice methods should be drafted in view of the controlling laws in the collection jurisdiction so as to avoid arguments of ineffective notice.

The parties should also specifically address potential disclosure issues for discovery that will likely be used in open court. Can personal information be appropriately redacted or anonymized? Or must the parties provide notice to the data subject and allow an opportunity for them to oppose disclosure?

At the end of the day, there are many considerations the parties to a US litigation must address with respect to the increasing number of data privacy laws worldwide. However, proper advance planning will substantially limit the number of issues that will actually arise, and also potentially provide the parties with a more streamlined and cost-effective discovery process.

 

© 2014 McDonnell Boehnen Hulbert & Berghoff LLP

snippets is a trademark of McDonnell Boehnen Hulbert & Berghoff LLP. All rights reserved. The information contained in this newsletter reflects the understanding and opinions of the author(s) and is provided to you for informational purposes only. It is not intended to and does not represent legal advice. MBHB LLP does not intend to create an attorney–client relationship by providing this information to you. The information in this publication is not a substitute for obtaining legal advice from an attorney licensed in your particular state. snippets may be considered attorney advertising in some states.


[1] There have also been significant recent developments in other regions that are beyond the scope of this article. Perhaps the most significant of these occurred in March 2014, when the European Union suspended its safe harbor program, and reenergized its efforts to implement a new data protection regulation that would harmonize privacy laws throughout the EU. The draft regulation (as recently amended) includes penalties of up to 100 million euros or 5% of worldwide turnover for breaches of the regulation, whichever is greater. For more information, see, e.g., Memorandum from European Comm’n, Progress on EU Data Protection Reform Now Irreversible Following European Parliament Vote, MEMO/14/186 (March 12, 2014), available at http://europa.eu/rapid/press-release_MEMO-14-186_en.htm.

[2] In addition, a new Privacy Regulation went into effect on March 12, 2014. The Office of the Australian Information Commissioner provides a thorough and detailed analysis of the changes in effect as of March 2014 on its website. See Privacy Law Reform, Office of the Australian Information Commissioner, http://www.oaic.gov.au/privacy/privacy-act/privacy-law-reform (last visited April 14, 2014).

[3] See OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 1980, pt. 2, paras. 7–14 (Austl.).

[4] Privacy Act 1988 (as amended 2013) (Cth) sch 1 (Austl.).

[5] Id. pt II, div. 1, s 6 (Austl.).

[6] Id. sch 1, pt 3, cl. 8(1) (emphasis in original).

[7] Id. sch 1, pt 3, cl. 8(2).

[8] Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems (promulgated by the Ministry of Indus. and Info. Tech., effective Feb. 1, 2013) Art. 3.2 (China).

[9] Id. art. 4.2.

[10] See id. arts. 3.7, 3.8.

[11] Id. art. 5.4.5.

[12] Id. arts. 5.2.3, 5.3.4.

[13] Act on the Protection of Personal Information, Act No. 57 of 2003, art. 1, http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf (Japan).

[14] Id. art. 2(1).

[15] Id. art. 23.

[16] See, e.g., the protective order entered in In re Actos (Pioglitazone-Products Liab. Litig.), which specifically has a provision entitled “Discovery Material and Foreign Law.” No. 6-11-MD-2299, 2012 WL 3899669, at *2 (W.D. La. July 30, 2012).

[17] See Comm. on Rules of Practice and Procedure of the Judicial Conference of the United States, Preliminary Draft of Proposed Amendments to the Federal Rules of Bankruptcy and Civil Procedure, at 289–90 (2013), available at http://www.uscourts.gov/uscourts/rules/preliminary-draft-proposed-amendments.pdf.