At Lumen Legal, we enjoy connecting with what we call legal visionaries. A visionary is someone in the legal field who is setting the pace, thinking creatively and pushing us all to do our best. This quarter, we spoke with Debbie Reynolds, who is an expert when it comes to data privacy and its impact on e-discovery. As a Director at EimerStahl Discovery Solutions in Chicago, this topic is a daily part of her life.
When most of us in the U.S. think about data privacy, what comes to mind? If you’re like most Americans, you think about data breaches at Target, Sony Pictures and the Department of Homeland Security. You worry about filing your taxes as quickly as possible so someone else doesn’t try to claim your IRS refund. Or you might consider signing up for a service like LifeLock if you believe changing your complex passwords every week isn’t enough to protect your identity. But according to Debbie, you usually don’t think about things like who knows what clubs you’re a member of or other social activity information. If you lived in one of the EU member states, you probably would, because most Europeans consider personal privacy a fundamental human right. And she explains the sobering reason why.
Debbie also explains how different it can be for a lawyer in the U.S. to obtain data from a person in the EU vs. in the U.S. In the EU, it all starts with the Global Data Protection Regulation (GDPR), which was adopted by the EU in April 2016 and began its two-year transition in May. Consent to use the data of a person in the EU has to be affirmatively given by the individual, and the person can consent to some things and not others. They also have the right to ask you what data you’re using and how. I can’t imagine Target asking me for permission to track what I’m buying from them.
And don’t mess with the GDPR. The penalty for misusing or mishandling private data could be as much as 5% of the company’s worldwide gross for a year. I was also surprised to see how quickly a company must deal with privacy breaches. If a company has a data breach, they have 72 hours to provide a notification. It took months for Target to tell me that my personal data had been compromised and what they were doing about it. Ultimately, I received a new Target credit card that requires a PIN to use it at their stores. As a result, I still shop at Target but I trust them less and know a data breach could happen again.
Debbie also shares how the UK’s decision to leave the EU created uncertainty around how differently the UK will treat data privacy compared with the EU. In the past, they had been in lock-step. We’ll see what the future holds.
Above all, Debbie stresses that companies that need data from EU persons or companies need to plan and allocate enough time to get the data. And they should also strongly consider hiring counsel in the region of interest to be sure they follow all rules. If you’d like to read her entire legal visionary profile, click here.