If you must play, decide on three things at the start: the rules of the game, the stakes,
and the quitting time. – Chinese proverb
The fundamental mechanics around e-discovery have long been settled as a process: Collect data, search it, review it and use the fruits of the review in whatever context applies – litigation, investigation, or regulatory inquiry. The technology involved does continue to develop, and companies now employ search methodologies and technologies that simply didn’t exist a few years ago. However, the end goal is still the same, which is to find relevant information quickly, efficiently, and in a way that complies with applicable rules and also withstands scrutiny from opposing parties and judicial entities. In-house counsel who are exposed to international matters have realized that cross-border discovery and related work performed in foreign jurisdictions can have a significant ability to disrupt historically accepted workflows. What is permissible and commonly accepted with regards to U.S. best practices in discovery may simply not be feasible or not recommended in many other countries as a result of local data privacy regulations, cultural distinctions and unique aspects of differing legal systems.
While ongoing changes to the EU Safe Harbor and its related data transfer framework are currently receiving wide media attention, Asia serves as an excellent example of an area where discovery will likely be conducted differently in order to stay within the boundaries of both law and custom. Further, unlike the EU, Asia does not have an overarching data protection and privacy framework, so each country must be considered separately in patchwork fashion. For example, the rules in China are vastly different than those in South Korea, Japan or even Hong Kong (which is a part of China). In fact, the spectrum of regulatory development and market understanding of traditional discovery practices runs the gamut from clear and developed (Hong Kong) to maturing (China) to comparatively undeveloped (South Korea).
How Did We Get Here?
Conflicting viewpoints around data, who owns it and what can be done with it, drive a variety of differing norms in each individual country and with regards to Asia in general. Also, there have been a spate of high-profile data breaches throughout Asia, which may have created a climate of increased scrutiny and data security relative to other jurisdictions.
All of this has presented companies operating in Asia with a tension caused by the need to stay on the right side of the various local regulatory schema designed to protect or control data, while at the same time fulfilling legal discovery obligations in litigation and investigation matters in foreign jurisdictions.1 This tension creates a culture of uncertainty in some circumstances whereby extraordinary measures are sometimes taken (at extraordinary cost) without possibly understanding whether these measures are really necessary.
In this discussion, it is useful to distinguish between two main matter profiles that cover much of the landscape: litigation or disputes, and regulatory or internal investigations. For litigation or dispute matters (think transactional), many are still papered in English, and the parties have either agreed to arbitration clauses pointing to a specific jurisdiction (e.g. Hong Kong or Singapore) or have designated the specific governing law as English Common Law, the law of a particular U.S. state (such as Delaware, which is a common choice of law in corporate transactions) or some other mutually agreeable jurisdiction. While there are certainly complications, the ability to negotiate terms and design a case-specific framework among civil parties allows for the most flexibility among practitioners. However, regulatory and internal investigations, which tend to account for a significant amount of discovery throughout Asia, seem far less linear and often tend to allow less room to negotiate customized solutions with the requesting party.
Where Are We Today?
As mentioned, Asia is composed of a group of individual countries with varying data privacy and protection protocols. There is no common data protection framework, like what has existed in the EU, and such a framework does not seem to be on the horizon. Most Asian countries, with the notable exceptions of Hong Kong and Singapore, are civil law jurisdictions, which generally tend to have more limited views on discovery than common law jurisdictions. Adding more complexity to the environment is the ever-growing data breach threat, which is a global phenomenon to which Asia has not been immune. Given this dynamic, it’s not surprising that many companies and their counsel seem to take a very cautious view of how to handle data, sometimes going beyond even what local laws may otherwise dictate.
A brief look into the current situation in China, Hong Kong, Japan and South Korea can serve as a good example of the practical differences often seen across the region. These differences are real and can dictate what may be permissible and advisable with regards to discovery and cross-border data flows.
An entire treatise could well be written about best practices for conducting discovery in China, but for purposes of this article, it is relevant to note that this is likely one of the most restrictive jurisdictions for discovery in Asia, and tremendous care should be taken to comply with local laws and regulations. Specifically, the draft of the Chinese cybersecurity law proposed in July 2015 may add another layer of data review to the pre-existing State Secrets doctrine that China legal teams are accustomed to navigating. The practical impact of these laws is that discovery practitioners may well be advised to conduct an initial document review in-country prior to exporting any data. Further, other practitioners continue to take the “belt and suspenders” approach by conducting the entire review in China and, in some cases, specifically on-site at the client’s location. This latter route may not be necessary in many cases and likely ends up creating costs, inefficiencies and scalability problems that need not exist.
In a relevant display of China’s “one country, two systems” policy, the Special Administrative Region of Hong Kong operates under common law and seems to have a more developed approach to discovery than perhaps any other jurisdiction in the region.2 There are clear regulations and guidelines governing the discovery process and navigating them should be familiar to U.S. practitioners. For example, exporting data from Hong Kong to the U.S. and/or the EU for review is generally more acceptable, and there is often more latitude to negotiate tailored solutions for individual cases.
Like China, Japan is a civil law jurisdiction that seems to be still developing its domestic discovery process, but Japan does not appear to have the same stringent regulatory environment related to concepts like national security and state secrets. As such, there appear to be fewer legal impediments to exporting data out of Japan than China, but as a matter of practice, many Japanese clients prefer to keep their data in-country for processing, hosting and review to increase privacy protection. Local firms and providers tend to follow more conventional procedures when operating in Japan than when operating in China, as discovery in Japan appears to have been commonplace for a decade or more.
In another corner of the region, the South Korean market seems less developed than Japan from a discovery perspective, possibly as a result of only more recently opening itself up to foreign law firms and related service providers. As a result, discovery in South Korea appears to be still in its infancy,3 but it is possibly developing quickly to adapt to the heavy docket of intellectual property matters and other litigation that seems to be occurring there. While many other countries in the region tend to adopt a nationalistic view of data privacy, South Korea may operate with even more sensitivity in this regard as it was rocked with several high-profile data breaches4 that may drive the desire to keep data local and
highly protected.5
While there are various approaches and laws at play in each of these jurisdictions, two common threads emerging among them are increasing regulatory oversight with regards to data privacy and confidentiality, as well as a heightened awareness regarding the potential for a data breach. This means that understanding cultural considerations and local preferences is likely as important as understanding the outer boundaries of any existing laws that may be in place. This is a regional distinction that may be unfamiliar to many U.S. practitioners and should be taken into account.
What Is the Path Forward?
Many believe that increased cooperation among Asian regulators is the key to streamlining the discovery process going forward. While such regional cooperation could potentially provide companies with relief when local obligations are in conflict, this result may not be easily attainable. In fact, the recent demise of the EU Safe Harbor framework may expose potential pitfalls of such an approach to begin with. In reality, a potential near-term solution for practitioners in Asia might be more of a function of determining the highest common denominator that would require an understanding of local sensitivities, laws and customs – and this is obviously not a one-size-fits-all solution. For example, a plain vanilla litigation with touch points and data in the U.S. and Japan should be handled very differently than an FCPA matter involving a Chinese company with operations spanning the U.S. and China.
Looking through that lens, we see that applying methods employed in one jurisdiction to other jurisdictions can be unnecessarily burdensome and expensive without any added benefit. One good example of this is the widespread usage of mobile processing and review systems (which are typically set up behind the client’s firewall) in situations where a full-scale in-country data center may be better suited for the needs of the project. Believing that the mobile unit approach resolves all data privacy concerns could result in a costly mistake that potentially reflects uncertainty rather than reason. Hence, avoiding the “if it works in China, it works everywhere in Asia” model can be one key to minimizing costs and maximizing effectiveness.
In that sense, the old Chinese proverb may very well apply to discovery throughout Asia today: For those who wish to play the game, they must first take the time to understand the stakes and, more importantly, the rules. As for the quitting time, it seems we’ll likely be playing this game for years to come.
Tom Antisdel, Managing director in AlixPartners’ Washington, D.C. office. [email protected]
Tarek Ghalayini, Director in the New York office of AlixPartners LLP. [email protected]
[1] For an example of this, see the Longtop matter, where the U.S. SEC sought to enforce a subpoena against accounting firm Deloitte’s Chinese unit, requiring the firm to turn over audit papers in potential violation of Chinese data privacy laws. While it was eventually dismissed, similar actions, such as The Securities and Futures Commission v. Ernst & Young (23/05/2014, HCMP1818/2012), have plagued other major firms and companies operating in multiple jurisdictions between the U.S., EU and Asia.
[2] See Practice Direction SL1.2, which details the requirements with regard to e-discovery and even provides guidance as to best practices for searching data, and Order 24 of the Hong Kong Rules of High Court, which provides a framework for discovery and for courts to limit it.
[3] Two relevant laws are the Personal Information Protection Act (PIPA, 2013) and the Unfair Competition Prevention and Trade Secret Prevention Act (1961).
[4] See, for example, the Cyworld video game breach, in which 27 million people were impacted in a country of 35 million.
[5] Practitioners note that multiple layers of data encryption are deployed more frequently in South Korea than in other jurisdictions.
Published March 3, 2016.