The European Union’s widely anticipated General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Designed to provide EU citizens with better control over their personal data, this comprehensive reform of data protection in the EU has far-reaching implications. But how and to what extent will this new regulation affect electronic discovery in U.S.-based civil litigation? Organizations subject to the GDPR should think critically about what specific steps to take when handling personal data before, during and after litigation.
Before Litigation: Focus on Information and Organizational Governance
Before litigation ensues, you should understand everything you can about your organization’s data. Conducting data inventories and mapping allows you to identify potential information governance issues, such as what types of data your organization handles, where that data exists within your systems, and how information generally flows within your organization.
It is also imperative to assess your organization. Do you have a Data Protection Officer? Are you currently subject to the U.S.-EU Privacy Shield? Does your organization have binding corporate rules (BCRs), model contractual clauses or other adequate transfer safeguards in place? The GDPR changes the existing data transfer mechanisms available to organizations subject to it, and the applicability of these mechanisms may depend on the answers to these questions.
For an in-depth analysis of preparing for GDPR compliance, see our previous client alert on connecting information governance and the GDPR.
During Litigation: Identify and Manage Risk
Does the GDPR apply?
Once you are facing litigation – or the threat of litigation – you should first determine whether the GDPR applies. It is important to highlight that an organization cannot avoid application of the GDPR because it operates outside the EU. Territorially, the GDPR applies to the processing of EU citizens’ personal data when that processing relates to (1) the offering of goods or services to EU citizens or (2) the monitoring of EU citizens’ behavior within the EU. The GDPR defines “processing” broadly as any operation that is performed on personal data and specifically includes activities such as the collection, use, disclosure by transmission, and dissemination of or otherwise making available personal data. Thus, the activities undertaken to preserve, collect, process, analyze and produce personal data during litigation all constitute “processing” under the GDPR.
You should also determine whether the litigation implicates “personal data” under the GDPR, defined as “any information relating to an identified or identifiable natural person (‘data subject’).” This includes examples such as name, identification number, location data, online identifiers, or factors that are specific to a data subject’s physical, physiological, genetic, mental, economic, cultural or social identity.
The GDPR also governs the movement of data across borders pursuant to U.S. discovery obligations. The GDPR applies to “[a]ny transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization.”
Handling Personal Data
Once you have determined that the GDPR applies, your immediate goal should be to identify and minimize the scope of relevant personal data preserved under a legal hold. In parallel, you should also investigate whether you are able to secure relevant evidence through alternative means, such as interrogatories and/or deposition testimony.
It is also prudent to include explicit requirements regarding the handling and protection of personal data within a joint ESI protocol. The protocol should state that personal data preserved, collected, produced or otherwise processed should be the minimum necessary for the purposes of the litigation. Furthermore, any personal data should be processed lawfully, fairly and in a transparent manner; collected and used only for the specified, explicit and legitimate purposes of the litigation; handled in a manner that ensures appropriate technical and organizational security of the personal data; and deleted if and as soon as determined to be unnecessary for the litigation.
Beware of Custodial Consent
Practitioners should beware of issues pertaining to custodial consent. It will be much harder to obtain valid consent from data subjects under the GDPR, which requires that consent be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” (Recital 32). In other words, data subjects must be given an informed and meaningful opportunity to consent and also to withdraw that consent at any time. As such, practitioners should not pursue consent-by-default or mass opt-out consent strategies for multiple data subjects in litigation. Caution should also be afforded in circumstances involving power imbalances, such as when an employer is seeking to obtain consent from employees, because it is questionable whether any consent in those circumstances can be freely given.
Moreover, when discovery obligations under U.S. law and the protection of personal data under the GDPR conflict, a custodian may refuse to comply with U.S. law and not give consent. It might be possible in this scenario to redact the personal data from this custodian’s documents, but this approach is often not feasible when, for example, the redactions needed would be too numerous or unduly burdensome to complete, or the data subject is an important custodian in the litigation. It is not yet clear how and to what extent U.S. courts will handle this tension, but you should be aware that it exists. There might be room to argue that a custodian’s refusal to consent to the processing of their personal data for U.S. litigation purposes and the monetary threat of violations under the GDPR are factors that should be considered when weighing proportionality under amended FRCP 26(b), specifically “whether the burden or expense of the proposed discovery outweighs its likely benefit.”
Anticipate Data Subjects’ Rights
The GDPR affords several new and/or expanded rights to data subjects regarding their personal data, including with respect to ongoing litigation. Data subjects can exercise any (and as many) of the following rights at any point during the identification, preservation, collection, analysis or production efforts during litigation.
- Request: The right to request confirmation as to whether personal data is being processed, the categories of personal data being processed, where the personal data is located, the purposes of processing, and the recipients or categories of recipients to whom the personal data has been or will be disclosed.
- Reach: The right to obtain access to the personal data held about the data subject.
- Receive: The right to receive personal data about the data subject in a machine-readable format (also known as “data portability”).
- Rectify: The right to request that incorrect, inaccurate or incomplete personal data be corrected.
- Restrict: The right to request the restriction of the processing of personal data.
- Remove: The right to request that personal data be erased when no longer needed or if processing is unlawful (also known as the “right to be forgotten”).
It is important for organizations to anticipate these rights and to know the location of personal data within the document universe subject to litigation. Counsel must be able to swiftly isolate and carefully handle this data as needed to comply with any and all of the data subjects’ rights under the GDPR.
After Litigation: Follow-Through Is Critical
Litigants have an affirmative obligation to continue to take appropriate measures for the handling of personal data even upon the conclusion of litigation. You must determine how soon after litigation is over or a settlement has been reached to take further action on personal data being preserved subject to a legal hold. This should be done on a case-by-case basis, but as soon as defensibly possible. Once the data is released from being on hold, you should identify whether there are any regulatory and/or business reasons for continuing to preserve the personal data and, if not, take all necessary steps to either return or destroy the data quickly, fully and securely, in compliance with the GDPR.