International eDiscovery

Cell Phone Geolocation Evidence May Be Off the Mark (At Least in Denmark): eDiscovery Trends

If you watch Dateline, 20/20, 48 Hours or any other news program that covers notable crime stories, one trend has become more and more common – the use of cell phone/mobile device geolocation data to put alleged criminals at the scene of the crime (or at least very close to it).  We consider these devices – and the geolocation data obtained from them – to be highly accurate and important evidence in obtaining convictions for guilty parties or exonerating innocent ones.  Maybe we shouldn’t.

According the The Guardian (Denmark frees 32 inmates over flaws in phone geolocation evidence, written by Jon Henley), Denmark has released 32 prisoners as part of an ongoing review of 10,700 criminal cases after serious questions arose about the reliability of geolocation data obtained from mobile phone operators.

In addition, nearly 40 new cases have been postponed under a two-month moratorium on the use of mobile phone records in trials, which was imposed after police found multiple glitches in the software that converts raw data from phone masts into usable evidence.

Among the errors police have discovered is a tendency for the system to omit some data during the conversion process, meaning only selected calls are registered and the picture of the phone’s location is materially incomplete.

The system has also linked phones to the wrong masts, connected them to several towers at once, sometimes hundreds of kilometres apart, recorded the origins of text messages incorrectly and got the location of specific towers wrong.

Taken together, the problems meant not just that innocent people could potentially have been placed at crime scenes but that criminals could have been wrongly excluded from inquiries, said Jan Reckendorff, Denmark’s director of public prosecutions, who said “This is a very, very serious issue.  We simply cannot live with the idea that information that isn’t accurate could send people to prison.”  Announcing the case review and moratorium late last month, Reckendorff conceded it was a “drastic decision, but necessary in a state of law”.

There are no statistics on how many court cases in Denmark are decided on the basis of mobile phone data, but it is often used to corroborate other evidence and, although not considered as reliable as DNA, has previously been seen as highly accurate.

Isolated incidences of clearly inaccurate mobile data have occurred in the past in the US and South Africa, but this is the first time it has been questioned by a national justice system. Three years ago, a Kansas family sued a digital mapping company after being visited “countless times” by police and others.

I certainly experienced how inaccurate geolocation data tracking can be sometimes when I was in Italy the past couple of weeks.  Trying to use Google maps over there to help direct you to a location can be challenging as the application frequently reported inaccurate locations for where we were when trying to provide directions.

So, what do you think?  Are you concerned about the accuracy of geolocation data in the US?   Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

University of Florida Brings eDiscovery Teachings to a Chinese University: eDiscovery Best Practices

Needless to say, eDiscovery is becoming more global than ever and we’ve certainly seen a lot of instances where non-U.S. legal practitioners have to not only better understand U.S. discovery obligations, but also understand the methodologies and technologies associated with managing eDiscovery.  One U.S. university recently spent some time bringing some of those teachings to a university in Nanjing, China.

As covered in Legaltech News® (University of Florida Brings E-Discovery Expertise Abroad With Chinese University Partnership, written by Rhys Dipshan), the University of Florida’s Levin College of Law recently partnered with Southeast University in Nanjing, China, to launch an intensive two-week course aimed at educating local law students on U.S. eDiscovery laws and practices. William Hamilton, legal skills professor and executive director of the University of Florida’s E-Discovery Project, led the course, which took place at Southeast University during the last two weeks of August.

Transmitting Hamilton’s wealth of eDiscovery knowledge to the 68 undergraduate and graduate Chinese students who attended the class, and who were all used to a vastly different legal culture, was a challenge. “The e-discovery process is not intuitive to Chinese students,” Hamilton said.  So, he had an idea about how to explain this complex subject matter to e-discovery novices: stick to concrete, real-life examples.

Hamilton designed the two-week course around a fictional cross-border e-discovery case. “We set up the course as though we were in the trenches, and I think that was very helpful for the students to see the context right away, instead of starting with relatively abstract concepts.”  As a result, the cross-border eDiscovery case that Hamilton created was loosely based on actual litigation he handled years ago as a practicing attorney in Florida and involved two fictional companies: “U.S. Computer” and “Nanjing Electric.”

“I created a mock dispute in which Nanjing had manufactured motherboards and shipped those to U.S. Computer to be incorporated into a product that was then sold to consumers. The consumer product, however, allegedly had defects in it, and the U.S. consumers were complaining and returning the product. So U.S. computer sued Nanjing Electric for breach of contract.”

Hamilton asked the class to pretend they were the law firm representing “Nanjing Electric,” and explained the U.S. legal process and e-discovery obligations they would face. From there, he moved on to teaching the students how to use e-discovery tools in preparation for the pretrial discovery.

There are talks between the two schools to extend their partnership and Hamilton noted that Southeast University is “very eager to continue to expand the relationship.”  In fact, given that eDiscovery expertise is fast becoming a much-needed skill in China, he expects such collaborations to become more common in the future.

So, what do you think?  Is your organization dealing with more cross-border eDiscovery?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

FTC Cracks Down on Privacy Shield Posers: Data Privacy Trends

Did you ever wonder what happens if a company falsely claims that they are certified compliant with either the EU-U.S. or Swiss-U.S. Privacy Shield framework?  Or falsely claims that they are in the process of being certified compliant?  Apparently, the Federal Trade Commission (FTC) gets on their case about it.

According to ACEDS (California Company Settles FTC Charges Related to Privacy Shield Participation), ReadyTech Corporation, a California company, has agreed to settle Federal Trade Commission allegations that it falsely claimed it was in the process of being certified as complying with the EU-U.S. Privacy Shield framework, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law (we covered details of the framework when it was introduced over two years ago).

“Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield,” FTC Chairman Joe Simons commented. “We believe Privacy Shield is a critical tool for ensuring transatlantic data flows and protecting privacy that benefits both companies and consumers.”

According to the FTC’s complaint, the Commission alleges that ReadyTech, which provides online training services, falsely claimed on its website that it is “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” While ReadyTech initiated an application to the U.S. Department of Commerce in October 2016, the company did not complete the steps necessary to participate in the Privacy Shield framework. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the Privacy Shield.

The FTC alleges in its complaint that the company’s false claim that it is in the process of certification violates the FTC Act’s prohibition against deceptive acts or practices.

As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. It also must comply with standard reporting and compliance requirements.

This is the FTC’s fourth case enforcing Privacy Shield. It continues the FTC’s commitment to enforcing international privacy frameworks, making a total of 47 cases enforcing the Privacy Shield, the predecessor Safe Harbor framework, and the Asia Pacific Economic Cooperation Cross Border Privacy Rules framework.

As you may or may not know, CloudNine is certified for both the EU-U.S. and EU-Swiss Privacy Shield Frameworks (so, yes, at CloudNine we are “certifiable”).  :o)  Periodically, you have to recertify – in fact, I just completed the recertification process for CloudNine a while back.  It’s good to know that somebody is checking up on companies to make sure that their claims of being privacy shield compliant are valid.

So, what do you think?  Is your organization privacy shield certified?  Are your providers certified?  Please share any comments you might have or if you’d like to know more about a particular topic.

P.S. — Happy Birthday, Kiley!  You’re now officially a teenager!  😮

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

CLOUD Act Renders Supreme Court Decision in the Microsoft Case Moot: eDiscovery News

The Supreme Court heard arguments on February 27th over Microsoft’s ongoing data privacy case involving email stored in Microsoft datacenter in Ireland.  Supposedly, according to reports from those attending, the justices didn’t seem swayed by Microsoft’s claims that data stored overseas should not be accessible to government prosecutors.  However, Congress has since passed the CLOUD (Clarifying Lawful Overseas Use of Data) Act. Parties on all sides of the case expected the passage of the CLOUD Act to render the Microsoft case moot.  And, they were right.

Yesterday, in an unsigned three-page opinion, the Supreme Court justices threw out a ruling by the U.S. Court of Appeals for the 2nd Circuit, explaining that the case had become moot.

On March 23, Congress passed – and President Donald Trump signed – legislation that directly addressed the legal issue before the court in the Microsoft case. The CLOUD Act contains a provision that requires email service providers to disclose emails within their “possession, custody, or control,” even when those emails are located outside the United States. Once the CLOUD Act was in effect, the federal government went back to court and got a new warrant, which has replaced the warrant originally served on Microsoft back in 2013.  According to ZDNet, Microsoft officials said they are reviewing the new DOJ warrant before deciding how to proceed.

Microsoft officials repeatedly have said they were in favor of legislation, not legal action, in settling these kinds of matters. Though it seems contradictory, Microsoft actually backed The CLOUD Act, which stipulates that cloud providers comply with court orders for data regardless of whether the information is located in the U.S. or not.

Microsoft released the following statement from its President and Chief Legal Officer Brad Smith yesterday regarding the Supreme Court’s move:

“We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into to law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.”

In light of all these facts, the court concluded, there is no longer a “live dispute” between the United States and Microsoft on the legal question that the justices had agreed to review. The court therefore invalidated the 2nd Circuit’s ruling and sent the case back to the court of appeals with instructions to vacate the district court’s rulings against Microsoft and to direct the district court to dismiss the case.

So, what do you think?  Does the CLOUD Act end the disputes over data stored by internet providers overseas?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Germany Finds that Facebook’s Privacy Settings and Terms of Service Violate Their Privacy Rules: Data Privacy Trends

One of the things that Tom O’Connor and I discussed in last week’s webcast about the upcoming Europe General Data Protection Regulation (GDPR) was how consent will be interpreted for use of data for its data subjects.  Last month, a German court may have given an early indication of how consent will be enforced.

In Legaltech News (Facebook Foreshadowing: German Court Underscores Tech’s Uncertain GDPR Future, written by Rhys Dipshan, free subscription required), the author notes that after a three-year battle, a regional court in Berlin has found that Facebook’s default privacy settings, terms of service, and requirement that users register under their own name violate Germany’s data privacy and consent rules.

The January 2018 ruling (available here, in German, of course) based on German law on a case brought by The Federation of German Consumer Organisations (VZBV) could nonetheless illustrate trouble for international technology companies under the GDPR, once it takes effect on May 25th of this year.

Germany’s data privacy laws are currently based on the EU Directive 95/46/EC, the data privacy directive passed by the European Union in 1995 which has provisions that mirror those in the GDPR, especially around the issue of consent.  EU Directive 95/46/EC will be replaced by GDPR on May 25th.

Last November, the EU Article 29 Data Protection Working Party (WP29) issued Guidelines on Consent under Regulation 2016/679 to clarify how the EU would move to define and regulate consent and that guidance aligns closely with how the German court interpreted consent in the case against Facebook. For example, the court ruled that the pre-activated privacy settings on Facebook’s mobile application, such as allowing geotagging and for search engines to index a user’s Facebook profile, are a violation of user consent.

The court also found that eight clauses in Facebook’s terms of service assumed and framed consent too broadly and declared that asking users to register under their own names “was a covert way of getting people’s consent to use their real names,” said Nick Wallace, a senior policy analyst at the Center for Data Innovation.

The WP29’s guidance affirms both points and it also notes, “If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given.”  WP29 also states, “The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice.”

Debbie Reynolds, director of EimerStahl Discovery Solutions, an affiliate of law firm Eimer Stahl, stated that “Facebook and a lot of tech companies sell marketing,” and having their users register under their real names “makes the information they collect more valuable. So I think this is going to in some way change the foundation of how they are operating today.”

As you can imagine, the requirements of specific consent could change things for a lot of companies that currently collect data from individuals, including EU data subjects – perhaps significantly.  We will see.

Speaking of data privacy, today is the day that the Supreme Court will hear oral argument in United States v. Microsoft Corp (which we’ve referred to as the “Microsoft Ireland” case).  Needless to say, the ruling in this case will have major impact on how organizations treat data privacy as well.  We will certainly cover the ruling when it’s issued.

So, what do you think?  Is your organization changing how it obtains consent from individuals for handling their data?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Don’t Panic, but the Countdown is on and GDPR is Coming!: Data Privacy Trends

I have a “panic button” on my desk.  Are you panicking about the upcoming Europe General Data Protection Regulation (GDPR) yet?  If so, see below.

I stumbled across an EU GDPR countdown clock yesterday.  As of when I’m writing this, the clock says there are 92 days, 22 hours, 11 minutes and 08 seconds “Until the EU GDPR comes into force” (on May 25th).  So, time is ticking!

Are you ready?  Gartner predicts that on May 25th, more than half of companies affected by the GDPR will not comply fully with its requirements.

If you’re afraid you may be one of those companies, or not even sure whether or not GDPR applies to you, today at noon CST (1:00pm EST, 10:00am PST), CloudNine will conduct the webcast eDiscovery and the GDPR: Ready or Not, Here it Comes! In this one-hour webcast that’s CLE-approved in selected states, we will discuss how data privacy requirements have evolved over time, the parameters associated with the GDPR, what they mean to your organization and what steps your organization needs to take to ensure compliance with the GDPR.

Once again, I’ll be presenting the webcast, along with Tom O’Connor, who recently wrote an article about GDPR that we covered as a four part blog series.  It’s not too late to register for it, if you want to attend, click here.  Even if you can’t make it today, you can still go ahead and register to get a link to the slides and to the recording of the webcast (if you want to check it out later).

Oh, and I really do have a “panic button” from Hoops & Yoyo™.  I keep it on my desk at work and it comes in handy at times to relieve stress.  If you want to see what it looks like and sounds like, click here.

So, what do you think?  Are you ready for GDPR?  If not, don’t panic!  Please share any comments you might have or if you’d like to know more about a particular topic.

*Oh, now we’re down to 92 days, 21 hours, 41 minutes and 49 seconds!  Just in the time it’s taken me to write this blog post!  :o)

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Ready for GDPR? Here’s a Webcast that Can Help You Get Ready: eDiscovery Best Practices

If you think that your organization isn’t subject to the requirements of Europe’s impending General Data Protection Regulation (GDPR), you may be wrong about that.  If it is, are you on target to be compliant by May 25?  Here’s a chance to find out what you need to know to be compliant.

On Wednesday, February 21 at noon CST (1:00pm EST, 10:00am PST), CloudNine will conduct the webcast eDiscovery and the GDPR: Ready or Not, Here it Comes! In this one-hour webcast that’s CLE-approved in selected states, we will discuss how data privacy requirements have evolved over time, the parameters associated with the GDPR, what they mean to your organization and what steps your organization needs to take to ensure compliance with the GDPR.  Topics include:

  • How Data Privacy Requirements Have Evolved in the US and Europe
  • Scope of the GDPR Beyond the EU
  • A Definitional Baseline for GDPR
  • Important Changes and Organizational Impact
  • Data Existence and GDPR Compliance
  • Challenges Presented by Privacy Rights Associated with the GDPR
  • Fines: The Potential Cost of Non-Compliance
  • Business of the GDPR: Controllers and Processors
  • Steps to Take to Comply with the GDPR

Once again, I’ll be presenting the webcast, along with Tom O’Connor, who recently wrote an article about GDPR that we covered as a four part blog series.  To register for it, click here.  Even if you can’t make it, go ahead and register to get a link to the slides and to the recording of the webcast (if you want to check it out later).  Doing so might just keep you from a fine of the GREATER of €10 million or 2% of global annual revenue!

So, what do you think?  Are you ready for GDPR?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Four: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was last Monday, Part Two was last Wednesday and Part Three was last Friday.  Here’s the fourth and final part.

Part Four: Now That I Understand The GDPR, What Do I Do?

In preparing for GDPR, all companies should start by doing the following:

Determine Their Role Under the GDPR: Any organization that decides on why and how personal data is processed is essentially a “data controller”, regardless of geographic location.

Appoint a Data Protection Officer: This is especially critical if the organization is a public body or is doing regular large-scale processing.

Prepare for Data Subjects Exercising Their Rights: These include the right to data portability and the right to be informed as well as the right to be forgotten.

And then, companies should continue by taking the following steps:

  • Build a data map
  • Identify all privacy-related data
  • Analyze all privacy-related data
  • Conform all data handling practices to GDPR standards
  • Ensure compliance policies and procedures meet GDPR standards
  • Secure all systems against data theft
  • Obtain ISO 27001 Certification
  • Hire a Consumer Data Ombudsman specifically for dealing with requests and complaints from data subjects.

This new GDPR regulatory framework will be the strictest privacy doctrine in the world and appears to be on a collision course with some US based discovery rules.

Bart Willemsen, research director at Gartner, recently commented that, “The GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe and with the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”

Despite this warning and even though many organizations have been monitoring and preparing for the GDPR during the past few years of negotiation, more than a few have not. Gartner predicts that on May 28 of next year, more than half of companies affected by the GDPR will not comply fully with its requirements.

So immediate preparation is essential.  Keep in mind that the goal of the GDPR is not to punish business entities but rather the public policy purpose of ensuring that companies and public bodies increase their ability to detect and deter breaches.

Fines are designed to be proportional to the effort by companies to comply with the new regulations and will focus on those which systematically either fail to comply with the law or disregard it altogether. They can be avoided by companies which are transparent in their policies and procedures, make a good faith effort to develop that transparency and report any data breaches swiftly.

Prepare now to put into place policies and procedures for both compliance and reporting, especially if you have multiple business locations and/or handle data from inside the EU.  Various consulting firms and trusted advisors such as CloudNine can help provide guidance but don’t delay.  Remember that given the Gartner figures above, organizations in compliance with the GDPR may find themselves have a true competitive differentiator on May 25, 2018.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Three: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was Monday, Part Two was Wednesday.  Here’s the third part.

Part Three: eDiscovery and the GDPR

Initial hopes were that the GDPR would promote eDiscovery cooperation between the US and Europe by standardizing data protection laws and regulations among the 31 EEA nations and the US.  But instead, some sections of the new regulation emphasize even further the difference between US law and the European countries mentioned in Part One.

US discovery comes from the UK common law system, but the other EU countries do not share that background and typically have no discovery at all or it is only available through specific requests to a judge. The regulations tend to favor that approach and thus make things difficult for US eDiscovery practitioners in several areas set out below.

First and perhaps most important is the issue of litigation holds.  In the US, data being held pursuant to a litigation hold is not considered to be data undergoing “processing”.  The GDPR definition of processing, however, is much broader and makes no provisions for holding personal data for an unlimited period of time simply because of the possibility of impending litigation in the US.

Other areas of disconnect include:

DPO Requirement: There are concerns that when a company must create a DPO position, it will exacerbate relations with any US concern seeking data by institutionalizing the resistance to data requests under the new GDPR compliance structure.

Privacy Impact Assessment (PIA) Obligation: Data that is inadvertently deleted and is potentially relevant to an ongoing investigation or litigation in the US could result in a request for a company to produce data audit information. But the company’s compliance with the GDPR’s PIA requirements would appear to create a shield against any such discovery request.

Transfer of Data to Third Countries: Article 48 of the GDPR expressly states that orders or judgments by non-EU courts and administrative authorities requiring transfer or disclosure of personal data are not a valid basis for transferring data to third countries. Article 48 states, rather, that such orders or requests will be recognized only in so far as they are based on international agreements or treaties between the third country and the EU or member state, such as The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters.

It would appear then at first blush that no request for a data transfer to a third country outside the EU will stand unless supported by a treaty or trade agreement. None of those options is well suited for a US-based discovery suit.

Data Portability Rights: Custodians who request the deletion and/or transfer of their own data, especially during a government investigation or litigation, may create a conflict between US preservation requirements and the GDPR right to forget provisions.

Sanctions: The new GDPR privacy requirements may push US litigants to early settlements rather than proceed with litigation discovery that may lead to high fines in Europe or ethical issues with regards to preservation or “complete” discovery under FRCP Rule 26(g) in the US

Extraterritorial Effects: As noted in the Introduction, the GDPR covers not only data stored in the EU but also any data created or stored in the US that concerns an EU citizen.

THE BUSINESS OF THE GDPR: CONTROLLERS AND PROCESSORS

The GDPR defines two distinct roles for business entities, that of “controller” and that of “processor”. A “controller” determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology, whereas a “processor” actually processes the personal data on behalf of a controller.

An organization cannot be both a controller and a processor of the same data, but it can be a controller of one set of data and a processor of yet another. For example, a software company such as Microsoft or IBM may be a controller with respect to personal data that it collects from its employees but can also be a processor with respect to personal data that its commercial customers collect and the company processes on their behalf through their own solutions such as Office 365 or Watson.

With respect to data sets where the company is the controller, they are directly responsible for responding to data subject requests under the GDPR.  When they are a processor, they must ensure that its customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to such requests.

Any organization that decides on how personal data is processed is essentially a data controller.  Companies which are primarily controllers will be concerned with addressing all aspects of the GDPR.  Regardless of the specific business structure, every controller will need to be sure that:

  • Compliance policies and procedures are in place
  • Business management controls are implemented
  • Users are properly trained
  • Data is properly secured
  • IT properly implements a secure system

Service providers acting as data processors have increased obligations to meet the GDPR privacy standards.  As such, a processor who demonstrates compliance with the heightened GDPR standards will likely be recognized as a preferred provider within the industry.

Processors should also have audit trials for all processing activities including:

  1. Data quality control
  2. Purpose limitations
  3. Data relevance

Processors should also demonstrate accountability and transparency in all decisions regarding personal data processing activities to maintain compliance for both present and future personal data processing activities.

Third-party service providers which are only data processors should also meet these standards. The GDPR standards require proper data subject consent and that consent and consent withdrawal must be documented scrupulously. Implied consent will no longer be accepted as an approval method.

In parts one through three in this series we have established a baseline for understanding the intent and impact of the GDPR and highlighted its impact on eDiscovery. On Monday, in the final part of our series, we will look at some recommendations for companies seeking to prepare and comply with the GDPR.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Two: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was Monday, Here’s the second part.

Part Two: GDPR Definitions and Changes

A DEFINITIONAL BASELINE FOR GDPR

The first and overriding concept to be understood in dealing with the GDPR is how the regulation defines personal and sensitive data and then to determine how those definitions relate to data held by your organization.  Once you understand those concepts, you can proceed to pinpoint where any data meeting the definitions is created managed and stored.

The GDPR considers personal data to be any information related to an identifiable natural person and calls such a person a “data subject.” That can include both direct identification such as a name or indirect identification which clearly points to a specific person.  This includes online identifiers such as IP addresses and location data such as a mobile device ID or position, which the EU Data Protection Directive had previously been vague about.

Examples of information relating to an identifiable person include:

  • Name
  • Identification number such as SSN, INSEE code, Codice fiscal, DNI, etc.
  • Location data such as home address)
  • Online identifier such as e-mail address, screen names, IP address, etc.
  • Genetic data such as biological samples or DNA, including gene sequence
  • Biometric data such as fingerprints or facial recognition
  • Health data
  • Data concerning a person’s sex life or sexual orientation

There is also a general category which includes data which may reveal:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership

All such sensitive personal data is afforded enhanced protections under the GDPR and generally requires an individual’s explicit consent where such data is retained or used.

Other pertinent definitions include:

Consent: Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.

Controller: A controller alone or jointly with others, determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology.  A controller is directly responsible for responding to data subject requests under the GDPR.

Data Breach Notification: Data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals.

Data Protection Officers: Companies must appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, although almost all public organizations must have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information must appoint a DPO.

Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.

Fines: GDPR violations can result in substantial fines of up to 4 percent of annual revenue or 20 million Euro, whichever is greater.

Processor: A “processor” processes personal data on behalf of a controller (e.g., Microsoft is a processor with respect to personal data that its commercial customers collect and Microsoft processes on their behalf through solutions like Office 365.)

A processor must ensure that its commercial customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to data subject requests under the GDPR.

Right to Access: The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.

Right to Erasure: Known formerly as the “right to be forgotten,” these provisions give data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.

IMPORTANT CHANGES AND ORGANIZATIONAL IMPACT

 Among the key new elements of the GDPR are the following practical results:

  • Requirement that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required;
  • Significant penalties for non-compliance including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply;
  • Changes to eDiscovery practice in the US.

DATA EXISTENCE AND GDPR COMPLIANCE 

The GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required. Specifically, organizations must have in place procedures to ensure the personal data of EU residents is secure, accessible, and can be identified upon request.

Balance these requirements against recent IDG research which suggests that approximately 70% of information stored by companies is “dark data” in a distributed, unstructured format.  If that figure is accurate, the new requirement will pose substantial legal risks.

To achieve GDPR compliance, organizations will need to develop explicit policies for handling personal information.  This will need to include:

  • Enterprise-wide Data Inventory: Identify the presence of personal data in all locations
  • Data Minimization: Retain as little personal data on EU subjects as possible.
  • Enforcement of Right to Be Forgotten: An individual’s personal data must be identified and deleted on request.
  • Effective Response Time: The ability to conduct enterprise-wide searches and report on the extent of any data breach within seventy-two (72) hours.
  • Accountability: Ability to create audit trails for all personal data identification requests.

Finally, and equally important, the company must be able to show that these policies are being enforced and followed throughout the enterprise. Failure in any of these areas will now lead to heavy fines.

FINES: THE POTENTIAL COST OF NON-COMPLIANCE

One of the biggest changes coming with the GDPR is the increase in fines for violations. Previously, under the Directive, each member state was free to adopt laws in accordance with the principles laid out in the Directive, which meant that there were differences in the way each member country implemented and enforced the Directive.

But the GDPR is a regulation that applies to all member states of the EU and as such provides a new uniform regulatory framework. This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to their own data subjects.

Under this new framework, a member state’s supervisory authority will operate in one of these ways:

  • Lead Supervisory Authority: will act as the lead for the controllers and processors whose main establishments are located in its member state.
  • Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
  • Concerned Authorities: will cooperate with the lead supervisory authority when data subjects in their member state are affected.

Article 58 of the GDPR provides these supervisory authorities with the power to impose administrative fines under Article 83 based on several factors, including:

  • How the regulator was told about the infringement
  • Types of data involved
  • Duration of the infringement
  • Whether the infringement was intentional or negligent
  • Policies and procedures deployed by the company
  • Prior infringements by the controller or processor
  • Degree of cooperation with the regulator

How is the fine calculated? There is a tiered approach with technical issues being separated from actual records management. Non-compliance on technical measures such as impact assessments, breach notifications and certifications can lead to a fine up to an amount that is the GREATER of 10 million or 2% of global annual revenue. If the breach involves key provisions of the GDPR (processing personal data, infringement of the rights of data subjects or transfer of personal data to third countries or international organizations that do not meet GDPR standards) the fine can be an amount that is up to the GREATER of 20 million or 4% of global annual turnover in the prior year.  Finally, it is important to note that these rules apply to both controllers and processors which means ‘clouds’ will not be exempt from GDPR enforcement.

In part one and part two of this series, we have established a baseline for understanding the intent and impact of the GDPR. On Friday, in part three, we will look directly at the impact of the GDPR on eDiscovery.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.