Cross-Border Data Privacy Views from Across the Pond

Monday, August 7, 2017

Will it ever be easy to navigate disparate global data privacy approaches and regulations?  Probably not – especially with the looming General Data Protection Regulation (GDPR) set to go live in 2018.  However, I walked away more hopeful and better informed following the ABA Cross-Border Institute in Munich at the end of July.  Conference discussion topics largely focused on the interplay and potential pitfalls between European Union (EU) data protection and U.S. discovery. We also had separate ‘break out’ sessions to discuss who brews the best beers: Belgians or Germans? Hard to decide, but we spent a fair amount of time collecting first-hand data.

Perhaps a brief reminder as to why the attitude towards data protection here in Europe is markedly different.

The significance of having a data privacy-related conference in Munich was not lost on the participants.  As explained in an enlightening article by Alvar and Trixy Freude, there remains a deep-seated uneasiness with personal data among Germans even today.  Given the abuses of surveillance during the Third Reich and under East Germany’s Ministry for State Security (the Stasi), many feel that a lack of vigilance on data security could be taken advantage of in the event of a change in government, as has happened in the past. [1]  What may seem like an EU fixation and a set of draconian data privacy regulations make sense for those who have lived through a very different set of experiences.

Those who cannot remember (or learn from) the past are condemned to repeat it.

It is no surprise, then, that the fundamental right to data protection is enshrined in the EU Charter of Fundamental Rights.  The European Parliament has always insisted on the need to strike a balance between economic growth, enhancing security and safeguarding human rights, including data protection and privacy. The focus on data protection has also increased over the past decades in order to give EU citizens better control of their data and ensuring that their privacy continues to be protected in the digital age[2].

For example, in 1990, the European Commission (EC) proposed the passing of the Privacy Directive[3] whose primary purpose was to standardise the data protection laws amongst the then twelve member states by controlling the use of personal data within the EC and between the EC and other countries. The Data Protection Directive was subsequently passed in 1995, only to be replaced by the GDPR in May 2018.

Multiple Experts – Multiple Views

It was especially instructive to speak to the attending data privacy counsels qualified in their respective countries; many of us humbly discussed that each country believes that their protection laws should prevail, even where events transpire outside of their borders. An example of this might be an Austrian citizen residing in the U.S. on a work visa: is this person in a ‘safe zone’ in which their data can be processed? Furthermore, suppose this person were subpoenaed to turn over relevant documents in a case, but their laptop is from Austria and full of personally identifiable and sensitive information. This is just one example of many conversations held and were some of the most energising I’ve had in this area.

Technology Impact – Clouding the Future of Data Privacy

I also had the privilege of participating in a panel entitled, ‘The Impact of the Cloud on Cross Border Discovery’ alongside industry peers. Apart from deliberating on a sensible, clear definition of what the cloud is, we discussed infrastructure (storage venue) issues and the high-risk scenarios in which data are synchronously scattered across several devices, some of which may be personal and not subject to company policies.

My preferred definition from the discussion separates the ‘cloud’ into two categories, each with a potential impact on data privacy and eDiscovery:

  1. Cloud computing involves the processing and calculation efforts of computers intangible to the consumer and delivered via the Internet. This is similar to the idea of clustered computing, whereby networked computers ‘share the work’, so to speak, except the service is being delivered over the larger Internet, not a localised network and is on-demand.
  2. Cloud storage is likely to be more familiar and can include platforms like Dropbox, Box and others. This is more like a repository for files that is synchronous with your devices and on-demand-accessible via the Internet. The tricky part is pinning down where those data actually lay at rest; they can be fragmented across different data centres in different jurisdictions, subject to comingling (note: I am not implying cross-contamination). The forthcoming ‘right to erasure’ and data portability requirements may prove difficult with this technology in mind.

Key Takeaways:

  • ‘Brexit’ means ‘Brexit’, but it also means something else – that hasn’t quite been sorted, nor was it our responsibility at the event! There was quite a U.K. contingent at the event and naturally, participants were curious as to whether ‘Brexit’ would impact its adoption of the GDPR. (Read my previous Blog posts on this topic “And Then There Were Twenty-Seven… Now What? Untangling Uncertainty in the UK Exit from the EU” and “No Quick “Brexit”)
  • Depending on how Brexit negotiations play out, the U.K. may be faced with an adequacy decision. If data transfer and protection terms can be ‘baked in’, then an adequacy decision may not be necessary. However, if the UK is considered a third-party transfer zone outside of the EU post-Brexit, there may be friction ahead. The Investigatory Powers Act was given Royal Ascent somewhat recently and is now live. Dubbed, The Snoopers’ Charter, this allows for mass, bulk collection of telecommunications and Internet data for national security purposes. However legitimate, this type of large scale collection and processing could arguably put the U.K. at risk of being an inadequate transfer zone, much like the U.S. [4]
  • Cloud technology is synchronous and enables people and companies to achieve more than ever, but the implementations carry data privacy concerns, particularly in light of the forthcoming GDPR. Until now, big cloud providers (roughly four main providers exist who then have smaller companies beneath them reselling those services) have been relatively tight-lipped about where their data are actually stored. Aspects of the GDPR may necessitate they divulge specifics relating to storage location and disposition of data. If you are in your company’s cloud storage environment and send files to ‘the bin’, and ‘delete forever’, who can guarantee that is truly gone? They are certainly not accessible or visible in any reasonable way, but how can one be certain they’re purged in the truest sense without infrastructure or procedure transparency?
  • Our innovations in computing technology, storage and collaboration have largely outpaced any attempts to legislate or otherwise protect these data. This may equalise as developers have ‘privacy by design’ in mind, but intangible borders and data protection laws certainly conflict with our current options.

Auf Wiedersehen

Corporations and their outside counsel are taking steps to ensure they comply with the forthcoming changes under the GDPR. Events like this demonstrate there is a willingness to understand and engage with experts in the overlapping areas of data privacy, information security, eDiscovery and law. The manic approach to GDPR is unlike anything we’ve seen in quite some time and are eerily reminiscent of the days of ‘Y2k’, for those who recall; everyone became an expert overnight, and surely had a solution to a problem they did not quite understand!

The experts who are truly equipped to advise and prepare are your counsel, technology providers and eDiscovery and risk management expert advisors with a rich history of data protection experience.

It’s quite difficult to predict, though I like to gaze into my crystal ball and make assertions every now and then: from May 2018 onward, the industry will likely see far fewer data coming to the U.S. where European residents are involved. There will be an uptick of in-country processing and review in places like Germany, The Republic of Ireland and the U.K remaining as an adequate area following Brexit dealings. Nobody wants to be the test case on the wrong side of the new proposed fines.

[1]Echos of History: Understanding German Data Protection. Alvar Freude and Trixy Freude. October 2016


[3] European Parliament and Council Directive 1995/46/EC, 1995 OJ (L 281) 31




Author: Timothy LaTulippe, EnCE, CCE, MiCFE, CCPA, DFCP

Tim LaTulippe is a Certified Forensic Examiner and a Senior Consultant with Advanced Discovery’s UK division. Timothy holds a variety of certifications including EnCE, CCE and CCPA, as well a BS in Computer and Digital Forensics and a Master of Science in Data Forensics Management (MSc (Hon)). He has assisted in complex investigations in both the public and private sectors, working with government agencies, Fortune 100 corporations and AM Law 100 firms to provide complete, correct analysis of incidents and issues, and specializes in complex investigations, data privacy, and information security.

Formerly a Senior Forensic Examiner with Digital Forensics, Inc., Timothy has served as an expert witness in a variety of State, Federal and military proceedings. His broad experience includes matters involving trade secret theft, medical malpractice, intellectual property theft, unfair business practice, fraud and internal investigations. Additionally, Timothy is the author of “Working Inside the Box: Real Life Example of GDS in a Forensic Examination,” which was published in The Journal of Digital Forensics Security & Law, and “The Need for Targeted Collections in a Diminished Economy.” He is a member of the Digital Forensics Certification Board, the International Association of Financial Crimes Investigators, the High Tech Crime Consortium, and the International Association of Computer Investigative Specialists.

More Posts

View all Posts


    Subscribe to receive our
    Experts’ Insights Blog feed.

  • Get in Touch