NOT LEGAL ADVICE. This non-exhaustive Letterman-style list is to help you spot the GDPR’s potential impacts on data collection and production in litigation involving EU persons.
Overview (10. – 6.)
10. The European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It applies to the processing of “personal data” of EU citizens and residents (a/k/a “data subjects”). A major stick to force compliance is that, now the penalty for a company’s violation of GDPR could be as high as the greater of: 4% of a business’ worldwide gross revenue; or €20 Million ( ≈ $24 Million).
9. “Personal data” is defined much more broadly than under U.S. privacy law to include “any information relating to an identified or identifiable natural person.” That could include work email addresses, communications and more that are tied to a unique individual. The law imposes restrictions on collecting and “processing” (also broadly defined) personal data of EU data subjects, even when employed by U.S. companies in the EU.
8. Absent a legally recognized exception/mechanism non-anonymized personal data cannot be transferred to a non-EU country that fails to provide “adequate protection” to private information. In general, personal data of a “data subject” (such as an employee, a user/customer, etc.) may be collected and/or processed and then transferred to the U.S. only if the individual has provided clear and verifiable consent.
7. There are, however exceptions to the consent requirement, such as “legal basis” (“legitimate interest”) and for “establishment, exercise or defence of legal claims.” And, as to the cross-border transfer requirement, there are exceptions (some of which are under legal challenge or as yet have other uncertainty as to viability).
6. A company or service provider (including a law firm) is responsible for contracting with, and monitoring (to the extent possible) all entities that may directly or indirectly receive personal data downstream (via “onward transfer”). Examples of such downstream providers/vendors include co-counsel, local counsel, eDiscovery providers, opposing counsel and the like.
EU eDiscovery To Do’s in a Lit. Matter (5. – 1.)
5. Intake: Ascertain if EU “personal data” owned by the client is within the scope of the discovery or government-inquiry response in the matter. If so, find out:
a) What are the volumes and sources?
b) Has the client undertaken a GDPR preparedness / compliance project (perhaps via your firm’s Privacy/ Cyber Group)?
c) Does the client have a Privacy (Compliance) Officer who owns a pertinent process?
d) Does the client have local counsel “in country”; and, if not, does the client want you to help it line up same?
4. Law and Tech Resources: Early on, seek the consult, and ask law and technology questions of, the most knowledgeable folks inside and outside your firm.
3. Litigation Hold: Assess what the scope should be and decide whether or not individual verified consent(s) is/are needed and/or advisable. If consents will be prepared, do your best to be very clear as to scope, time frame and onward transfer(s). Find out whether any EU custodians have made requests to their employer for “erasure” of, or access to, their personal data, and whether those requests have been acted upon. Establish a procedure with the client as to what to do if preserved data becomes the subject of a future erasure or access request.
2. Meet/Confer – ESI Order or ESI Part of 26(f) Initial CMC Order: Perhaps seek staged/phased discovery by which your client does not have to produce EU personal data unless and until the case gets to a certain point, e.g., and unless a protective order is entered by the Court. Include as requirements for opposing party and its counsel and vendors: data-security standards, e.g., encryption (and specific encryption minimums for data at rest and in transit) and also redaction processes.
1. Collection/Culling: If EU data collection is needed, consult with those most knowledgeable at your client, your firm and tech vendor to develop a collection plan to determine whether, given the volume and sensitivity of data, culling and anonymization of data should take place “in country” before transfer to the U.S.
Be careful out there!
Originally published on the IT Law Today blog on June 20, 2018.