What you need to know about GDPR and Privacy Shield
Julia Chain ponders what future eDiscovery considerations will arise from regulatory and information governance demands
With exponential data growth, the proliferation of data sources from mobile, cloud, and social media technologies, growing litigation in the current economic environment, and increasing regulatory and information governance pressures, law firms and corporate legal departments face greater challenges today than ever before.
To mitigate risk, firms and corporate legal departments need to understand and comply with the upcoming General Data Protection Regulation (GDPR) and Privacy Shield annual review. The following trends outline current key considerations for data controllers and representatives with respect to the impact on future eDiscovery obligations relating to litigation, regulatory investigation, and other similar matters.
With the GDPR set to take effect in May 2018, those organisations processing or in control of personal information should be busy considering the breadth of their obligations. Developing solutions to tackle the many requirements may feel like an almost insurmountable task. However, the stakes for non-compliance are high as even inadvertent breaches of sensitive data will likely carry significant fines.
Data privacy can be at its most vulnerable when an organisation entrusts data to a third party. Under the GDPR, those tasked with processing data on behalf of a 'controller' will now be held to the same standard of responsibility as those who were charged with protecting that data in the first place. However, it's noteworthy that the burden of protection will remain with the 'controller.' For this reason, it is imperative that law firms and legal departments ensure that their third-party providers have all the checks and balances in place to handle and inform upon the obligations set forth by the regulation.
Organisations should ensure that they consider all aspects of the regulation, including relationships with vendors, such as eDiscovery providers, when performing policy and procedure assessments and when considering their general readiness for compliance.
In October 2015, the Safe Harbour Framework for the transfer of data from the UK to the US was declared invalid, leaving transatlantic data transfers in a state of limbo, albeit a temporary one. Privacy Shield was agreed and installed in its place in July 2016.
However, the shield has endured a number of criticisms since its implementation, most recently from a resolution passed by the European Parliament. With an annual review due in September this year, there are a number of challenges that Privacy Shield faces, from actions of the new presidential administration in the US and changes in federal law, to legal challenges and issues raised by data protection authorities in the EU.
If the shield is to survive the annual review, then it will need to evolve to bring clarity for global organisations (particularly US based) relating to their data privacy obligations, including cross-border eDiscovery. Should it fail to evolve, transatlantic data flows may again fall into the abyss of uncertainty.
Learning from others' mistakes
There have been a number of recent cases that are perfect examples of 'how not to do' eDiscovery. In the US, the case of Shaw v Elting highlighted the cost of taking the wrong approach, with sanctions of over $7m following the 'unusually deplorable' actions of the claimant.
In the UK, the case of Michael v Phillips offers some interesting details - the actions of the defendants were so extreme that their defence was struck out, meaning that they were not able to defend the claim against them.
These cases highlight failures in the early stages of eDiscovery and data spoliation. Law firms and in-house legal departments will glean insight on the pitfalls to avoid.
Julia Chain is managing director of Advanced Discovery UK