The General Data Protection Regulation (GDPR) poses significant new risks in copying, transferring and using EU-based data in US legal matters. The problem is acute for US companies with employees in Europe. The GDPR’s expansive definition of “personal” data to mean any identifying information – even a person’s name – makes it virtually inevitable that the regulation will apply. The good news is that proven eDiscovery strategies can be repurposed to minimize the post-GDPR risks of conducting discovery in EU countries.
Key provisions of the GDPR relating to US discovery
The GDPR, which took effect on May 25, governs the use and handling of “Personal Data” of EU residents. It applies to any company that falls within the definition of a “Data Controller” or “Data Processor.” Controllers determine the purpose and means of the processing; Processors perform the processing.
The similarity to eDiscovery terminology is purely coincidental. GDPR processing is far broader in scope than eDiscovery processing. In fact, it covers effectively all uses of data throughout the litigation lifecycle. This includes the EDRM stages of collection through production (inclusive of review), ongoing data storage and data destruction at matter close. In effect, litigants, law firms and service providers all come under the GDPR.
There are several GDPR requirements of particular relevance to discovery. Processing is only allowed within specific legal grounds defined by the GDPR. It cannot go outside the scope of the initial purpose. The data must be kept secure. There are restrictions on data transfer within the EU and additional restrictions on transfers to countries outside the EU. Finally, the GDPR has an extremely broad definition of personal data, even including name and work email address.
The intersection of eDiscovery and GDPR goals
The GDPR collides head-on with US discovery in the context of matters requiring EU-based document collections. There are three main avenues to reducing risk in this situation. First, collect less data. Second, transfer less data to the US. And third, implement heightened restrictions around data disclosure during and after litigation.
These three points dovetail with several familiar eDiscovery goals. Reducing data volume is a prime strategy to cut costs. Transferring only the smallest possible subset of records from the home country to the US limits exposure of company data in other unrelated legal matters. Cybersecurity is of course always essential. Finally, privileged and sensitive information is redacted prior to production.
The ideal way to avoid GDPR issues is to not collect EU residents’ personal data. Unfortunately, given the GDPR’s expansive definition, not collecting any personal data is virtually impossible. (This article presupposes that the personal data is not itself the subject matter of the legal proceeding.) However, there are legal and technological strategies available to keep collection, transfer and production of personal data to a minimum.
Five eDiscovery strategies to reduce risk under the GDPR
These five proven eDiscovery strategies can be deployed to reduce risk under the GDPR.
1. Take full advantage of legal tools to limit the scope of discovery.
The first strategy is to deploy the full battery of legal tools for limiting the scope of discovery:
- Raise the GDPR as an issue in the meet and confer, scheduling conference and initial disclosures. In state courts that don’t present similar procedural opportunities, proactively raise GDPR issues as early as possible. Lay the groundwork for your argument to the judge.
- Seek an agreement to limit EU-based discovery. This approach will be most fruitful when both parties are operating under the GDPR.
- Make specific objections to requests for production on the basis of undue burden, cost and other proportionality factors based on the GDPR. Where available, agree to produce alternative sources of the data from US custodians instead.
- Invest extra time and effort in EU custodian interviews to identify responsive files, leveraging identification to prepare a highly targeted collection plan. Don’t take on unnecessary risks by collecting non-responsive files.
- Seek a protective order limiting the scope of discovery to minimize or even avoid EU-based collections. The costs and risks associated with GDPR compliance can be powerful facts in support of a proportionality argument.
2. Use eDiscovery technology tools to limit the scope of collection.
The second strategy is to limit the scope of collection using forensically sound collection software and methodology. A defensible collection plan can include using eDiscovery technology to apply date restrictions, file type filtering or keyword searches during the collection.
Use the legal tools outlined above to lay the groundwork for this strategy. When improperly designed or implemented, filtering during collection can open the door to an eDiscovery challenge. Prior agreement with opposing counsel or court approval for your collection plan goes a long way to reducing eDiscovery risk.
Companies with ongoing, large-scale EU-based discovery needs may want to evaluate enterprise discovery solutions such as EnCase. While enterprise solutions are a significant investment, the GDPR has changed the cost-benefit analysis.
3. Review in the country of origin to limit data transfers.
Data transfer is a significant GDPR risk factor, especially to countries outside the EU. The third strategy is to use a local service provider for eDiscovery processing and hosting of the EU collection data. Review can be done remotely by the case team or by local contract attorneys (a well-established option for reviewing foreign language documents). Under this approach, only the documents actually produced in the case are transferred to the US.
Whether local review makes sense in your case is a fact-specific determination. The benefits are directly proportional to the total collection volume and the amount (actual or suspected) of personal data of EU employees and customers. Also relevant, and perhaps most important, is the type of personal data at issue. The GDPR provides heightened protections – and associated penalties – for sensitive data such as medical records and financial information.
4. Use the protective order to limit further disclosure of produced documents.
When designing the discovery plan at the start of the case, you should assume that some portion of the EU-based collection will ultimately be produced. Use the protective order to erect barriers against further disclosure of EU residents’ personal data in produced documents.
First, designate documents that originated in the EU as attorneys’ eyes only. The receiving party may always seek a change in classification for a particular file that does not include any GDPR-covered information.
Second, agree on a procedure for making and challenging redactions and pseudonymisation. Pseudonymisation – consistent substitution of a pseudonym for the real name throughout the dataset – has been recommended by many commentators as a GDPR compliance strategy in both the business operations and discovery contexts.
Third, consider alternative, more secure means of production. For example, you can make designated records available in a firewalled, locked-down review database. This can be especially useful in limiting the risk of production to expert witnesses, as they often have inadequate data security measures.
Last but not least, include robust requirements for data destruction at matter close.
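One way to implement the consistent pseudonymisation described in the second point above, as an added example that is not part of the original article: the documents, the identifier list and the key are constructed, and the keyed-HMAC token scheme, the PERSON_ prefix and the residual-identifier check are assumptions, not a product's workflow.

```python
import hashlib
import hmac
import re

# Constructed sample: two documents from the same EU custodian set.
DOCS = {
    "doc-001.txt": "Email from Anna Schmidt <anna.schmidt@example.eu> to Jonas Weber re: Q3 audit.",
    "doc-002.txt": "Jonas Weber confirmed with Anna Schmidt that the audit closed.",
}

# Constructed list of personal identifiers flagged during review (names, addresses).
IDENTIFIERS = ["Anna Schmidt", "Jonas Weber", "anna.schmidt@example.eu"]

# Placeholder key: in practice a per-matter secret stored apart from the produced set.
MATTER_KEY = b"PLACEHOLDER-PER-MATTER-SECRET"


def pseudonym(value: str, key: bytes = MATTER_KEY) -> str:
    """Stable pseudonym for one identifier: a keyed HMAC means the same person
    gets the same token in every document, while the token alone cannot be
    reversed without the key and the separately held mapping table."""
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return f"PERSON_{digest[:10].upper()}"


def pseudonymise(docs: dict, identifiers: list, key: bytes = MATTER_KEY):
    """Replace each identifier in every document with its pseudonym.
    Returns (pseudonymised docs, mapping table pseudonym -> original value).
    Longer identifiers are substituted first so a full name beats a partial one."""
    ordered = sorted(set(identifiers), key=len, reverse=True)
    mapping = {pseudonym(ident, key): ident for ident in ordered}
    out = {}
    for name, text in docs.items():
        for ident in ordered:
            # Case-insensitive, whole-token match keeps the substitution consistent.
            pattern = rf"\b{re.escape(ident)}\b"
            text = re.sub(pattern, pseudonym(ident, key), text, flags=re.IGNORECASE)
        out[name] = text
    return out, mapping


def residual_identifiers(docs: dict, identifiers: list) -> list:
    """QC step before production: list any (document, identifier) pair still present."""
    return [(name, ident) for name, text in docs.items()
            for ident in identifiers if re.search(re.escape(ident), text, re.IGNORECASE)]
```

The mapping table returned by pseudonymise is what allows a challenged pseudonym to be re-identified, so it belongs with the EU-side review set, not with the production.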
5. Repurpose existing eDiscovery redaction solutions.
Redaction will be a key tool of GDPR compliance. All litigators are familiar with redacting privileged information and many have experience with redacting personally identifiable information (PII) and protected health information (PHI). Good workflows and technology tools already exist to identify and redact privileged or sensitive information.
The fifth strategy is to repurpose existing eDiscovery redaction solutions to redact non-relevant personal data of EU residents from business documents prior to production. It’s true that personal data as defined by the GDPR is far broader in scope than PII/PHI and is different in kind from privileged information. However, there’s no need to reinvent the process wheel.
There are many good eDiscovery strategies for cutting costs, reducing risk and keeping data secure. Some of those strategies can readily be pressed into service to meet the similar, sometimes overlapping requirements of the GDPR.