2018 continued a trend of significant vendor consolidation in the e-discovery and information governance space, return to form in delaying the time to answer the complaint and in triggering other discovery options after a motion to dismiss is filed under the Northern District of Illinois’ Discovery Pilot Program and a growing conversation around BYOE (Bring Your Own Email) versus BYOD (Bring Your Own Device). However, the most significant events of 2018 involved the implementation and enactment of the General Data Protection Regulation (“GDPR”) by the EU; passage of the US Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”), mooting Microsoft’s challenge to the extraterritorial application of the Stored Communications Act in the Supreme Court; and the continued grappling by US courts and litigants on how to apply the 2015 Amendments to the Federal Rules of Civil Procedure.

Each of these three seminal topics was discussed in Mayer Brown’s Electronic Discovery & Information Governance Practice Tips of the Month series in 2018 and are recapped below. We begin with the enactment of GDPR in May 2018 and the initial investigations and fines issued. Next, we move to the CLOUD Act and its implications on cross-border seizure of data. Finally, we discuss the renewed focus on proportionality and further consideration of defensible disposition as a consequence of changes to Rule 37(e) as part of the 2015 Amendments.

GDPR Comes to Life. In 2019 individual EU member states will continue to flex GDPR muscle as they will likely go after larger and more well-known companies. Below is a look back at GDPR actions and fines in 2018 since the regulation took effect on May 25, 2018:

  • In July, Portugal's Commissao Nacional de Proteccao de Dados (“NCPD”) hit a hospital with a 400,000 Euro fine for allowing employees indiscriminate access to patient data.
  • In September, the UK's regulator, the Information Commissioner's Office (“ICO”), accused AggregateIQ, a Canada-based company, of using names, email addresses, and other personal data to target UK individuals with political advertising messages on social media. The ICO ordered the company to erase any UK individuals’ personal data retained on its servers.
  • In October, Austria's Osterreichische Datenschutzbehorde (“DPA”) issued a 4,800 Euro fine to a retail company that used a surveillance camera that captured too much of the sidewalk. The DPA cited that the retailer lacked the GDPR's required notice and transparency.
  • In November, France's CNIL found that Vectuary, a mobile ad network, illegally obtained the consent of more than 67 million people. CNIL ordered the company to change its consent practices and purge all data collected on the basis of the invalid consent obtained.
  • Later in November, Germany's Data Protection and Freedom of Information Baden-Wuettemberg (“LfDI”) issued a fine of 20,000 Euros after a data breach at a social media company, in which a hacker stole and published passwords.

SCA and the CLOUD Act. Courts continue to be faced with questions regarding whether certain communications are properly within the realm of the Stored Communications Act (the “SCA”) and just what constitutes being retained “for backup protection.” The biggest development in this area was the passage of the CLOUD Act, which the Supreme Court found mooted Microsoft’s challenge to the extraterritorial application of the SCA. The overall impact of the CLOUD Act remains to be seen, but, for SCA purposes, it is now clear that the government can obtain data stored overseas in certain circumstances.1

Court’s Application of 2015 Federal Rule Amendments. The courts’ continued application of the amended rules in 2018 consumed much of the year in e-discovery. Two areas of continued focus were Rules 26(b)(1) (proportionality) and 37(e)(spoliation sanctions).

  • Focus on Proportionality. The 2015 Amendments to the Federal Rules of Civil Procedure noted that in some cases discovery of relevant information may not be proportional to the needs of the case, which refocused attention on the role of proportionality in discovery. Since December 2015, many courts have sought to apply the proportionality factors to determinations of the appropriate scope of discovery in the particular case at issue. Under Amended Rule 26(b)(1), the scope of discovery is limited to documents and information that are both relevant to the claims and defenses in the specific matter and proportional to the needs of the case. The responsibility to ensure that discovery is proportional to the needs of the case is on all parties and the court. However, in recent practice, much of the effort to establish that certain discovery is disproportionate falls on the responding party or the judge, as requesting parties too often shoot for the moon. While in some cases the court can determine that specific requests are facially disproportionate, in other instances, the court looks to the producing party to demonstrate with specificity why specific requests are not proportional to the needs to the case. In these situations, most responding parties (including third parties) attempt to argue undue burden and/or cost. In such cases, the producing party needs to offer more than just boilerplate objections and instead provide actual costs and/or realistic estimates. In addition, there are certain types of discovery that are generally not proportional without a showing of a deficiency in the producing party’s production, such as (1) discovery-on-discovery, (2) unfettered direct access to the responding party’s ESI and (3) requests for searches of all company databases when the case involves only a narrow issue or specific set of custodians. In 2019 and beyond, parties need to be aware of attempts to improperly expand the scope of discovery and the need to educate the court on the specific burden the producing party faces.2
  • Changing World of Spoliation Sanctions Under Amended Rule 37(e). Overall Rule 37(e) appears to have had its intended impact in terms of lessening the threat of or use of spoliation motions as a tactical weapon in the context of civil litigation. Courts are finally focusing on the predicates to the Rule that require, before sanctions/curative measures can be imposed, that (i) there was a loss of ESI, (ii) the ESI is relevant and proportional to the claims and defenses, (iii) the party in question failed to take reasonable steps to preserve the ESI and (iv) the ESI could not be replaced from other sources. We have seen that courts are increasingly inventive in their use of “curative measures” short of “severe” sanctions. One important outstanding question is whether courts can, or should, apply the Rule 37(e) approach to spoliation of tangible things and/or hard copy documents.3 This more reasoned approach to Rule 37(e) sanctions has led to many companies considering resuming on-the-books but not strictly enforced document retention policies and seeking defensible means of disposing unneeded data.