5 March, 2016
Conventus Law: Conducting business in Asia, in particular in Asia’s emerging markets, has become the norm for multi-national businesses. Why might data collection and preservation be daunting to some of these businesses?
i-Analysis: There are only two jurisdictions that have eDiscovery rules in Asia, and they are Singapore and Hong Kong, where discovery is a familiar concept in legal proceedings but it may not be so in other jurisdictions.
If you look at Asia Pacific, it is those countries that are common law jurisdictions, like Singapore, Hong Kong, Malaysia, Brunei, India, Sri Lanka, Myanmar, and Pakistan, that are used to the traditional way of conducting discovery by paper. Changing to eDiscovery is not such a challenge for them.
It is when you operate in other jurisdictions that have a different legal framework, such as Thailand or Indonesia where the concept of discovery is unfamiliar or maybe doesn’t even exist, then thinking about eDiscovery is a real challenge for clients and lawyers.
One of the challenges that we see is the view from client HQs that are based in America. Because they have had NAFTA for many years, where they have the United States, Canada, Mexico, they have history, and it is really seen as a single entity. Even in the United States, though they may have many rules at the state level, it is a single country. So, people in the HQ based in the US or Europe, view Asia as Asia. But the reality is that Asia is a wide variety of countries with different legal jurisdictions, I’m not even referring to different countries or territories, just legal jurisdictions. Take for example, Hong Kong, a Special Administrative Region, it is part of China, however, it does have a separate jurisdiction. So understanding that can be quite a challenge if you are not based in the Asia Pacific region.
Other issues that parties face many times is conducting data collection and preservation in some jurisdictions is deemed an investigation, and investigations are conducted by the state and not by private investigators. So in Singapore for example, if you want to conduct digital investigations or eDiscovery, you actually fall under a specific act (Private Investigation and Security Agencies Act), and you need to obtain a Private Investigator licence. So all our staff at I-Analysis who conduct this work have a PI licence. Whereas in countries like Vietnam, because of its history, it doesn’t allow private investigations. So when we do our work, we need to explain it in a way that what we do does not fall foul of the law.
Data privacy is obviously a major concern. Data privacy laws in Asia actually predate eDiscovery laws. Singapore was the first country to have an eDiscovery Practice Direction in 2009, since then Hong Kong has its own rules, since 2014. But no other countries in Asia has such rules, not taking into consideration Australia and New Zealand.
And when we look at Thailand, China, and Japan, they don’t have eDiscovery rules to govern the disclosure of documents in electronic format. However, they do have data privacy laws. Because we now live in a post-Snowden world, and everyone is paranoid, so whenever there’s an audit or investigation, people are not only on tenterhooks, they are now also wondering what you are collecting, what you are collecting for, whether it infringes their privacy rights, etc.
Another issue we see in emerging markets is BYOD, Bring Your Own Device, where companies allow employees to connect their own device to the corporate network. The company may be paying for the line, however, the device is still owned by the employee. So, many times what we see is that employees holding company data on their personal device, leave and join another company. Then six months, 1 or 2 years down the road, there’s a legal matter and the required company data is resident on the ex-employee’s device. So hopefully it’s still there, or hopefully it hasn’t been altered in any way. If the data isnot there, then that’s a problem that needs to be explained to the court.
If you are in a situation where the ex-employee joins a competitor, and they have your company data on their personal device while working for a competitor, then you have a big problem. You don’t have a right to access that device, and many times you need to apply to court. Hence we name BYOD as Bring Your Own Disaster.
My view is that either companies should provide a company device and company data should only be on that device. Alternatively they should consider using some management software, such as MDM, so that company data is sandboxed and removed from the device when employees leave without completely resetting the device.
CL: How can technology help companies who commonly find themselves in cross-border disputes and want to preemptively store and collect data that may be used in future litigation or arbitration?
i-Analysis: Technology can do many things for us but that’s not the right question. I’d like to differentiate between what we are able to do, and what we are allowed to do.
So for example, you may use some type of enterprise tool to perform data collection and say for example, your regional HQ is in Singapore, and you need to collect some data from a neighbouring country, such as Malaysia, Thailand, or Indonesia. Many times, if you simply view the data remotely, you are already in breach of some regulations, this is particularly the case in the banking sector. We have been in discussions with many of our clients, where we host their data and the data cannot leave Singapore because of the Banking Secrecy Act. Therefore the data has to be collected, processed, and reviewed in Singapore before it can be sent overseas for litigation or regulatory inquiries.
So, some of these clients had came to us and asked whether we could assist in collecting data in other countries outside Singapore, such as South Korea. So I told them, yes we can do it but are we allowed to do it? We were talking with the investigators, and we advised them to speak to their general counsel, and they need to get legal advice from an external counsel to understand what they can or cannot do. One bank for example, we advised them that yes you can make use of this technology, which we are very familiar with, however the forensic image needs to stay within the country, and cannot leave prior to it being reviewed.
In other jurisdictions, such as China for example, viewing a document from outside China can already be considered a breach of their State Secrets Act (Law of the People's Republic of China on Guarding State Secrets). Even though technically it hasn’t been exported, the view from the authorities is that it has. So that’s the big problem.
Many of the technologies that are sold to MNCs in particular say in the United States, Australia or Europe, they don’t take into account these jurisdictional or regulatory issues. Then they don’t take in to account the underlying infrastructure. For example, when I last attended LegalTech in New York, I was talking to a number of software companies that were promoting their cloud collection software. I said that’s all fine if you are based in New York and collecting from Chicago, but what if you are based in New York and collecting from Bandung, Indonesia? Bandwidth issues alone would cause major problems. We had one client in the pharmaceutical industry that uses one of these enterprise forensic tools and was trying to image a laptop and it took them 2 weeks to do it.
So it brings back to what am I able to do and what am I allowed to do. That’s the first point I wanted to make. The second point is what I think I am able to do. If the technology allows me to do it, and say trying to collect 500GB from China to Singapore, and even if I am allowed to do it, it’s just going to take forever. People go home. Imaging 500GB over a Wide Area Network is just completely unrealistic. So what we are seeing where clients are adopting such technologies in-house, and that has been a trend for a while, they are only adopting it per country.
So for example, you may have somebody here in Singapore, and there is a lack qualified staff and resources, hence that’s why they call us in to backfill their engagements. They are remote, doing a VPN connection to a collection tool in-country, collecting and encrypting it, and if allowed, they will ship back to either in Singapore, Hong Kong or Australia to conduct their analysis. As opposed to having one implementation across every country, that’s just not realistic. So that’s what we are seeing with regards to technology.
Now cross border matters are a big problem for everyone. We thought that the EU and US have settled everything with Safe Harbour, but that has been struck down by the European Court of Justice. So where does that leave Asia? Asia always tend to look at the US and EU when adopting legal and investigation practices with regards to technology, so that is going to put a big brake on any plans for cross border agreements with regards to the deployment of use of technology.
Cloud technology is very popular in Asia, but the question I always ask is, where is the data residing? Are you allowed to put the data in the cloud? So take for example, where the national bank of Indonesia (Financial Services Authority of Indonesia) has mandated that all Indonesian customer data must remain in Indonesia, and can’t be hosted in another country. So over the last 10 years, we have this trend of technology where we have cloud technology, it’s so easy, we can sync our data across all our devices, but now the regulators are coming in to say hang on, you are not allowed to do that.
An interesting conversation I had with two different persons, one working in a bank and another a lawyer in a British law firm based in Hong Kong, about when are we allowed or not allowed to export data out of the country? So the person working in the bank said, if we are putting up our canteen menu, that can go into the cloud. But customer data, credit card details, no. And the conversation I had with the lawyer, indicating that we are assisting their firm on this regulatory matter with one of their clients, and the lawyer said thank you very much but the client has now decided to put their data onto their our own platform in the UK and have the review done by the team in Belfast. I expressed surprise that the data could be exported, and the lawyer said that the law wasn’t clear cut and wasn’t black and white. It will eventually sort itself out but right now, I see the regulators putting a brake on the adoption of cloud technology, in particular in the regulated industries, such as banking, insurance, hedge funds, extraction industries etc.
CL: Has regulatory investigations affected the amount of e-discovery that companies find themselves having to comply with?
Most of our work is internal investigations and regulatory inquiries or responses. We first started using eDiscovery tools and platforms as the amount of data that we had in our digital investigations just grew exponentially.
In 2008, I travelled to New York to visit LegalTech to see if these eDiscovery platforms could assist in our digital forensic investigations. At that point in time, the forensic tools allowed us to conduct rather simple searches and then we would just hand the data over and we would never hear back from the client. So, we had a matter in Malaysia for a Japanese client, where we ran search terms and they had 8GB of documents to go through. Today, it is still a fair amount to go through, but back then they didn’t really have an actual review platform. So, I spent some time in New York, and we adopted some eDiscovery platforms which we now have a few here at I-Analysis, depending on the matter and type of client, whether they are in Singapore or Hong Kong or in the United States.
Then a year later, in 2009, Singapore issued the first rules on eDiscovery in Asia, and we were already providing such a service. So we really saw a takeoff in eDiscovery matters and we were involved in some of the very early ones, such as the first report matter which was the Deutsche Bank matter (Deutsche Bank AG v Chang Tse Wen [2012] SGHC 248). We have worked on a number of reported matters over the years, and because we are a boutique firm, people came to us knowing what we do, as we already had the platforms in place and the track record.
One of the challenges that we face is when people talk about eDiscovery, they only think about litigation. It has sort of become kind of a dirty word, so we don’t talk about eDiscovery, we tend to talk about document review.
For example, in arbitration and discussing about the review of documents, under some rules there is discovery and disclosure. But what I’ve heard for many years from arbitration lawyers is that eDiscovery is for litigation and not arbitration. In conversations I have had with clients, they indicated that they just need to respond to the SEC or some other regulator, it’s not litigation.
At the end of the day, what people need to understand is that, what eDiscovery platforms can do for you, is to streamline the review process. They allow you to reduce the vast volume of data so that you can respond quickly to the regulators in time, to respond to court imposed deadlines in time, and to be in arbitration and be able to find the key documents quickly.
So I make the argument that in arbitration, these tools are even more important. Because if you are going to be relied on those few key documents, you don’t want to be in a position where the other party has some documents that you don’t.
So yes we use the term eDiscovery because it is familiar but we much prefer the term document review.
CL: What are some of the recent, notable developments in e-discovery in Asia?
iAnalysis: One of the things that we are seeing, not just in eDiscovery but also in litigation where parties engage experts, such as medical experts, engineering experts, and in our case it is digital forensics or eDiscovery, is the concept of joint appointments.
This is where instead of each party having their own set of experts, they agree to appoint one. What that does is that it massively reduces the time spent on the review, thus saving costs. So this year, for example, in Singapore we were appointment on 3, if not 4, cases and it is certainly a trend we are seeing moving forward.
What the courts do not want to see is an argument between experts, which will slow things down. Especially prior to or post discovery, where there is a lot of correspondence between law firms, where one expert said this and then there’s a reply, and so on and so forth. It just seems to drag on the matter, and the courts do not want to see that.
Another thing, that I haven’t experienced yet, is the concept of hot-tubbing, where at trial you will put both experts together on the stand, and hopefully they will come to some common ground, so that the court proceedings can continue as opposed to putting an expert on the stand to be cross-examined and then the other expert.
So the big trend for me is joint appointment. There are some challenges obviously, where sometimes we hear from one party but not the other party, and so we need to ensure that we communicate to both sets of lawyers fairly so that everyone knows exactly what is going on. What we experienced from joint appointments is that it does reduce costs, especially with regards to time spent in court, which is a cost to client. There are less court proceedings, and it shortens the timeline from writ to trial.
Also, from our perspective, we can provide better and cost-effective pricing because we are getting more volume, we are getting instructions from both parties, and everything is put onto a single platform. For example, we can set up two different sites, one for the plaintiff and one for the defendant, and they conduct their review and later they are all merged. In the process, we can provide economies of scale and thus cost savings to clients.
For further information, please contact:
Darren Cerasi, Managing Director, i-Analysis
darren.cerasi@i-analysis.com.sg
