Under English or American law (or any other common law system), you or your company may be ordered by a court to identify and disclose not just physical documents but also electronically stored information (ESI) as part of a litigation process. This could apply to you even if you are not a party to the court proceedings.
Location of the ESI
Data is often stored or replicated in an external hosting centre or within a software application – particularly in relation to SaaS software, or in a corporate data centre. If numerous data centres are used they are usually in different physical locations which could be in various countries. The court order to disclose data may well conflict with compliance and privacy requirements in relation to data in the countries in which the data is actually held. However for the purposes of complying with a court order the actual location of the data and the local rules applying to the storage of the data cannot be used as a reason to refuse disclosure.
For example in AccessData Corporation v ALSTE Technologies GmbH a US court ordered a German company to disclose emails stored in Germany as part of the disclosure process in a court case, although the company argued that this breached the German Data Protection Act.
In order to protect yourself against the above scenario, you should include clauses in your terms and conditions that permit you to comply with requests for disclosure of both physical and electronic information in relation to court orders. If you hold data on behalf of customers, you should also try to exclude liability for a technical or any other type of failure to properly comply with a disclosure request that they forward to you.