How EU Privacy Impacts the U.S.

Debbie Reynolds, renowned as a global thought-leader and advisor for handling electronic evidence in high-stakes litigation, spoke to us about privacy and e-discovery in the European Union (EU) and how that affects the U.S. Reynolds is the Director of EimerStahl Discovery Solutions LLC, an affiliate of Eimer Stahl LLP.

Privacy in the EU

According to Reynolds, personal data privacy protections are stricter in the EU for several reasons: the U.S. has no single federal personal data privacy law (individual states may have different laws), and U.S. privacy protections are often tied to the type of data rather than to the individual person, as they are in the EU. “In the EU, personal privacy is considered a fundamental human right. This stems from World War II and Nazi Germany. Europe wanted to safeguard citizens against the days when life or death decisions were made about people based on personally identifiable or private information,” Reynolds says.

Individuals in the EU often consider certain types of information private that a U.S. citizen might not think of in the same way. Reynolds gives club memberships and other social activity information as an example. “In the U.S., we think of things like Social Security numbers and banking information as being private information,” she says, “but people in the EU often think of personal privacy in much broader terms.”

This affects U.S. corporate litigation because different rules apply when an attorney needs to obtain data from a person in the EU. This is especially critical in light of the General Data Protection Regulation (GDPR), which was adopted by the EU in April of 2016 and began its two-year transition period in May of 2016.

“Consent to use data of a person in the EU has to be affirmatively given by the individual, and you may need to get consent from the actual individual in addition to the corporation. Consent is also revocable and granular—meaning the individual can consent to some things but not others. People have the right to know what data you’re using and how. And, when you’re finished with the data, it must be deleted or returned,” Reynolds says. Because this is so different from the way that consent works in the U.S., she stresses the importance of developing mechanisms whereby U.S. lawyers and technology people can better manage the frailty of consent if persons in the EU want to inspect their data or revoke consent entirely during a litigation process.

The GDPR

The scope of the GDPR “is very broad and impacts any company in the world that provides goods or services to anyone in the EU,” Reynolds says. The penalty for “misusing or mishandling” EU personal or private data “could be as much as 4% of the company’s worldwide gross for a year.” Though the regulation passed in 2016, the penalty and enforcement phase does not go into full effect until May 2018.

The challenge of complying with the GDPR is that “most technology used in litigation is not currently designed to comply” with its new rules. “Typically, in U.S. litigation, there are few technology workflows in place if someone were to revoke consent during discovery or if a person wants to see the data you are using about them during the course of a legal matter.” Though the GDPR penalty phase is 18 months away, that is a relatively short period for the legal industry to rethink how to approach the impact of EU privacy issues in U.S. litigation. “This looming and far-reaching GDPR regulation may impact a corporation’s bottom line significantly if it doesn’t comply with it.”

Reynolds points out some changes to the way that companies must deal with privacy because of the GDPR. “One example is that if a company has a data breach, they have 72 hours to provide a notification.” Reynolds says that many corporations may not yet be prepared to react so quickly—but “they have to be able to address the speed of data breach notifications to comply with the GDPR,” she says.

“One interesting thing that’s happening because of the GDPR is that an EU individual’s right to privacy can move beyond their own territorial borders,” Reynolds says. She cites a recent “right to be forgotten” case in France, where an individual wanted information they deemed private to be deleted from the internet—not just in France, but worldwide. These changes give rise to a new challenge: “Figuring out the best way to comply with these kinds of regulations and creating technology and workflows that enable corporations to react to these types of situations or requests.”

The EU’s reasoning behind the GDPR was “to create a one-stop set of rules that would harmonize the privacy laws across the EU member states and put privacy right into the hands of the individual,” Reynolds says, “but some EU member states also have their own rules that differ and must be adhered to as well.” For example, she says that France and Germany both have blocking statutes that can create “additional complications for U.S. litigants seeking discovery data in those countries,” including potential judicial involvement to request targeted discovery data from individuals in EU member states. “The GDPR applies throughout the EU, but if you’re doing litigation that impacts a certain country, you may also be subject to additional rules from that EU member state.”

Brexit and privacy

Reynolds says that when the UK voted to leave the EU, it created uncertainty about how the UK’s treatment of data privacy might diverge from the EU’s. “Up to this point, the UK and the EU have been in lock-step.”

At the time of Brexit, the U.S. and the EU were in the process of making an agreement to replace the Safe Harbor Framework with the EU-U.S. Privacy Shield Framework, which was approved in 2016. “The approval of the EU-U.S. Privacy Shield in 2016 came on the heels of the Brexit vote and helped ease some of the uncertainty felt by U.S. companies dealing with the now defunct EU-U.S. Safe Harbor Framework, which was invalidated in late 2015. The Privacy Shield was a replacement for the Safe Harbor to establish a protocol by which EU-U.S. data transfers provided adequate privacy protection and judicial redress for persons in the EU if their data is used in the U.S.,” Reynolds says. “There was uncertainty not only about Brexit’s impact on commerce, but how it would impact litigation. It remains to be seen how a post-Brexit UK might differ from the EU on personal data privacy going forward.”

Don’t wait

EU privacy rules, regulations, and differences add up to one important piece of advice from Reynolds: “Don’t wait until the last minute to develop your plan.”

She says that it just takes longer to get data from EU persons or companies than from businesses or custodians in the U.S. “It takes more lawyer time. It will take more negotiation. You will need a different workflow to get consent and obtain the data you need. You will probably get less data since the individual can decide how granular or targeted the data exchange will be. Be ready and able to comply with the transparency requirements on data use, and know you will need to delete their data or return the data at the end of litigation.” She recommends that litigators contact the data authority in the region where they’re working and says it may be a good idea to hire counsel or get advice from lawyers in those regions, as well.

Once you have your bases covered on the legal side, discuss the issues with a tech expert: “A lot of the challenges in complying with these laws come from technology not being made to behave in the ways that have been prescribed by these privacy rules and regulations.” She predicts that software developers are already hard at work to address these new challenges, but stresses that it’s important to have an alternative plan developed in the meantime. “Talk through what’s possible with your current technology and find out what you can do differently with your litigation workflow to comply with the EU privacy issues in U.S. litigation.”
