Sedona Working Group 6, Data Privacy Best Practices & Brexit
QA with Craig Earnshaw, Senior Managing Director, FTI Technology
For those that aren't familiar with The Sedona Conference, or Working Group 6, can you talk a little bit about who's involved in the organization, and what the goals are?
Craig Earnshaw: The purpose of the Sedona Conference is to bring together the key lawyers, e-discovery service providers, in-house counsel, regulators, members of the judiciary and other regulatory bodies aimed at, in Sedona’s own words, “moving the law forward in a reasoned and just way.”
Working Group 6 is part of the Sedona Working Group Series, and is focused on the international issues associated with information management, discovery and disclosure. The primary aim of the group is to identify and address issues that arise at the intersection between cross border disputes and investigations, differing legislative and regulatory landscapes, and e-discovery / information governance. A good example of the work that WG6 has done is to publish “The Sedona Conference International Principles on Discovery, Disclosure & Data Protection”, which gives practical guidance for handling situations where EU-based documents and data are required to be disclosed in US-based litigation proceedings.
The people who attend the Working Group 6 events are typically drawn from a wide range of backgrounds but are involved with the intersection of cross-border disputes and investigations on a day-to-day basis. This includes disputes and investigations lawyers, US regulators, European data privacy authorities, in-house counsel and e-discovery practitioners, US judges, academics, and other e-discovery experts.
What would you consider to be some of the key challenges when it comes to data privacy, and having a working, tenable solution for cross border matters?
Craig Earnshaw: A key challenge is awareness of the different pieces of data privacy legislation – on a country by country basis, and also an industry by industry basis – that can impact cross border disputes and investigations. The requirements that exist in Germany may be different from the requirements in the UK, and different again from the requirements in Argentina.
Staying aware of all of the various laws and acting in compliance with them is no easy task. How are you informing employees if there are notification requirements to preserve and review their documents in a particular jurisdiction? What mechanisms and protections are you using to move data from one jurisdiction to another? Does any information need to be redacted from documents prior to international transfer if they’re being disclosed in a civil litigation that doesn’t need to be redacted if it’s disclosed in relation to a regulatory investigation?
Can you talk about any recent developments that were discussed at the Sedona meeting?
Craig Earnshaw: In October last year, the EU-US Safe Harbor scheme was declared invalid. This was one of the main ways in which corporations transferred documents from Europe to the United States that were required in disputes and investigations. An Austrian privacy advocate named Max Schrems filed a claim on the basis that he believed that Facebook wasn’t adequately protecting his personal data by transferring it from Ireland to the US under the protection of the Safe Harbor scheme. This ultimately led to the European Court of Justice ruling that the Safe Harbor scheme did not provide an adequate level of protection for personal data that was transferred from Europe to the US, therefore it was declared invalid. This caused a big wave in the data privacy world because Safe Harbor was a long-standing mechanism that allowed the transfer of personal data from Europe to the US, providing that the requesting company was certified as complying with the requirements of the Safe Harbor scheme.
Following the declaration of Safe Harbor as being invalid, there has now been a draft of a new piece of legislation that's currently being referred to as the Privacy Shield. This is essentially a revised version of the Safe Harbor scheme and is currently in review with various parties, including European Data Protection Authorities through their umbrella organization, the Article 29 Working Party. Whilst the Article 29 Working Party regarded the current draft of Privacy Shield as a “significant improvement” to the Safe Harbor scheme, it was still lacking in a number of key areas. Consequently, the Privacy Shield draft is now being reworked to strengthen it in a few key areas, which will again be reviewed before it gains widespread support.
The second key development is the impending General Data Privacy Regulation, or GDPR, which will be implemented in the EU’s 28 member states in May of 2018. The current principal piece of data privacy legislation in Europe is the Data Protection Directive, which is in force in each of the 28 member states in different ways. The new GDPR legislation is designed to harmonize the implementation so that it’s consistent throughout all of the EU. It will also include some other important changes, including fines of up to four percent of worldwide turnover for corporations that fail to comply with the GDPR’s data privacy requirements.
Will bigger fines change behavior?
Craig Earnshaw: To date, the fines for non-compliance with data protection legislation have typically been low. As an example, there has recently been a series of three small fines levied by the Hamburg Data Protection Authority. It found that three corporations were continuing to transfer data from Europe to the US after the annulment of the Safe Harbor scheme, and that these corporations hadn’t implemented suitable protection mechanisms for the employee data being transferred to the US. Fines totaling €28,000 (approximately $32,000) across all three matters were subsequently issued.
A $32,000 fine for a global corporation is not a significant amount of money, and there have not been a lot of prosecutions of companies failing to comply with the international transfer aspects of data privacy laws. When U.S. government agencies and the US judiciary look at the size of the fines and number of prosecutions, they may not give much weight to the argument that “we can’t produce those documents because of European data privacy laws”. This is likely to change when the GDPR comes into force, with the increase in fines for breaches of the legislation.
Are there any best practices that you would advise clients to keep in mind?
Craig Earnshaw: Yes. I’ve worked on dozens of these cross-border matters over the years and there are quite a few best practices. A good start is for a corporation to implement an information governance strategy. The corporation should assess where its data resides, where its data may need to go, and what mechanisms they can put in place that will allow them to defensibly disclose data in key jurisdictions.
There are ad hoc protocols that could be put in place, known as Standard Contractual Clauses, that provide protection for personal data enabling it to be transferred from Europe to the US. There are also more wide-scale, formalized processes known as Binding Corporate Rules, which can also be implemented within a corporate structure to provide similar protection mechanisms for data transfer.
It’s also important to think about the geographic location of documents as early as possible in any dispute or investigation. If the documents reside in Europe, and ultimately need to be produced in the US, there are steps you must take to ensure personally identifiable information (PII) is redacted, only relevant data is transferred, etc. Additionally, we’re seeing a lot of clients that are opting to undertake most of the collection, processing and review of documents within the jurisdiction in which the data resides, and only transferring relevant documents outside of the jurisdiction. Whilst these processes can be implemented rapidly, the earlier you can plan for this the smoother the overall process of document collection, review and disclosure is likely to be.
Do you have any example case studies?
Craig Earnshaw: We recently handled a trust dispute for a global financial services client where all of the documents were resident in Continental Europe but needed to be produced in multiple jurisdictions within and outside of Europe as part of a variety of individual claims. In addition to the EU data privacy laws, there were additional banking secrecy requirements for the documents which would incur a potential $10,000 per document fine for any breaches. We deployed a team onsite at the bank to undertake the preservation of the data, which we processed with our mobile FTI Investigate platform so that it didn’t have to leave the four walls of the client’s offices. The resulting documents were loaded into an implementation of our Ringtail review environment behind the bank’s firewall, and we brought in a team of qualified multi-lingual document reviewers to conduct the review and perform the necessary redactions prior to the data being produced into the various international jurisdictions.
Are there any other themes that were top of mind for attendees at the meeting?
Craig Earnshaw: My key takeaway from the discussions that I had at the Sedona meeting is that corporations are growing more strategic when it comes to their data. More multinational corporations are starting to do discovery work in country, they are implementing structures and protocols to enable data to be moved around the corporation, and they are taking a global approach. Many of them are standardizing on a small number of global service provider partners to ensure a consistent approach on a global basis, which leads to a much more cost effective solution in the long run.
All in all, as data privacy laws become stricter and fines look to grow in size, corporations are responding with better data management and discovery programs.
Will the recent “Brexit” referendum result in the UK, where the UK has voted to leave the EU, have an impact on the data privacy position for global corporations?
Craig Earnshaw: Following last week’s referendum result, the details have yet to emerge as to what any aspect of the ultimate relationship will look like between the UK and the remaining 27 member states of the EU, including data protection. The UK will remain a member of the EU for at least the next two years whilst the exit negotiations, and trade renegotiations, take place, and will therefore continue to be bound by the same rules and regulations in relation to data privacy as it is now, including the Data Protection Directive, and, highly likely, the new GDPR which is due to be implemented in May 2018.
If, post the UK’s exit from the EU, documents containing personal data are to be transferred from the EU to the UK, the UK would need to either continue to apply the GDPR (to ensure an equivalent level of protection to the personal data), or to implement another protection mechanism that is deemed to provide an “adequate” level of protection to personal data from EU citizens. Whilst this is speculation, I believe that it would be highly likely that the UK would continue to include legislative protections to the personal data of UK citizens similar to those that are currently in place, which may still preclude transfer to the US without alternative solutions being implemented, such as equivalents to the current EU mechanisms of Standard Contractual Clauses or Binding Corporate Rules, or a revised version of the Privacy Shield.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.