The proposed EU-U.S. Privacy Shield is designed to replace the now-defunct Safe Harbor scheme, which was developed to govern the transfer of personal data between the EU and the United States. However, the framework addresses only one aspect of the risk in handling data. It does not account for contentious regulatory, investigatory or dispute situations, where there is a paramount need to trawl and mine data (e.g., digital documents, email communications and other relevant material). Additionally, and arguably more critically, these situations carry risks that make decisions on data handling fundamental to the successful management of a case.
Background on the EU-U.S. Privacy Shield
One of the key considerations to bear in mind is that neither the European Commission nor the United States is in the driver’s seat during this process. This is because the Court of Justice of the European Union in Schrems did not destroy the concept of Safe Harbor, but rather focused on whether a transfer under the scheme actually provides an adequate level of protection. The criticism was therefore more fundamental than the mechanics of the scheme: it went to the heart of data protection and privacy, namely whether an individual’s data can be adequately protected in the recipient country.
The criticism, in effect, speaks to the core differences between the U.S. and the EU in how data protection and privacy laws are viewed. In the EU, privacy is considered a fundamental human right, and respect for others’ personal and family lives, including their internet communications, is the prevailing view. Although there has been a recent decision of the European Court of Human Rights on employers’ access to employees’ private communications sent during working hours, such communications remain territory that must be considered carefully before they are collected in an investigation.
With respect to data protection, the current law, driven by the EU Data Protection Directive 95/46/EC, protects individuals from the unlawful processing of their data. The law is defined very widely and prohibits the transfer of data to countries with inadequate levels of protection (as referred to above). However, in December 2015 it was announced that the wording of the new General Data Protection Regulation had been finalized; it is due to come into effect by spring 2018 and is expected to change the legal landscape significantly. Examples of forthcoming changes include maximum fines for data protection breaches of up to 4 percent of global annual turnover; mandatory reporting of serious security breaches to regulators and to affected individuals; and a focus on consent, which must be explicitly obtained and may not be deemed valid in an employee-employer relationship, as it cannot be a freely given decision without consequences.
The Jurisdiction Debate
One of the more critical risks to consider is jurisdiction: specifically, whether moving data from one jurisdiction to another creates new external risks. For example, moving data to the U.S. from another jurisdiction immediately places it within reach of U.S. law enforcement agencies and of courts and plaintiffs, especially if the data is transferred before any privilege or relevance review. Moving data that has to be disclosed is obviously unavoidable, but moving an entire dataset is something that should be approached with extreme caution.
The other side of the jurisdictional debate is that many host countries have local laws restricting what can and cannot be done with data, so country-specific laws must be fully taken into account during a discovery exercise. France, for example, has both a data protection law (Law n° 78-17 of 6 January 1978, the Loi Informatique et Libertés) and a separate blocking statute (Law n° 68-678 of 26 July 1968) that restricts the disclosure of certain documents and information for use in foreign proceedings, and legislation in some countries treats reading an unread email as an unlawful interception of a communication, which could result in criminal charges.
Local Government Influence
Cultural and language barriers, a lack of exposure to discovery procedures and a desire for secrecy are only part of the equation. Another key factor is the power of works councils and unions in certain jurisdictions. In Germany, for example, employee representatives make up half of the supervisory board in large companies and therefore have a direct influence on strategic management decisions and on the critical incidents involved in a major investigation. This often results in works agreements between the works council and the management board that touch on data protection, privacy, disclosure and the modus operandi for investigations.
Although there are significant risks in managing data in these scenarios, the risks of not reviewing the data are arguably more severe, so organizations have to find a way to balance both sides of the scale. Technology can help here, especially when it is employed as part of a creative solution. What matters is understanding the core differences among the risks in order to determine a feasible way forward. In my practice, the easiest way to illustrate the solutions available is through examples of where they have been used before.
Case in Point
My client was recently involved in a large-scale accounting investigation in which the legal team needed to review significant volumes of data for different aspects of the investigation. In this case there were not only data protection and privacy concerns; the client also had numerous contracts with local government agencies, which meant that some of the data was classified in a national security context.
Four different servers were deployed in this project. The first lived on the client site, where data was filtered for national security concerns and any responsive data was quarantined until an appropriately security-vetted individual could review it. The second was situated with a local law firm so that a privacy and data protection review could be performed. The third was in a London data center, where a number of substantive reviews were performed to determine relevance and privilege. The fourth and final server was in the United States, where the European data was merged with the data residing there and used in the ensuing legal and regulatory actions.
In another situation, a global energy company faced a Foreign Corrupt Practices Act and sanctions investigation in which data resided in seven different European countries. Because of the various data protection, privacy and works council concerns, all data was collected, processed and searched on the company’s premises in each country. On leaving each site, all data was transferred to encrypted hard drives and secured in evidence bags with independent security professionals in each country. The keyword-responsive data was then exported to Germany to be centrally hosted for a substantive review, before relevant and non-privileged documents were sent to the United States for disclosure to the relevant authorities.
In responding to a U.S. discovery request, a very security-conscious Russian organization needed to balance its sense of security and privacy with the demands of the U.S. litigation. A combination of local and experienced consultants allowed a protocol to be agreed whereby all data would be captured and processed on the organization’s premises and would not leave. The agreed keywords were then run across the data, and the client reviewed the results and their sources before the documents were provided to the legal team for review, which again took place on the organization’s premises. Finally, only the responsive documents were extracted and sent to the United States as part of a formal response to the discovery request.
When dealing with complex situations, it is important to develop an individual approach and solution for each case. European and local laws, standing corporate operating procedures and the interests of all stakeholders must be taken into account to achieve the best possible result for all parties.