Posts by Tom O'Connor

ALSP – Not Just Your Daddy’s LPO: eDiscovery Trends

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom also wrote a terrific four-part informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes (and participated with me on a webcast on the same topic) and wrote another terrific five-part informational overview on Understanding eDiscovery in Criminal Cases.  Now, Tom has written another terrific overview regarding Alternative Legal Service Providers titled ALSP – Not Just Your Daddy’s LPO that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Here’s the first part.

Introduction

One of the biggest topics of discussion at the recent Legaltech® conference in New York was Alternative Legal Service Providers, or ALSPs.  I was interested in the topic mainly because I was confused about what the term ALSP meant. Like several other people I spoke with at the show, I originally considered an ALSP to be just a newer name that marketers had given to legal process outsourcing, or LPO.

LPO was, of course, the exporting of legal services to low-wage markets either overseas (off-shore) or in the United States (on-shore). The LPO trend had been fueled by many factors, including:

  • Globalization
  • The rising cost of legal services
  • The growth of the Internet
  • Increased automation of legal processes
  • Developments in data security

In my experience, LPO offerings tended to be focused primarily on low cost document coding or data entry and were utilized primarily by law firms. But the recent rise of ALSP services, which have LPO characteristics, seems to be fueled by corporate law departments that are interested in partners providing software built specifically for their legal and compliance needs.

These growth factors for ALSPs are illustrated in a report from The Thomson Reuters Legal Executive Institute, in partnership with the Georgetown University Law Center for the Study of the Legal Profession and the University of Oxford Saïd Business School, titled The 2017 Alternative Legal Service Study – Understanding the Growth and Benefits of These New Legal Providers (you can download a copy here).  In this global report, more than 800 law firms and corporations were surveyed, and the results indicated that the growing use of a new generation of ALSPs is largely about expertise, not lower costs, as is often assumed.  Other factors in the growing use of ALSPs noted in the study included scalability, client demand for global solutions and greater access to technological innovations.

My focus for the following discussion will be a closer look at the new generation ALSP and the factors that define it.  We will take a look at what an ALSP is, who is actually using an ALSP, why they use them and how they will impact the provision of legal services in the future.

We’ll publish Part 2 – What is an ALSP? – next Monday.

So, what do you think?  Have you used an ALSP before?  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Understanding eDiscovery in Criminal Cases, Part Five: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Thursday (Important eDiscovery Case Law Decisions of 2017 and Their Impact on 2018), which was great.  If you missed it, you can check out the replay here.  Tom also wrote a terrific four-part informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Now, Tom has written another terrific overview for Understanding eDiscovery in Criminal Cases that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into five parts, so we’ll cover each part separately.  The first four parts were published last Monday, Wednesday and Friday and this Monday; here’s the final part, Part 5.

Border Entry

Of course, not all criminal law electronic discovery matters involve futuristic technologies such as the Echo or embedded web pages. According to US Customs and Border Patrol, approximately one million people legally enter the United States each day. Nearly half of them cross the US-Mexico border, and many of them are traveling with laptops, tablets, smartphones, and other digital devices.

The issue surrounding possible eDiscovery disputes at the border is that case law is well settled that border searches constitute an “historically recognized exception to the Fourth Amendment’s general principle that a warrant be obtained.”  Cf. United States v. Ramsey, 431 U.S. 606 (1977), where the Court recognized “the long-standing right of the sovereign to protect itself by stopping and examining persons and property crossing into this country.”

David Horrigan, eDiscovery counsel and legal content director at Relativity, blogged recently about the case of United States v. Cotterman, 709 F.3d 952 (9th Cir. 2012), where border agents at an Arizona port of entry on the US-Mexico border seized the laptop of Howard Cotterman as he and his wife were returning from a vacation in Mexico. Cotterman had been flagged in the government’s computers due to a 15-year-old conviction for child molestation.

A search at the border found nothing, but some files on the laptop were locked, so it was sent to a forensics unit, which used special software to open the files and discovered images of child pornography.  A US District Court granted a defense motion to suppress the evidence seized from the laptop, but a divided Ninth Circuit reversed, holding that the totality of the circumstances created the reasonable suspicion required for the search.

As Horrigan noted, courts have rejected an “anything goes” approach at the border; however, the standards there are far laxer than inside the US, where the warrant standard is more common.  Defense counsel with clients involved in a border dispute should be aware of this important distinction.

CONCLUSION

For practical purposes, with more and more ESI and possible third-party ESI that could assist in the defense of criminal cases, it is likely there will be future changes to the criminal rules to more closely mirror the civil rules. Certainly, the JETWG protocol signals a move in that direction.

As David Horrigan noted in his blog post cited above, “Criminal eDiscovery matters because technology changes the rules of the legal ballgame. Just as technological advances change what is reasonably accessible under Rule 26 in civil matters, advances in legal technology are making it cheaper and easier for the government to conduct searches in criminal matters.”

In the criminal field, the law must both keep up with changes in technology and continue the constitutional admonition to protect civil liberties. That is a serious challenge, and one which will become more and more complex as technology continues to present new challenges.

So, what do you think?  Do you handle criminal cases and have a lot of eDiscovery? Read more about it in this eDiscovery in Criminal Cases series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Understanding eDiscovery in Criminal Cases, Part Four: eDiscovery Best Practices


Tom’s overview is split into five parts, so we’ll cover each part separately.  The first three parts were published last Monday, Wednesday and Friday; here’s part four.

Working with Social Media as Evidence

Eighty-eight percent of the US population uses the Internet every day, and 91 percent of adults use social media regularly (see Social Media Evidence in Criminal Proceedings: An Uncertain Frontier from Georgetown Law here).  So, it is no surprise that one of the growing electronic aspects of criminal law is social media as evidence. A good overview of the topic can be found in a recent article in California Lawyer by Atty. Robert Hill, an associate at Eisner Gorin LLP, a boutique criminal defense firm in Los Angeles.

We have discussed warrants and subpoenas of evidence earlier, but in some cases the government may not even need a warrant or subpoena to obtain social media evidence, because a specific statute, the Stored Communications Act (“SCA”), governs this area of law.  This may, in fact, make things harder for a defendant, since the law does not provide them coverage and they may still need a subpoena or court order to obtain social media from a private account.

Further, it is important to note that courts all over the United States have continued to reject the idea that litigants have a Fourth Amendment right to privacy in their social media accounts, both private and public.  The theory behind this position is that even though an account is private, sharing the social media content with a number of people makes it a public activity.

But regardless of these concepts, it is important to remember that social media evidence is still just that. Evidence. As such it is subject to all the admissibility standards of any evidence.

It may still be inadmissible as prejudicial, irrelevant or inflammatory evidence, among other reasons for disqualification. Furthermore, electronic evidence, such as social media, must be authenticated, that is, shown to be what it purports to be.

However, there are several obstacles to authentication of social media created by its unique nature as dynamic data stored online. So, when attempting to admit social media evidence, it is helpful to have a witness with personal knowledge of such evidence. This supports authenticity and counters arguments that it was forged or manipulated.

The states have long been split on the way to authenticate social media, with two widely recognized approaches to authentication: the Maryland standard (Griffin v. State) and the Texas standard (Tienda v. State). The Texas standard is more common and holds that the judge is the gatekeeper for the evidence and the jury makes the final decision as to its reliability. The Maryland standard is higher and more difficult to meet, requiring authentication by testimony from the creator of the social media post, forensic evidence from the computer itself, or information obtained directly from the social media site.

Recent decisions, including Sublet v. State, 113 A.3d 695 (Md. 2015) and McNeil v. State, No. 152, September Term 2016, Court of Special Appeals of Maryland (filed January 20, 2017, unreported), seem to indicate a move towards common ground between the two standards, but attorneys would be well advised to seek out the standard in the court where they practice. For a more in-depth discussion, see “Authentication of Social Media Evidence,” 36 Am. J. Trial Advoc. 433 (2013), by Judge Paul Grimm, United States District Judge of the United States District Court for the District of Maryland.

At the Federal level, effective Dec. 1, 2017, a small change to FRE 902 went into effect which deals with authentication. FRE 902 already provided for the self-authentication of certain types of records including government documents, certified copies of public records, newspapers, and certified business records. The revised rule adds two paragraphs, both of which are designed to address ESI by allowing parties to skip the step of authenticating evidence in court by simply providing an affidavit from a “qualified professional” who collected the ESI.

For more on this, I recommend an excellent article (An Early Christmas Present From The Federal Rules Of Evidence, by Atty. Kelly Twigger) and a recorded webinar available on the Social Evidence web site (Authentication of Social Media Evidence: A New Take on the Old Rules).

We’ll publish the final part, Part 5 – Border Entry – on Wednesday.

So, what do you think?  Do you handle criminal cases and have a lot of eDiscovery? Read more about it in this eDiscovery in Criminal Cases series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Understanding eDiscovery in Criminal Cases, Part Three: eDiscovery Best Practices


But first, a note about a new feature we’re adding to eDiscovery Daily: Our new eDiscovery Tech Tip of the Week!  Each week, usually on Friday, we’ll plan to discuss a best practice concept or technical feature that can be helpful to many of you out there.  When possible, we will include a video that hopefully illustrates and illuminates the concept.  If a picture is worth a thousand words, a video is worth many thousand words, right?

Anyway, this week’s eDiscovery Tech Tip of the Week is about Early Data Assessment.  Early in a case, to make informed decisions regarding the case and your ESI collection, it’s important to understand as much as possible about that collection.  Just understanding how many gigabytes are in the collection isn’t enough, as the number of files per gigabyte can vary widely depending on the types of files contained within the collection (a while back, I conducted a little experiment on the blog to demonstrate this).  The number of files can considerably affect the estimate for discovery, especially in review.  Early data assessment can provide insight into your data to help better estimate the cost of litigation, audit, or investigation and help in case planning decisions, including whether to litigate or settle the case.

To see an example of how Early Data Assessment is conducted using our CloudNine platform, click here (requires BrightTalk account, which is free).

Anyway, Tom’s overview is split into five parts, so we’ll cover each part separately.  The first two parts were published Monday and Wednesday; here’s part three.

Issues Managing ESI Data in Criminal Cases

a. How Data is Acquired

The government will usually get its ESI by consent or warrant. Typically, when the federal government seeks data in criminal cases (and most states have a similar procedure), it requests a search and seizure warrant by filing an application or affidavit sworn before a judge. The application, as provided in Rule 41, identifies the location of the property to be searched and seized, and includes facts that support probable cause (a reasonable belief that a crime has been committed and evidence of such may be at the site) as to why the government needs (and should get) the property.

The judge then issues a search and seizure warrant based on the application. Note that unless the judge authorizes delayed notice, a copy of the warrant and a receipt for the property taken must be given to the person or left at the premises. Law enforcement then conducts the authorized search, seizes the property per the warrant, and is required to provide the court with an inventory of what was seized.

F. R. Crim. P. Rule 41 then establishes a two-step process when ESI is involved. The first step is the seizure, and the second is a subsequent review of the ESI, which must be consistent with the warrant. There is no time frame established for this review, since it may take a substantial amount of time, especially with encrypted drives.

The government provides the defense with an inventory return form, which describes the physical storage media seized or copied. Anything not on the inventory can be challenged if it is introduced in evidence.

Additionally, F. R. Crim. P. Rule 16 allows the defense to discover any ESI that the government has in its possession that is material to its case or that the government intends to use at trial.

Regarding third parties, the court may issue a subpoena under F. R. Crim. P. Rule 17 for a third party to produce records at trial or at another time and place.  This is typically a bank or cell phone carrier but can be any non-party thought to be in possession of relevant information. The court may then allow the defense to inspect all or part of the ESI.

b. Common Data Types

Data in criminal cases is typically far less diverse than in the civil field. Email tends to be the most prominent data type, followed by a variety of other standard text reports, memos, etc.  Email will most often be produced in native format (more on that below), and other documents tend to be rendered in PDF. This material can be easily searched using a number of low-cost text search programs or even the search capability found in the programs themselves.

Likewise, several data types which have received much attention in the press do not present serious technical challenges. The first, IoT devices, has been much discussed but has not yet been a major data factor. In the Fitbit case which gained some notoriety, the data was used as one piece of evidence in a chain of evidence contradicting the defendant’s statements regarding his whereabouts. It was not a large piece of evidence, presented no authentication problems and was easily introduced and used.

Even more often discussed was State v. Bates, an Arkansas case where police attempted to obtain data from an Amazon Echo in a murder investigation. But in that case, the charges were dropped, and the prosecutors never had to actually deal with the issue.

Likewise, GPS location data is a data type that has been dealt with for many years.  On-board computer systems in automobiles, Exif data in digital photos, and GPS coordinates in Google Maps are all examples of this type of data, which has been used as evidence for years. The only difference now is that it may exist in cloud-based systems. But either way, like IoT data, it is easily available via subpoena, and when produced by the government either in spreadsheets or as native format raw data, it is easily handled and searched.

There are, however, two data types which can be problematic. The first is forensic images of computers and cell phones.  These are often produced in the format of the forensic software which copied the device, which requires that the defense have similar software that can open the forensic image. Although readily available, these programs are expensive and may require some technical expertise to operate, since they must be used to open the image and then begin examining the contents of the drive that was imaged. (To be clear on this, a forensic image of a hard drive or cell phone contains ALL the data on the device. It must be opened up, and then the useful data (email, text messages, phone log records, etc.) must be reviewed for relevance and searched using a separate software tool.)

The second is audio and/or video files from wiretaps, body wires, surveillance video, etc.  Some of these can be opened with a standard software program, but very often they are in a proprietary format which must be converted to usable data. This data is typically large and will require a high volume of storage space.

In addition to format and conversion issues, programs to search audio or video files are extremely expensive.  The Federal Defenders have used a contractor who builds a sortable spreadsheet of metadata with hyperlinks to the raw data.  Searches can then be run on the spreadsheet, filtering by telephone number, date, the written summary, whether the interception was classified as pertinent or not, etc., with a jump to the recording. But this is not a full-text search, and since it is not web based, it also requires a separate copy of each spreadsheet and of the raw files for each person doing a search and review.

c. Data Exchange Formats

As mentioned above, certain data types have been a typical source of production between parties in Federal criminal cases.  But as noted above in the Introduction, a Department of Justice/Administrative Office Joint Working Group on Electronic Technology (JETWG) has developed a recommended ESI protocol for use in federal criminal cases.

Entitled “Recommendations for Electronically Stored Information Discovery Production in Federal Criminal Cases,” it is the product of a collaborative effort between the two institutions and it has the DOJ leadership’s full support.

The primary purpose of the ESI protocol is to facilitate more predictable, cost-effective, and efficient management of electronic discovery and a reduction in the number of disputes relating to ESI.  The protocol provides a mechanism, through a meet and confer process, to address problems a receiving party might have with an ESI production early in a case, and to discuss the form of the discovery that the party receives.  The participants on both sides of JETWG are intimately familiar with the day-to-day challenges attorneys face in criminal cases, and the protocol reflects a pragmatic approach to the problems both prosecutors and defense attorneys face when dealing with electronic discovery.

JETWG negotiated and drafted the protocols over an 18-month period.  The joint working group has representatives from the Federal Defender Offices, CJA Panel, Office of Defender Services, and DOJ, with liaisons from the United States Judiciary.

The Recommendations consist of four parts:

  1. An Introduction containing ten underlying principles, with hyperlinks to related recommendations and strategies;
  2. The Recommendations themselves;
  3. Strategies and Commentary that address issues in more detail and provide specific advice on discovery exchange challenges; and
  4. An ESI Discovery Production Checklist.

Note that the ten underlying principles can be found at pages 3 and 4 of the document and basically mirror the intent of FRCP 1, which reads as follows: “Rule 1. Scope and Purpose. These rules govern the procedure in all civil actions and proceedings in the United States district courts, except as stated in Rule 81. They should be construed, administered, and employed by the court and the parties to secure the just, speedy, and inexpensive determination of every action and proceeding.”

In general, the agreement is designed to encourage early discussion of electronic discovery issues through “meet and confers,” the exchange of data in industry standard or reasonably usable formats, notice to the court of potential discovery issues, and resolution of disputes without court involvement where possible.

d. Time Issues Specific to Criminal ESI

Although the Federal Criminal Rules have no detailed requirements for an ESI specific Meet and Confer as does the FRCP, F. R. Crim. P. Rule 17.1 does provide for pre-trial conferences to promote a fair and expeditious trial. And as mentioned above, the JETWG Recommendations for Electronically Stored Information Discovery Production in Federal Criminal Cases do provide for such a meeting.

Despite these rules, evidence in criminal matters is not always produced well in advance of trial. Prosecutors can’t wait until the eve of trial to disclose all discovery, but on the other hand, they don’t have to divulge it all well in advance of trial. Discovery can unfold gradually, with copies of police reports appearing as early as the first court appearance but expert reports not being given until shortly before trial. And much more leeway is given with witnesses who are under protection for personal safety concerns, so if their evidence involves ESI, it can prove problematic for the defense.

We’ll publish Part 4 – Working with Social Media as Evidence – on Monday.

So, what do you think?  Do you handle criminal cases and have a lot of eDiscovery? Read more about it in this eDiscovery in Criminal Cases series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Understanding eDiscovery in Criminal Cases, Part Two: eDiscovery Best Practices


Tom’s overview is split into five parts, so we’ll cover each part separately.  The first part was published Monday; here’s part two.

Overview of Rules for Criminal Matters

Because more than 90 percent of documents today are generated in electronic format, ESI is becoming more and more prominent in criminal matters, especially white collar criminal cases.  But many attorneys who take on a criminal representation for the first time are surprised to find that there is a different set of rules than those they are used to working with in civil matters.

Although the rules and case law on eDiscovery in the civil arena have been developing at a rapid pace, the same has not happened in criminal law. The Federal Rules of Civil Procedure are just that, the rules for civil matters, while the procedural rules for criminal matters are set forth in the Federal Rules of Criminal Procedure (FRCrimP) as well as the states’ versions of criminal procedure codes.

Because so much of the work in criminal matters involves Fourth and Fifth Amendment constitutional arguments and state constitutional concerns, the rules tend to focus on that area.  The Fourth Amendment, of course, has a general prohibition against searches and seizures without a warrant, but law enforcement may have the right to search an area within the suspect’s immediate control when they arrest someone.

This exception is generally allowed for protection of law enforcement officers and may not give them the right to seize a computer unless it poses a threat. Officers may also search an immediate area if they have reason to believe another suspect is hiding and of course no warrant is needed for contraband in plain sight, neither of which are likely to apply to ESI.

Particular problem areas are searches of cars and cell phones.  Upon a traffic stop, police can view the open areas of the car, and if they see something in plain view that gives them probable cause, they can do a full search. This may not extend to a locked glove box or the trunk, although some state courts, especially appellate courts, tend to evaluate cases based on a “totality of circumstances” and results may differ.  If an arrest occurs, a full search of the vehicle is allowed.

But what if a laptop or cell phone is found pursuant to a legal search? If the police have probable cause to believe there is evidence of a crime on a computer, they may search it; otherwise they will need a warrant.  Cell phones, however, have been given even greater protection, a fact of great importance given that surveys show that more than 90 percent of Americans now own or regularly use a cellphone.

In Riley v. California, 134 S.Ct. 2473 (2014), the US Supreme Court unanimously ruled that police may not search the cell phones of criminal suspects upon arrest without a warrant. The opinion held that smartphones and other electronic devices were not in the same category as wallets, briefcases, and vehicles, which are subject to limited initial examination.

Indeed, said Chief Justice Roberts in his opinion, cell phones are “now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”  And, he added, cellphones “are based on technology nearly inconceivable just a few decades ago” when the Court had upheld the search of the arrestee’s pack of cigarettes.

Rather, citizens today have a reasonable expectation of privacy for information on their cell phones and, he said, “Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple — get a warrant.”

Also, police have generally not been allowed to force an individual to hand over passwords or encryption keys given that the Fifth Amendment protects individuals against compelled self-incrimination. However, that protection is beginning to erode as a Florida Court of Appeals recently ruled that the government can force an iPhone user to release their passcode.

In State v. Stahl (Second District Court of Appeal of Florida, Case No. 2D14-4283, Dec. 7, 2016), the State filed a motion to force Stahl to give up his password, alleging that there was no Fifth Amendment implication in doing so. The Court agreed, holding that “Unquestionably, the State established, with reasonable particularity, its knowledge of the existence of the passcode, Stahl’s control or possession of the passcode, and the self-authenticating nature of the passcode. This is a case of surrender and not testimony.”

Given the increasing reliance on fingerprint and facial recognition as a means of authentication, this area may change even further, since police can take fingerprints and photos incident to an arrest.  Also, note that Carpenter v. United States is pending before the Supreme Court now. This case asks whether authorities need a probable-cause court warrant to access people’s mobile phone location history by “pinging” cell phone towers, or whether this practice is an exception to the US v. Jones decision requiring a warrant for a GPS tracker to be placed on a car.  The theory here relies on the third-party doctrine, which holds that we lose Fourth Amendment protection when we disclose information, such as cell phone locations, to a third party such as AT&T or Verizon.

Finally, always keep in mind that a person may give law enforcement the right to conduct a search, but the consent must be voluntarily given with full understanding of the person’s rights.

We’ll publish Part 3 – Issues Managing ESI Data in Criminal Cases – on Friday.

So, what do you think?  Do you handle criminal cases and have a lot of eDiscovery? Read more about it in this eDiscovery in Criminal Cases series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Understanding eDiscovery in Criminal Cases: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Thursday (Important eDiscovery Case Law Decisions of 2017 and Their Impact on 2018), which was great.  If you missed it, you can check out the replay here.  Tom also wrote a terrific four part informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Now, Tom has written another terrific overview for Understanding eDiscovery in Criminal Cases that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into five parts, so we’ll cover each part separately.  Here’s the first part.

Introduction

Criminal cases have long been thought of as an arena devoid of electronic discovery issues.  In fact, in 2012 eDiscovery expert Craig Ball wrote in a column regarding the then recently published “Recommendations for Electronically Stored Information Discovery Production in Federal Criminal Cases,” that “… apart from meeting Brady obligations, I think most lawyers regard criminal law as an area where there is no discovery, let alone this new-fangled e-discovery.”

But attorneys who regularly handle criminal cases know that was not the case then, and it is certainly not the state of the field now.  This paper shares a short history of the development of standards for eDiscovery in criminal matters, focusing on specific examples from the Federal court system. It also highlights main issues of importance regarding eDiscovery in criminal matters.

BACKGROUND

In 2004, Judge Marsha Pechman of the Western District of Washington presided over the white-collar case against Kevin Lawrence and his company, Znetix.  That case had nearly 1.5 million scanned electronic documents, which at the time was considered an extremely high volume and caused logistical problems for both the parties and the Court.  In 2005, after that trial had concluded, Judge Pechman convened a group of attorneys from the U.S. Defenders Office and the US Attorney in Seattle to discuss more efficient and cost-effective ways to deal with electronic documents in large cases.  This group included Russ Aoki, then a Criminal Justice Act (CJA) Panel attorney appointed to represent Mr. Lawrence and now Coordinating Defense Attorney in complex matters for the Defenders.

That group created a set of best practices policies for large document cases and wiretap surveillance evidence. Those policies were in effect in the Seattle federal court as a local rule for many years before the document mentioned by Craig Ball in his column.  Several other groups then began meeting around the country, eventually resulting in the 2012 protocol which was actually a project of a Joint Technology Working Group of federal criminal practitioners created by the Director of the Administrative Office of the United States Courts (the supervising agency of the U.S. Defenders Office) and the U.S. Attorney General.

The point of this timeline is to show that although attorneys working in the criminal area have a duty to preserve and produce electronically stored information (ESI) just as their civil brethren do, most state and federal criminal discovery is statutory, or rule-based.  Constitutional concepts apply in much the same manner as the FRCP guide civil matters, to ensure a fair trial and due process, and include the right against self-incrimination and the right against unreasonable searches and seizures.

But criminal cases involve some issues specific to that practice, and it is those we will now discuss.

Issues

An excellent overview of all the issues involved in criminal eDiscovery practice can be found in Criminal Ediscovery: A Pocket Guide for Judges, a 2015 publication of the Federal Judicial Center authored by Sean Broderick, National Litigation Support Administrator, Administrative Office of the U.S. Courts, Defender Services Office; Donna Lee Elm, Federal Defender, Middle District of Florida; Andrew Goldsmith, Associate Deputy Attorney General & National Criminal Discovery Coordinator, U.S. Department of Justice; John Haried, Co-Chair, eDiscovery Working Group, EOUSA, U.S. Department of Justice; and Kiran Raj, Senior Counsel to the Deputy Attorney General, U.S. Department of Justice.

That work focuses on a number of issues that are beyond the scope of this document and should be consulted as a resource.  This discussion, however, will focus on the following issues:

  1. Overview of Rules for Criminal Matters
  2. Issues Managing ESI Data in Criminal Cases
    • How Data is Acquired
    • Common Data Types
    • Data Exchange Formats
    • Time Issues Specific to Criminal ESI
  3. Working with Social Media as Evidence
  4. Border Entry

We’ll publish Part 2 – Overview of Rules for Criminal Matters – on Wednesday.

So, what do you think?  Do you handle criminal cases and have a lot of eDiscovery? Read more about it in the following parts of our eDiscovery in Criminal Cases series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.


eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Four: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was last Monday, Part Two was last Wednesday and Part Three was last Friday.  Here’s the fourth and final part.

Part Four: Now That I Understand The GDPR, What Do I Do?

In preparing for GDPR, all companies should start by doing the following:

Determine Their Role Under the GDPR: Any organization that decides on why and how personal data is processed is essentially a “data controller”, regardless of geographic location.

Appoint a Data Protection Officer: This is especially critical if the organization is a public body or is doing regular large-scale processing.

Prepare for Data Subjects Exercising Their Rights: These include the right to data portability and the right to be informed as well as the right to be forgotten.

And then, companies should continue by taking the following steps:

  • Build a data map
  • Identify all privacy-related data
  • Analyze all privacy-related data
  • Conform all data handling practices to GDPR standards
  • Ensure compliance policies and procedures meet GDPR standards
  • Secure all systems against data theft
  • Obtain ISO 27001 Certification
  • Hire a Consumer Data Ombudsman specifically for dealing with requests and complaints from data subjects.

This new GDPR regulatory framework will be the strictest privacy doctrine in the world and appears to be on a collision course with some US based discovery rules.

Bart Willemsen, research director at Gartner, recently commented that, “The GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe and with the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”

Despite this warning and even though many organizations have been monitoring and preparing for the GDPR during the past few years of negotiation, more than a few have not. Gartner predicts that on May 28 of next year, more than half of companies affected by the GDPR will not comply fully with its requirements.

So immediate preparation is essential.  Keep in mind that the goal of the GDPR is not to punish business entities but rather the public policy purpose of ensuring that companies and public bodies increase their ability to detect and deter breaches.

Fines are designed to be proportional to the effort by companies to comply with the new regulations and will focus on those which systematically either fail to comply with the law or disregard it altogether. They can be avoided by companies which are transparent in their policies and procedures, make a good faith effort to develop that transparency and report any data breaches swiftly.

Prepare now to put into place policies and procedures for both compliance and reporting, especially if you have multiple business locations and/or handle data from inside the EU.  Various consulting firms and trusted advisors such as CloudNine can help provide guidance, but don’t delay.  Remember that, given the Gartner figures above, organizations in compliance with the GDPR may find themselves with a true competitive differentiator on May 25, 2018.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.


eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Three: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was Monday, Part Two was Wednesday.  Here’s the third part.

Part Three: eDiscovery and the GDPR

Initial hopes were that the GDPR would promote eDiscovery cooperation between the US and Europe by standardizing data protection laws and regulations among the 31 EEA nations and the US.  But instead, some sections of the new regulation emphasize even further the difference between US law and the European countries mentioned in Part One.

US discovery comes from the UK common law system, but the other EU countries do not share that background and typically have no discovery at all or it is only available through specific requests to a judge. The regulations tend to favor that approach and thus make things difficult for US eDiscovery practitioners in several areas set out below.

First and perhaps most important is the issue of litigation holds.  In the US, data being held pursuant to a litigation hold is not considered to be data undergoing “processing”.  The GDPR definition of processing, however, is much broader and makes no provisions for holding personal data for an unlimited period of time simply because of the possibility of impending litigation in the US.

Other areas of disconnect include:

DPO Requirement: There are concerns that when a company must create a DPO position, it will exacerbate relations with any US concern seeking data by institutionalizing the resistance to data requests under the new GDPR compliance structure.

Privacy Impact Assessment (PIA) Obligation: Data that is inadvertently deleted and is potentially relevant to an ongoing investigation or litigation in the US could result in a request for a company to produce data audit information. But the company’s compliance with the GDPR’s PIA requirements would appear to create a shield against any such discovery request.

Transfer of Data to Third Countries: Article 48 of the GDPR expressly states that orders or judgments by non-EU courts and administrative authorities requiring transfer or disclosure of personal data are not a valid basis for transferring data to third countries. Article 48 states, rather, that such orders or requests will be recognized only in so far as they are based on international agreements or treaties between the third country and the EU or member state, such as The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters.

It would appear then at first blush that no request for a data transfer to a third country outside the EU will stand unless supported by a treaty or trade agreement. None of those options is well suited for a US-based discovery suit.

Data Portability Rights: Custodians who request the deletion and/or transfer of their own data, especially during a government investigation or litigation, may create a conflict between US preservation requirements and the GDPR right-to-be-forgotten provisions.

Sanctions: The new GDPR privacy requirements may push US litigants to early settlements rather than proceed with litigation discovery that may lead to high fines in Europe or ethical issues with regard to preservation or “complete” discovery under FRCP Rule 26(g) in the US.

Extraterritorial Effects: As noted in the Introduction, the GDPR covers not only data stored in the EU but also any data created or stored in the US that concerns an EU citizen.

THE BUSINESS OF THE GDPR: CONTROLLERS AND PROCESSORS

The GDPR defines two distinct roles for business entities, that of “controller” and that of “processor”. A “controller” determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology, whereas a “processor” actually processes the personal data on behalf of a controller.

An organization cannot be both a controller and a processor of the same data, but it can be a controller of one set of data and a processor of yet another. For example, a software company such as Microsoft or IBM may be a controller with respect to personal data that it collects from its employees but can also be a processor with respect to personal data that its commercial customers collect and the company processes on their behalf through their own solutions such as Office 365 or Watson.

With respect to data sets where the company is the controller, it is directly responsible for responding to data subject requests under the GDPR.  When it is a processor, it must ensure that its customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to such requests.

Any organization that decides on how personal data is processed is essentially a data controller.  Companies which are primarily controllers will be concerned with addressing all aspects of the GDPR.  Regardless of the specific business structure, every controller will need to be sure that:

  • Compliance policies and procedures are in place
  • Business management controls are implemented
  • Users are properly trained
  • Data is properly secured
  • IT properly implements a secure system

Service providers acting as data processors have increased obligations to meet the GDPR privacy standards.  As such, a processor who demonstrates compliance with the heightened GDPR standards will likely be recognized as a preferred provider within the industry.

Processors should also have audit trails for all processing activities, including:

  1. Data quality control
  2. Purpose limitations
  3. Data relevance

Processors should also demonstrate accountability and transparency in all decisions regarding personal data processing activities to maintain compliance for both present and future personal data processing activities.

Third-party service providers which are only data processors should also meet these standards. The GDPR standards require proper data subject consent and that consent and consent withdrawal must be documented scrupulously. Implied consent will no longer be accepted as an approval method.

In parts one through three in this series we have established a baseline for understanding the intent and impact of the GDPR and highlighted its impact on eDiscovery. On Monday, in the final part of our series, we will look at some recommendations for companies seeking to prepare and comply with the GDPR.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.


eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Two: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was Monday; here’s the second part.

Part Two: GDPR Definitions and Changes

A DEFINITIONAL BASELINE FOR GDPR

The first and overriding concept to be understood in dealing with the GDPR is how the regulation defines personal and sensitive data, and then to determine how those definitions relate to data held by your organization.  Once you understand those concepts, you can proceed to pinpoint where any data meeting the definitions is created, managed, and stored.

The GDPR considers personal data to be any information related to an identifiable natural person and calls such a person a “data subject.” That can include both direct identification such as a name or indirect identification which clearly points to a specific person.  This includes online identifiers such as IP addresses and location data such as a mobile device ID or position, which the EU Data Protection Directive had previously been vague about.

Examples of information relating to an identifiable person include:

  • Name
  • Identification number such as SSN, INSEE code, Codice fiscale, DNI, etc.
  • Location data such as home address
  • Online identifier such as e-mail address, screen names, IP address, etc.
  • Genetic data such as biological samples or DNA, including gene sequence
  • Biometric data such as fingerprints or facial recognition
  • Health data
  • Data concerning a person’s sex life or sexual orientation

There is also a general category which includes data which may reveal:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership

All such sensitive personal data is afforded enhanced protections under the GDPR and generally requires an individual’s explicit consent where such data is retained or used.

Other pertinent definitions include:

Consent: Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.

Controller: A controller alone or jointly with others, determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology.  A controller is directly responsible for responding to data subject requests under the GDPR.

Data Breach Notification: Data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals.

Data Protection Officers: Companies must appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, although almost all public organizations must have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information must appoint a DPO.

Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.

Fines: GDPR violations can result in substantial fines of up to 4 percent of annual revenue or 20 million Euro, whichever is greater.

Processor: A “processor” processes personal data on behalf of a controller (e.g., Microsoft is a processor with respect to personal data that its commercial customers collect and Microsoft processes on their behalf through solutions like Office 365.)

A processor must ensure that its commercial customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to data subject requests under the GDPR.

Right to Access: The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.

Right to Erasure: Known formerly as the “right to be forgotten,” these provisions give data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.

IMPORTANT CHANGES AND ORGANIZATIONAL IMPACT

Among the key new elements of the GDPR are the following practical results:

  • Requirement that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required;
  • Significant penalties for non-compliance including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply;
  • Changes to eDiscovery practice in the US.

DATA EXISTENCE AND GDPR COMPLIANCE

The GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required. Specifically, organizations must have in place procedures to ensure the personal data of EU residents is secure, accessible, and can be identified upon request.

Balance these requirements against recent IDG research which suggests that approximately 70% of information stored by companies is “dark data” in a distributed, unstructured format.  If that figure is accurate, the new requirement will pose substantial legal risks.

To achieve GDPR compliance, organizations will need to develop explicit policies for handling personal information.  This will need to include:

  • Enterprise-wide Data Inventory: Identify the presence of personal data in all locations
  • Data Minimization: Retain as little personal data on EU subjects as possible.
  • Enforcement of Right to Be Forgotten: An individual’s personal data must be identified and deleted on request.
  • Effective Response Time: The ability to conduct enterprise-wide searches and report on the extent of any data breach within seventy-two (72) hours.
  • Accountability: Ability to create audit trails for all personal data identification requests.

Finally, and equally important, the company must be able to show that these policies are being enforced and followed throughout the enterprise. Failure in any of these areas will now lead to heavy fines.

FINES: THE POTENTIAL COST OF NON-COMPLIANCE

One of the biggest changes coming with the GDPR is the increase in fines for violations. Previously, under the Directive, each member state was free to adopt laws in accordance with the principles laid out in the Directive, which meant that there were differences in the way each member country implemented and enforced the Directive.

But the GDPR is a regulation that applies to all member states of the EU and as such provides a new uniform regulatory framework. This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to their own data subjects.

Under this new framework, a member state’s supervisory authority will operate in one of these ways:

  • Lead Supervisory Authority: will act as the lead for the controllers and processors whose main establishments are located in its member state.
  • Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
  • Concerned Authorities: will cooperate with the lead supervisory authority when data subjects in their member state are affected.

Article 58 of the GDPR provides these supervisory authorities with the power to impose administrative fines under Article 83 based on several factors, including:

  • How the regulator was told about the infringement
  • Types of data involved
  • Duration of the infringement
  • Whether the infringement was intentional or negligent
  • Policies and procedures deployed by the company
  • Prior infringements by the controller or processor
  • Degree of cooperation with the regulator

How is the fine calculated? There is a tiered approach with technical issues being separated from actual records management. Non-compliance on technical measures such as impact assessments, breach notifications and certifications can lead to a fine up to an amount that is the GREATER of 10 million or 2% of global annual revenue. If the breach involves key provisions of the GDPR (processing personal data, infringement of the rights of data subjects or transfer of personal data to third countries or international organizations that do not meet GDPR standards) the fine can be an amount that is up to the GREATER of 20 million or 4% of global annual turnover in the prior year.  Finally, it is important to note that these rules apply to both controllers and processors which means ‘clouds’ will not be exempt from GDPR enforcement.

In part one and part two of this series, we have established a baseline for understanding the intent and impact of the GDPR. On Friday, in part three, we will look directly at the impact of the GDPR on eDiscovery.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery and the GDPR: Ready or Not, Here it Comes: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Here’s the first part.

Part One: What is the GDPR? A Primer for Understanding

Europe’s General Data Protection Regulation (GDPR) is set to take effect in less than 200 days.  It is important to understand the changes this new set of regulations will impose, but it is also important to understand that even if you don’t have a physical business presence in Europe, the GDPR may apply to you. Any organization that retains personal information of any EU individuals must act to comply with the GDPR.

HOW DID WE GET HERE?

To put the provisions of the GDPR in context, we should first point out the differing concepts of privacy between the United States and Europe.  The US tends to place a higher emphasis on free speech than on privacy, and this emphasis carries over into the litigation arena.

In the US, we view privacy rights as constitutional in nature, but there is actually no right to privacy enumerated in either the body of the Constitution itself or the Bill of Rights. In fact, it wasn’t until 1965 that the US Supreme Court set out an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.

In Europe however, privacy is considered a fundamental right. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). And Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence,” subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.”

The seven principles governing the OECD’s recommendations for protection of personal data were:

  1. Notice: data subjects should be given notice when their data is being collected;
  2. Purpose: data should only be used for the purpose stated and not for any other purposes;
  3. Consent: data should not be disclosed without the data subject’s consent;
  4. Security: collected data should be kept secure from any potential abuses;
  5. Disclosure: data subjects should be informed as to who is collecting their data;
  6. Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  7. Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe.  In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

But the European Commission realized that diverging data protection legislation among EU member states impeded the free flow of data within the EU and, since privacy rights were declared in Article 8 of the EU Charter of Fundamental Rights, it acted to propose a Data Protection Directive. All seven of the OECD principles were incorporated into the EU Data Protection Directive (officially the European Union Directive 95/46/EC on the protection of individuals regarding the processing of personal data and on the free movement of such data), which was adopted in 1995.

However, European directives are guidelines which propose certain results but leave each Member State free to decide how to transpose them into national laws. The EU currently has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). Over the years, they have made different laws that sometimes contradict each other.

A regulation, on the other hand, is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Since the 1995 Directive was only able to provide overall guidance in this area, the GDPR is designed to effectively harmonize European data protection laws. It was adopted in April 2016, and will officially supersede the Data Protection Directive and be enforceable starting on May 25, 2018.

The United States, however, while endorsing the OECD’s recommendations, did nothing to implement them domestically. Part of the issue is the diversity of laws in our federalist structure of government. With 50 states and 94 federal judicial districts (at least one district in each state, plus the District of Columbia and Puerto Rico, additional territorial courts, and courts of special jurisdiction such as bankruptcy), having a unified privacy directive similar to the GDPR is problematic here.

IMPACT BEYOND THE EU

First, we should note that the GDPR affects more than merely the EU. The regulation applies not just to the 28 member states of the EU but is also being integrated into the 1992 EEA Agreement and thus applies to the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein.

Second, as noted above, you do not have to have a physical presence in Europe to be covered by the GDPR. It applies to not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals, regardless of the organization’s location.

PREPARATION TRAJECTORY

Activities to deal with the upcoming implementation of the GDPR have been slowly building momentum. Groups such as The Sedona Conference and the EDRM have been studying best practice principles for US attorneys but numerous questions remain on how to proceed.

The important point is to be prepared.  The GDPR demands, not requests, data privacy compliance and places strong emphasis on organizations to act more responsibly in their data governance practices. More than ever, you need to identify what privacy-related content you possess, why it’s there, and who has access to it.

Failure to adequately prepare for the changes can have severe ramifications, including much higher fines than under the current regulatory environment. These include penalties of up to 4% of the organization’s global gross revenue for non-compliance, a point we will discuss in more detail in following parts of this overview.

For the remainder of the overview, we will highlight key elements, evaluations, and events in the planned implementation of the GDPR. Key elements to be covered will include:

  • Discuss definitions for common terms used in the GDPR
  • Discuss changes in practice to be made under the GDPR
  • Set out distinctions to be made between obligations for a specific company as opposed to service providers
  • Discuss steps to take to ensure compliance with the GDPR

So, what do you think?  Are you ready for the GDPR? Read more about this important event in the following parts of our GDPR series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.