In less than four months the General Data Protection Regulations (GDPR) will come into effect in the UK. But although UK and US companies believe they will be compliant by 25th May 2018, recent research suggests many are being overly optimistic.
According to a survey of FTSE 500 and Fortune 500 companies, less than half (39% in the UK and 47% in the US) have set up an internal GDPR taskforce, only a third are hiring a third party to conduct a GDPR gap analysis, and only roughly a third are hiring a third-party consultant to assist with compliance. These figures suggest that some companies are not as well prepared as they are declaring to the market.
The GDPR will have huge implications for in-house solicitors and external litigators on both sides of the Atlantic when it comes to eDiscovery. It is not necessarily the case that transferring data outside the EU to third countries, particularly the US, will become more difficult. Such transfers have always presented challenges, not so much for UK-based organisations, but certainly for those in continental Europe, where the emphasis has always been on privacy, as opposed to the US prioritisation of disclosure. In America, the Federal Rules of Civil Procedure set relevance as the standard for discovery, which casts a wide net over what is discoverable. In contrast, European nations regard privacy and data protection as unchallengeable human rights. Knowing this, it comes as no surprise that the GDPR was birthed in the old world rather than the new.
So, if the GDPR will not necessarily make it more difficult to transfer data to a third country for litigation purposes, why is it such a big deal? To answer this question, one only has to look at the penalties for non-compliance. For major breaches, such as failing to report a security compromise or not obtaining consent for processing data, the maximum fine is 4% of annual global turnover or €20 million – whichever is greater. Minor breaches, for example, not maintaining records of consent, carry a penalty of 2% of global turnover or €10 million.
Note that the figure referenced is turnover, not profit. Such fines could cripple companies that operate on very tight margins, or that are over-committed with existing liabilities.
In-house counsel and litigators dealing with cross-border disputes need an in-depth understanding of the GDPR and how they can ensure compliance when engaging in eDiscovery.
A brief overview of the GDPR
The GDPR is aimed at harmonising data protection law across the EU. The British Government has made it clear that it will continue to apply in the UK even after the UK formally leaves the bloc in 2019. The regulations are designed to ensure that data subjects receive more protection and that data processors and controllers are subject to more stringent and uniform compliance obligations.
The GDPR affects not only organisations with a physical presence in the EU, but also those located in third countries that offer goods and services to EU nationals. In addition, any company with an establishment in the EU (such as a call centre or HR department) is also caught by the regulations.
What are the GDPR implications for eDiscovery?
Those doing investigations for litigation purposes will be operating at ‘ground zero’ when it comes to GDPR compliance. International organisations who deal with or trade in EU states must therefore take the GDPR seriously.
Some of the main issues litigators in third countries, particularly the US, will need to manage include:
- Article 48 – this prohibits the transfer of personal data outside of the EU unless the request is based on an international treaty such as The Hague Convention. Therefore, any order from a US-based court requiring the disclosure or transfer of personal data from the EU will not be valid unless it can be grounded in an international treaty or convention. Up until now, the US courts have been inconsistent in their approach to whether a litigant can refuse to comply with a disclosure order on the basis of EU law. Cases have tended to turn on their facts, such as how important the documents are to the outcome of the case and whether disclosure is in the public interest. Given the high level of judicial discretion, it would be unwise for any party to US litigation to simply throw their hands in the air and state that the GDPR prevents disclosure – a plan B will be required.
- The right to be forgotten – Article 17(1) reads “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…” – it then goes on to list the relevant grounds. However, Article 17(3)(e) states that Article 17(1) will not apply if the data is necessary for “the establishment, exercise or defence of legal claims”. There is likely to be tension here: companies could argue that almost all data is potentially necessary for the establishment, exercise, or defence of legal claims, whereas regulators are likely to take a narrower approach to the interpretation of the term ‘necessary’. In addition, what would occur if a person exercised their right to be forgotten after a legal preservation notice had been received? Will the relevant EU data regulator (in the UK, this is the Information Commissioner’s Office) check whether a preservation notice was in place before insisting that the data be deleted? It is unlikely that the US courts would be sympathetic to data which may be extremely relevant to a litigation matter being erased on the grounds that this protects an individual’s rights and privacy.
- The requirement for some organisations to have a Data Protection Officer (DPO) – this could lead to conflict, given that a DPO must be independent of the company’s decision-making processes and cannot be dismissed for exercising their authority against the Board in order to achieve compliance. However, given that courts outside the EU will need significant education on the effects of the GDPR on eDiscovery, DPOs may find themselves playing an important role in ensuring that third-country judges and regulators understand the challenges the new regulations present to litigators facing disclosure orders.
There is no doubt the GDPR will present challenges to solicitors and organisations, not only in the EU but all over the world. Those involved in cross-border disputes will need a clear understanding of the compliance requirements and back-up plans in case they are unable to comply with in-country disclosure orders. One way this can be achieved is by using a portable solution that can sift through and analyse data onsite, rather than having to transfer it offshore.
Unfortunately, there is no one-size-fits-all solution. How the GDPR requirements will be balanced against the need for fair disclosure and the ability to conduct adequate eDiscovery in cross-border disputes remains to be seen. It is likely to take a few years for the courts to provide guidance that litigators can rely on. In the meantime, it is imperative that organisations and their counsel are fully prepared to meet their compliance obligations come May 2018.
Lineal is a global leader in providing flexible eDiscovery and litigation support. To find out more about eDiscovery and the GDPR, please call us on +44 (0)20 7940 4799 or email firstname.lastname@example.org.
Fed. R. Civ. P. 26.