If a litigant needs documents from the other party to prove its case, an Australian court will issue a properly bounded subpoena for documents to be produced to the court or an order that the documents be “discovered” by the litigant. Discovery involves the identification and disclosure of documents that relate to the claims made in the dispute between the parties. In some courts, orders for discovery can extend to non-parties.
As useful as this sounds, the legal avenues for compelling the production of data that is stored overseas are severely limited. The general public can use a search engine to access publicly available data held on web servers almost anywhere in the world. But, where access to privately-held data is involved, Australian courts lack the kind of commitment to the interests of justice that we are seeing from North American courts in particular.
In this litigation update Moulis Legal associate Ben Game looks at recent developments in Canadian and US practice. He concludes that aliens landing on this planet would be confused as to why, in a world where access to information has been globalised, Australian courts cannot also be as proactive.
Australian courts are reluctant in civil proceedings to issue extraterritorial subpoenas due to a mysterious concern it might undermine the sovereignty of the foreign jurisdiction. Such concern is said to arise by the mere fact of the data’s storage overseas, rather than the more intuitive consideration of where it is created and accessed by the end user. Only where the interests of international comity and cooperation make it “appropriate” will Australian courts deign to issue an extraterritorial subpoena. In some cases, Australian courts have even declined to issue the subpoena because of the difficulties of effecting service overseas. Even if overseas service were impracticable, the courts’ reluctance to issue subpoenas for this reason is perplexing. In a globalised era where cloud computing and cross-border contracts are ubiquitous, why not at least try?
A 2022 decision by Canada’s Quebec Superior Court demonstrates how a court can compel cross-border production of data. The key is to find that the court’s discovery or subpoena rules have extraterritorial effect. In Re SPVM, the Montreal Police Department sought an order pursuant to Canada’s Criminal Code that SnapChat provide a user’s account data in connection with a Canadian criminal investigation. Although SnapChat had an office in Toronto, the requested data was stored in and only accessible from California. The court decided that the Criminal Code’s production rules can have extraterritorial application where the company in possession of the data is located in, and the data has a sufficient connection to, Canada.
US courts frequently issue extraterritorial subpoenas and even rule that foreign privacy frameworks do not exempt a litigant from providing evidence. For example, in January 2020, the US District Court for the Southern District of New York compelled messaging app Telegram to produce its overseas bank records. It did so despite Europe’s General Data Protection Regulation (GDPR) restricting the release of personal information of EU citizens wherever it was held.
Another example is last year’s well-reported decision of the US District Court of Northern California in Cadence also demonstrates the willingness of US courts to “find a way” to obtain evidence from an external jurisdiction. Cadence, a US company, alleged that Syntronic Beijing, a Chinese subsidiary of a Swedish research company, had engaged in unlicenced usage of Cadence’s software, as identified by Cadence’s own anti-pirating systems.
Syntronic resisted production of its computers, which Cadence demanded be shipped to the US for inspection, on the basis that the computers held personal information of its employees. As a result, Syntronic argued, China’s Personal Information Protection Law prohibited access to the information without the individual consent of those employees. But Cadence pointed out to the Californian court that the Chinese law allowed court orders to override this prohibition and did not say this was limited to Chinese court orders. Syntronic replied by saying that the foreign court order would first need to be recognised by a Chinese court, confident, we assume, that this would not happen.
The Californian court heard evidence from Chinese legal experts for each of the parties before siding with Cadence. The US District Court’s reasoning included that it did not find a conflict between a US order for production of the computers and the Chinese law protecting personal information.
Although the privacy implications are controversial, these decisions do illustrate that a suitably confident court can “second guess” the legal effectiveness of the privacy laws of another country.
Australia is an experienced trading country and Australian businesses have been more commercially outgoing than most. The internet has made information never more accessible. However reciprocal arrangements for data production by individuals and companies in other jurisdictions remain outdated.
Australia’s International Production Order (IPO) framework has improved things to some extent. The IPO framework, initiated in July 2021, allows Australian law enforcement to seek production of communications data directly from foreign communications providers in countries who enter reciprocal arrangements with Australia. Australia signed the Australia-US CLOUD Act Agreement in December 2021 to allow the issue of IPOs to US telecommunication companies, subject to privacy and data protection safeguards.
The IPO framework only applies to serious criminal matters, and its expansion relies on like-minded countries consenting to reciprocal arrangements with Australia. That like-mindedness appears to be lacking. Australia has yet to enter into similar agreements with important Asia-Pacific neighbours despite, for example, the rapid uptake of Chinese social media services such as WeChat and TikTok.
However, one advantage of any such reciprocal arrangements is that countries with conflicting privacy frameworks can negotiate privacy safeguards rather than relying on a foreign judiciary to recognise a genuine privacy claim.
There remains no straightforward mechanism to compel the production of overseas data in Australian civil proceedings. Aliens observing from outer space might be perplexed as to why Australian courts attribute paramount legal significance to the location of data, and fear to tread in unfamiliar jurisdictions to obtain that data. The interests of justice and international comity suggest they should at least try. Absent a more assertive judiciary, and further expanded and more progressive agreements than the IPO framework, the practical difficulties of obtaining orders for cross-border production and having them enforced could deter important litigation for years to come.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2023
 (Re) Service de police de la Ville de Montréal 2022 QCCS 3935
 SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (Dkt. 67)
 Cadence Design Systems, Inc. v. Syntronic AB et al. Case No. 21-cv-03610-SI (N.D. Cal. September 12, 2022)