Will the GDPR bring a new wave of change for e-discovery?

If you think the looming General Data Protection Regulation (GDPR) is just a European anomaly that won’t have much impact ‘across the pond’, think again.

In the wake of the Facebook/Cambridge Analytica breach, the GDPR will trigger an overarching privacy framework that increases the territorial scope of European data protections, including a stronger “right to be forgotten” and stringent consent requirements.

It will have broad international ramifications, and it will impact traditional litigation practices in the US, like e-discovery.

It’s also poised to become the new international privacy standard, by default, because it’s practically impossible for global companies to segregate data protection by region.

In fact, some of the largest international corporations (like Facebook) have already indicated they will be applying GDPR standards globally. That sets a precedent.

So, what does the GDPR mean for e-discovery?

It means our work will become more difficult. Much more difficult.

Any entity, located in the EU or elsewhere, that collects or processes data that contains personal data about EU residents must comply with the new framework. And, collecting and processing data is pretty much what e-discovery is all about.

So, given the inconvenient reality that many US cases require evidence from the EU, this IS going to be an issue. A big issue, particularly in light of the fact that the penalties for violating the new provisions are severe – a fine of four percent of an organization’s global gross revenue or €20 million (whichever is greater).

Simply put, the stakes are high.

Obstacles on the horizon.

One immediate challenge relates to the strengthened requirement for consent. Data subjects must be given sufficiently detailed notice of a data request. It must be given in an intelligible and easily accessible form and the language must be plain and clear.

These new arrangements haven’t yet been stress-tested in the real world so there are many ambiguous scenarios ahead for companies, law firms and e-discovery service providers.

For example, consider the collection of email. Normally we think of email in terms of a single ‘data owner’ or custodian. However, a single email box typically contains personal information relating to thousands of senders and recipients. These could all be ‘data subjects’ in terms of the GDPR definitions. So how does one ascertain which ‘data subjects’ are EU residents? Is consent from the custodian enough or could it be argued that consent from every “data subject” represented in an email box is required? It may seem an absurd proposition, but a literal interpretation of the new regulation could lead to that conclusion.

Also, what should happen when a data subject exercises their ‘right to be forgotten’ in the middle of a lawsuit or investigation? And when does a company’s “legitimate interest” in processing an individual’s data without their consent outweigh individual privacy rights?

We don’t yet have the answers and there will undoubtedly be more practical challenges that are not yet envisaged.

How do we prepare for this brave new world?

There are a number of things to consider. First, it might be prudent to review your e-discovery practices on the assumption that GDPR could evolve to become a new international privacy standard.

One practical option when faced with EU data collection challenges might be to ‘take the tools to the data’ so the whole project can be managed on-site or at least in-country.

If the collection, analysis, review, and even production is performed at the source EU location, the challenges may be alleviated and potentially side-stepped altogether.

In other cases, it may be possible to avoid the normal e-discovery debacle altogether. For example, instead of rushing to over-collect and process mountains of irrelevant documents, the legal team might benefit by focusing first on interviews with key persons of interest to glean early insight into the facts and use this knowledge to narrow the issues as early as possible. That might facilitate a more targeted, lower volume, collection – one that minimizes complexity, risk and cost.

It may also be possible..


This article first appeared on High Performance Counsel here

#GDPR #ediscovery #litigation #privacy



Christopher McNaughton

An expert in data leakage, insider risk as well as sensitive information discovery, classification & protection

6 years ago

Another excellent and insightful article from Jo Sherman.

Dominic E. Piernot

OSINT | Cyber | Forensics

6 years ago

It will also mean: collect, review and host IN country and support the client with local expertise

Jens Bieler

CEO at B71 Consulting Ltd.

6 years ago

Good thoughts. As David said "better get PREPARED!!" With an end-to-end concept as Maria said, I think collecting data will be easier and reduce the risk of over-collecting data. We have the tools and the knowledge so get PREPARED!!

Maria Pisa

Partner Technology Consulting - Cyber Security

6 years ago

Good thoughts, all true - there may be a reason it’s not elaborating on the challenges of operationalization. Data discovery for GDPR can only make sense (economically, operationally) within an end-to-end Concept that reflects business requirements and integrates with an efficient privacy function.
