Privacy & Cross-Border Data Transfers Got You in a Quandary?

Abdeslam Afras

Jun 08 2016

Have you found yourself in a quandary these days, trying to sort through the whirlwind of debates on privacy laws in Europe and data transfers to the U.S.? I know many of our digital discovery clients are searching for a better understanding and advice on how to manage all of this. So I am excited to host the Cross-Border Quandary Tour: When Data Transfers Collide with Data Privacy this month in London, Amsterdam and Frankfurt.

I recently chatted with a few of the amazing panelists on our Quandary Tour. In this blog post, please enjoy a sneak peek from a few of our expert panelists including U.S. Judge Andrew Peck who, along with our moderator Chris Dale of the eDisclosure Information Project, will speak in all three cities.

Jonathan Armstrong, a partner at Cordery sees more internal and regulatory investigations and more data processing challenges these days.

Data subjects – individual employees – are exercising their data protection rights more frequently. For example, in a corruption investigation, some have asserted that their privacy rights will be violated if their sensitive, personal data is sent to U.S. headquarters or remotely collected by U.S. compliance teams during an investigation. This causes delays that can often mean the suspected employee stays on the payroll longer, putting off getting sacked and hurting their reputation, according to Jonathan.

“You just have to be smarter when conducting investigations because data subjects are getting smarter,” says Armstrong. Conducting investigations onsite in Europe, and sending the U.S. Department of Justice or the Securities Exchange Commission (SEC) filtered, smaller data sets is a good strategy if you can gain agreement with the regulators.

Jonathan adds that the Privacy Shield, the proposed replacement for the invalidated Safe Harbor data transfer agreement for U.S. companies, faces real challenges, mostly based on continued U.S. government surveillance concerns.

Georg Kirsch, Sr. Patent Litigation Counsel at Bayer IP GmbH says we will have to wait for the new General Data Protection Regulations (GDPR) to be tested in initial cases. Also, so far, companies continue to use EU model clauses with service providers for cross-border data transfers, as the Privacy Shield continues to get pummeled.

Georg emphasized that a lot of the recent discussions have the biggest impact on Internet companies whose businesses revolve around massive data processing and transfers. Many other industries aren’t as impacted. So much depends on the facts of the legal activity. In intellectual property (IP) disputes, for example, Bayer purposefully tries to avoid dealing with personal data. In IP “it’s all about the technical issues.” There isn’t a ton of personal data nvolved. Any data that goes to their U.S. lawyers is always filtered to be responsive to the issues in the case.

Georg sees advantages in the common law legal cultures in Canada, the UK and South Africa where parties’ information exchanges are balanced and proportionate. Litigants share very small, targeted data sets based on a “list of particulars” to save time and money and expand the data set as needed. Georg, who finds himself in U.S. courts more often, also commented that improvements are needed in U.S. laws to prevent third parties from getting leaked information from a plaintiff or defendant that ends up partially influencing the public via news stories.

With all the technical challenges in managing massive volumes of information, Mark Hoekstra,Head of Advisory Services at Grant Thornton in the Netherlands, says the European mainland legal world is getting the idea that use of e-discovery technology is the way to go. Though European law enforcement works in the old fashion way – seizing whatever they need – European firms with a U.S. mother company are rapidly adopting e-discovery technology to find and sort data before sharing it with regulators or litigants, according to Mark. Bankruptcy trustees that must interrogate enormous amounts of asset data are another group starting to employ the search-and- sort technology found in e-discovery solutions.

Mark sees big changes in the mainland legal culture – “The party that has their information management act together and the technology to quickly find the right information in fast, thorough investigations has an advantage.” The other side may still be fumbling through partial email chains, while the company with technology quickly gets the right data in the right context for strategy development and successful outcomes.

“The real world is so connected that it makes things incredibly complicated,” according to U.S. Magistrate Judge Andrew J. Peck, the first judge anywhere to approve the use of technology assisted review (TAR). Earlier this year, British Master Matthews extensively quoted Judge Peck’s Da Silva Moore ruling in another first – the first approval of TAR by a UK court.

Judge Peck is glad to see the use of predictive coding, also known as TAR, is advancing not only in U.S. but also in closely related common law countries in Europe. “There’s just too much data to be reviewed the old way without breaking the bank. As of now, TAR seems to be the most advanced analytical tool available,” says Judge Peck. He also reminds litigants that TAR does not replace human review – the idea is to use TAR to get to a smaller data set for eyes-on lawyer review, where much of the expense lies.

Judge Peck sees another topic to be explored at the Quandary Tour panels – the extraterritorial reach of U.S. courts – as “an incredibly difficult area.” In his view, early U.S. case law does not help much as it was a reaction to French Blocking statutes rather than privacy laws. Peck sees the U.S. notion that it is only fair that where companies do business in the U.S., parties should have access to data to seek justice in U.S. courts, although that may collide with the EU fundamental right to privacy.

According to the Judge there is a silver lining in all of this – the recent explosive debates concerning cross-Atlantic data transfers has raised U.S. judges’ awareness that the EU right to privacy is a fundamental right in the EU Charter, similar to the fundamental rights so highly valued in the U.S. Bill of Rights.

There’s still time to join us in London, Amsterdam or Frankfurt to delve further into these thorny issues with this learned panel. Be my guest, and register today!

Contact us today to learn more about our products and our
approach to improving how you collect, analyze and use data.
Tell Me More