The European Union’s widely anticipated General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Designed to provide EU citizens with better control over their personal data, this comprehensive reform of data protection in the EU has far-reaching implications. But how and to what extent will this new regulation affect electronic discovery in U.S.-based civil litigation? Organizations subject to the GDPR should think critically about what specific steps to take when handling personal data before, during and after litigation.
Before Litigation: Focus on Information and Organizational Governance
Before litigation ensues, you should understand everything you can about your organization’s data. Conducting data inventories and mapping allows you to identify potential information governance issues, such as what types of data your organization handles, where that data exists within your systems, and how information generally flows within your organization.
It is also imperative to assess your organization. Do you have a Data Protection Officer? Are you currently subject to the U.S.-EU Privacy Shield? Does your organization have binding corporate rules (BCRs), model contractual clauses or other adequate transfer safeguards in place? The GDPR changes the existing data transfer mechanisms available to organizations subject to it, and the applicability of these mechanisms may depend on the answers to these questions.
For an in-depth analysis of preparing for GDPR compliance, see our previous client alert on connecting information governance and the GDPR.
During Litigation: Identify and Manage Risk
Does the GDPR apply?
Once you are facing litigation – or the threat of litigation – you should first determine whether the GDPR applies. It is important to highlight that an organization cannot avoid application of the GDPR because it operates outside the EU. Territorially, the GDPR applies to the processing of EU citizens’ personal data when that processing relates to (1) the offering of goods or services to EU citizens or (2) the monitoring of EU citizens’ behavior within the EU. The GDPR defines “processing” broadly as any operation that is performed on personal data and specifically includes activities such as the collection, use, disclosure by transmission, and dissemination of or otherwise making available personal data. Thus, the activities undertaken to preserve, collect, process, analyze and produce personal data during litigation all constitute “processing” under the GDPR.
You should also determine whether the litigation implicates “personal data” under the GDPR, defined as “any information relating to an identified or identifiable natural person (‘data subject’).” This includes examples such as name, identification number, location data, online identifiers, or factors that are specific to a data subject’s physical, physiological, genetic, mental, economic, cultural or social identity.
The GDPR also governs the movement of data across borders pursuant to U.S. discovery obligations. The GDPR applies to “[a]ny transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization.”
Handling Personal Data
Once you have determined applicability of the GDPR, your immediate goal should be to identify and minimize the scope of relevant personal data preserved under a legal hold. In parallel, you should also investigate whether you are able to secure relevant evidence through alternative means, such as interrogatories and/or deposition testimony.
It is also prudent to include explicit requirements regarding the handling and protection of personal data within a joint ESI protocol. The protocol should state that personal data preserved, collected, produced or otherwise processed should be the minimum necessary for the purposes of the litigation. Furthermore, any personal data should be processed lawfully, fairly and in a transparent manner; collected and used only for the specified, explicit and legitimate purposes of the litigation; handled in a manner that ensures appropriate technical and organizational security of the personal data; and deleted if and as soon as determined to be unnecessary for the litigation.
Beware of Custodial Consent
Practitioners should beware of issues pertaining to custodial consent. It will be much harder to obtain valid consent from data subjects under the GDPR, which requires that consent be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” (Recital 32). In other words, data subjects must be given an informed and meaningful opportunity to consent and also to withdraw that consent at any time. As such, practitioners should not pursue consent-by-default or mass opt-out consent strategies for multiple data subjects in litigation. Caution should also be afforded in circumstances involving power imbalances, such as when an employer is seeking to obtain consent from employees, because it is questionable whether any consent in those circumstances can be freely given.
Moreover, when discovery obligations under U.S. law and the protection of personal data under the GDPR conflict, a custodian may refuse to comply with U.S. law and not give consent. It might be possible in this scenario to redact the personal data from this custodian’s documents, but this approach is often not feasible when, for example, the redactions needed would be too numerous or unduly burdensome to complete, or the data subject is an important custodian in the litigation. It is not yet clear how and to what extent U.S. courts will handle this tension, but you should be aware that it exists. There might be room to argue that a custodian’s refusal to consent to the processing of their personal data for U.S. litigation purposes and the monetary threat of violations under the GDPR are factors that should be considered when weighing proportionality under amended FRCP 26(b), specifically “whether the burden or expense of the proposed discovery outweighs its likely benefit.”
Anticipate Data Subjects’ Rights
The GDPR affords several new…