“How horrifying to wake up that morning and find we planned to eject ourselves from the EU.” – Chris Dale, the eDisclosure Information Project
At Relativity Fest and on his own blog, Chris Dale has made no secret of his surprise at the United Kingdom’s referendum to leave the European Union this past summer. The decision will undoubtedly have lasting effects on the politics of Europe, the legalities of international business, and the nature of cross-border e-discovery.
During a Relativity Fest panel in October, Chris Dale joined moderator David Horrigan of kCura; Meribeth Banaschik of Noerr LLP’s Duesseldorf, Germany office; Patrick Burke of Seyfarth Shaw; and Edward McAndrew of Ballard Spahr for a deep dive into Brexit, the recent Microsoft case regarding US search warrants for data stored overseas, and issues of privacy in today’s digital age. These are some key takeaways from their discussions.
Takeaway #1: Ready or not, Europe will see the GDPR in play before Brexit is finalized.
There was some discussion among the panelists that Brexit is not yet a sure thing—the British government, after all, may not follow through on the result of June’s referendum. Either way, the vote’s impact is being felt across Europe.
“We in Germany were just as shocked as most of Britain when the Brexit vote passed,” noted Meribeth Banaschik. “There will be many consequences we can't anticipate, but we know that uncertainty and change usually lead to disputes. From the perspective of the US, where most cases settle, it makes sense that people about to embark on litigation focus on alternative dispute resolution (ADR) clauses, reaching out to opposing counsel and clients, and resolving what were once seen as boilerplate issues before they’re forced into playing guessing games.”
The possibility that the British government would ignore the people’s vote is unlikely, but the fact remains that untying the UK from the EU will take time—and the EU's General Data Protection Regulation (GDPR) is due to take effect long before the two say goodbye.
“The minimum period before leaving the EU is two years. That means the GDPR will pass before we are out of the EU, and we will be compelled to comply with it,” said Dale during the discussion.
All of this is driving an interesting collision of privacy preparations surrounding both GDPR- and Brexit-related concerns for international organizations, according to Patrick Burke:
The overwhelming majority of my clients, when looking at the GDPR, were hoping to be based in the UK and deal with these rules there. Now they assume it should be Ireland or some other country. There will be an explosion of hiring of privacy officers, and we'll need them. … I've found for the first time that American clients were taking the privacy thing seriously starting last December when the privacy shield was going on. They were paying attention. When the GDPR passed, they started projects for the first time on data security and having lawyers looking at their data flows. That's continued.
Takeaway #2: Brexit will change the way Europe litigates.
Currently, the EU’s laws allow organizations to file claims and begin litigation in one of several countries, depending on where the issue at hand occurred and where the damages occurred.
“People may choose to litigate in the UK because disclosure is enabled, or Germany, where cases may not involve disclosure. Germany also has no juries, and the loser pays for litigation,” explained Banaschik, adding that there will still be reasons for litigating in the UK.
Removing themselves from the EU could mean that these cross-border options on where to litigate no longer exist, leaving organizations to strategize differently as litigation arises.
Additionally, the matters themselves could be complicated by Brexit. As Dale noted: “We've been in the EU for 40 years and absorbed laws from there. Many contracts took advantage of that. How many contracts will have to be unraveled because terms are unclear this week when they were clear last week?”
Organizations will have to be prepared to audit their legal agreements before litigation if they want to avoid doing that unraveling in court.
Takeaway #3: The privacy vs. security question is challenging—and it’s getting more complicated.
The news around government demands for data isn’t new anymore—it seems another big story puts data privacy in the spotlight every quarter, as both domestic and international investigations come under scrutiny. The question is always the same: is individual privacy more important than criminal investigation?
“If the National Security Agency is accused of bulk collection, the US government would say it's actually performing a targeted collection—it just happens to be targeting all of the data. Regarding international privacy and foreign intelligence, mass surveillance is a big issue that is not going away,” Edward McAndrew asserted.
Earlier this year, the Microsoft case—in which the company and US prosecutors argued over whether a US federal court could compel Microsoft to produce data from an Irish data center for an American criminal investigation—made waves as the tech industry rallied to successfully appeal a judge’s ruling compelling Microsoft to turn over the data. But the victory for Microsoft doesn’t make the issue black and white.
“The Microsoft case is interesting and accumulates with other things going on around the question of who can compel data from companies. Who would entrust their data to a US cloud provider if US authorities could put their fingers on it at a whim?” asked Dale during the panel’s discussion of the matter.
McAndrew came back with a different question: “The government perspective on this is simple. Can a US court issue a search warrant to a US-based company for data it has possession, custody, or control over? The company is capable of getting and producing this information. So does it matter where the data is physically located?”
By leaving this question unanswered, McAndrew emphasized the difficulties that government bodies and corporations alike face in court cases involving international data storage. “We're at a point where ISPs are producing only those individual letters—not even whole words—of an email which are stored in a US location, because that's the way the cloud works. Everything is stored everywhere.”
And what does that current reality mean for today’s average case?
“I used to be fond of saying all investigations are cyber investigations,” McAndrew continued. “I now tend to think all cyber investigations are international investigations. These issues will continue to rear their heads and develop on the legal scale.”