The EU Data Protection Reform's Impact on Cross Border E-discovery; updated here:  http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
 

Check out this link for the latest version: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
The European Commission's proposal for a new General Data Protection Regulation (GDPR) represents the most significant global development in data protection law since Directive 95/46. It will considerably impact cross-border e-discovery in the EU.

  • Belgium, Czech Republic, Denmark, Estonia, Hungary, Sweden, Slovenia and UK want Directive! HR Data Processing regulation left to national laws.
  • Further criteria and requirements for BCR approval process should be determined by the EDPB instead of the Commission

Presentation Transcript

  • The EU Data Protection Reform's Impact on Cross-Border e-Discovery
  • MONIQUE ALTHEIM, Esq., CIPP/US, CIPP/E
    Monique Altheim, the managing partner of The Law Office of Monique Altheim, is a multilingual and multi-jurisdictional attorney, admitted to the New York Bar, as well as the Antwerp Bar in Belgium. Ms. Altheim advises clients on international e-discovery, international data transfers, and counsels them on privacy/data protection and social media law.
    She is a Certified Information Privacy Professional (CIPP) in the US and the EU, and an active member of The Sedona Conference Working Group 6: International Electronic Information Management, Discovery and Disclosure. Monique Altheim runs a widely read blog, EDiscoveryMap.com and recently developed her own mobile information sharing App for iPhone/iPad and Android. Ms. Altheim is a regular contributor to international conferences on privacy and e-discovery.
  • 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum
    U.S. civil discovery obligations extend to ESI outside the U.S.
    • Rule 34 FRCP “possession, custody, or control” of ESI
    • Duty to preserve, legal hold
    • Duty to disclose (Rule 26, FRCP)
    • Sanctions for non-compliance
  • 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum
    Obstacles to discovery in the EU member states
    • Data Privacy Laws
    • Blocking Statutes
    • Bank Secrecy Laws
    • Labor Laws
    • Telecom Laws
    AND
    • U.S. style discovery in civil litigation is a common law tradition and is unknown in civil law countries
  • 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum
    Is there a treaty signed by both the U.S. and EU member states to resolve this conflict? Yes, The Hague Evidence Convention (1970). But, it has many problems.
  • 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum
    Conflicts of Law: Does the International Treaty Apply or the National Law?
    • U.S. approach: Aerospatiale Doctrine: Hague Evidence Convention is optional and does not supersede FRCP. Balancing of interests test in the name of international comity.
    • EU approach: The Hague Evidence Convention applies; letters of request.
  • 2. How are EU data privacy laws different than other laws which restrict U.S. discovery?
    Data Protection is a Human Right (art. 8 Charter of Fundamental Rights of the European Union)
  • 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC)
    • Omnibus Law.
    • Implemented into national laws by 27 Member States of EU*, plus Iceland, Liechtenstein and Norway. (European Economic Area, or EEA).
    • Directive acts as a floor. Not uniformly implemented by Member States.
    * 28 Member States as of July 2013 with the addition of Croatia
  • 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC)
    Definitions
    • Personal Data
    • Sensitive Data
    • Data Subject
    • Data Processing
    • Data Controller
    • Data Processor
    • Consent
  • 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC)
    When does the Directive apply?
    • The Controller’s establishment is in a Member State
      And he processes personal data in the context of his establishment
    Or
    • The Controller uses equipment in a member state for the purpose of processing personal data
  • 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC)
    Controller’s obligations and data subject’s rights
    • Two separate situations: 1. processing 2. transfer outside of EEA
    • Processing: legal basis for processing, notification of DPAs, notice to data subject, data accuracy, data security, data minimization, purpose limitation, right of access, rectification & erasure and liability to data subject.
    • Transfer outside of EEA: legal basis for transfer, notification of DPAs
  • 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC)
    Processor’s obligations
    Contract with controller:
    • Will only process on instruction of controller
    • Will provide adequate security
  • 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC)
    Legal basis for processing personal data (for discovery purposes):
    • Consent
    • Legitimate interest of the controller, balanced against fundamental rights of data subject
  • 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC)
    Legal basis for transferring personal data outside of EEA (for discovery purposes)
    • Adequate country
    • Consent of the data subject
    • Safe Harbor (U.S.)
    • Standard Contractual Clauses
    • BCRs (Binding Corporate Rules)
  • 4. How to reconcile cross-border discovery with the directive?
    • Article 29 WP 158 on pre-trial discovery for cross-border litigation (2009)
    • The Sedona Conference International Principles on Discovery, Disclosure and Data Protection (2011)
    • American Bar Resolution 103 (2012)
  • 5. The Proposed General Data Protection Regulation (GDPR)
    The Directive no longer meets the challenges of globalization and technological advances.
    • Caveat: The GDPR does not cover data processing by Law Enforcement. Subject of separate proposal, not covered here
  • General Data Protection Regulation
  • 5. The Proposed General Data Protection Regulation (GDPR)
    Timeline
    • 1/25/2012: Commission proposals for a regulation and a directive
    • 1/10/2013: Presentation of the draft report by MEP Albrecht (LIBE Committee)
    • 1/23/2013: Internal Market Committee votes on its opinion
    • 2/20/2013: Industry Committee votes on its opinion
    • 2/21/2013: Employment Committee votes on its opinion
    • 3/19/2013: Legal Affairs Committee votes on its opinion
    • 3/20/2013: First discussion on amendments in the LIBE Committee
    • 5/6-7/2013: Second discussion on amendments in the Civil Liberties Committee
    • 5/31/2013: The Irish Presidency of the Council of the EU released a draft compromise text
    • June 2013?: LIBE Committee votes on the negotiating mandate?
    • Vote of LIBE Committee postponed until October 2013
    • Second half of 2013: Parliament-Council negotiations?
    • Beginning of 2014: LIBE Committee votes on text agreed with Council, then plenary vote (Parliament as a whole)?
  • 5. The Proposed General Data Protection Regulation (GDPR)
    Main Objectives
    • Greater harmonization
    • One-Stop-Shop
    • Strengthening individual rights
    • Greater accountability/Reducing administrative burden of data controllers
    • Enforcing high level of protection for data transferred outside the EEA
    • More effective enforcement of the rules
  • 5. The Proposed General Data Protection Regulation (GDPR): How will it affect cross-border discovery?
    Table row: Instrument (columns: Directive, GDPR, LIBE amendments, Council)
    • Directive
    • Regulation
    • Strongly supports Regulation
    • Some MS prefer a Directive
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: JURISDICTION (columns: Directive, GDPR, LIBE amendments)
    • Establishment of controller
    • Use of equipment
    • Establishment of controller
    • Offering goods or services to/monitoring of EU residents
    • Even free of charge
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Personal Data/Data Subjects (columns: Directive, GDPR, LIBE amendments, Council)
    • Any information relating to an identified/identifiable natural person
    • Any information relating to the data subject
    • DS: Identified or identifiable natural person in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
    • Broadens definition to include broad category of unique identifiers
    • Creates new categories of “Pseudonymous Data” and “Anonymous Data” - alludes to possibility of lighter obligations for pseudonymous data ex. consent
    • Introduces list of rights & obligations that are excluded for pseudonymous data: right of access, right to be forgotten, etc…
  • 5. The Proposed General Data Protection Regulation (GDPR)
    Table row: CONSENT as basis for processing (columns: Directive, GDPR, LIBE amendments, Council)
    • Unambiguous, freely given, specific & informed
    • May be withdrawn
    • Freely given, specific & informed
    • May be withdrawn
    • Explicit
    • Restricted use in employment context
    • Consent is cornerstone of EU DP Law
    • Additional restrictions for obtaining consent
    • Reverts back to unambiguous consent
    • Relaxes restrictions in employment context
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: LEGITIMATE INTEREST as basis for processing (columns: Directive, GDPR, LIBE amendments, Council)
    • Legal basis for processing
    • Legal basis for processing
    • Notice to data subject of type of legitimate interest and of right to object
    • Limited to “exceptional circumstances”
    • Lists specific situations where applicable
    Extends list to:
    • Fraud prevention
    • Anonymized/pseudonymized data
    • Direct marketing
  • 5. The Proposed General Data Protection Regulation (GDPR): How will it affect cross-border discovery?
    Table row: LEGAL OBLIGATION as basis for processing (columns: Directive, GDPR, LIBE amendments, Council)
    • Art. 7(c)
    • Art. 6(3) clarifies: Only EU or Member State Law
    • Extends it as legal basis to processing of sensitive data
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: NOTICE (columns: Directive, GDPR, LIBE amendments, Council)
    • List of obligatory notice requirements (Article 10)
    • Additional notice requirements (Art. 14) e.g. Which legitimate interest
    • Easily accessible
    • Clear and plain language
    • Additional notice requirements
    • E.g. Specific information about the safeguards used for transfer of data outside of EU
    • Greatly reduces list of notice requirements
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Data Breach Notification by Data Controllers (columns: Directive, GDPR, LIBE amendments, Council)
    • No requirement
    • Some MS ex. Germany
    • Obligatory
    • To supervisory authority, within 24 hours
    • To data subjects: w/o undue delay, if likely to have adverse effect
    • To supervisory authority, within 72 hours
    • To supervisory authority, within 72 hours, ONLY if significant breach
    • Creates list of exemptions
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Data Breach Notification by Data Processors (columns: Directive, GDPR, LIBE amendments)
    • No requirement
    • Some MS
    • Notify controller “immediately”
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Obligations of Data Controllers/Processors (columns: Directive, GDPR, LIBE amendments, Council)
    • DC: Duty to notify DPA of data processing activities
    • Data Protection Impact Assessments (DPIA)
    • Data Protection by Design & by Default
    • Welcomed as core innovations of the reform
    • DPIA only for Data Controllers
    • Exhaustive list of processing activities requiring DPIAs
    • Limits application of Data Protection by Design and by Default
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Obligations of Data Controllers & Processors (columns: Directive, GDPR, LIBE amendments)
    • Documentation of all data processing activities
    • Documentation requirement coupled with notice requirement
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Obligations of Data Controllers & Processors re DPOs (columns: Directive, GDPR, LIBE amendments, Council)
    • Some Member States
    • Appoint Data Protection Officer >250 employees
    • Appoint Data Protection Officer >500 data subjects
    • Optional!
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Obligation of Data Processors (columns: Directive, GDPR, LIBE amendments, Council)
    • Data Security
    • Only process PD as instructed by Controller
    Plus:
    • If processes PD other than instructed by controller, considered joint controller
    • Consent of Controller for sub-processing
    none
    • No joint controller
    • No consent of Controller for sub-processing
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Cross-Border Data Transfers (columns: Directive, GDPR, LIBE amendments)
    • Adequate Countries
    • Until amended, replaced or repealed by the Commission
    • Added Adequate Sectors
    • Will only remain in force for two years after the GDPR takes effect
    • No Adequate Sectors
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Cross-Border Data Transfers (columns: Directive, GDPR, LIBE amendments)
    • U.S. Safe Harbor
    • Until amended, replaced or repealed by the Commission
    • Will only remain in force for two years after the GDPR takes effect
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Cross-Border Data Transfers (columns: Directive, GDPR, LIBE amendments)
    • Standard Contractual Clauses
    • Prior authorization in some MS
    • No prior authorization required
    • Until amended, replaced or repealed by the Commission
    • Will only remain in force for two years after the GDPR takes effect
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Cross-Border Data Transfers (columns: Directive, GDPR, LIBE amendments)
    • Binding Corporate Rules (BCRs)
    • Formally recognized for Controllers and Processors
    • Increase of requirements for approval
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Cross-Border Data Transfers (columns: Directive, GDPR, LIBE amendments)
    • Recital 90
    • Original Art. 42 that appeared in leaked Regulation, disappeared in published GDPR
    Addition of Article 43a)
    • Access request from non-EU authorities require prior approval of DPA and notification of data subjects
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Cross-Border Data Transfers (columns: Directive, GDPR, LIBE amendments)
    • Legitimate Interest of Data Controller/Processor
    • Not for “frequent and massive” transfers - 44(h)
    • Legitimate Interest:
    • Limited to “exceptional circumstances”
    • Notice
    • Publication of rationale
    • Specific situations
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Data Protection Authorities (DPAs) (columns: Directive, GDPR, LIBE amendments)
    • Greater enforcement powers
    • Lead DPA system: DPA of data controller’s main establishment (One-Stop-Shop)
    • Lead DPA’s role watered down to co-ordination role with all other involved DPAs
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Table row: Sanctions (columns: Directive, GDPR, LIBE amendments)
    • Left to implementation by member states.
    • Tiered fine system, up to 2% of annual sales of data controller/processor
    • More flexibility in determining the amount of fines, with accountability & cooperation of data controllers as criteria
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Other changes, less relevant for cross-border discovery
    • Right to be forgotten
    • Right of data portability
    • Prohibition against profiling
    • European Data Protection Board (EDPB), formerly Article 29 WP
    • Consistency mechanism
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    Practical tips
    • Keep up-to-date with GDPR
    • Review: Notice forms, Consent forms, Privacy Policies, Data Controller – Data Processor contracts
    • Implement data breach notification readiness, where applicable
    • Implement a data processing documentation system
    • Data Protection (DP) by Design and DP by Default, where applicable
    • Conduct DP Impact assessments, where applicable
    • Minimize processing of Private Data (PD) and review in-country
    • Pseudonymize/Anonymize PD whenever possible
    • Secure PD adequately
  • 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery?
    How will the NSA/PRISM leaks affect the GDPR and Cross-Border Discovery? To be followed…
  • Questions? monique@altheimlaw.com
    Follow me @Eudiscovery and @MoniqueAltheim