Imagine this scenario: Your company has customers around the world, with the majority in the U.S., but a non-negligible fraction in the EU. Mindful of those in the EU, you carefully researched your obligations under the new General Data Protection Regulation (GDPR) and set up an approach that would ensure your compliance with its data privacy requirements. You’ve even handled a few requests from EU residents for data access and one for data deletion. You’re feeling good about your GDPR readiness and your overall data privacy policies.
And then your self-congratulatory bubble is burst: you get a request for production in a minor ongoing legal matter and realize that complying with your eDiscovery obligation in that case would require you to supply emails from an EU resident. That means you’re likely going to run afoul of the GDPR’s prohibitions on sharing private personal data. What do you do now?
Unfortunately, there’s an as-yet-unmapped gray area between privacy rights—under the GDPR as well as California’s new law and the others that are sure to follow—and eDiscovery obligations. Let’s look at why that is and consider some workarounds that may help.
Navigating New Territories: Here Be Dragons
Data privacy laws play up the differences in fundamental values and belief systems between the EU and the U.S. In the States, free speech is a critical right. We value our privacy, sure, but if we had to choose between keeping our private information private and being able to shout our uncensored opinions from the rooftops, we’d mostly be out buying megaphones. The Constitution doesn’t explicitly recognize a right to privacy; in fact, it wasn’t until the 1960s that the Supreme Court ruled that such a right existed.
The EU reflects somewhat different priorities, including express rights to privacy and the protection of personal data. With the passage of the GDPR, businesses worldwide must respect those rights, safeguarding the broadly defined personal data of EU residents. That includes not just identification numbers, birthdates, and physical addresses, but also demographic identifiers, IP addresses, and cultural identities. Companies cannot collect, share, or otherwise process that information without consent or another substantial justification.
This conflicts with the U.S. litigation system’s eDiscovery obligations to retain, analyze, and provide to an opponent and the court any information that pertains to a legal dispute. These eDiscovery demands often encompass personal data. Even something as simple as a forwarded copy of an email that includes the name, email address, and phone number of an EU resident implicates the GDPR’s privacy mandates—and its harsh penalties.
What’s a company caught adrift without a map to do?
Tips for Safely Traversing Uncharted Waters
Gather as little personal data as possible. The less personal data you ever capture, the less you have to manage. If you’ve been collecting the IP addresses, names, and email addresses of everyone who contacts your website, give some serious thought to whether you need all of that information, especially for protected customers.
Employ a robust consent policy. Under the GDPR, users must actively consent based on a clear statement—it must be opt-in rather than opt-out. Ensure that your consent and privacy policies are clearly worded and that you do not gather information about individuals who have not consented.
Shore up your data security. While the GDPR’s rights extend well beyond data security or potential breaches, a cyberattack is still the surest way to risk serious sanctions. Make sure you’re using best-in-class data security measures—and backing them up by training and re-training your staff in data protection.
Be forthright about conflicts and propose alternatives. If you believe you cannot answer an eDiscovery request without violating the GDPR, promptly advise your opponent and, if necessary, the court. When you do, proactively identify and suggest alternatives such as redaction or anonymization of personal data.
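The redaction or anonymization alternative proposed above can be put into practice in a way that keeps a production set usable: the same person is replaced by the same token in every document, so the reviewing party can still follow who said what, while the token-to-identity map stays with the custodian. The following Python is an added illustration written for this article, not code from the original post or from any eDiscovery product; the email text, the data-subject name list and the custodian key are constructed assumptions, and names are supplied by the reviewer because no regular expression finds them reliably.

```python
import hashlib
import hmac
import re

# Patterns for the data elements the post names: e-mail addresses and phone numbers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# International-format phone numbers only (+CC followed by 2-4 digit groups). Local
# formats would need further patterns and are left out so dates such as 2018-05-25
# are not mistaken for numbers.
PHONE_RE = re.compile(r"\+\d{1,3}(?:[\s.-]?\d{2,4}){2,4}(?!\d)")


def _token(kind: str, value: str, key: bytes) -> str:
    """Stable pseudonym: same value + same custodian key -> same token in every document."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:10]
    return f"[{kind}-{digest}]"


def pseudonymize(text: str, key: bytes, subject_names: list[str]) -> tuple[str, dict[str, str]]:
    """Replace data-subject names, e-mail addresses and phone numbers with keyed tokens.

    Returns the redacted text plus a token -> original map. The map is retained by
    the custodian outside the production set, so re-identification is possible only
    if a court later orders it.
    """
    mapping: dict[str, str] = {}

    def swap(kind: str, raw: str, normalized: str) -> str:
        tok = _token(kind, normalized, key)
        mapping[tok] = raw
        return tok

    # Names first. They come from the data-subject list compiled during review
    # (an assumption of this example); matching is case-insensitive on word boundaries.
    for name in subject_names:
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        text = pattern.sub(lambda m, n=name: swap("NAME", m.group(0), n.lower()), text)
    # E-mail addresses are normalized to lower case, phone numbers to their digits,
    # so formatting differences between documents still yield one token per person.
    text = EMAIL_RE.sub(lambda m: swap("EMAIL", m.group(0), m.group(0).lower()), text)
    text = PHONE_RE.sub(lambda m: swap("PHONE", m.group(0), re.sub(r"\D", "", m.group(0))), text)
    return text, mapping


# Constructed sample: a forwarded e-mail of the kind the article describes.
SAMPLE_EMAIL = """\
From: Anna Muster <anna.muster@example.de>
To: legal@example.com
Subject: Fwd: contract question

Anna Muster called from +49 30 1234567 about the draft.
Please reply to anna.muster@example.de or call her back.
"""


def produce(key: bytes = b"custodian-held-secret-key") -> tuple[str, dict[str, str]]:
    """Run the sample through pseudonymization with a placeholder custodian key."""
    return pseudonymize(SAMPLE_EMAIL, key, ["Anna Muster"])


if __name__ == "__main__":
    redacted, mapping = produce()
    print(redacted)
    print("custodian map (not produced):", mapping)
```

Two design points matter for the conflict the article describes. A keyed HMAC rather than a plain hash means an opponent cannot rebuild the map by hashing guessed addresses, and the key plus map never leave the custodian. Tokens are deterministic, so a reviewer can still see that two messages involve the same person without learning who that person is, which is what makes the redacted production a credible alternative to propose to the court.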
Aim for reasonableness and good faith, not perfection. Even without the legal conflicts of the GDPR, there’s no such thing as perfect eDiscovery. Remember that the GDPR structures its fines to be proportional to the effort—or lack thereof—that an organization expends to protect privacy. Do your best and document your efforts, but understand that perfection may be an unattainable goal.
Are you confident that your eDiscovery technology will help you navigate the treacherous waters of data privacy under the GDPR? If not, contact us to learn how we can help.