Information Governance and Data Privacy: A World of Risk 2016 Northeast eDiscovery & IG Retreat Panel Introduction September 26, 2016
Information Governance and Data Privacy Data Privacy Laws The European Union Other Jurisdictions Effects on Information Governance Effects on Discovery Compliance
Introduction Realities of global enterprise information systems and infrastructure Obstacles to cross-border flow of business information that includes “personal information” and other specific types of data Jurisdiction-specific analyses of relevant legal considerations
Key Considerations Types of data subject to privacy protections Actions with data (including cross-border transfer) that may be limited or restricted due to data privacy laws Interactions with government regulators and data subjects
Data Privacy Laws in the European Union klgates.com
EU Data Protection Directive (Directive 95/46/EC) It regulates the “processing” of “personal data” in the EU in light of seven key principles. “Processing” can include any actions upon data, including collection, storage, alteration, use, disclosure, transfer, combination, or disposal. “Personal data” broadly includes any information relating to an identifiable person.
EU Data Protection Directive as Implemented by Member States Each EU nation adopted implementing legislation regarding the Directive. Accordingly, these countries vary in how they implement different aspects of the Directive. Data Protection Authorities (“DPAs”) in each country receive complaints and give advice to the government.
EU Data Protection Directive and Data Transfer The Directive generally prohibits transfer of “personal data” from the EU to countries outside the European Economic Area in the absence of adequate data protection safeguards. The European Commission has determined that the US does not maintain adequate data safeguards.
Accomplishing Data Transfer to a Country Found to Lack Adequate Safeguards Separate entities can enter into data transfer agreements incorporating model contract clauses regarding data protection. Transfers within a corporate entity can be accomplished pursuant to approved binding corporate rules. Data recipients were once able to comply with the EU-US Safe Harbor.
Safe Harbor No More: Schrems The roughly 4,400 US entities that relied on the EU-US Safe Harbor should seek alternate means of compliance for their data transfers from the EU. Alternative means of compliance with regard to data transfers to the US may soon draw greater scrutiny from DPAs. A new “EU-US Privacy Shield” has been unveiled.
The Road to Schrems
September 2013: Irish DPA receives (and refuses to hear) complaint.
October 2013: Irish High Court agrees to review inaction by DPA.
July 2014: Irish High Court asks the Court of Justice of the European Union (“CJEU”) for a preliminary ruling.
September 2015: Advocate General Yves Bot issues advisory opinion to the CJEU.
October 6, 2015: CJEU ruling.
Why Was Safe Harbor Invalidated? The CJEU found that the US government has access to personal information “without limitation.” The CJEU also found that EU citizens could not pursue legal remedies in the US to access and correct their personal information.
Alternative Compliance Options: Data Transfer Agreements These agreements must incorporate model contract clauses set forth by the European Commission. The agreements must describe the relevant data, its use and purposes, and relevant security measures. Relevant DPAs must be kept updated regarding the grounds for the data transfer.
Alternative Compliance Options: Binding Corporate Rules (“BCRs”) BCRs can address a wide range of data protection issues. BCRs must be approved by the relevant DPAs. BCRs are often time-consuming and costly to adopt and implement.
Alternative Compliance Options: Consents from Data Subjects Consents must be informed, explicit, and specific. Consents must be freely given and discretionary. Consents must be retractable at any time. Some consents may not be obtainable.
Ensuring Compliance Relating to Use of Personal Data Consents from the data subjects can support such use. Certain uses related to legal proceedings and the provision of legal advice are exempt from the restrictions on use of such data.
EU-US Privacy Shield: A New Option The European Commission has approved of a new “EU-US Privacy Shield,” and organizations are now able to register under this framework.
EU-US Privacy Shield: Broad Outline Heightened requirements on US companies that accept personal data from European data subjects Limitations and transparency requirements on US governmental access to personal data from European data subjects when necessary for law enforcement and national security purposes Redress options for European data subjects
EU Data Privacy: A Moving Target Agreement on General Data Protection Regulation is expected by early 2016, with the regulation likely coming into effect in 2018. The regulation will make more entities outside the EU subject to its data privacy law, make this law more consistent across the EU, bolster data subjects’ rights, require companies to appoint Data Protection Officers, and increase potential sanctions.
Data Privacy Laws in Other Jurisdictions
Data Privacy Laws in Russia “Personal data” is subject to Russian data privacy law, and its processing often requires notification of government authorities. There are certain exemptions to the data privacy law when the personal data (and its processing) relate to employment functions. “Personal data” is subject to a localization requirement.
Data Privacy Laws in China Personal information is subject to data privacy laws and restrictions on transfer. Collection, use, and transfer of personal information to the US must be preceded by consent from the relevant data subjects. Personal information collected by certain entities cannot be transferred outside of China.
Data Privacy Laws in Australia Personal information is subject to data privacy laws, although there are certain exceptions related to such information found in “employee records” within the scope of the individual’s employment. Prior to transfer of personal information, data subjects must be notified. Collection statements and privacy policies can help to provide such notifications.
Effects on Information Governance
Record Retention Issues Requirements differ across countries (and, often, among different jurisdictions within countries). Most retention requirements in the US define minimum retention periods. Some jurisdictions’ record retention requirements, informed by data privacy concerns, state maximum retention periods.
Data Security Requirements Data privacy laws in some jurisdictions require data security assurances and limitations on access to personal data. Data security standards must also meet other legal and contractual requirements.
Data Flows and Cross-Border Transfers Understanding the relevant data flows within an organization is a key first step. Certain types of data transfers (and particularly cross-border transfers) can require the organization to meet additional data privacy requirements under applicable laws.
Effects on Discovery Compliance
Changes to Discovery Response Processes “Processing” can include more than document processing, searching, and review. It can also include records preservation. Organizations should consider how to adapt certain discovery response processes to address data privacy requirements. For instance, should some screening or review to exclude personal data occur before transferring records from the EU to the US for discovery purposes?
Technological Support What technologies can assist in discovery response in a way that maintains compliance with applicable data privacy laws?
Differing Privilege Standards Privilege review is complicated by the potential applicability of different privilege standards across different jurisdictions.
Questions?