Why Do These Differences Exist?
For many countries outside the United States, the right to have one’s personal information kept private trumps any right to the kind of discovery necessary for a meaningful “day in court.” And with that right comes a much broader definition of “personal data,” as in the 1995 EU Data Protection Directive.
In the EU, for example, any information that identifies or can be used to identify an individual—sometimes, even a person’s name in an email—is considered personal data. That’s a pretty broad definition compared with the U.S., where personal data typically includes very specific information, such as social security numbers, certain financial information, and medical information covered by HIPAA.
This fundamental difference in how countries view personal data lays the groundwork for conflicting data privacy and protection laws.
The Two Pillars of Personal Data Protection
In general, there are two areas personal data protection rules tend to cover.
1. Restrictions on processing personal data.
“Processing” in this context is not limited merely to computer processing, but rather includes, for example, any kind of handling of personal data outside the normal course of an employee’s work. In the context of cross-border e-discovery, segregating, collecting, or searching such data is all considered processing. Even issuing a legal hold notice to preserve certain information for legal reasons can be interpreted as unauthorized “processing.”
There are certain authorized reasons for being able to process personal data, such as when it is necessary to process it for the benefit of an employee, as in the context of payroll and benefit administration. But in other contexts, especially transnational e-discovery, no blanket authorization exists. For example, in some countries, data protection authorities or works councils must approve the manner in which, and the extent to which, personal data is processed in order to protect employee data privacy rights. These hurdles vary across countries—even within the EU—because the EU Directive only sets a floor, not a ceiling, for the regulation of personal data.
2. Restrictions on transferring personal data.
Many jurisdictional laws prohibit—or at least limit—cross-border data transfers. In the EU, you may not transfer personal data outside the host country unless the country to which you’re transferring it has adequate data privacy and protection safeguards in place. All of the EU countries—as well as a smattering of other countries, such as Argentina and Canada—have safeguards deemed adequate, but the U.S. does not. Thus, transferring data from such a country to the United States is often a hurdle.
That’s not to say there aren’t alternatives. The U.S.-EU Safe Harbor framework, for instance, says that if certain rules are followed by U.S. companies, those companies can transfer personal data from the EU to the United States. Other options include Binding Corporate Rules and EU Model Contract Clauses. But there’s one huge catch—none of these options supports the cross-border transfer of personal data for litigation discovery purposes, putting many companies back to square one.
More change is on the horizon. After a multi-year process, the pending EU General Data Protection Regulation (GDPR), an effort to harmonize data privacy and protection across Europe, is now being finalized. The EU Commission, the EU Parliament, and the Council of the EU have all approved versions of the regulation, and they are now working on the final version. The goal is to finish the process by the end of this year or early next year, with the changes becoming effective two years later. Among the provisions under consideration are substantially increased fines for data privacy and protection violations, enhanced data breach notification requirements, a requirement for medium- and large-sized companies to have a full-time Data Protection Officer (DPO), and a mandate that all IT systems that handle personal data incorporate “Privacy by Design” principles to monitor, manage, and ensure security for all personal data in the organization.
Preparing for International e-Discovery
As with many e-discovery challenges, cross-border issues are best handled proactively. Whether you’re involved with international matters now or not, you should be able to confidently answer “yes” to the following questions:
- Am I aware of the different data protection and privacy risks? If you’re a company with an international presence, you should be aware of the sometimes conflicting laws and regulations for each country in which you do business.
- Do I have a team with enough litigation experience? Ideally, you should have attorneys on staff who have litigation experience that serves the complexity of your global footprint, as well as expertise in one or more of the following fields:
  - Computer science and programming
  - Information security training
  - Information governance and records management
  - Privacy law and consulting
  - Project management
- Do I have technology to help limit the costs of international matters? Technology is a window into your data—take advantage of it. For example, you can use tools like Relativity’s Collection scout feature to see whether there is data that might be relevant to claims and defenses before incurring the high cost of loading and reviewing everything.