The document discusses upcoming changes to data protection legislation in Europe and the implications for companies. The EU General Data Protection Regulation (GDPR) will replace the 1995 Data Protection Directive in May 2018, imposing stricter rules around data collection, use, and transfers. It also discusses the replacement of the invalidated US-EU Safe Harbor agreement with the new EU-US Privacy Shield framework and the uncertainty caused by Brexit. The implications are that companies will need to devote more resources to data compliance and mobile ediscovery solutions may help address issues around cross-border data transfers and GDPR requirements.
10 | KROLL ONTRACK | Report

“May you live in interesting times” is reportedly the English translation of a Chinese curse. Uncertainty and upheaval are not always conducive to prosperity or productivity, and this sentiment is particularly applicable to in-house counsel and data protection officers working with data in 2016.
Planned changes
The evolution of data protection legislation is cyclical. Technology develops; legislation follows. This pattern is what led to the creation of the EU General Data Protection Regulation (GDPR), which will replace the incumbent European Data Protection Directive (95/46/EC). Introduced in 1996, the EU Data Protection Directive provided European Union citizens with protections designed to work with the explosion of computer use. However, with the advent of social media, greater internet use and growing public concern for data protection, the directive has reached the end of its natural lifespan. Its successor, the EU GDPR (the directive), has been developed to offer better protection for citizens, to harmonise data protection regulation across the European Union and to simplify intra-EU working.

For those working with data, the GDPR has been anticipated for the past three years. However, the regulation was only finalised in 2016, giving companies just two years until it is enforced in May 2018.
The main points of interest are:

■ Increased fines for breaches of the GDPR (up to 4 percent of the annual global turnover).
■ A “privacy by design” provision requiring data protection to be designed into business services. Ensure that measures are taken to protect data from the start of a client or customer engagement.
■ Explicit consent must be obtained for the collection and processing of data. Contracts with clients or customers should include a section on consent.
■ Multinational companies working across the European Union will be required to appoint an independent Data Protection Officer. This will be a challenging role to fulfil given the breadth of knowledge required to manage IT systems and to be familiar with the legal aspects of the GDPR.
■ International companies based outside the European Union, but which hold data inside the European Union, will be subject to these regulations.
■ A “right to erasure”. A client or customer has the right to request the erasing of personal data.
■ Data will be prohibited from being transferred outside the European Union without approval from a supervisory body.[1]
No Man is an Island: The Battle for Data Privacy

The implications of GDPR will be widespread, and in-house counsel and compliance officers will need to prioritise data protection, devoting more time, and in some cases money, to ensuring the conditions of the GDPR are being met. The penalties for non-compliance are high, elevating compliance with data protection law to a similar level of importance as compliance with anti-trust laws.
No port in a storm
In late 2015, the European Court of Justice declared in the case Maximilian Schrems v. Data Protection Commissioner (Case C-362/14) that the “Safe Harbor Agreement” between the European Union and the United States was invalid. Schrems, an Austrian citizen, had concerns about EU data being transferred from Facebook’s Irish subsidiary to servers located in the United States. He argued that the Safe Harbor agreement was no longer sufficient in protecting the privacy of European citizens, especially following Edward Snowden’s revelations about the surveillance activities of the United States Intelligence Community.

As the replacement legislation, the EU-U.S. Privacy Shield was only finalised in July 2016, following protracted discussions and a rejected draft agreement. This left the 4,400 companies reliant on the agreement in an uncertain legal position regarding transferring data, relying on standard contractual clauses or binding corporate rules for much of 2016.
EU-U.S. Privacy Shield
The finalised agreement shares some similarities with the Safe Harbor. It relies on a similar approach of self-certification but imposes significantly greater obligations on participating organisations. The basis for the agreement is centred on the following seven privacy principles:

Notice: Organisations must provide individuals with notice of the types of data collected, the purposes of collection, the third parties who will receive their data, their right of access to it, and the safeguards limiting the use and disclosure of their personal data. The organisation must also describe recourse mechanisms.

Choice: Organisations must provide clear and readily available opt-out methods for disclosure of personal data to third parties for purposes other than the one for which it was originally collected. For sensitive information (such as health information), individuals must actively consent and opt in to their data being used.

Accountability for Onward Transfer: Privacy Shield certificate holders must ensure that third-party contracts include agreements that provide the same level of protection as the organisation itself. They must agree that data may only be processed for limited, specified purposes consistent with the data subject’s consent. The organisation will remain liable for a third party’s violations unless it can prove that it was not responsible.

Security: Participating organisations need to “take reasonable and appropriate measures to protect [data] from loss, misuse and unauthorised access, disclosure, alteration and destruction.” These measures must be appropriate to the “risks involved and the nature of the personal data.”

Data Integrity and Purpose Limitation: Data collected must be “relevant for the purposes of processing” and organisations must limit collection to only relevant data, which must be accurate, complete, and current.

Access: Organisations must provide individuals with access to their personal data and the opportunity to correct, amend or delete information that is inaccurate or processed in violation of the principles outlined in Privacy Shield.

Recourse, Enforcement and Liability: The Privacy Shield agreement contains detailed mechanisms for recourse and dispute resolution, and those seeking self-certification will need to implement complaints procedures that meet these strict requirements.
In addition to these principles, the EU-U.S. Privacy Shield will also:

■ Introduce an Ombudsman to investigate any complaints regarding access to data by the United States Intelligence Community.
■ Be subject to a joint annual review of the program by the European Union and the U.S. Department of Commerce.
Brexit wounds?
As the European Commission and the U.S. Department of Justice battled it out over a replacement for Safe Harbor, the United Kingdom sought to end a decades-old debate over whether or not the country should leave the European Union by holding a referendum on the issue. Defying predictions made by pollsters, pundits and politicians alike, the result, which saw 52 percent of the electorate opting to leave, shocked the world. For in-house counsel and compliance officers operating in the European Union and United Kingdom, the decision once again plunged proceedings into uncertainty regarding data protection laws.

Unlike the current Directive, the GDPR will be unilaterally adopted across EU member states, raising two key questions for the United Kingdom:

■ What legislation will replace GDPR?
■ How would Britain do business with European Union countries operating under GDPR?

The United Kingdom currently operates under the Data Protection Act 1998, which was enacted to bring British law in line with the Directive. At the time of writing, Britain has yet to trigger Article 50 and formally start exit proceedings. Prime Minister Theresa May has stated she will not trigger Article 50 until at least the end of the year, to allow time to prepare for negotiations. Once Article 50 is triggered, experts in European Union constitutional law predict that it will take two years for the exit to be finalised. During this transition period, it is likely that the Data Protection Act 1998 will remain unchanged.
At first glance, no longer being subject to the stringent conditions of GDPR may seem like a positive consequence of Brexit. However, Brexit is not simply a case of “in” or “out”, and many of the potential consequences of leaving depend on whether or not Britain becomes part of the European Economic Area (EEA) or completely severs ties.

If Britain does become part of the EEA, this would afford Britain the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR. In business terms, this would make data transfers somewhat easier, assuming the European Union found the United Kingdom’s safeguards to be appropriate. Nevertheless, this would mean that the United Kingdom would still be subject to the Directive and, from May 2018, the GDPR when transferring data across borders to comply with legal obligations in other countries.
An EU-U.K. Privacy Shield?
If the United Kingdom does not become part of the EEA, it would probably have to negotiate an agreement similar to the EU-U.S. Privacy Shield in order for U.K. companies to continue to transfer data between the United Kingdom and countries in the European Union. In this scenario, it is likely the Article 29 Working Party would suggest similar terms to those applicable to the United States:

■ An ombudsman to handle complaints from European Union citizens about the United Kingdom’s security services accessing their data.
■ UK security services / the Home Office to provide written commitments that Europeans’ personal data will not be subject to mass surveillance.
■ An annual review or audit to check the new system is working properly.
What do all these changes mean for ediscovery?

We predict that 2017 will see a rise in demand for mobile ediscovery solutions. The latest data protection legislation (GDPR and the EU-U.S. Privacy Shield) both impose greater obligations and greater fines for violations than their predecessors. Mobile solutions can assist with compliance in two ways: firstly, by processing data in-country, which removes the risks associated with transferring data across borders; secondly, mobile ediscovery technology, and predictive coding technology in particular, are adept at ensuring only relevant data is transferred and disclosed.
In terms of Brexit, until the United Kingdom finalises its data protection regime and comes to an agreement with the European Union, companies will need to think carefully about the risks of transferring data across European borders. Once again, mobile ediscovery solutions provide a neat solution that allows business to continue processing and transferring data in Europe in a compliant and cost-effective manner.

Additionally, it is likely there will be renewed focus on information governance in order to comply with the “privacy by design” and “right to be forgotten” components of the GDPR. Understanding where data is and the volumes involved will play a big role in ensuring compliance.

REFERENCES

[1] https://www.privacyshield.gov/EU-US-Framework