eDiscovery Daily Blog

Chris Dale of the eDisclosure Information Project: eDiscovery Trends 2018

This is the eleventh (and final) of the 2018 Legaltech New York (LTNY) Thought Leader Interview series.  eDiscovery Daily interviewed several thought leaders at LTNY this year (and some afterward) to get their observations regarding trends at the show and generally within the eDiscovery industry.

Today’s thought leader is Chris Dale.  Chris is Editor of the eDisclosure Information Project.  Chris qualified as an English solicitor in 1980. He was a litigation partner in London and then a litigation software developer and litigation support consultant before turning to commentary on electronic disclosure / discovery. He runs the e-Disclosure Information Project which disseminates information about the court rules, the problems, and the technology to lawyers and their clients, to judges, and to suppliers. He was a member of Senior Master Whitaker’s Working Party which drafted Practice Direction 31B and the Electronic Documents Questionnaire. Chris is also a well-known speaker and commentator in the UK, the US and other common law jurisdictions.

{I spoke to Chris during LTNY and this is a rough transcript of our discussion}

Everybody over here in the US is talking about the General Data Protection Regulation (GDPR), what it will mean to American businesses and especially the potential of large fines for lack of compliance.  What are people saying about it in Europe?  Is this as big a deal as everyone is making it out to be?

I’m plotting with somebody to have a conference in London before the implementation date, at which we will not mention the GDPR in the marketing profile.  Whether we’ll get that through the marketing department or the education department I have yet to find out, but there’s no doubt that GDPR is driving a lot of attention, often for the wrong reasons.

You say for the wrong reasons? Why do you say that?

A lot of people are talking about the 4% fines as if that was the only driver which matters. There are lots of people who are talking about “citizens” but have not responded to my challenge find the word ”citizens” anywhere in the GDPR. There’s a lot of pig ignorance about precisely what it says and what its terminology is, let alone what its effect is likely to be. That’s quieting down and the shouters are beginning to shout a bit less about 4% fines. Of course, the fines have to be mentioned, because they are part of the bottom line, and companies like Facebook may well face the very big fines. As a motive for doing anything about GDPR, they should not be the most compelling one for most companies.  It would be good to see people taking a more rounded approach to what the implications are. I interviewed someone this morning who is very good, very knowledgeable about it and yet he (to my surprise) mentioned the 4% fine.  But when we discussed the fine, it was clear that he didn’t mean everybody is at a risk from that. It would be good to see people produce a business case for dealing with GDPR that doesn’t refer either to the 4% fine or to “citizens”, because there’s a lot of nonsense going on about it at the moment. There are an awful lot of people who act as experts on it, but whose first paragraph about it betrays the fact that they haven’t got a clue.  I saw an article promoting a service just recently and the first paragraph had a gross error in it.

So, I guess it’s an understatement to say there’s a lot of misconceptions about the GDPR?

Yes. One of the results of that, to some extent anyway, is that companies just throw their hands up in horror and say, “Well, I can’t comply by the due date, so I’ll just hide and pretend it’s going to go away.” That’s the result of hype and what happens when providers raise the stakes. We saw it in Zubulake and we saw it with the federal changes way back. People are thinking, “Well I can’t comply with it anyway, so why bother?” And that is not exactly the right attitude.

There are people who talk about the 72-hour deadline for breach notification as if that meant you have to do everything, produce every last bit of information to a regulator and possibly to the people affected within the 72 hours.  All this hype tends to make a lot of organizations say, “I can’t, I know I don’t comply with that anyway, I’ll just keep my head down, hope they hit somebody else.” Whereas there needs to be a more moderated approach to what needs to be done and what the implications are of not doing it, and a more positive look at what you gain from compliance.

My favorite quotation came from a chap called Patrick Burke whom you may know. He was in private practice advising on privacy and data protection, and specifically on the GDPR, and I asked him, “What’s your clients’ reactions, are they in fear of fines?” He said, “No, they just want to keep doing business.” Which is a really good line. Very quickly, the clients of the organizations who haven’t complied are probably going to start putting it into their RFP. They’ll be asking not just, “Have you complied?” but ”Can you indicate what you have done to be consistent with compliance with GDPR?” Those who have to say, “Oh, I don’t know what you’re talking about,” which I’m afraid includes quite a lot, will start losing business.  Possibly the companies who are asking that themselves won’t be compliant or know what it means, but it’ll become one of those tick box items like so many other things and the inability to give a satisfactory answer will lose business.

If you look at one of the companies in the UK that’s been fined under the present regime, they were fined 400,000 pounds, which sounds a lot of money until you look at what else they lost – £80 million in direct and indirect costs. It is said that they lost more than 6% of their market share, so you could multiply that £400,000 fine by roughly ten times under the new regime and you’re still not scratching the surface of the losses they’ve suffered overall, because they come across as the sort of company that doesn’t look after its customers’ data properly.

The conventional marketing of, “I know GDPR and I can help you through it,” doesn’t scratch the surface particularly if they start using terminology that doesn’t actually exist in it.  But you’re not offering expert services in guidance through the GDPR, you’re offering the ability to do specific things like to identify personal data and believing it is somebody else’s problem perhaps to decide what personal data is and what the risk profile is. Stick resolutely to the provision of services to meet whatever requirements are offered are sought, such as the ability to identify personal data and the ability to adapt, to show what data you’ve got in case you need to do so.

Perhaps that doesn’t matter as long as one gets business from it.  There’s certainly a lot of work coming out of it. Maybe we are at last finding the ROI for information governance that was missing on the first round through IG. Maybe people will begin to realize that if they get rid of their “crap”, they have less of a problem. That’s valuable.  The end result is less crap, or at least a better handle on their crap through data maps and things like that.  And knowing where it is from the moment of its creation and what in it might be offensive – knowing what ought to be deleted.

Or at least confront the decision. “Yes, I ought to delete that because the EU rules say that once it’s no longer serving the purpose for which it was collected it ought to be deleted.” Weighing that against, “Yes, but then I might be in trouble with a US regulator or court.”  It’s about making the informed decision that you’re keeping it or not keeping it, depending on which of those risks you see as the most important.  We will see gradually US courts acknowledging that there’s an EU requirement to delete data – if it contains personal information that’s no longer required for the purpose for which it was collected –and to acknowledge that that is a reason, an excuse if you like, for its non-availability.

That will take three to five years. For a period you’ll have judges who either don’t give a damn what everybody outside the US says or are too uninformed to understand what all this means with arguments put in front of them by lawyers who neither care nor understand what it all means.  But you’ll reach a point where I think the US courts will acknowledge that there are problems for those who keep EU data at the rate it that has been done most times in the EU. All that will take time and I hope there’ll be some examples. There’ll be some people who get some serious difficulties because of failure to comply. We don’t wish bad things for those people, but until we start seeing that we don’t actually know what target we’re aiming for. Regardless how well we might think we understand the statutes until we start seeing how regulators enforce them, we won’t know what to expect.  Of course, whether we get consistency between EU regulators (as is the hope) or whether in fact they all end up with different shades of interpretation will make a difference. It will take time and very interesting to see. That problem makes it sound even more daunting than it was.

In addition to GDPR, the Supreme Court decision in the Microsoft Ireland case will also have an impact of privacy rights for data subpoenaed by US law enforcement agencies.  What do you think will happen there and what do you think will be the impact?

I think it’s likely that Judge Francis’ original opinion is upheld by the Supreme Court. I think it will be upheld because the politics of it is not Supreme Court’s concern. It will be interesting to see what will happen when the Supreme Court says, “Yes, it’s absolutely fine for US agencies to dip their hands into data stores all over the world even if they don’t know that it’s a US citizen.” That’s a perfectly possible outcome.  What are you going to do then? What’s China going to do? There’s all these sort of political things, which as I say are not strictly the concern of the Supreme Court. What’s the backlash going to be?  Nobody knows.

Regardless of what the decision ultimately is, the CLOUD Act currently before Congress (to amend the Stored Communications Act to allow US federal law enforcement to compel U.S.-based service providers via warrant or subpoena to provide requested data stored on servers regardless of whether they are located within the U.S. or in foreign countries) could make the Supreme Court decision moot.  {Editor’s Note: The CLOUD Act was signed into law as part of the Omnibus Bill in March.}

What would you like our readers to know about things you’re working on?

We have some new civil discovery rules pending in England and Wales, and we have had some cases worthy of comment recently. The main thing is to keep writing – I’m getting 60 more page views per day this year than last year (that is, nearly 22,000 extra page views a year) which suggests a growing interest in this subject.

Part of that, perhaps, is down to the videos which we do and I am keen to make more use of this medium to get messages across, whether about the rules of England and Wales, the GDPR, or the interesting developments in discovery US and worldwide. They are very time-consuming to do properly but are well worth it.

Thanks, Chris, for participating in the interview!

As always, please share any comments you might have or if you’d like to know more about a particular topic!

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation.  Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer:  The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine.  eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance.  eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.