The EU Data Protection Reform's Impact on Cross Border E-discovery; updated here: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
Check out this link for the latest version: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
The European Commission's proposal for a new General Data Protection Regulation (GDPR), represents the most significant global development in data protection law since Directive 95/46. It will considerably impact cross-border e-discovery in the EU.
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
Ähnlich wie The EU Data Protection Reform's Impact on Cross Border E-discovery; updated here: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
Ähnlich wie The EU Data Protection Reform's Impact on Cross Border E-discovery; updated here: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797 (20)
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated here: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
1. The EU Data Protection Reform's
Impact
on Cross-Border e-Discovery
2. MONIQUE ALTHEIM, Esq., CIPP/US, CIPP/E
Monique Altheim, the managing partner ofThe Law Office of Monique Altheim, is a
multilingual and multi-jurisdictional attorney, admitted to the New York Bar, as well as the
Antwerp Bar in Belgium.
Ms. Altheim advises clients on international e-discovery, international data transfers, and
counsels them on privacy/data protection and social media law. She is a Certified
Information Privacy Professional (CIPP) in the US and the EU, and an active member of
The Sedona Conference Working Group 6: International Electronic Information
Management, Discovery and Disclosure.
Monique Altheim runs a widely read blog, EDiscoveryMap.com and recently developed
her own mobile information sharing App for iPhone/iPad and Android.
Ms. Altheim is a regular contributor to international conferences on privacy and e-
discovery.
3. 1. The Cross-Border U.S. Discovery vs. EU Data Protection
Conundrum
U.S. civil discovery obligations extend to ESI outside the U.S
•Rule 34 FRCP “possession, custody , or control” of ESI
•Duty to preserve, legal hold
•Duty to disclose (Rule 26, FRCP)
•Sanctions for non-compliance
4. 1. The Cross-Border U.S. Discovery vs. EU Data Protection
Conundrum
Obstacles to discovery in the EU member states
•Data Privacy Laws
•Blocking Statutes
•Bank Secrecy Laws
•Labor Laws
•Telecom Laws
AND
•U.S. style discovery in civil litigation is a common law tradition and is unknown
in civil law countries
5. 1. The Cross-Border U.S. Discovery vs. EU Data Protection
Conundrum
Is there a treaty signed by both the U.S. and EU member states to
resolve this conflict?
Yes, The Hague Evidence Convention (1970).
But, it has many problems.
6. 1. The Cross-Border U.S. Discovery vs. EU Data Protection
Conundrum
Conflicts of Law: Does the International Treaty Apply or the
National Law?
•U.S. approach: Aerospatiale Doctrine: Hague Evidence Convention
is optional and does not supersede FRCP.
Balancing of interests test in the name of international comity.
•EU approach: The Hague Evidence Convention applies;
letters of request.
7. 2. How are EU data privacy laws different than other laws
which restrict U.S. discovery?
Data Protection is a Human Right
(art. 8 Charter of Fundamental Rights of the European Union)
8. 3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
•Omnibus Law.
•Implemented into national laws by 27 Member States of
EU*, plus Iceland, Liechtenstein and Norway. (European
Economic Area, or EEA).
•Directive acts as a floor. Not uniformly implemented by
Member States.
* 28 Member States as of July 2013 with the
addition of Croatia
9. 3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
Definitions
•Personal Data
•Sensitive Data
•Data Subject
•Data Processing
•Data Controller
•Data Processor
•Consent
10. 3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
When does the Directive apply?
•The Controller’s establishment is in a Member State
And he processes personal data in the context of his establishment
Or
• The Controller uses equipment in a member state for the purpose of
processing personal data
11. 3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
Controller’s obligations and data subject’s rights
•Two separate situations: 1. processing 2. transfer outside of EEA
•Processing: legal basis for processing, notification of DPAs, notice
to data subject, data accuracy, data security, data
minimization, purpose limitation, right of access, rectification &
erasure and liability to data subject.
•Transfer outside of EEA: legal basis for transfer, notification of
DPAs
12. 3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
Processor’s obligations
Contract with controller:
•Will only process on instruction of controller
•Will provide adequate security
13. 3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
Legal basis for processing personal data (for discovery
purposes):
•Consent
•Legitimate interest of the controller, balanced against fundamental
rights of data subject
14. 3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
Legal basis for transferring personal data outside of EEA
(for discovery purposes)
•Adequate country
•Consent of the data subject
•Safe Harbor (U.S.)
•Standard Contractual Clauses
•BCRs (Binding Corporate Rules)
15. 4. How to reconcile cross-border discovery with the
directive?
•Article 29 WP 158 on pre-trial discovery for cross-border
litigation (2009)
•The Sedona Conference International Principles on
Discovery, Disclosure and Data Protection (2011)
•American Bar Resolution 103 (2012)
16. 5. The Proposed General Data Protection Regulation (GDPR)
The Directive no longer meets the challenges of
globalization and technological advances.
•Caveat: The GDPR does not cover data processing by Law Enforcement.
Subject of separate proposal, not covered here
18. 5. The Proposed General Data Protection Regulation (GDPR)
•1/25/2012: Commission proposals for a regulation and a directive
•1/10/2013: Presentation of the draft report by MEP Albrecht (LIBE Committee)
•1/23/2013: Internal Market Committee votes on its opinion
•2/20/2013: Industry Committee votes on its opinion
•2/21/2013: Employment Committee votes on its opinion
•3/19/2013: Legal Affairs Committee votes on its opinion
•3/20/2013: First discussion on amendments in the LIBE Committee
•5/6-7/2013: Second discussion on amendments in the Civil Liberties
Committee
•5/31/2013:The Irish Presidency of the Council of the EU released a draft
compromise text
•June 2013?:LIBE Committee votes on the negotiating mandate?
•Vote of LIBE Committee postponed until October 2013
Second half of 2013: Parliament-Council negotiations?
Beginning of 2014: LIBE Committee votes on text agreed text with
Council, then plenary vote (Parliament as a whole)?
Timeline
19. 5. The Proposed General Data Protection Regulation (GDPR)
Main Objectives
•Greater harmonization
•One-Stop-Shop
•Strengthening individual rights
•Greater accountability/Reducing administrative burden of data controllers
•Enforcing high level of protection for data transferred outside the EEA
•More effective enforcement of the rules
20. 5. The Proposed General Data Protection Regulation
(GDPR):
How will it affect cross-border discovery?
Page 20
Directive GDPR LIBE
amendments
Council
Instrument Directive Regulation Strongly
supports
Regulation
Some MS
prefer a
Directive
21. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 21
Directive GDPR LIBE
amendments
JURISDICTION
•Establish
ment of
controller
•Use of
equipment
•Establishment of
controller
•Offering goods or
services
to/monitoring of EU
residents
•Even free of
charge
22. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 22
Directive GDPR LIBE
amendments
Council
Personal
Data/Dat
a
Subjects
•Any
information
relating to an
identified/ide
ntifiable
natural
person
•Any information relating to
the data subject
•DS: Identified or
identifiable natural person in
particular by reference to an
identification number, location
data, online identifier or to
one or more factors specific to
the physical, physiological,
genetic, mental, economic,
cultural or social identity of
that person;
•Broadens definition to
include broad category
of unique identifiers
•Creates new categories
of “Pseudonymous
Data” and
“Anonymous Data”
- alludes to possibility of
lighter obligations for
pseudonymous data ex.
consent
•Introduces list
of rights&
obligations that
are excluded
for
pseudonymous
data: right of
access, right to
be forgotten,
etc…
23. 5. The Proposed General Data Protection Regulation (GDPR)
Page 23
Directive GDPR LIBE
amendments
Council
CONSENT
as basis for
processing
•Unambiguous,
freely given,
specific &
informed
•May be
withdrawn
•Freely given,
specific & informed
•May be withdrawn
•Explicit
•Restricted use in
employment context
•Consent is
cornerstone of EU
DP Law
•Additional
restrictions for
obtaining consent
•Reverts back
to
unambiguous
consent
•Relaxes
restrictions in
employment
context
24. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 24
Directive GDPR LIBE
amendments
Council
LEGITIMA
TE
INTEREST
as basis for
processing
•Legal basis
for processing
•Legal basis for
processing
•Notice to data
subject of type of
legitimate interest
and of right to
object
•Limited to
“exceptional
circumstances
•Lists specific
situations where
applicable
Extends list to:
•Fraud
prevention
•Anonymized/ps
eudonymized
data
•Direct
marketing
25. 5. The Proposed General Data Protection Regulation
(GDPR): How will it affect cross-border discovery?
Page 25
Directive GDPR LIBE
amend
ments
Council
LEGAL
OBLIGATION
as basis for
processing
Art.7 (c) Art. 6(3) clarifies:
Only EU or Member
State Law
Extends it as
legal basis to
processing of
sensitive data
26. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 26
Directive GDPR LIBE
amendments
Council
NOTICE •List of
obligatory
notice
requirements
(Article 10)
•Additional notice
requirements (Art.
14)
e.g. Which
legitimate interest
•Easily accessible
•Clear and plain
language
•Additional notice
requirements
•E.g. Specific
information about
the safeguards
used for transfer
of data outside of
EU
•Greatly
reduces list
of notice
requirements
27. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 27
,
Directive GDPR LIBE
amendm
ents
Council
Data Breach
Notification
by Data
Controllers
•No requirement
•Some MS ex.
Germany
•Obligatory
•To supervisory authority, within
24 hours
•To data subjects: w/o undue
delay, if likely to have adverse
effect
•To
supervisory
authority,
within 72
hours
•To supervisory
authority, within
72 hours,
ONLY if
significant breach
•Creates list of
exemptions
28. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 28
Directive GDPR LIBE
amendments
Data Breach
Notification
by Data
Processors
•No
requirement
•Some MS
•Notify controller
“immediately”
29. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 29
Directive GDPR LIBE
amend
ments
Council
Obligations
of Data
Controllers/P
rocessors
•DC: Duty to
notify DPA of
data processing
activities
•Data Protection
Impact
Assessments
(DPIA)
•Data Protection by
Design & by
Default
•Welcomed
as core
innovations
of the
reform
•DPIA only for Data
Controllers
•Exhaustive list of
processing activities
requiring DPIAs
•Limits application of
Data Protection by
Design and by Default
30. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 30
Directive GDPR LIBE
amendments
Obligations of
Data
Controllers&
Processors
•Documentation of
all data processing
activities
•Documentation
requirement coupled
with notice
requirement
31. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 31
Directive GDPR LIBE
amendments
Council
Obligations
of Data
Controllers&
Processors
re DPOs
•Some
Member
States
•Appoint Data
Protection
Officer >250
employees
•Appoint Data
Protection
Officer >500
data subjects
•Optional!
32. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 32
Directive GDPR LIBE
ame
ndm
ents
Council
Obligation
of Data
Processors
•Data Security
•Only process PD
as instructed by
Controller
Plus:
•If processes PD other
than instructed by
controller, considered
joint controller
•Consent of Controller
for sub-processing
none •No joint
controller
•No consent of
Controller for
sub-processing
33. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 33
Directive GDPR LIBE
amendments
Cross-
Border Data
Transfers
•Adequate
Countries
•Until amended,
replaced or
repealed by the
Commission
•Added
Adequate
Sectors
•Will only remain in
force for two years
after the GDPR takes
effect
•No Adequate
Sectors
34. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 34
Directive GDPR LIBE amendments
Cross-Border
Data
Transfers
•U.S. Safe
Harbor
•Until
amended,
replaced or
repealed by
the
Commission
•Will only remain in force
for two years after the
GDPR takes effect
35. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 35
Directive GDPR LIBE
amendments
Cross-Border
Data
Transfers
•Standard
Contractual
Clauses
•Prior
authorization in
some MS
•No prior
authorization
required
•Until amended,
replaced or
repealed by the
Commission
•Will only
remain in force
for two years
after the GDPR
takes effect
36. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 36
Directive GDPR LIBE
amendments
Cross-
Border
Data
Transfers
•Binding
Corporate
Rules (BCRs))
•Formally
recognized for
Controllers and
Processors
•Increase of
requirements
for approval
37. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 37
Direc
tive
GDPR LIBE amendments
Cross-Border
Data Transfers
•Recital 90
•Original Art.42 that
appeared in leaked
Regulation, disappeare
d in published GDPR
Addition of Article 43a)
•Access request from non-EU
authorities require prior
approval of DPA and
notification of data subjects
38. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 38
Dir
ecti
ve
GDPR LIBE amendments
Cross-Border
Data Transfers
•Legitimate Interest of Data
Controller /Processor
•Not for “frequent and
massive” transfers -44(h)
•Legitimate Interest:
•Limited to “exceptional
circumstances”
•Notice
•Publication of rationale
•Specific situations
39. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 39
Directive GDPR LIBE
amendments
Data
Protection
Authorities
(DPAs)
•Greater enforcement
powers
•Lead DPA system:
DPA of data
controller’s main
establishment (One-
Stop-Shop)
•Lead DPA’s role
watered down to
co-ordination
role with all
other involved
DPAs
40. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Page 40
Directive GDPR LIBE
amendments
Sanctions •Left to
implementation
by member
states.
•Tiered fine
system, up to 2%
of annual sales of
data
controller/processo
r
•More flexibility in
determining the
amount of fines,
with accountability
& cooperation of
data controllers as
criteria
41. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Other changes, less relevant for cross-border discovery
Page 41
•Right to be forgotten
•Right of data portability
•Prohibition against profiling
•European Data Protection Board (EDPB), formerly Article 29 WP
•Consistency mechanism
42. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
Practical tips
Page 42
•Keep up-to-date with GDPR
•Review: Notice forms, Consent forms, Privacy Policies, Data Controller
– Data Processor contracts
•Implement data breach notification readiness, where applicable
•Implement a data processing documentation system
•Data Protection (DP) by Design and DP by Default, where applicable
•Conduct DP Impact assessments, where applicable
•Minimize processing of Private Data (PD) and review in-country
•Pseudonymize/Anonymize PD whenever possible
•Secure PD adequately
43. 5. The Proposed General Data Protection Regulation (GDPR)
How will it affect cross-border discovery?
How will the NSA/PRISM leaks affect the GDPR and
Cross-Border Discovery?
To be followed…
Page 43