Exploring Impending Changes in Global Privacy Laws and the Implications for Multinational Corporations
Global businesses have complicated operational considerations. From technology management and legal implications to human resources conduct and accounting procedures, cultural differences, laws and regulations directly impact the way they conduct themselves in the global marketplace. At Hudson Legal, we experience this regularly in the form of an ever-increasing need to advise and execute on the stipulations of cross-border discovery. To take a deep-dive into this intriguing intersection of law and international business, we recently sat down with Kenneth Rashbaum, an experienced litigator and often-published author on the topic of international data privacy laws.
Hudson Legal (HL): Today, you wanted to discuss two recent developments stateside and abroad that are expected to significantly impact international data protection and discovery?
Kenneth Rashbaum (KR): Yes, those developments include:
- The American Bar Association (ABA) House of Delegates recently passed Resolution 103 urging US courts to respect foreign laws on data protection and privacy
- The proposed revisions to the European Union Privacy Directives, which, if accepted, should be passed into law within the next two years
HL: You were chair of the drafting team for ABA Resolution 103, can you explain the intent and potential impact of the resolution?
KR: The resolution urges courts to show respect for privacy and data protection laws that affect the discovery obligations of the litigants before them. This language came from a United States Supreme Court decision in 1987. It’s certainly not new nor is it a radical concept to show due respect for foreign law, but it’s something that the courts have gotten away from. Through this resolution, the ABA is asking for the recognition of several ongoing issues that greatly impact multinational corporations:
- When handing over information, litigants are often placed in a precarious situation when they are asked to follow the US courts rules of civil procedure, which may conflict with the laws of the foreign jurisdiction. Many will be moved to ask their attorneys “Whose law should I violate, where do you suggest I go to jail first?” If they give over, say, emails between the executives of their company in Europe as the US judge has ordered, they may be violating local privacy laws (for example, in Italy, Switzerland, Germany, and Spain – where they do prosecute!) and if they don’t follow the US ruling, they may be in contempt of court.
- This is also recognition of the state of the interconnected nature of the global economy, and a request to US courts to respect foreign laws on the principles of international comity; otherwise there may be a significant impediment to global commerce. For example, other countries could approach a commercial dispute), where the contract says that it should be interpreted pursuant to US Law, and the foreign court could easily say we plan to show US law the same due respect and consideration that our laws are shown in their courts.
HL: What is your take on the proposed revisions to the EU Privacy Directives? Do you see any of the revisions as unrealistic or unachievable?
KR: The proposed revisions to the EU privacy directives are certainly extensive and far-reaching. The proposal to create a data protection regulation for all 27 member states is a good example of this. Previously, the EU set a minimum standard for privacy protection, and the member states were required to implement it by their own legislation. This made for a very confusing privacy regime for multinational corporations that deal with many different EU countries.
It would make life easier for lawyers and multinational corporations to abide by one set of rules. It’s a great idea in terms of facilitating and regulating global e-commerce, but I wonder how realistic it is, politically speaking. The EU would be asking many countries to potentially give up some of their jurisdiction, and it’s not clear that they would be willing to do so.
I was also somewhat surprised by the attempt at extra-territorial reach set forth in the proposed draft. This says that the EU directive can be enforced against non-EU companies that do business within the EU. Other EU countries currently claim extra-territorial reach – France and the UK (for example), claim jurisdiction outside of their borders over companies that process protected data of their citizens. But in a practical sense this is questionable – if the company does not have facilities in that country, how can they enforce jurisdiction over them?
Interview Credit: Special thanks to Kenneth Rashbaum for sharing his thoughts and experiences with Hudson Legal. Mr. Rashbaum can be found on Twitter or at www.rashbaumassociates.com.
No related posts.