By Ryan Costello, Esq., CIPP/E, CIPM
As originally published in ACEDS March 21, 2019.
The implementation of the European Union (EU)’s General Data Protection Regulation (GDPR) has raised a number of questions as to how best to approach cross-border discovery. Friction between legal holds and the “right of erasure,” anxiety about the scope of collections amid data minimization requirements, and considerable financial and operational penalties for failure to comply with the GDPR have created an environment of trepidation about how, and where, to best process, host, and review EU data in connection with US-based eDiscovery. In particular, the risk associated with data transfers and access to data has prompted a data location-centric and localized view toward the management of EU data that is subject to discovery.
But let’s stop for a moment and take a deep breath here.
The timorous approach of limited data transfer and localized-only management of EU personal data actually stands in contrast to what the GDPR is designed to do, which is ensure a high level of protection of personal data while ALSO facilitating the free flow of personal data both within the European Union AND to third countries (i.e. those countries outside of the European Economic Area).
Even with limited case law on the GDPR, and an enforcement picture that is still developing, we have regulatory guidance from the Article 29 Working Party (WP29, the group of regulatory representatives now referred to as the European Data Protection Board under the GDPR) which reflects an understanding of the need for data transfer in cross-border investigations and pre-trial discovery procedures.
By implementing appropriate data management across the EDRM that is adequate, relevant and limited to what is necessary in each discovery exercise, it is possible to strike a balance between discovery needs and EU data protection requirements.
More specifically, cross-border discovery success can be ensured by following a mindful approach to data transfer and access, steeped in awareness of not only the impacts and risks for data subjects and custodians, but also including the best practice methods and technical measures needed to ensure the security and confidentiality of data.
Such a mindful approach to cross-border transfer and discovery brings greater assurance and clarity, but is not without responsibility. It requires balancing data collection, processing, and data transfer requirements with an understanding of how best to approach the data protection rights of EU individuals. The key to gaining that certainty lies in the following recommended practices:
Assessing the impact for data subjects
Though it predates the GDPR, WP29 guidance on pre-trial discovery for cross-border litigation strongly promotes balancing the obligations of the discovery process with the potential impacts to the rights and freedoms of data subjects. Considerations should include the necessity and proportionality of data collected for discovery and ensuring that adequate safeguards and protections are in place.
There is little to suggest that these considerations have changed all that much under the GDPR. In fact, the need for organizations to document their decisions and analyses related to cross-border discovery “balancing” is underscored by the accountability obligations of the GDPR, and particularly via the data protection impact assessment (DPIA) requirement. It is possible to demonstrate the necessary awareness of, and commitment to, the protection of EU personal data by carrying out a DPIA with analysis of impacts to data subjects and ensuring the documented measures are in place for remediation.
In the event discovery is subjected to a regulatory oversight inquiry, the DPIA provides the appropriate documentation of GDPR compliance considerations and balancing of EU data protection requirements with discovery, as well as solid evidence of good faith data protection efforts.
Applying technical and organizational measures for security
Article 32 of the GDPR lays out the framework for implementing the technical and organizational measures required to ensure a level of security appropriate to the risks presented for data subjects. For discovery processes, this will mean ensuring ongoing confidentiality, integrity, and resilience of data processing and hosting systems, and could even mean instituting an approved certification mechanism to demonstrate advanced security implementation, such as ISO 27001.
While risk-averse organizations may have taken to limiting or eliminating data transfers and following a localized, in-country approach to data processing, hosting, and review to avoid the specter of GDPR enforcement, it can be argued that the real risk is in failing to approach the technical and organizational measures required for security in a holistic and well-thought-out manner. Think about it: data that exists in an insufficiently secure environment within the borders of a single jurisdiction is likely more at risk than data that is securely protected in its place of origin, while in transit, and in a cross-border location that is also securely protected.
The crux of these requirements is protection for the data subject, not limitations around data movements.
Accordingly, a mindful approach to cross-border discovery will look to the interests of the client by focusing on robust security, and not choking off the flow of data, as the real means to ensuring success and cost mitigation under the GDPR.
Ensuring lawful and secure transfer and remote access to personal data
Given the spirit, purpose, and intention of the GDPR as a means of protecting an individual’s personal information while also fostering the free flow of data, a position to keep data localized in the EU simply because of the GDPR’s limitations on transfers to third countries outside the EEA would seem misguided. Reality is more nuanced.
A mindful approach to data transfer is focused on ensuring that the data protection guarantees enjoyed by individuals in the EU are not lost when the data is transferred overseas. Carrying out discovery requirements solely in-country misses the point, and potentially at considerable financial and logistical/operational expense.
The transfer requirements of GDPR Chapter V are not intended to prohibit data transfers entirely, but rather to ensure that the appropriate safeguards exist when transfers take place to countries (such as the US) where substantially equivalent protections have not been defined for individuals.
Accordingly, a mindful approach to data transfers, as with other elements of cross-border discovery, entails considering how data subjects can be protected throughout the process.
Despite some continued concerns about its efficacy, the Privacy Shield self-certification mechanism allows for the transfer of data to the United States, and does so by extending GDPR protections to EU individuals. It has now passed annual review twice. Intra-company transfers are allowable under the Privacy Shield, as well as transfers to other Privacy Shield signatory companies.
Those organizations that do not have a Privacy Shield certification in place, or fall outside the jurisdiction of the Federal Trade Commission or Department of Transportation (the US Agencies which oversee the framework), can select standard corporate contracts (sometimes called model contracts), or Binding Corporate Rules (which are subject to direct DPA approval) as a means of transfer.
What all these transfer mechanisms have in common is that they ensure the appropriate safeguards are in place for data protection, including the appropriate security measures, in addition to providing for enforceable data subject rights and effective legal remedies for individuals. As with the entirety of the GDPR, the focus is on the individual and protection of their rights, not curtailing global business operations for the sake of keeping data in the EU.
If there was any doubt about the legislative intent and enforcement prerogatives, we also have guidance from the European Data Protection Board (EDPB) on the derogations for data transfer under GDPR Article 49, with specific reference to the circumstances of cross-border discovery and the necessity for transfer. The derogations are exemptions for limited, non-repetitive data transfers in specific situations where no other transfer mechanism applies, and Article 49(1)(e) provides an exemption for transfers “necessary for the establishment, exercise, or defense of legal claims.”
The EDPB guidance on this provision states that this derogation is intended to cover a range of activities, including formal pre-trial discovery procedures, civil litigation, and administrative investigations, such as in the anti-trust context. Accordingly, we have evidence here that not only are regulatory authorities aware of the fact that data transfers are an inevitable result of cross-border discovery, but they are in fact providing a clear means with which to carry out those transfers in a lawful manner, given the appropriate conditions and safeguards for data subjects.
It should also be noted that remote access to data located in the EU is considered a transfer under the best understanding we have at the moment, through limited European Court of Justice case law and WP29 opinions that pre-date the GDPR. That said, given what we know about DPA awareness of cross-border discovery transfer requirements and the free flow of data under the GDPR, there is a strong argument to be made that limited access to EU data by US-based processing and/or IT service teams is a permissible transfer, provided that access is adequate, relevant, and limited to what is necessary for the cross-border discovery process.
Clear implementation of protections for data subjects, documented considerations of risk remediation, and strictly limited access and oversight protocols will be substantial indicators of thoughtful consideration of the compliance requirements at play when determining an appropriate approach to remote access.
Serenity Now – Fostering Cross-Border Discovery through Careful Consideration of Data Protections
GDPR requirements are neither prescriptive nor proscriptive, and in a wave of uncertainty regarding what compliance frameworks should look like, how data transfers should be appropriately handled, and the potential sanctions for non-compliant discovery operations, organizations have been quick to consider in-country processing, hosting, and review as the only answer to meeting GDPR compliance.
However, a compliant approach to GDPR really requires a carefully documented analysis and consideration of the impacts for data subjects, and implementation of the best-suited security protections and appropriate safeguards given an organization’s litigation profile and cross-border operational structure. A degree of assurance and certainty can then be achieved with these measures in place. While some in-country data processing may still be necessary to ensure that personal data subject to cross-border discovery is indeed adequate, relevant and limited, there is nothing to suggest a prohibition on transfer is necessary or required. Further, limiting cross-border litigation expense and operational impacts is possible through a mindful approach to discovery. Namaste.