What are the eDiscovery issues related to the Internet of Things?
If one were to identify the Wild West of not only eDiscovery, but privacy law, the Internet of Things (IoT) would be a frontrunning contender. Most of us are completely oblivious to the fact that, even without our mobile phones, many of the devices we use collate and send data to the cloud. An Englishman’s home may still be his castle, but thanks to Fitbits, Nest thermostats, Amazon’s Alexa and Apple’s Siri, modern living involves letting Big Tech across the drawbridge.
The rapid expansion of the IoT means the scope of data which can be included in the eDiscovery process has dramatically expanded. And this, in turn, brings up issues surrounding managing litigation, cost budgets and people’s privacy.
Litigation cost budgets – set to explode?
The Jackson Reforms transformed civil litigation in 2013. However, six years later, the IoT has ushered in a new wave of eDiscovery, comprising issues outside what Lord Justice Jackson could have possibly envisaged.
Despite the fact that metadata can reveal contextual information regarding the location, type and calibration of a particular device, factors such as the identity of a person may be more difficult to pin down via IoT data. Device users are generally more fluid than users of, say, email or WhatsApp, and data can be shared across multiple devices. The cost of analysing whether Nest data is related to a homeowner, an intruder, or a guest may prove too great to justify eDiscovery, despite the fact the data could be highly relevant to a specific legal case.
Privacy and data protection
The biggest challenge when it comes to the IoT and eDiscovery is privacy, not only of the owners of devices, but also of third parties who may have unwittingly provided personal information. For example, let’s imagine a breach of contract. The breaching company’s CFO and MD discuss terminating an agreement in a café. The café is equipped with Amazon Echo. Can lawyers demand data from the Echo for the purposes of eDiscovery? And if so, is the data the property of the café owner, Amazon, or the persons who may feature in any of the data retrieved?
In the case of State v Bates, James Bates had three friends over to his home in Arkansas on 21 November 2015 to watch a sports game. After it finished, one friend went home while the other, who stayed overnight, jumped into the hot-tub and continued drinking. Mr Bates claimed he went to bed around 1am. When he awoke the next morning, his friend was lying dead in the hot-tub, surrounded by blood. Whilst investigating the scene, police noticed an Amazon Echo and wondered if it had recorded anything that went on during the night. If the device had been activated after 1am, it would have contradicted Mr Bates’s statement that he had been in bed asleep.
Amazon was served with a search warrant, requesting “electronic data in the form of audio recordings, transcribed records or other text records”. The tech giant handed over records of Echo transactions but refused to part with any audio recordings, citing the First Amendment and privacy, and issued proceedings to quash the warrant.
Mr Bates’s lawyer told the Court, “I have a problem that a Christmas gift that is supposed to better your life can be used against you. It is almost like a police state”.
In the end, Mr Bates did not object to the audio being acquired by the police (although the outcome of the analysis of the audio data has not been publicly disclosed). The case does, however, highlight some of the real issues to be resolved regarding eDiscovery and the IoT.
When it comes to the General Data Protection Regulation (GDPR), many data processing activities which stem from the IoT will need to comply. Therefore, data protection needs to be embedded into any new IoT technology as it is created, including concepts of transparency, fairness, purpose limitation, data minimisation, data accuracy and the ability to deliver on data subject rights.
Amazon, Apple, Google, Netflix, and Spotify should be in full compliance with GDPR principles in relation to the personal data they hold on EU citizens. However, privacy group Noyb said it found that most of the big streaming companies did not fully comply. In January 2019, it filed a formal complaint with Austria’s data protection regulator.
Given big tech’s reluctance to part with data being collected and held via IoT devices, legal teams currently face an uphill battle to gain access to personal information which could dramatically affect the outcome of a litigation matter.
The need to recognise IoT in eDiscovery
Right now, there is no protocol for dealing with IoT data in relation to eDiscovery. Therefore, it is incumbent on in-house counsel and external legal advisors to ensure IoT is included in information governance and litigation response. eDiscovery experts are now racing to develop systems and technologies to source and analyse data from IoT devices in a cost-effective manner. However, it is likely that new civil procedure rules will need to be created to provide guidance around the scope of this type of data in a legal case.