eDiscovery Daily Blog
eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Three: eDiscovery Best Practices
Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems. He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great. If you missed it, you can check out the replay here. Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes. Enjoy! – Doug
Tom’s overview is split into four parts, so we’ll cover each part separately. Part One was Monday, Part Two was Wednesday. Here’s the third part.
Part Three: eDiscovery and the GDPR
Initial hopes were that the GDPR would promote eDiscovery cooperation between the US and Europe by standardizing data protection laws and regulations among the 31 EEA nations and the US. But instead, some sections of the new regulation emphasize even further the difference between US law and the European countries mentioned in Part One.
US discovery comes from the UK common law system, but the other EU countries do not share that background and typically have no discovery at all or it is only available through specific requests to a judge. The regulations tend to favor that approach and thus make things difficult for US eDiscovery practitioners in several areas set out below.
First and perhaps most important is the issue of litigation holds. In the US, data being held pursuant to a litigation hold is not considered to be data undergoing “processing”. The GDPR definition of processing, however, is much broader and makes no provisions for holding personal data for an unlimited period of time simply because of the possibility of impending litigation in the US.
Other areas of disconnect include:
DPO Requirement: There are concerns that when a company must create a DPO position, it will exacerbate relations with any US concern seeking data by institutionalizing the resistance to data requests under the new GDPR compliance structure.
Privacy Impact Assessment (PIA) Obligation: Data that is inadvertently deleted and is potentially relevant to an ongoing investigation or litigation in the US could result in a request for a company to produce data audit information. But the company’s compliance with the GDPR’s PIA requirements would appear to create a shield against any such discovery request.
Transfer of Data to Third Countries: Article 48 of the GDPR expressly states that orders or judgments by non-EU courts and administrative authorities requiring transfer or disclosure of personal data are not a valid basis for transferring data to third countries. Article 48 states, rather, that such orders or requests will be recognized only in so far as they are based on international agreements or treaties between the third country and the EU or member state, such as The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters.
It would appear then at first blush that no request for a data transfer to a third country outside the EU will stand unless supported by a treaty or trade agreement. None of those options is well suited for a US-based discovery suit.
Data Portability Rights: Custodians who request the deletion and/or transfer of their own data, especially during a government investigation or litigation, may create a conflict between US preservation requirements and the GDPR right to forget provisions.
Sanctions: The new GDPR privacy requirements may push US litigants to early settlements rather than proceed with litigation discovery that may lead to high fines in Europe or ethical issues with regards to preservation or “complete” discovery under FRCP Rule 26(g) in the US
Extraterritorial Effects: As noted in the Introduction, the GDPR covers not only data stored in the EU but also any data created or stored in the US that concerns an EU citizen.
THE BUSINESS OF THE GDPR: CONTROLLERS AND PROCESSORS
The GDPR defines two distinct roles for business entities, that of “controller” and that of “processor”. A “controller” determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology, whereas a “processor” actually processes the personal data on behalf of a controller.
An organization cannot be both a controller and a processor of the same data, but it can be a controller of one set of data and a processor of yet another. For example, a software company such as Microsoft or IBM may be a controller with respect to personal data that it collects from its employees but can also be a processor with respect to personal data that its commercial customers collect and the company processes on their behalf through their own solutions such as Office 365 or Watson.
With respect to data sets where the company is the controller, they are directly responsible for responding to data subject requests under the GDPR. When they are a processor, they must ensure that its customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to such requests.
Any organization that decides on how personal data is processed is essentially a data controller. Companies which are primarily controllers will be concerned with addressing all aspects of the GDPR. Regardless of the specific business structure, every controller will need to be sure that:
- Compliance policies and procedures are in place
- Business management controls are implemented
- Users are properly trained
- Data is properly secured
- IT properly implements a secure system
Service providers acting as data processors have increased obligations to meet the GDPR privacy standards. As such, a processor who demonstrates compliance with the heightened GDPR standards will likely be recognized as a preferred provider within the industry.
Processors should also have audit trials for all processing activities including:
- Data quality control
- Purpose limitations
- Data relevance
Processors should also demonstrate accountability and transparency in all decisions regarding personal data processing activities to maintain compliance for both present and future personal data processing activities.
Third-party service providers which are only data processors should also meet these standards. The GDPR standards require proper data subject consent and that consent and consent withdrawal must be documented scrupulously. Implied consent will no longer be accepted as an approval method.
In parts one through three in this series we have established a baseline for understanding the intent and impact of the GDPR and highlighted its impact on eDiscovery. On Monday, in the final part of our series, we will look at some recommendations for companies seeking to prepare and comply with the GDPR.
So, what do you think? Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization. And, as always, please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.