In the wake of the Facebook/Cambridge Analytica breach, the GDPR will trigger an overarching privacy framework that increases the territorial scope of European data protections, including a stronger “right to be forgotten” and stringent consent requirements.
It will have broad international ramifications, and it will impact traditional litigation practices in the US, like e-discovery.
It’s also poised to become the new international privacy standard, by default, because it’s practically impossible for global companies to segregate data protection by region.
In fact, some of the largest international corporations (like Facebook) have already indicated they will be applying GDPR standards globally. That sets a precedent.
It means our work will become more difficult. Much more difficult.
Any entity, located in the EU or elsewhere, that collects or processes data that contains personal data about EU residents must comply with the new framework. And, collecting and processing data is pretty much what e-discovery is all about.
So, given the inconvenient reality that many US cases require evidence from the EU, this IS going to be an issue. A big issue, particularly in light of the fact that the penalties for violating the new provisions are severe: a fine of four percent of an organization’s global gross revenue or €20 million (whichever is greater).
Simply put, the stakes are high.
Obstacles on the horizon.
One immediate challenge relates to the strengthened requirement for consent. Data subjects must be given sufficiently detailed notice of a data request. It must be given in an intelligible and easily accessible form and the language must be plain and clear.
These new arrangements haven’t yet been stress-tested in the real world so there are many ambiguous scenarios ahead for companies, law firms and e-discovery service providers.
For example, consider the collection of email. Normally we think of email in terms of a single ‘data owner’ or custodian. However, a single email box typically contains personal information relating to thousands of senders and recipients. These could all be ‘data subjects’ in terms of the GDPR definitions. So how does one ascertain which ‘data subjects’ are EU residents? Is consent from the custodian enough or could it be argued that consent from every “data subject” represented in an email box is required? It may seem an absurd proposition, but a literal interpretation of the new regulation could lead to that conclusion.
Also, what should happen when a data subject exercises their ‘right to be forgotten’ in the middle of a lawsuit or investigation? And when does a company’s “legitimate interest” in processing an individual’s data without their consent outweigh individual privacy rights?
We don’t yet have the answers and there will undoubtedly be more practical challenges that are not yet envisaged.
How do we prepare for this brave new world?
There are a number of things to consider. First, it might be prudent to review your e-discovery practices on the assumption that GDPR could evolve to become a new international privacy standard.
One practical option when faced with EU data collection challenges might be to ‘take the tools to the data’ so the whole project can be managed on-site or at least in-country.
If the collection, analysis, review, and even production is performed at the source EU location, the challenges may be alleviated and potentially side-stepped altogether.
In other cases, it may be possible to avoid the normal e-discovery debacle altogether. For example, instead of rushing to over-collect and process mountains of irrelevant documents, the legal team might benefit by focusing first on interviews with key persons of interest to glean early insight into the facts and use this knowledge to narrow the issues as early as possible. That might facilitate a more targeted, lower volume, collection – one that minimizes complexity, risk and cost.
It may also be possible to investigate the data in-situ instead of undertaking a massive over-collection and schlepping unnecessary data across international borders for a typical processing and review fiasco.
Ultimately, conducting investigative analysis, on-site, with the right tools could avoid risky data transfers and resolve the case by finding key evidence more quickly. Of course, such an approach would require litigators to think more like investigators but surely that’s not an entirely audacious proposition.
How can EDT help?
EDT software can help you comply with GDPR obligations in relation to litigation or investigations.
An EDT Portable deployment enables you to ‘take the tools to the data’, so collection, analysis, review and production can all occur on-site, which simplifies the consent requirements. The end-to-end platform can even fit on a small laptop and has a starting price point of only USD 3,500 per month with no user license fees and no per GB charges. As such, it’s not only portable, it’s also an extremely affordable option for cases involving EU data.
Alternatively, an On-Premise deployment can reside behind the firewall on client hardware or in a client-managed, EU-based data center of choice.
edt.BLUE could also be deployed in any of the 28 EU member countries using any client-approved cloud provider such as IBM, Microsoft or Amazon. These providers now offer data localization commitments to comply with the GDPR, and EDT’s complete turn-key solution can be deployed within 48 hours, so you not only save costs, you can also get rolling, fast.
If you’d like to know more, take a look at EDT’s website.