Monday, August 7, 2017
Will it ever be easy to navigate disparate global data privacy approaches and regulations? Probably not – especially with the looming General Data Protection Regulation (GDPR) set to go live in 2018. However, I walked away more hopeful and better informed following the ABA Cross-Border Institute in Munich at the end of July. Conference discussion topics largely focused on the interplay and potential pitfalls between European Union (EU) data protection and U.S. discovery. We also had separate ‘break out’ sessions to discuss who brews the best beers: Belgians or Germans? Hard to decide, but we spent a fair amount of time collecting first-hand data.
Perhaps a brief reminder as to why the attitude towards data protection here in Europe is markedly different.
The significance of having a data privacy-related conference in Munich was not lost on the participants. As explained in an enlightening article by Alvar and Trixy Freude, there remains a deep-seated uneasiness with personal data among Germans even today. Given the abuses of surveillance during the Third Reich and under East Germany’s Ministry for State Security (the Stasi), many feel that a lack of vigilance on data security could be taken advantage of in the event of a change in government, as has happened in the past.  What may seem like an EU fixation and a set of draconian data privacy regulations make sense for those who have lived through a very different set of experiences.
Those who cannot remember (or learn from) the past are condemned to repeat it.
It is no surprise, then, that the fundamental right to data protection is enshrined in the EU Charter of Fundamental Rights. The European Parliament has always insisted on the need to strike a balance between economic growth, enhancing security and safeguarding human rights, including data protection and privacy. The focus on data protection has also increased over the past decades in order to give EU citizens better control of their data and ensuring that their privacy continues to be protected in the digital age.
For example, in 1990, the European Commission (EC) proposed the passing of the Privacy Directive whose primary purpose was to standardise the data protection laws amongst the then twelve member states by controlling the use of personal data within the EC and between the EC and other countries. The Data Protection Directive was subsequently passed in 1995, only to be replaced by the GDPR in May 2018.
Multiple Experts – Multiple Views
It was especially instructive to speak to the attending data privacy counsels qualified in their respective countries; many of us humbly discussed that each country believes that their protection laws should prevail, even where events transpire outside of their borders. An example of this might be an Austrian citizen residing in the U.S. on a work visa: is this person in a ‘safe zone’ in which their data can be processed? Furthermore, suppose this person were subpoenaed to turn over relevant documents in a case, but their laptop is from Austria and full of personally identifiable and sensitive information. This is just one example of many conversations held and were some of the most energising I’ve had in this area.
Technology Impact – Clouding the Future of Data Privacy
I also had the privilege of participating in a panel entitled, ‘The Impact of the Cloud on Cross Border Discovery’ alongside industry peers. Apart from deliberating on a sensible, clear definition of what the cloud is, we discussed infrastructure (storage venue) issues and the high-risk scenarios in which data are synchronously scattered across several devices, some of which may be personal and not subject to company policies.
My preferred definition from the discussion separates the ‘cloud’ into two categories, each with a potential impact on data privacy and eDiscovery:
Corporations and their outside counsel are taking steps to ensure they comply with the forthcoming changes under the GDPR. Events like this demonstrate there is a willingness to understand and engage with experts in the overlapping areas of data privacy, information security, eDiscovery and law. The manic approach to GDPR is unlike anything we’ve seen in quite some time and are eerily reminiscent of the days of ‘Y2k’, for those who recall; everyone became an expert overnight, and surely had a solution to a problem they did not quite understand!
The experts who are truly equipped to advise and prepare are your counsel, technology providers and eDiscovery and risk management expert advisors with a rich history of data protection experience.
It’s quite difficult to predict, though I like to gaze into my crystal ball and make assertions every now and then: from May 2018 onward, the industry will likely see far fewer data coming to the U.S. where European residents are involved. There will be an uptick of in-country processing and review in places like Germany, The Republic of Ireland and the U.K remaining as an adequate area following Brexit dealings. Nobody wants to be the test case on the wrong side of the new proposed fines.
Echos of History: Understanding German Data Protection. Alvar Freude and Trixy Freude. October 2016
 European Parliament and Council Directive 1995/46/EC, 1995 OJ (L 281) 31