The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Developments after the LIBE Committee Vote of 10/21/2013

This is a new set of slides, adapted after the 10/21/2013 LIBE Committee vote on the proposed amendments to the Regulation. Quite a few of the original GDPR rules have changed so far.

Published in: Business, Technology
  • Belgium, Czech Republic, Denmark, Estonia, Hungary, Sweden, Slovenia and UK want Directive! HR Data Processing regulation left to national laws.
  • Further criteria and requirements for BCR approval process should be determined by the EDPB instead of the Commission

    1. 1. The EU Data Protection Reform's Impact on Cross-Border e-Discovery
    2. 2. MONIQUE ALTHEIM, Esq., CIPP/US, CIPP/E Monique Altheim, the managing partner of The Law Office of Monique Altheim, is a multilingual and multi-jurisdictional attorney, admitted to the New York Bar, as well as the Antwerp Bar in Belgium. Ms. Altheim advises clients on international e-discovery, international data transfers, and counsels them on privacy/data protection and social media law.
She is a Certified Information Privacy Professional (CIPP) in the US and the EU, and an active member of The Sedona Conference Working Group 6: International Electronic Information Management, Discovery and Disclosure. Monique Altheim runs a widely read blog, EDiscoveryMap.com and recently developed her own mobile information sharing App for iPhone/iPad and Android. Ms. Altheim is a regular contributor to international conferences on privacy and ediscovery.
    3. 3. 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum U.S. civil discovery obligations extend to ESI outside the U.S. •Rule 34 FRCP “possession, custody, or control” of ESI •Duty to preserve, legal hold •Duty to disclose (Rule 26, FRCP) •Sanctions for non-compliance
    4. 4. 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum Obstacles to discovery in the EU member states •Data Privacy Laws •Blocking Statutes •Bank Secrecy Laws •Labor Laws •Telecom Laws AND •U.S. style discovery in civil litigation is a common law tradition and is unknown in civil law countries
    5. 5. 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum Is there a treaty signed by both the U.S. and EU member states to resolve this conflict? Yes, The Hague Evidence Convention (1970). But, it has many problems.
    6. 6. 1. The Cross-Border U.S. Discovery vs. EU Data Protection Conundrum Conflicts of Law: Does the International Treaty Apply or the National Law? •U.S. approach: Aerospatiale Doctrine: Hague Evidence Convention is optional and does not supersede FRCP. Balancing of interests test in the name of international comity. •EU approach: The Hague Evidence Convention applies; letters of request.
    7. 7. 2. How are EU data privacy laws different than other laws which restrict U.S. discovery? Data Protection is a Human Right (art. 8 Charter of Fundamental Rights of the European Union)
    8. 8. 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC) •Omnibus Law. •Implemented into national laws by 28 Member States of EU, plus Iceland, Liechtenstein and Norway. (European Economic Area, or EEA). •Directive acts as a floor. Not uniformly implemented by Member States.
    9. 9. 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC) Definitions •Personal Data •Sensitive Data •Data Subject •Data Processing •Data Controller •Data Processor •Consent
    10. 10. 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC) When does the Directive apply? •The Controller’s establishment is in a Member State And he processes personal data in the context of his establishment’s activity Or • The Controller uses equipment in a member state for the purpose of processing personal data
    11. 11. 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC) Controller’s obligations and data subject’s rights •Two separate situations: 1. processing 2. transfer outside of EEA •Processing: legal basis for processing, notification of DPAs, notice to data subject, data accuracy, data security, data minimization, purpose limitation, right of access, rectification & erasure and liability to data subject. •Transfer outside of EEA: legal basis for transfer, notification of DPAs
    12. 12. 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC) Processor’s obligations Contract with controller: •Will only process on instruction of controller •Will provide adequate security
    13. 13. 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC) Legal basis for processing personal data (for discovery purposes): •Consent •Legitimate interest of the controller, balanced against fundamental rights of data subject
    14. 14. 3. Introduction to the EU Data Protection Directive (Directive 95/46/EC) Legal basis for transferring personal data outside of EEA (for discovery purposes) •Adequate country •Consent of the data subject •Safe Harbor (U.S.) •Standard Contractual Clauses •BCRs (Binding Corporate Rules)
    15. 15. 4. How to reconcile cross-border discovery with the directive? •Article 29 WP 158 on pre-trial discovery for cross-border litigation (2009) •The Sedona Conference International Principles on Discovery, Disclosure and Data Protection (2011) •American Bar Resolution 103 (2012)
    16. 16. 5. The Proposed General Data Protection Regulation (GDPR) The Directive no longer meets the challenges of globalization and technological advances. •Caveat: The GDPR does not cover data processing by Law Enforcement. Subject of separate proposal, not covered here
    17. 17. General Data Protection Regulation
    18. 18. 5. The Proposed General Data Protection Regulation (GDPR) Timeline •1/25/2012: Commission proposals for a regulation and a directive •1/10/2013: Presentation of the draft report by MEP Albrecht (LIBE Committee) •1/23/2013: Internal Market Committee votes on its opinion •2/20/2013: Industry Committee votes on its opinion •2/21/2013: Employment Committee votes on its opinion •3/19/2013: Legal Affairs Committee votes on its opinion •3/20/2013: First discussion on amendments in the LIBE Committee •5/6-7/2013: Second discussion on amendments in the Civil Liberties Committee •5/31/2013: The Irish Presidency of the Council of the EU released a draft compromise text •10/21/2013: Vote of LIBE Committee Draft Next: Council of Ministers agreement & Trilogue: LIBE Committee-Commission-Council negotiations If no agreement, Plenary Vote in EU Parliament in April 2014?
    19. 19. 5. The Proposed General Data Protection Regulation (GDPR) Main Objectives •Greater harmonization •One-Stop-Shop •Strengthening individual rights •Greater accountability/Reducing administrative burden of data controllers •Enforcing high level of protection for data transferred outside the EEA •More effective enforcement of the rules
    20. 20. 5. The Proposed General Data Protection Regulation (GDPR) Color Code Red: GDPR proposal that was abandoned or changed by the LIBE Committee Blue: Current draft, as voted by the LIBE Committee on 10/21/2013
    21. 21. 5. The Proposed General Data Protection Regulation (GDPR): How will it affect cross-border discovery? Directive GDPR Instrument Directive Regulation LIBE Council amendments Some MS prefer a Directive
    22. 22. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR JURISDICTION •Establishment of controller •Use of equipment LIBE amendments •Establishment of controller •Offering goods or services to/monitoring of EU residents •Even free of charge
    23. 23. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR Personal Data/Data Subjects LIBE amendments Council •Any information relating to an identified/identifiable natural person •Broadens definition of PD to include broad category of unique identifiers •Creates new categories of “Pseudonymous Data” and “Encrypted Data” and “Anonymous Data” •Introduces list of rights & obligations that are excluded for pseudonymous data: right of access, right to be forgotten, etc… •Any information relating to the data subject •DS: Identified or identifiable natural person in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; -lighter obligations for pseudonymous and encrypted data ex. consent
    24. 24. 5. The Proposed General Data Protection Regulation (GDPR) Directive CONSENT as basis for processing GDPR LIBE Council amendments •Unambiguous, freely given, specific & informed •May be withdrawn •Freely given, •Restricted use in employment context •Purpose limited specific & informed •May be withdrawn •Explicit •Restricted use in employment context •Reverts back to unambiguous consent •Relaxes restrictions in employment context
    25. 25. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR LEGITIMATE INTEREST as basis for processing LIBE Council amendments •Legal basis for processing •Limited to •Legal basis for processing •Notice to data subject of type of legitimate interest and of right to object “exceptional circumstances” •Lists specific situations where applicable •Must meet reasonable expectations of data subject •More flexibility for pseudonymized data Extends list to: •Fraud prevention •Anonymized/pseudonymized data •Direct marketing
    26. 26. 5. The Proposed General Data Protection Regulation (GDPR): How will it affect cross-border discovery? Directive GDPR LEGAL Art.7 (c) OBLIGATION as basis for processing Art. 6(3) clarifies: Only EU or Member State Law LIBE amendments Council same Extends it as legal basis to processing of sensitive data
    27. 27. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive NOTICE GDPR LIBE Council amendments •List of obligatory notice requirements (Article 10) •Additional notice requirements (Art. 14) e.g. Which legitimate interest •Easily accessible •Clear and plain language •Additional notice requirements •e.g. Specific information about the safeguards used for transfer of data outside of EU •Use of standardized icons •Greatly reduces list of notice requirements
    28. 28. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR LIBE Council amendments •No requirement •Some MS ex. Germany •Obligatory •To supervisory authority, within 24 hours •To data subjects: w/o undue delay, if likely to have adverse effect •To supervisory authority, within 72 hours •Without undue delay. Data Breach Notification by Data Controllers •To supervisory authority, within 72 hours, ONLY if significant breach •Creates list of exemptions
    29. 29. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR LIBE amendments Data Breach Notification by Data Processors •No requirement •Some MS •Notify controller “immediately”
    30. 30. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Obligations of Data Controllers/Processors GDPR LIBE amendments Council •DC: Duty to notify DPA of data processing activities •Data Protection Impact Assessments (DPIA) in high risk situations •Data Protection by Design & by Default •Welcomed as core innovations of the reform •DPIA only for Data Controllers •Exhaustive list of processing activities requiring DPIAs •Limits application of Data Protection by Design and by Default
    31. 31. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Obligations of Data Controllers & Processors GDPR LIBE amendments •Documentation of all data processing activities •Documentation requirement coupled with notice requirement
    32. 32. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR Obligations of Data Controllers & Processors re DPOs •Some Member States •Appoint Data Protection Officer >250 employees LIBE Council amendments •Appoint Data Protection Officer >5000 data subjects processed in 12 consecutive months. •Optional!
    33. 33. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Obligation of Data Processors •Data Security •Only process PD as instructed by Controller GDPR LIBE Council amendments Plus: •If processes PD other than instructed by controller, considered joint controller •Consent of Controller for sub-processing none •No joint controller •No consent of Controller for sub-processing
    34. 34. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Cross-Border Data Transfers GDPR LIBE amendments •Adequate Countries •Until amended, replaced or repealed by the Commission •Added Adequate Sectors •Will only remain in force for max. five years after the GDPR takes effect, unless amended, replaced or repealed by the Commission. •No Adequate Sectors
    35. 35. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Cross-Border Data Transfers •U.S. Safe Harbor GDPR LIBE amendments •Until amended, replaced or repealed by the Commission •Will only remain in force for max. five years after the GDPR takes effect, or until amended, replaced or repealed by the Commission.
    36. 36. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Cross-Border Data Transfers •Standard Contractual Clauses •Prior authorization in some MS GDPR LIBE amendments •No prior authorization required •Until amended, replaced or repealed by the Commission Sunset Clause: Standard Clauses authorized under Directive: REauthorization by DPA required within 2 yrs of Regulation coming into effect.
    37. 37. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Cross-Border Data Transfers GDPR LIBE amendments •Binding Corporate Rules (BCRs) •Formally recognized for Controllers and Processors •Sunset Clause: REauthorization by DPA required within 2 yrs of Regulation coming into effect of BCRs authorized under Directive. •Formally recognized for Controllers •Increase of requirements for approval •e.g. Privacy by Design
    38. 38. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR Cross-Border Data Transfers •Legitimate Interest of Data Controller /Processor •Not for “frequent and massive” transfers -44(h) LIBE amendments •Legitimate Interest of Data Controller /Processor: •NEW: European Data Protection Seal
    39. 39. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive GDPR Cross-Border Data Transfers •Recital 90 •Original Art.42 that appeared in leaked Regulation, disappeared in published GDPR LIBE amendments Addition of Article 43a) Access request from non-EU authorities require prior approval of DPA and notification of data subjects
    40. 40. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Data Protection Authorities (DPAs) GDPR LIBE amendments •Greater enforcement powers •Lead DPA system: DPA of data controller’s main establishment (One-Stop-Shop) •Lead DPA’s role watered down to co-ordination role with all other involved DPAs
    41. 41. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Directive Sanctions GDPR LIBE amendments •Left to implementation by member states. •Tiered fine system, up to 2% of annual sales of data controller/processor •Tiered fine system, up to 5% of annual sales of data controller/processor or 100 million euros •More flexibility in determining the amount of fines, with accountability & cooperation of data controllers as criteria •European Data Protection Seal exemptions
    42. 42. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Other changes, less relevant for cross-border discovery •Right of erasure •Right of data portability •Prohibition against profiling •European Data Protection Board (EDPB), formerly Article 29 WP •Consistency mechanism
    43. 43. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? Practical tips •Keep up-to-date with GDPR •Review: Notice forms, Consent forms, Privacy Policies, Data Controller – Data Processor contracts •Implement data breach notification readiness, where applicable •Implement a data processing documentation system •Data Protection (DP) by Design and DP by Default, where applicable •Conduct DP Impact assessments, where applicable •Minimize processing of Private Data (PD) and review in-country •Pseudonymize/Anonymize/Encrypt PD whenever possible •Secure PD adequately
    44. 44. 5. The Proposed General Data Protection Regulation (GDPR) How will it affect cross-border discovery? How will the NSA/PRISM leaks affect the GDPR and Cross-Border Discovery? To be followed…
    45. 45. Questions? monique@altheimlaw.com Follow me @Eudiscovery and @MoniqueAltheim
