The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Developments after the LIBE Committee Vote of 10/21/2013

The EU Data Protection Reform's
Impact
on Cross-Border e-Discovery

MONIQUE ALTHEIM, Esq., CIPP/US, CIPP/E
Monique Altheim, the managing partner ofThe Law Office of Monique Altheim, is a
multilingual and multi-jurisdictional attorney, admitted to the New York Bar, as well as the
Antwerp Bar in Belgium.
Ms. Altheim advises clients on international e-discovery, international data transfers, and
counsels them on privacy/data protection and social media law. She is a Certified
Information Privacy Professional (CIPP) in the US and the EU, and an active member of
The Sedona Conference Working Group 6: International Electronic Information
Management, Discovery and Disclosure.
Monique Altheim runs a widely read blog, EDiscoveryMap.com and recently developed
her own mobile information sharing App for iPhone/iPad and Android.
Ms. Altheim is a regular contributor to international conferences on privacy and ediscovery.

1. The Cross-Border U.S. Discovery vs. EU Data Protection
Conundrum
U.S. civil discovery obligations extend to ESI outside the U.S
•Rule 34 FRCP “possession, custody , or control” of ESI
•Duty to preserve, legal hold
•Duty to disclose (Rule 26, FRCP)
•Sanctions for non-compliance

Conundrum
Obstacles to discovery in the EU member states
•Data Privacy Laws
•Blocking Statutes
•Bank Secrecy Laws
•Labor Laws
•Telecom Laws
AND
•U.S. style discovery in civil litigation is a common law tradition and is unknown
in civil law countries

Conundrum
Is there a treaty signed by both the U.S. and EU member states to
resolve this conflict?
Yes, The Hague Evidence Convention (1970).
But, it has many problems.

Conundrum
Conflicts of Law: Does the International Treaty Apply or the
National Law?
•U.S. approach: Aerospatiale Doctrine: Hague Evidence Convention
is optional and does not supersede FRCP.
Balancing of interests test in the name of international comity.

•EU approach: The Hague Evidence Convention applies;
letters of request.

2. How are EU data privacy laws different than other laws
which restrict U.S. discovery?

Data Protection is a Human Right
(art. 8 Charter of Fundamental Rights of the European Union)

3.Introduction to the EU Data Protection Directive
(Directive 95/46/EC)
•Omnibus Law.
•Implemented into national laws by 28 Member States of
EU, plus Iceland, Liechtenstein and Norway. (European
Economic Area, or EEA).
•Directive acts as a floor. Not uniformly implemented by
Member States.

Definitions
•Personal Data
•Sensitive Data
•Data Subject
•Data Processing
•Data Controller
•Data Processor
•Consent

When does the Directive apply?
•The Controller’s establishment is in a Member State
And he processes personal data in the context of his establishment’s activity
Or
• The Controller uses equipment in a member state for the purpose of
processing personal data

Controller’s obligations and data subject’s rights
•Two separate situations: 1. processing 2. transfer outside of EEA
•Processing: legal basis for processing, notification of DPAs, notice
to data subject, data accuracy, data security, data minimization,
purpose limitation, right of access, rectification & erasure and
liability to data subject.
•Transfer outside of EEA: legal basis for transfer, notification of
DPAs

Processor’s obligations
Contract with controller:
•Will only process on instruction of controller
•Will provide adequate security

Legal basis for processing personal data (for discovery
purposes):
•Consent
•Legitimate interest of the controller, balanced against fundamental
rights of data subject

Legal basis for transferring personal data outside of EEA
(for discovery purposes)
•Adequate country
•Consent of the data subject
•Safe Harbor (U.S.)
•Standard Contractual Clauses
•BCRs (Binding Corporate Rules)

4. How to reconcile cross-border discovery with the
directive?
•Article 29 WP 158 on pre-trial discovery for cross-border
litigation (2009)
•The Sedona Conference International Principles on
Discovery, Disclosure and Data Protection (2011)
•American Bar Resolution 103 (2012)

5. The Proposed General Data Protection Regulation (GDPR)

The Directive no longer meets the challenges of
globalization and technological advances.

•Caveat: The GDPR does not cover data processing by Law Enforcement.
Subject of separate proposal, not covered here

General Data Protection Regulation


Timeline

•1/25/2012: Commission proposals for a regulation and a directive
•1/10/2013: Presentation of the draft report by MEP Albrecht (LIBE Committee)
•1/23/2013: Internal Market Committee votes on its opinion
•2/20/2013: Industry Committee votes on its opinion
•2/21/2013: Employment Committee votes on its opinion
•3/19/2013: Legal Affairs Committee votes on its opinion
•3/20/2013: First discussion on amendments in the LIBE Committee
•5/6-7/2013: Second discussion on amendments in the Civil Liberties
Committee
•5/31/2013:The Irish Presidency of the Council of the EU released a draft
compromise text
•10/21/2013:Vote of LIBE Committee Draft
Next: Council of Ministers agreement &Trilogue: LIBE CommitteeCommission-Council negotiations
If no agreement, Plenary Vote in EU Parliament in April 2014?

Main Objectives
•Greater harmonization
•One-Stop-Shop
•Strengthening individual rights
•Greater accountability/Reducing administrative burden of data controllers
•Enforcing high level of protection for data transferred outside the EEA
•More effective enforcement of the rules

Color Code

Red: GDPR proposal that was abandoned or changed by the LIBE Committee
Blue: Current draft, as voted by the LIBE Committee on 10/21/2013

5. The Proposed General Data Protection Regulation
(GDPR):
How will it affect cross-border discovery?
Directive GDPR

Instrument Directive

Regulation

LIBE
Council
amendments
Some MS
prefer a
Directive

Page 21

Directive GDPR

JURISDICTION

•Establish
ment of
controller
•Use of
equipment

LIBE
amendments

•Establishment of
controller
•Offering goods or
services
to/monitoring of EU
residents

•Even free of
charge

Page 22

Directive GDPR

Personal
Data/Dat
a
Subjects

LIBE
amendments

Council

•Any
information
relating to an
identified/ide
ntifiable
natural
person

•Broadens definition of
PD to include broad
category of unique
identifiers
•Creates new categories
of “Pseudonymous
Data” and “Encrypted
Data” and
“Anonymous Data”

•Introduces list
of rights&
obligations that
are excluded
for
pseudonymous
data: right of
access, right to
be forgotten,
etc…

•Any information relating to
the data subject
•DS: Identified or
identifiable natural person in
particular by reference to an
identification number, location
data, online identifier or to
one or more factors specific to
the physical, physiological,
genetic, mental, economic,
cultural or social identity of
that person;

-lighter obligations for
pseudonymous and
encrypted data ex. consent

Page 23

Directive

CONSENT
as basis for
processing

GDPR

LIBE
Council
amendments

•Unambiguous,
freely given,
specific &
informed
•May be
withdrawn

•Freely given,

•Restricted use in
employment
context
•Purpose limited

specific & informed
•May be withdrawn
•Explicit
•Restricted use in
employment context

•Reverts back
to
unambiguous
consent
•Relaxes
restrictions in
employment
context

Page 24


Directive GDPR

LEGITIMA
TE
INTEREST
as basis for
processing

LIBE
Council
amendments

•Legal basis
for processing

•Limited to

•Legal basis for
processing
•Notice to data
subject of type of
legitimate interest
and of right to
object

“exceptional
circumstances
•Lists specific
situations where
applicable
•Must meet reasonable
expectations of data
subject
•More flexibility for
pseudonymized data

Extends list to:
•Fraud
prevention
•Anonymized/ps
eudonymized
data
•Direct
marketing

Page 25

5. The Proposed General Data Protection Regulation
(GDPR): How will it affect cross-border discovery?
Directive GDPR

LEGAL
Art.7 (c)
OBLIGATION
as basis for
processing

Art. 6(3) clarifies:
Only EU or Member
State Law

LIBE
amend
ments

Council

same

Extends it as
legal basis to
processing of
sensitive data

Page 26

Directive

NOTICE

GDPR

LIBE
Council
amendments

•List of
obligatory
notice
requirements
(Article 10)

•Additional notice
requirements (Art.
14)
e.g. Which
legitimate interest
•Easily accessible
•Clear and plain
language

•Additional notice
requirements
•e.g. Specific
information about
the safeguards
used for transfer
of data outside of
EU
•Use of
standardized icons

•Greatly
reduces list
of notice
requirements

Page 27

Directive

GDPR

LIBE
Council
amendm
ents

•No requirement
•Some MS ex.
Germany

•Obligatory
•To supervisory authority, within
24 hours
•To data subjects: w/o undue
delay, if likely to have adverse
effect

•To
supervisory
authority,
within 72
hours
•Without
undue delay.

,
Data Breach
Notification
by Data
Controllers

•To supervisory
authority, within
72 hours,
ONLY if
significant breach
•Creates list of
exemptions

Page 28

Directive

GDPR

LIBE
amendments

Data Breach •No
•Notify controller
Notification requirement “immediately”
by Data
•Some MS
Processors

Page 29

Directive

Obligations
of Data
Controllers/P
rocessors

GDPR

LIBE
amend
ments

Council

•DC: Duty to
notify DPA of
data processing
activities

•Data Protection
Impact
Assessments
(DPIA) in high risk
situations
•Data Protection by
Design & by
Default

•Welcomed
as core
innovations
of the
reform

•DPIA only for Data
Controllers
•Exhaustive list of
processing activities
requiring DPIAs
•Limits application of
Data Protection by
Design and by Default

Page 30

Directive

Obligations of
Data
Controllers&
Processors

GDPR

LIBE
amendments

•Documentation of
all data processing
activities

•Documentation
requirement coupled
with notice
requirement

Page 31

Directive GDPR

Obligations •Some
of Data
Member
Controllers& States
Processors
re DPOs

•Appoint Data
Protection
Officer >250
employees

LIBE
Council
amendments
•Appoint Data
Protection
Officer >5000
data subjects
processed in 12
consecutive
months.

•Optional!

Page 32


Directive

Obligation •Data Security
of Data
•Only process PD
Processors as instructed by
Controller

GDPR

LIBE Council
ame
ndm
ents

Plus:
•If processes PD other
than instructed by
controller, considered
joint controller
•Consent of Controller
for sub-processing

none

•No joint
controller
•No consent of
Controller for
sub-processing

Page 33

Directive

CrossBorder Data
Transfers

GDPR

LIBE
amendments

•Adequate
Countries

•Until amended,
replaced or
repealed by the
Commission
•Added
Adequate
Sectors

•Will only remain in
force for max. five
years after the GDPR
takes effect, unless
amended, replaced or
repealed by the
Commission.
•No Adequate
Sectors
Page 34

Directive

Cross-Border •U.S. Safe
Data
Harbor
Transfers

GDPR

LIBE amendments

•Until
amended,
replaced or
repealed by
the
Commission

•Will only remain in force
for max. five years after
the GDPR takes effect, or
until amended, replaced or
repealed by the
Commission.

Page 35

Directive

Cross-Border •Standard
Data
Contractual
Transfers
Clauses
•Prior
authorization in
some MS

GDPR

LIBE
amendments

•No prior authorization
required
•Until amended, replaced
or repealed by the
Commission

Sunset Clause:
Standard Clauses
authorized under
Directive: REauthorization by DPA
required within 2 yrs of
Regulation coming into
effect.

Page 36

Directive

Cross-Border
Data Transfers

GDPR

LIBE
amendments

•Binding Corporate
Rules (BCRs))

•Formally recognized for
Controllers and
Processors
•Sunset Clause: REauthorization by DPA
required within 2 yrs of
Regulation coming into
effect of BCRs
authorized under
Directive.

•Formally
recognized for
Controllers
•Increase of
requirements for
approval
•e.g. Privacy by
Design

Page 37

Dir GDPR
ecti
ve
Cross-Border
Data Transfers

•Legitimate Interest of Data
Controller /Processor
•Not for “frequent and
massive” transfers -44(h)

LIBE amendments

•Legitimate Interest of
Data Controller
/Processor:
•NEW: European Data
Protection Seal

Page 38

Direc GDPR
tive
Cross-Border
Data Transfers

•Recital 90
•Original Art.42 that
appeared in leaked
Regulation,
disappeared in
published GDPR

LIBE amendments

Addition of Article 43a)
Access request from non-EU
authorities require prior
approval of DPA and
notification of data subjects

Page 39

Directive

Data
Protection
Authorities
(DPAs)

GDPR

LIBE
amendments

•Greater enforcement
powers
•Lead DPA system:
DPA of data
controller’s main
establishment (OneStop-Shop)

•Lead DPA’s role
watered down to
co-ordination
role with all
other involved
DPAs

Page 40

Directive

Sanctions

GDPR

LIBE
amendments

•Left to
implementation
by member
states.

•Tiered fine
system, up to 2%
of annual sales of
data
controller/processo
r

•Tiered fine system, up to
5%of annual sales of data
controller/processor or or
100 million euros
•More flexibility in
determining the amount of
fines, with accountability &
cooperation of data
controllers as criteria
•European Data Protection
Seal exemptions

Page 41


Other changes, less relevant for cross-border discovery

•Right of erasure
•Right of data portability
•Prohibition against profiling
•European Data Protection Board (EDPB), formerly Article 29 WP
•Consistency mechanism

Page 42

Practical tips
•Keep up-to-date with GDPR
•Review: Notice forms, Consent forms, Privacy Policies, Data Controller
– Data Processor contracts
•Implement data breach notification readiness, where applicable
•Implement a data processing documentation system
•Data Protection (DP) by Design and DP by Default, where applicable
•Conduct DP Impact assessments, where applicable
•Minimize processing of Private Data (PD) and review in-country
•Pseudonymize/Anonymize/Encrypt PD whenever possible
•Secure PD adequately

Page 43


How will the NSA/PRISM leaks affect the GDPR and
Cross-Border Discovery?
To be followed…

Page 44

Questions?
monique@altheimlaw.com
Follow me
@Eudiscoveryand@MoniqueAltheim

The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Developments after the LIBE Committee Vote of 10/21/2013

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (16)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Developments after the LIBE Committee Vote of 10/21/2013

Ähnlich wie The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Developments after the LIBE Committee Vote of 10/21/2013 (20)

Mehr von AltheimPrivacy

Mehr von AltheimPrivacy (8)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Developments after the LIBE Committee Vote of 10/21/2013

Hinweis der Redaktion