If you think the looming General Data Protection Regulation (GDPR) is just a European anomaly that won’t have much impact ‘across the pond’, think again.
In the wake of the Facebook/Cambridge Analytica breach, the GDPR will trigger an overarching privacy framework that increases the territorial scope of European data protections, including a stronger “right to be forgotten” and stringent consent requirements.
It will have broad international ramifications, and it will impact traditional litigation practices in the US, like e-discovery.
It’s also poised to become the new international privacy standard, by default, because it’s practically impossible for global companies to segregate data protection by region.
In fact, some of the largest international corporations (like Facebook) have already indicated they will be applying GDPR standards globally. That sets a precedent.
So, what does the GDPR mean for e-discovery?
It means our work will become more difficult. Much more difficult.
Any entity, located in the EU or elsewhere, that collects or processes data that contains personal data about EU residents must comply with the new framework. And, collecting and processing data is pretty much what e-discovery is all about.
So, given the inconvenient reality that many US cases require evidence from the EU, this IS going to be an issue. A big issue, particularly in light of the fact that the penalties for violating the new provisions are severe – a fine of four percent of an organization’s global gross revenue or €20 million (whichever is greater).
Simply put, the stakes are high.
Obstacles on the horizon.
One immediate challenge relates to the strengthened requirement for consent. Data subjects must be given sufficiently detailed notice of a data request. It must be given in an intelligible and easily accessible form and the language must be plain and clear.
These new arrangements haven’t yet been stress-tested in the real world so there are many ambiguous scenarios ahead for companies, law firms and e-discovery service providers.
For example, consider the collection of email. Normally we think of email in terms of a single ‘data owner’ or custodian. However, a single email box typically contains personal information relating to thousands of senders and recipients. These could all be ‘data subjects’ in terms of the GDPR definitions. So how does one ascertain which ‘data subjects’ are EU residents? Is consent from the custodian enough or could it be argued that consent from every “data subject” represented in an email box is required? It may seem an absurd proposition, but a literal interpretation of the new regulation could lead to that conclusion.
Also, what should happen when a data subject exercises their ‘right to be forgotten’ in the middle of a lawsuit or investigation? And when does a company’s “legitimate interest” in processing an individual’s data without their consent outweigh individual privacy rights?
We don’t yet have the answers and there will undoubtedly be more practical challenges that are not yet envisaged.
How do we prepare for this brave new world?
There are a number of things to consider. First, it might be prudent to review your e-discovery practices on the assumption that GDPR could evolve to become a new international privacy standard.
One practical option when faced with EU data collection challenges might be to ‘take the tools to the data’ so the whole project can be managed on-site or at least in-country.
If the collection, analysis, review, and even production is performed at the source EU location, the challenges may be alleviated and potentially side-stepped altogether.
In other cases, it may be possible to avoid the normal e-discovery debacle altogether. For example, instead of rushing to over-collect and process mountains of irrelevant documents, the legal team might benefit by focusing first on interviews with key persons of interest to glean early insight into the facts and use this knowledge to narrow the issues as early as possible. That might facilitate a more targeted, lower-volume collection – one that minimizes complexity, risk and cost.
It may also be possible to investigate the data in-situ instead of undertaking a massive over-collection and schlepping unnecessary data across international borders for a typical processing and review fiasco.
Ultimately, conducting investigative analysis, on-site, with the right tools could avoid risky data transfers and resolve the case by finding key evidence more quickly. Of course, such an approach would require litigators to think more like investigators but surely that’s not an entirely audacious proposition.
How can EDT help?
EDT software can help clients comply with GDPR obligations in relation to litigation or investigations, and EDT’s consulting partners, who have many years of experience working in the eDiscovery and privacy space, can assist with your GDPR compliance plans.
An EDT Portable deployment enables you to ‘take the tools to the data’, so collection, analysis, even review and production can occur on-site. No data movement means fewer consent challenges. The end-to-end platform can fit on a small laptop, and at a low starting price point per month with no user license fees or per GB charges. As such, it’s not only portable, it’s also extremely affordable.
Alternatively, an On-Premise deployment can reside behind the firewall on client hardware or in a client-managed, EU-based data center of choice.
edt.BLUE could also be deployed in any of the 28 EU member countries using any client-approved cloud provider such as IBM, Microsoft or Amazon. These providers now offer localization of data commitments to comply with the GDPR, and EDT’s complete turn-key solution can be deployed within 48 hours, so you not only save costs, you can also get rolling, fast.
If you’d like to know more, take a look at EDT’s website.
Jo is a lawyer and computer scientist with extensive international experience in the application of technology to law. Jo has also, over the last twenty years, held C-Suite roles in three legal technology companies she has founded. Other roles have included Court of Appeal Registrar, Law Society CTO and Ministry of Justice CIO.
She has consulted to international law firms, courts and justice agencies including the Canadian Judicial Council, the Federal Court of Australia, the Queensland Courts, the Victorian Courts, the Ministry of Justice and Alberta Courts, Canada, the Queensland Department of Justice and Attorney-General, the Council of Chief Justices of Australia and New Zealand and the British Columbia Securities Commission.
Jo founded the software company EDT in 2004 to develop litigation and investigation software. EDT now has an international client base of GLOBAL100 and Magic Circle law firms, Fortune 20 corporations, government agencies, forensic experts and consulting service providers. The company is now focused on R&D in relation to emerging AI and Analytics technology.
Jo’s advisory paper regarding information governance in Canadian courts is available here. This was commissioned by the Canadian Judicial Council.
Jo is a member of the Data Law Information Governance Board of Advisors for the Benjamin N. Cardozo School of Law in New York. She is also an accomplished public speaker who presents regularly in the international justice technology arena and she was a finalist in the Australian Telstra business woman of the year awards.
Jo runs competitively in various international marathon events. Her personal best time is 3 hours.
Ph: +1 347 915 8766