Data Considerations for Cross Border Collections

Dr. Tristan Jenkinson

Introduction

The difficulties and complexities that cross-border elements can add to a matter have an impact not just for the company involved, but typically also for their legal representatives and, if engaged, their electronic disclosure providers.

In this article, we discuss some of the practical steps that the above parties may want to consider when dealing with cross-border data collections for electronic disclosure, for example in the case of litigation, with particular regard to the implications of collecting data within the EU and the impact of the General Data Protection Regulation (GDPR).

Local Legal Counsel

When completing data collections outside of a “home” jurisdiction, parties involved would be well served by discussing the particulars of their matter with local legal counsel based in the relevant jurisdiction.

It is worth noting that while the GDPR – discussed further below – aims to reach a consistent approach to data privacy across the EU, there may be subtle differences between the views of local Data Protection Authorities (“DPA”), local counsel will best placed to advise on the subtleties of their jurisdiction. These subtleties may go further than typical data privacy laws and a local legal counsel would be able to flag up other issues such as for example, any relevant blocking statutes.

Outside of the EU, it can be even more important for parties to consult with local legal counsel to understand best practice as well as local laws and regulations. For example, in China there are strict state secret laws that need to be considered in advance of any data collection to ensure that a suitable methodology can be put into place – once again, assisted by local legal counsel to identify relevant issues.

GDPR Considerations

The GDPR considers involved parties to be either a data controller or a data processor. In a typical electronic disclosure case, the company which is responsible for the data that is ultimately being collected would be considered the data controller. Their legal representatives, typically considered to be acting as an agent of the company, would therefore also be considered to be a data controller. If engaged, an electronic disclosure provider would generally be considered to be a data processor in the eyes of the GDPR.

Again, local legal counsel can provide guidance with regard to the obligations of the company as a data controller, as well as other data privacy considerations. This may include issues such as if consent will be required, and what format that consent may need to take. They may also be able to assist in identifying any issues that the data processor may need to take on board, such as a requirement to process data onsite.

The company and their legal representatives acting as the data controller should also be aware that they may need to provide relevant custodians with a privacy notice, and may also need to complete a Data Privacy Impact Assessment (“DPIA”). More information about privacy notices and DPIAs can be obtained from the UK Information Commissioners Office (“ICO”);

Privacy Notices : https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/

Data Protection Impact Assessments : https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

Under the GDPR many organisations will have appointed a Data Protection Officer (“DPO”). If a company needs to collect data from an EU location, a DPO can be a valuable asset in planning the approach.

The Electronic Disclosure Provider

As discussed above, under the GDPR a third party performing data collection or processing will be considered to be a Data Processor. As such the company, and their legal representatives, will need to make sure that there is a formalised contract in place with the provider. As the Data Controller, the company is responsible for ensuring that the actions taken by the Data Processor are performed in a manner compliant with the GDPR. This means that they should seek ‘sufficient guarantees’ that the requirements of the GDPR will be met by their provider.

Under the GDPR, the company and their legal advisers, acting as Data Controllers, and the third party provider acting as a Data Processor are considered to be jointly liable for data breaches, should any occur. It is important therefore that companies can be sure that their provider has an understanding of the potential issues and that they take their data security seriously. Some points to consider would be if the provider has any certifications, such as ISO 27001, which require external audits to verify data security.

The company may also want to discuss with their provider, and with local counsel, if a transfer agreement (or similar) needs to be put into place to cover any data that is transferred. This is discussed further below.

Potential Workflows

One of the first considerations that should be made before determining a suitable workflow is identifying the likelihood that the data to be collected contains personal information. Most data privacy law, and the GDPR in particular is focussed on Personally Identifiable Information (“PII”). Therefore, if the Data Controller can be sure that the data to be collected contains no personal data, there may be fewer restrictions on that data. However, the company should document the process used and the basis for the decision, so that they can defend the assertion that no PII was collected. This may be another point where local counsel can provide invaluable guidance.

There are a number of “typical” workflows which could apply for a data collection, depending on the particular situation.

For example, if a case was being heard in the Courts of England and Wales, that is, therefore, the jurisdiction where the data needs to be disclosed at the end of the process. Assuming that there is potentially relevant data stored in a country outside of the UK, then the options could include;

  • That data could be collected, processed, and fully reviewed on site, with data only leaving a site for production to in line with the relevant proceedings after full onsite review has been completed.
  • The data could be collected and processed onsite, and then a specific set of keywords applied. If it is considered that this would sufficiently ensure that personal data should not be hit by that keyword set, then the data controller may take the view that this data could be transferred to the UK for review, where it could be prepared and uploaded to the review tool, and “deduplicated” against, and reviewed with, other data hosted there, prior to disclosure.
  • The data could be collected and the view taken that the sources are such that they should not contain personal information, and so can be transferred to the UK for processing, review, and disclosure.
  • The data could be collected on site, and left in a secure location onsite in evidence bags until a decision can be made with regard to further action.
  • A combination of the above.

It may be that some datasets can be considered as containing no personal data (or highly likely to contain no personal data) in which case it may be that those data sets can be treated in a workflow separate to those data sets which do contain personal data.

For example, if there is data from Document Management Systems that the Data Controller believes should contain only technical data and no personal information, it may be that this data can be considered separate to email data, which the Data Controller has ascertained will likely contain personal data.

Reducing Volume by Considering Overlap

Where there are multiple locations to collect data from, it is possible that there may be some data overlap between those locations. There is an advantage, therefore, to performing deduplication between the locations. Due to data privacy, however, it may not be possible to transfer the data from one location to another, and so deduplication is not straightforward.

There is a solution to the above scenario that could be considered. While the data itself cannot be transferred, it may be possible to share information about files and email which allow duplicates to be identified, so that they only need to be reviewed in one location.

To do this, it is possible to create a “digital footprint” of a file. This “digital footprint” is generated by a mathematical algorithm, or “hash”, such that copies of the same file will have the same “digital footprint”.  The likelihood of two different files having the same “digital footprint” is extremely unlikely[1].

This “digital footprint” is also a one-way calculation – you cannot rebuild the original file from the digital footprint. This means that these can then be shared, without sharing the information within the file itself.

By sharing the “hash” it is possible to identify files in one jurisdiction that are also found in others. In this way, the parties involved can identify in which location it makes most sense to review the data and can flag the other locations copies as duplicates. Because no data content is shared, there is no breach of data privacy laws.

Hardcopy Data

When considering cross border data, it can be easy to focus on the electronic data, and forget about hardcopy data, which may be just as important.

There is a common misconception that Data Privacy laws relate only to electronically stored data. This is not the case, the GDPR in particular applies to any hardcopy data which is stored in an organised way – for example in a series of notebooks, or within a filing system.

When considering hardcopy documents, companies should ensure that they are taking the same measures that they are for the equivalent electronic data.

Customs Considerations

When working with multi-jurisdictional matters, there is more to consider than just the data itself. Customs or similar functions could have a major impact. For example, if a provider is going to be processing data on site, how are they getting their equipment to the relevant address? In some jurisdictions equipment, servers, laptops or hard drives could be seized by customs, either on their way to location or often worse, when containing data which is being transferred out of the country.

This risk can be minimised by consideration beforehand to identify and plan for such scenarios. The risk can be further mitigated by ensuring that data on hard drives, as well as within servers, laptops etc. are fully encrypted, and, if transferring identified data out of the country, ensuring that a backup of this data exists – potentially leaving a copy of the data on site.

Data Transfer to Third Countries

Many multi-jurisdictional issues may be heard in the US courts. This means that ultimately, data is likely to be transferred to the US for purposes related to US disclosure, or for use in US proceedings.

If that data comes from the EU, then there are a number of considerations. This is because under EU Data Protection law, the US is considered to be a “Third Country”, meaning that the EU does not consider there to be adequate data protection in place.

With the transfer of data to the US (or any other “Third Country”), there are similar themes at play. Firstly, if a US company is transferring data from the EU to the US, then, as with other data transfers, they are best served consulting with legal counsel based in the UK. There are options regarding data transfer, but this can be a complex issue and companies should ensure that they have relevant local legal advice.

There are also GDPR considerations to take into account as the transfer could represent a breach of GDPR rules. As Data Processors are jointly liable in the event of such a breach, a third party provider may want to ensure that the relevant legal position has been confirmed (likely by local counsel) to ensure both they as Data Processors, and the Data Controller, have considered data subject rights.

In addition, under GDPR rules, a transfer of data could only be effectuated with written instruction from the Data Controller (as is the case with any processing instruction). This instruction would need to be from the Data Controller, e.g. the company whose data it is, or their legal representatives acting in their capacity as agent for the Data Controller.

Some of the methods that have been considered for the transfer of data to the US in an electronic disclosure matter have included Privacy Shield, Binding Corporate Rules, or Model Clauses.

These methods were designed for the movement of data within a company itself, not for use as a vehicle for the transfer of data related to electronic disclosure purposes.  The reason for this is that when the data is moved, the relevant privacy laws and protection are still attached to that file. This means that although the file may be moved within the company to the US, that file still cannot be provided to, or accessed by, third parties. Effectively the data should be considered as contained within a “data embassy” where the same rights and laws still apply from its original jurisdiction.   Producing documents from an environment protected by one of these vehicles effectively constitute a foreign transfer outside its consideration and thus would breach data privacy regulations.

Another approach may be to instruct a provider to transfer the data. As above, the same rights and data privacy laws would apply to that data once it has been transferred. Even if the transfer itself was not a breach as it was in line with Privacy Shield, Binding Corporate Rules or Model Clauses, the data would again be in a data embassy, meaning it would not be able to be accessed by or provided to third parties. If the transfer was, in fact, a breach, then the provider would potentially have an obligation to report this to the data controller, who would then be obligated to report it to the relevant Data Protection Authority within 72 hours.

A method that may be effective would be the use of transfer agreements. These should be drawn up with assistance from local legal counsel in the UK/EU, who would be able to advise if they would be an effective measure to cover the data transfer or not. As above, the provider would likely need to be assured that the relevant data privacy concerns had been addressed because of their liability in a breach situation. Transfer agreements can be used to reassure companies that data is adequately secure during transfer and storage. For instance, transfer agreements could set out the methodologies and security which must be put into place for the transfer of data to take place, and how that data must be treated when it is received.

Other Legal Obligations

Due to the implementation of GDPR, as well as the use of Privacy Shield, many multinational companies have updated terms and conditions or privacy statements on their websites and may have updated their contracts with their customers.

Such areas may contain additional legal obligations with regard to data privacy. For instance, there may be a statement that any data that is transferred under Privacy Shield shall be encrypted using a specified protocol. Companies, as well as their providers, should ensure that any additional obligations that they are under as part of statements made on their website, or agreements in contracts, are addressed when transferring data.

[1] For example, using Message Digest 5 (“MD5”) a popular hashing algorithm, the odds of two different files having the same MD5 hash is 1 in 2128 (which is very roughly 340 followed by 36 zeroes).