A Primer on Data Protection and eDiscovery – Part 1 (revised)

Blair_Stephanie_11438_4x5By Stephanie Blair (pictured top left), the founder and practice group leader of global law firm Morgan Lewis’s eData Practice and Laura M. Kibbe, of counsel in Morgan Lewis’s eData Practice.
In 1969, the Apollo mission landed three men on the Moon, with the help of the Apollo Guidance Computer. According to Google, just running a single search query today utilizes roughly the same amount of computing power that was used to plan and execute the entire Apollo program. As anyone with a smart phone knows, the world is growing more interconnected every day. Not only do we carry around computers in our pockets, they can be found in everything from children’s toys to refrigerators to light bulbs. It is the dawn of the “Internet of Things.” All of this information is tracked, compiled, analysed, and stored – somewhere. This is Big Data. At the same time, the world is also growing smaller. Teams working on a single project are often made up of people working in multiple time zones, in multiple countries, speaking different languages—all in instant communication with each other at the press of a button. Big Data and the globalisation of business present us with some unique, competitive benefits but also some challenges in the legal landscape.
Kibbe_LauraHaving so many facets of company information available electronically allows today’s global company to analyze data more quickly and efficiently and therefore be able to examine trends in purchasing/selling habits to better manage inventory, supply chains, and pricing. Employees’ performance can be evaluated to enhance efficiency and productivity. But in order to maximize Big Data’s analytical capabilities, data needs to be made uniform and accessible. As a result, to enable collaboration, increase productivity, and improve disaster preparedness, data creation, storage, and access should be as streamlined as possible. It may therefore make good business sense to try to keep everything in a central location and utilize cloud technology to allow it to be accessed remotely from diffuse locations. The increasing centralization of IT infrastructures to maximize the benefits of Big Data and decrease costly potential overlap is one of the major IT trends of the last few years. This consolidation is not without risk, however, as companies endeavoring to consolidate or outsource to a single provider can unwittingly find themselves in direct conflict with many of the world’s privacy laws, particularly if that consolidation is to happen in the United States.
The Conflict between Data Protection and Discovery
One example of this conflict that is requiring more and more compliance is when handling U.S. discovery. As companies are globalizing, information that may be relevant to a U.S. litigation or investigation may now be found overseas in the files of individual employees working for the company. Where the email or other files of these foreign employees are needed to respond to the litigation or investigation, the company will find itself in direct conflict with European data protection laws is in the arena of personal data. In the United States, case law and general attitudes towards privacy conclude that any material created in the course of one’s employment, particularly while utilizing systems provided by one’s employer, belongs to the employer. The person creating that information no longer has the right to control that information or protect it from disclosure, even if personal in nature, absent some other protective law. This is quite different in Europe and in other countries.
As evidenced by the recent Right to Be Forgotten decision in the Court of Justice for the European Union (CJEU), the person creating personally identifiable information is the permanent owner of that data and has the right to prevent its dissemination. This is true whether or not the person creating the data does so in the course of his or her employment or whether the person uses his or her employer’s systems to do so. This right has been codified in Directive 95/46/EC of the European Commission (“the Directive”). The Directive has been adopted by all member states of the European Economic Area (“EEA”), a group composed of the members of the European Union (“EU”) as well as Norway, Iceland, and Liechtenstein. Most of these nations have created Data Protection Authorities (DPAs) to execute laws implementing the Directive’s provisions.
The Directive protects “personal data” from transfer to jurisdictions that do not meet the same level of data protection as in EEA member states. While it could be argued that some type of business records may not be considered “personal data,” many records including email communications—are specifically covered by the Directive.
Once it has been determined that the Directive applies to a particular data set, the local jurisdiction whose data protection law will apply can vary, depending on the location of the subjects of the personal data, the party in control of the data, and the party that is going to be processing the data.
The genesis of the Directive can be found in Article 8 of the 1950 European Convention of Human Rights, which provided for the right to privacy of correspondence. The Directive mandates that member states protect those privacy rights. However, the Directive also specifically calls for the free flow of that information among member states as needed under applicable laws.
Because the Directive is adopted and implemented separately by each member state, there are a number of inconsistencies in the law’s application. For that reason, it is important to always examine the specific requirements of all jurisdictions involved in a particular situation. For example, violations of the French data privacy act can result in criminal charges, while violations of the UK data privacy act have not been criminalized. These inconsistencies can make the movement of data by a global company even more challenging.
In 2012, the European Commission developed a proposed General Data Protection Legislation (“Proposed Regulation”) that had the stated aim of harmonizing data protection rules throughout the EU. As an EU regulation, this legislation would be self-implementing and would apply directly—thereby superseding national data privacy act rules. While most national DPAs have welcomed the prospect of more uniform rules, the Proposed Regulation’s specifics have been somewhat controversial. Since it was initially proposed, the Proposed Regulation has been amended several times and still has not been formally adopted. Even after adoption, it will likely face a transition period of several years prior to full implementation.
Nevertheless, there remain certain principles common to the majority of the existing EEA data privacy acts. For the most part, data privacy acts apply to the processing of personal data where the processing is done by automated means. There are generally three parties involved in this activity: the data subject, the data controller, and the data processor.
Personal data means any information that relates to an identified or identifiable natural person. That person is the data subject. This definition changes in interpretation among DPAs, and even within member states. For example, in the UK, the Court of Appeal determined that mere mention of someone’s name is not enough to cause the data to be classified as personal. In contrast, the Information Commissioner’s Office criticized that decision and stated that even information that could “have a resulting impact upon the individual” (e.g., taxi location data) could be personal data. In addition to more usual sources of personal data such as emails or social media posts, personal data can include lists of meeting attendees, IP addresses, or any other means that would allow a third party to directly or indirectly identify an individual.
The next party involved is the data controller, i.e., the “person, public authority, agency, or any other body which . . . determines the purposes and means of the processing of personal data.” This party is key, as most of the provisions of the Directive only apply to the conduct of the controller. It is up to the controller to make sure that no personal data is processed where there is no legal right to do so, and that it is processed in accordance with the Directive’s requirements. Personal data must only be processed if it is required by some legal obligation, the protection of the vital interests of the data subject, or necessary to the public interest.
The controller is also responsible for ensuring that the data processor (the party ultimately handling the personal data) handles the data properly. This entails making sure that the data is only utilized for the purpose at hand and that only personal data needed for that purpose is processed. In addition, the processor and controller must ensure that any inaccurate or incomplete personal data is rectified or erased. Finally, if the purpose for using the personal data can be served while removing the data’s identifying characteristics, the controller and processor should do so.
Throughout the process, it is up to the controller and processor to always take all “reasonable technical or organizational precautions” to preserve the security of the personal data. This includes not only protecting the data against hacking or other disclosure, but also to preserve it from accidental loss.
The European Commission is presently working to update and reform European data protection. The Commission has stated that it seeks to strengthen protections for personal data while also lowering administrative hurdles to allow for the lawful transfer of data within and outside of the EEA. The nature of technological change and globalization means that this area of law is subject to frequent change and it is important to keep current with the regulations applicable to data’s location and potential usage.
Knowing the parties, however, is the “easy” part. Even if you overcome the hurdles of finding out which jurisdictions and players are involved and the data has been processed, transfer rules may vary from jurisdiction to jurisdiction.
Considerations for Other Jurisdictions
This is where things really get tricky for international entities—particularly when dealing with both EEA member states and no-members. Most DPAs allow for transfer among EEA member states or to other countries who have “adequate” protections in place for personal data. The Directive specifically recognizes Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, and Uruguay as having adequate protections in place to allow free transfer of data. The United States, however, has been specifically excluded from the list of nations with adequate protections.
Outside the EU, several other countries are enacting or amending their existing privacy laws to provide for similar administrative hurdles to transfer. As an example, in Japan, the Personal Data Protection Act (“PDPA”) defines personal information as any information that can identify a living individual. This definition is intentionally broad and would include even publicly available information. Any mechanism that allows this information to be collected, organized, searched or otherwise easily retrieved is classified as a Personal Information Database. Any entity that uses such a database is subject to the requirements set out by the PDPA. The entity must make a public announcement of the use of the data, and consent must be obtained for any use outside of that announcement. There is a general prohibition against sharing data with third parties—including affiliated entities—except in very limited circumstances. The security and integrity of the personal data must also be protected at all times. Breaches of the PDPA can result in both criminal and civil penalties.
Even in countries without an established data protection law in place, there are often related laws on the books or legislative efforts underway to adopt more stringent personal information protections. For example, in Brazil, a new Data Protection Bill has just entered public debate. If passed into law, the Bill would bring Brazil’s data protection regime more in line with that of the EU. In other countries, laws are on the books that provide stringent nominal protections. However, practical and bureaucratic issues may limit implementation and enforcement. Permutations of privacy law are as diverse as their creator nations. Thus, if seeking to process or transfer personal data from any country outside of the United States to the United States, it is important to research all applicable privacy laws and regulations or to obtain the assistance of someone familiar with them.
So what is a global company to do? Simply retreating within national boundaries is not an option. Yet, all is not lost. These difficulties and differences, while large, are not insurmountable. There are mechanisms in place—including Safe Harbor, Standard Contractual Clauses, Binding Corporate Rules (BCRs), and various other bilateral and multilateral agreements, to help bridge that divide. Once you have identified the various jurisdictions at play, be sure to work with local counsel or other experts to successfully navigate data protection waters while maintaining efficiencies and synergies. (Part 2 on Monday 16 March)