International data transfer practices are in for a rough transition period. With the outcome of Schrems II invalidating the Privacy Shield — the agreement between the US, EU and Switzerland that governed international data transfers — and Britain’s official exit from the EU on December 31, 2020, transferring data from the EU to other countries will be a serious challenge. For litigation experts, these changes pose additional hurdles to speedy and effective eDiscovery.
How can legal professionals navigate these uncertain international waters?
The end of the Privacy Shield
For years now, practitioners relied on the Privacy Shield to transfer electronically stored information (ESI) across borders. The Privacy Shield was a set of agreements administered by the US Federal Trade Commission that required parties to stick to several data protection and self-certification principles. This provided an avenue of communication for US and EU data protection authorities and binding arbitration between data exporters and importers.
Such an agreement was necessary since the broad data collection practices in the US don’t pass muster in the EU.
The General Data Protection Regulation (GDPR) ensures that EU citizens’ personal data is always collected to the minimum degree possible, that what is collected is documented and justified and that the data subject always knows how and why their data is being processed. Not so in the US. Thus, the Privacy Shield was constructed to ensure that data collection and processing practices in international data transfers between the EU, US and Switzerland met the standards of the GDPR.
But CJEU Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II) ruled that the Privacy Shield was insufficient to protect the privacy of EU citizens. Without the Privacy Shield, litigation that involved international eDiscovery data was left in limbo.
Brexit has also complicated matters. The UK has passed regulations related to data protection, privacy and electronic communications meant to essentially match the GDPR, but the adequacy of these regulations remains to be seen.
EU authorities need to assess the UK regulations to determine whether their data protection law passes muster. Not only will this assessment take some time, but there’s no guarantee that the regulation will be deemed adequate. Like the US, the UK permits bulk surveillance of communications, a practice in direct opposition to the GDPR’s principles. Furthermore, EU citizens need to have means of legal redress from the UK if their rights to data privacy are infringed. These and other factors will affect whether UK regulations meet the EU’s standards.
Avenues for compliant data transfer
All of this makes the collection and processing of eDiscovery data a touch complicated. Many avenues for collecting this data suffer from fatal flaws, such as:
- Obtaining consent from the data subjects: Because eDiscovery data needs to be collected and processed before it can be deemed relevant or irrelevant to the matter, legal professionals will be faced with a huge number of data subjects to obtain consent from, making this tactic prohibitively slow and labor-intensive.
- Transferring data through Binding Corporate Rules: BCRs, internal regulations that match the general principles of the GDPR, are intended for internal data transfers within an organization and are thus of limited use for litigation.
- Letters rogatory under the Hague Convention: Countries that are party to the Hague Convention can request documents related to a legal matter across borders. This process, however, still requires that litigants satisfy the requests of data protection authorities and is a very slow process — likely too slow for the needs of a litigant.
Fortunately, there are a few avenues still available for law firms, legal departments and litigation support partners; specifically, standard contractual clauses (SCCs). These form contracts allow for data transfers from an EU controller to outside of the EU for a variety of purposes, including eDiscovery for litigation.
After the July ruling on Schrems II, the viability of SCCs was tenuously confirmed, but only if the safety of EU citizens’ data was guaranteed. Thus, it’s possible that even this approach for compliant data transfers could be deemed insufficient.
Soon after, however, the European Data Protection Board (EDPB) released guidance on how international data flows can become compliant with EU laws. Following these guidelines can help solidify the validity of using an SCC when transferring eDiscovery data. Specifically, the EDPB laid out six steps:
- Know your transfers: Data exporters should map all transfers of personal data to third parties (a simpler task when it comes to eDiscovery data since this will likely go only to a US- or UK-based controller and to outside counsel from there). Additionally, data exporters should verify that the data they transfer is adequate, relevant and limited to what is necessary for its purpose.
- Verify your transfer tools: Data exporters need to verify that they are transferring data in accordance with one of the transfer tools listed in Article 46 GDPR (for transfers that are regular and repetitive) or Article 49 GDPR (for occasional and non-repetitive transfers — like eDiscovery).
- Assess third-country laws and practices: Data exporters should assess whether the country they will be exporting to has laws or practices that may interfere with the safeguards of the transfer tools the data exporter is relying on.
- Identify and adopt supplementary measures: If the assessment in the third step shows that the laws and practices of the third country impinge upon the transfer tool’s safeguards, then the data exporter should adopt measures that bring the level of protection up to EU standards. This could include, for instance, pseudonymization of the data, among other measures listed in Annex 2 of the EDPB guidance.
- Take any formal procedural steps needed to adopt supplementary measures: Depending on the transfer tool or the supplementary measure, formal procedures may be necessary.
- Periodically re-assess the level of data protection and monitor any developments: While this step will likely be more relevant to ongoing data transfers than to eDiscovery data transfers, it could still be relevant for lengthy eDiscovery projects.
Find expert help
Being familiar with these laws and guidelines is essential, but the easiest way to ensure compliance with EU regulations today and going forward is to identify a reliable litigation support partner. Any litigation support partner with international experience will depend upon the compliant transfer of eDiscovery data for their work and so should be able to provide guidance and strategic recommendations on how to stay compliant, avoid data spoliation sanctions and ensure that data is transferred in time for court deadlines.
We’ve assembled a guide called “Finding the Future-Fit Litigation Support Partner” with practical advice that legal professionals can use when assessing whether a litigation support partner is up to the task. If recent data privacy regulations have thrown a wrench into your litigation, it could help you find the right partner.
Contact us to learn more about our Litigation Support Services.