In October, the High Court of the European Union made a ruling that nullified the existing Data Safe Harbor agreement between the EU and the U.S., which since 2000, outlined rules allowing the transfer of protected data from Europe across our borders. The safe harbor agreement provided a way for U.S. companies to migrate personal data originating in the EU, to the U.S. for e-discovery and regulatory purposes, in a way that was consistent with the EU Data Protection Directive.

Because smooth operation of the global economy requires consensus between the U.S., EU, and others data protections, the U.S. and EU came forth on February 2 with a new agreement, the EU-US Privacy Shield. The details of this agreement are yet to be announced, but for now, Privacy Shield serves as a (presumably stricter and more enforceable) replacement for Safe Harbor, and aims to bring some consistency in ensuring privacy when data is shared internationally. The next step in implementing the new framework is a draft "adequacy decision" from the EU, which is expected in the short-term and will provide more details on the new program.

FTI Technology Senior Managing Director Jake Frazier recently contributed an article to Bloomberg BNA, discussing the nuances of these developments, and outlining steps that can help ease the burden of cross-border e-discovery in the interim. These are summarized below; and can be read in greater detail in the Bloomberg article here.

Easing the burden of cross-border e-discovery

  • Identifying sources of sensitive data, or corporate "crown jewels," and remediating that data into a secure repository under lock and key.
  • Implementing and enforcing data deletion policies to eliminate potentially sensitive data that does not need to be saved.
  • Ensuring proper authentication controls to restrict access to sensitive data.
  • Prioritizing budgets to put in place the most reliable security hardware, software and systems.

Jake notes that while Privacy Shield is a piece of the puzzle, and important to understand, it shouldn’t be the single driving factor in implementing sound information governance and data security. There are countless drivers – from data breach prevention and e-discovery cost containment to privacy protection and FTC compliance – to put information governance at the forefront of critical business discussions and prioritize programs that can proactively address these issues.