All posts in International Ediscovery

Japan and China: New Data Protection and Transfer Laws Imminent in Asia Pacific

Ediscovery in China

Kate Chan, APAC ediscovery

Kate Chan, KrolLDiscovery, Legaltech News

Editor’s note: this article originally appeared in Legaltech News.

The global ediscovery community is abuzz about data protection. 2018 will usher in new data protection and transfer laws in the European Union (EU), but many ediscovery professionals are less informed about similar changes in Asia that have recently taken effect.

Japan: Land of the Rising Sun

Japan’s Act on the Protection of Personal Information (APPI) stands as one of Asia’s oldest data protection laws and has remained unchanged since it went into effect in the early 2000s. The decision to enact Japanese amendments to the APPI was most likely influenced by three factors: a significant increase in the volume of data being created, a rise in data breaches and illegal sale of private information and a pressure to update policies in light of the EU’s work on the General Data Protection Regulation (GDPR).

A word of warning: The APPI amendments went into full effect on May 30, 2017 and Japanese authorities expect companies to make immediate changes. Below are some key provisions of the APPI amendments in Japan.

1. Creation of the Personal Information Protection Commission: The amended APPI went into partial effect in 2016, creating the Personal Information Protection Commission (PPC) as a central, independent regulatory authority with enforcement powers.

2. Two new classifications: Two information classifications will determine whether data can be transferred and if the owner of that information can give consent to its transfer: sensitive information and anonymized information. Sensitive information (information about a person’s race, creed, social status, medical records, criminal history, etc.) receives enhanced regulatory protection, with the person’s content required before such data can be transmitted. Anonymized information (personal information where there is no possibility of identifying the person) can be transmitted with restrictions but without the express consent of the individual.

3. “Opt-in” is now “opt-out”: The current rules require the user’s permission before personal data can be transferred. Under the amendments, companies can share data without permission if they disclose certain information to the user beforehand, such as the nature and purpose of the personal data being provided, and the way the data is being provided. The company transferring the information must also give the user the option to opt out of the transfer before it occurs. Businesses must disclose to the PPC if they will continue to default to an “opt-out” policy, or change the process transferring information to a third party. The PPC will make these changes known to the public.

4. International data transfer policy: For the first time, the APPI will address international information sharing. Any company transferring personal records outside Japan’s borders will need the user’s permission and opting out will not be an option unless the foreign jurisdiction has similar privacy standards.

5. Sanctions for noncompliance: The PPC is enacting a two-tiered criminal penalty measure into the APPI and its guidelines. A negligent violation will bring about an enforcement notice ordering the company to either correct the issue or halt data transfer operations. Failure to comply may result in imprisonment up to six months or a fine up to JPY 300,000. Intentionally stealing or providing personal information for a dishonest purpose may result in a direct penalty of up to one year in prison or a fine up to JPY 500,000.

China: The Red Dragon

In early June 2017, the People’s Republic of China is implemented its controversial Cybersecurity Law. The government is becoming more involved with data protection and strengthening enforcement. Up until now, its current rules have not been clearly defined or regularly enforced, so it is important to keep up with developments or risk getting caught off guard.

Unlike Japan’s focus on protecting data, China turns its attention to the network operators managing data. Below are some key facets to its new policy.

1. Data stored in mainland China: The new law insists that Chinese citizens’ “personal information” and “important data” be stored on servers within its borders. Any companies claiming an exception that is “truly necessary” must undergo a security assessment before information can be released. This will affect the majority of foreign companies that operate in China; in particular, those that use their global infrastructure and IT resources to operate their business in China, as the original data collected, including business data and customer data, within China will typically be stored directly in the data centers or servers physically located overseas. For example, many global companies are still using email servers located outside China for their China operations.

2. Law applies to network product and service providers: The majority of the new law’s provisions apply to “Critical Information Infrastructure Operators” (CIIO) possessing data critical to China’s security. Industries predominantly targeted in this new definition include financial, transportation, health care, utilities and telecommunications.

3. Stronger data protection provisions: Supplementing existing data privacy guidelines in China, network operators must first obtain their clients’ consent before collecting and disclosing personal information, including the reason for the disclosure, and take measures to ensure the security of personal information. Companies need to ensure that an appropriate framework is established for collecting and using data, demonstrating that any data collected has a proper purpose and that its use can be explained in detail. Companies should also ensure appropriate security and protection measures are in place to safeguard the data as well as incident response procedures for responding and reporting any breach.

4. Security examinations: All network providers must pass a “network security examination.” This includes specific requirements that network operators must follow when purchasing new network systems.

5. Severe consequences for noncompliance: While specific penalties are unknown at this time, cancellation of a business license is part of the current regulations. Additionally, the new regulations require CIIO’s to establish violation reporting mechanisms, suggesting that China is taking the new law very seriously.

In instances where there are concerns with removing data from China, or the company premises themselves, a mobile solution may be the answer. Over the past couple of years, mobile technology has become incredibly powerful, facilitating processing, filtering and analysis onsite. Onsite mobile solutions can also be used in tandem with traditional processing by acting as a cost-effective method of segregating and filtering out personal information, sensitive company data or privileged documents early on and prevent unwanted disclosure. When conducting ediscovery or internal investigations in China, companies must review and clear any state secrecy or data privacy concerns, and redact sensitive information prior to sharing it out of the country. This, in turn, reduces the risks and costs associated with over-collection by culling irrelevant data and focusing on what is relevant or responsive.

As legal and technology professionals in law firms and corporations prepare for the data protection implications of the EU GDPR, do not disregard important changes afoot in Asia. Most importantly, seek guidance from local, in-country experts, prepared to help you collect, host and transport data in investigations, litigation or regulatory matters around the world.

Spring Digest: Everything You Need to Know (so far!) in 2017

Ediscovery has been busy this year. We’re only five months in and we’ve already seen developments in predictive coding, proportionality standards and ediscovery practices around the world.

Before you head off on your summer vacation, take a minute to refresh yourself on some of the hottest topics in ediscovery so far this year.

Proportionality is Key

One of the most significant amendments to the Federal Rules of Civil Procedure back in 2015 was a new requirement for discovery to be “proportional to the needs of the case.” Today, counsel must ensure that their discovery requests are specific and add value to their case in relation to the accompanying expense.

Australia Gets in the Predictive Coding Game

First the United States, then Ireland and England, and now Australia. Predictive coding (also known as TAR) continues to spread around the world as courts encourage parties to consider technology to discover and inspect documents.

Using Cellebrite in Mobile Phone Investigations

You need not be a computer wizard to appreciate the volumes of relevant data housed on the mobile device in your hand. The standards and technology for extracting mobile device data are still progressing, variable and slightly confusing. KrolLDiscovery’s Jason Bergerson answers common questions around specific technology and processes in mobile phone investigations.

Ediscovery Around the World

Throughout this year, KrolLDiscovery will be diving deep into ediscovery practices around the world. We hope you’ll join us as we explore data collection, privacy, proportionality and production practices in the Americas, EMEA and APAC. So far, we’ve stopped in Australia, Ireland, Canada, the U.K. and Germany to discuss some ediscovery trends in each locale.

Be sure to sign up for updates from The Ediscovery Blog to stay on top of everything ediscovery.

Germany: The Hub of European Ediscovery Technik

Guten Tag!

From information about predictive coding in Australia and Ireland to cooperation in Canada and data protection in the UK, KrolLDiscovery is your international ediscovery resource.

The next stop on our ediscovery world tour is Germany. As a leader in technology exports and the world’s fourth-largest economy, legal technology, privacy, security and data protection practices are a well-known and vital part of Germany’s business culture.

LITIGATION AND ENFORCEMENT IN GERMANY

Germany’s central location in the European Union and expertise in technology make it an attractive location for international business. As such, it is no surprise that international disputes and exacting governmental regulation are also a regular part of German business activities. Specifically, when it comes to litigation, German law firms are commonly managing cross-border disputes, often involving jurisdictions such as the United Kingdom and the United States where ediscovery is required in civil cases. Further, Germany’s position as a prominent global economic force means that many companies’ planned mergers will be large enough to attract the attention of the European Commission and be subject to a merger control investigation. Lastly, Germany’s own independent competition authority, the Bundeskartellamt, is one of the most active in Europe and has a reputation for its meticulous and demanding approach to investigations. For German companies facing investigations, regulatory scrutiny or cross-border litigation, ediscovery technology provides a lifeline in meeting requests for volumes of business documents.

WHAT MAKES GERMAN EDISCOVERY PRACTICES UNIQUE

What is unique about these cases is the way German lawyers are using ediscovery technology. German lawyers not only use ediscovery technology to search and analyze data to discover material facts or produce large amount of data to regulators in a short period of time. They also need the technology to redact personally identifiable information in accordance with Germany’s strict data protection laws. Data protection in Germany is primarily regulated by the Bundesdatenschutzgesetz (BDSG), which implements the European Union’s Data Protection Directive (which will be replaced by the General Data Protection Regulation in May 2018). In addition, there are state data protection laws providing legal requirements for data processing carried out by state-level public authorities or public bodies.

TIPS WHEN CONDUCTING EDISCOVERY IN GERMANY

  • Prioritize information governance and know where your data is before you start a case.
  • Use predictive coding. Data volumes are growing all the time and predictive coding is the most efficient way to find the right information. Regulators are not sympathetic to those who miss deadlines.
  • Choose quality over cost. In multi-jurisdictional cases, mistakes come at a high cost. Choosing the cheapest providers in each company can often be a false economy. It is safer to choose an established provider with a network of local offices and experts who have experience in working collaboratively across jurisdictions.

Stay to speed on global ediscovery practices. Don’t miss this whitepaper, “A Practical Guide to Cross-Border Ediscovery.”

United Kingdom: Ediscovery Around the World

The United Kingdom, a common law jurisdiction, is the second most established geography for ediscovery after the United States. There is a high degree of familiarity with ediscovery in the United Kingdom because edisclosure is a formal stage of the civil litigation process, governed by Part 31 of the Civil Procedure Rules, along with associated Practice Directions.

Our next stop exploring data collection, privacy, proportionality and production practices in the Americas, EMEA and APAC brings us to the United Kingdom.

How are ediscovery practices in the United Kingdom different from neighboring countries or the United States?

Because there has been a keen emphasis on proportionality for a longer time, edisclosure in the United Kingdom is narrower than ediscovery in the United States.  In addition, unlike many of its European neighbours, the United Kingdom has had edisclosure form part of its Civil Procedure Rules for over a decade. During that time, practical know-how regarding ediscovery technology has spread beyond litigation, so most lawyers are comfortable with the advantages a full analysis of electronic evidence can bring to their case.

How are data protection and privacy laws impacting ediscovery in the U.K.?

U.K. law firms frequently face cross-border discovery issues, which comes with the significant challenge of transferring data across borders to countries where different rules and regulations apply. While the United Kingdom is considered less strict than Russia and China, the EU General Data Protection Regulation (GDPR) might change this. Further, impending Brexit implications are also expected to have some impact on the way that data is handled for disputes and investigations in the United Kingdom. The bottom line: in the midst of this uncertainty, it seems sure that there will be more scrutiny on the holding of personal data and more fearsome penalties for mishandling personal data in the future.

What best practices are recommended for conducting ediscovery in the United Kingdom?

Akin to ediscovery practices around the world, edisclosure in the U.K. is often delivered by collective teams, making teamwork an absolute best practice. Further, similar to many other countries, disclosure and regulatory deadlines must be met in a well-ordered and timely fashion. The urgency and precise requirements of ediscovery cases carry a high degree of risk, so “getting it right” calls for expertise, care and coordination, as well as responsive support. For this reason, practicing ediscovery is as much about the people you work with, as it is about the technology you use.

In the U.K., companies and their counsel are interested in taking a more surgical approach to data selection. Instead of using keywords, review platforms offer analytical tools that can reveal more about the data, helping to provide a better understanding of who was involved, how they communicated and the words they actually used. In medical terms, this level of sophistication is akin to keyhole surgery, as opposed to older and cruder methods. Additionally, ediscovery technology can be used to perform proactive checks on employee behavior. Keeping up to date with ediscovery market developments is another new ‘best practice.’ The United Kingdom has a competitive ediscovery industry, so being able to quickly select the right provider for a quantifiable advantage (such as local presence or a particular technology) is of tremendous benefit.

Looking to stay up to speed on global ediscovery practices? Don’t miss this whitepaper, “A Practical Guide to Cross-Border Ediscovery.” From predictive coding practices in Australia and Ireland to cooperation in Canada, KrolLDiscovery is your international ediscovery resource.

The Luck of the Irish…and Predictive Coding

On this St. Patrick’s Day, it’s opportune to revisit a prominent Irish judicial opinion – in fact, the first known judicial opinion in Europe to endorse predictive coding.

In the spring of 2015, Ireland embraced predictive coding in Irish Bank Resolution Corporation Ltd v. Quinn [2015] IEHC 175, a case holding that, in the discovery of large data sets, technology assisted review (TAR) using predictive coding is at least as accurate as, and probably more accurate than, the manual or linear method of identifying relevant documents.

The judgment is a great read for predictive coding pundits and a shining endorsement of the potential benefits of this technology. Specifically, the court held that:

  • The rules of court in Ireland do not require a manual document review to be carried out;
  • The evidence establishes that in discovery of large data sets, TAR using predictive coding is at least as accurate as, and probably more accurate than, the manual or linear method in identifying relevant documents;
  • As TAR combines man and machine, the process must contain appropriate checks and balances which render each stage capable of independent verification. The parties need to agree to these;
  • Provided the process has sufficient transparency, TAR using predictive coding discharges a party’s discovery obligations;
  • Predictive coding will save time and money if used to refine a data set and to limit the pool of documents to be manually reviewed. It was projected that 10% of the 680,809 documents would need to be manually reviewed after employing predictive coding, as compared to the traditional linear review estimate that required a team of 10 experienced reviewers, a nine month time frame and a cost of two million Euros; and
  • Parties should first agree to the use of predictive coding, run agreed upon keyword searches to initially refine the data set and then use predictive coding subject to agreed-upon checks and balances. Documents suggested by the software as being potentially relevant should then be reviewed manually by a human review team.

The ruling addressed major concerns expressed about predictive coding and sought to sway the skeptics. It unequivocally stated that predictive coding will save time and money. Although there is no specific reference to proportionality in Irish law, the judgment stated that cost should not be a barrier on access to justice.

The Irish opinion relied significantly on Judge Peck’s Da Silva Moore opinion, setting the predictive coding tone in the United States in 2012. A year after Ireland’s Quinn opinion, the UK would celebrate its first judicial opinion referencing predictive coding when the English High Court issued Pyrrho Investments Ltd. v. MWB Property Ltd. [2016] EWHC 256 (Ch). In that case, Master Matthews estimated that predictive coding would offer significant cost savings and that the possible disclosure of over two million documents done via traditional manual review would be disproportionate and “unreasonable.” Late in 2016, Australia joined the list of countries tackling predictive coding issues when Justice Vickery from the Supreme Court of the State of Victoria issued a key opinion in McConnell Dowell Constructors v. Santam.

As we continue through 2017, what country will be next to focus on predictive coding? Don’t miss any development; subscribe to KrolLDiscovery’s weekly email updates.

Canada: A Close-knit Ediscovery Community, Continuously Embracing New Technology

In 2017, KrolLDiscovery will be diving deep into ediscovery practices around the world. Tour with us as we explore data collection, privacy, proportionality and production practices in the Americas, EMEA and APAC.

A couple weeks ago, we travelled to the Land Down Under to learn about predictive coding practices in Australia. Our next stop: Canada, where we find that Canada is leading the way on cooperative ediscovery.

What role does ediscovery technology play in Canadian litigation matters?

Ediscovery practices in Canada closely align to analogous processes, principles and goals in the United States and the United Kingdom. For example, Canadian parties and their counsel are seeking to collect, process, review and produce electronic documents as quickly and efficiently as possible. To achieve that goal, many law firms have implemented in-house ediscovery technologies to be able to support their clients’ litigation needs. Some firms and corporations, on the other hand, also take advantage of the close-knit ediscovery community in Canada and choose to work with an ediscovery provider in a managed services capacity. Akin to the United States, many law firms are continuously re-evaluating current technologies and looking for new solutions as the cloud opens new avenues for conducting ediscovery faster and possibly cheaper without sacrificing security.

What is unique about ediscovery in Canada?

In Canada there is not a large body of ediscovery case law like in the United States or even the United Kingdom. In fact, a prominent judicial opinion referencing predictive coding or Technology Assisted Review has yet to be handed down. Instead, legal teams rely on practices and guidelines such as those found in The Sedona Canada Principles or Ontario Rules of Civil Procedure 29.1.03. Furthermore, the Ontario Ediscovery Implementation Committee (EIC) released a series of model documents to help guide litigants through the ediscovery process, including a Discovery Agreement, Preservation Agreement, Checklist for Preparing a Discovery Plan and a Proportionality Chart.

Specifically, when talking with Canadian ediscovery gurus, there is a general sense that Canada leads the global ediscovery community in terms of cooperation and proportionality, with many practitioners stating that developing ediscovery parameters with opposing counsel or regulators is simply more collaborative when compared to ediscovery matters in other jurisdictions.

What are some obstacles to ediscovery in Canada?

In some aspects of legal technology, the Canadian legal system is still playing catch-up, especially when it comes to the technically complex areas of ediscovery, trial presentation or technology in the courtroom. For example, there are factions of early-adopters embracing predictive coding in document review. However, despite the well-established benefits, the majority of legal teams are reluctant to leverage artificial intelligence to categorize documents.

Over the next few years, document review workflows will modernize as additional Canadian legal teams become more experienced with new technology such as predictive coding. This will be increasingly important in the antitrust practice area, where regulators are starting to adopt broader policies similar to U.S. antitrust protocols. The need for predictive coding will increase if parties in antitrust matters need to sift through additional volumes of documents.

How often do Canadian legal teams transfer data to the United States or Europe for ediscovery?

Canadian legal teams are continuously evaluating the needs of the specific matter and comparing risks and benefits of conducting ediscovery in Canada versus elsewhere. Many corporations in Canada have U.S. offices; so often, Canadian litigation has a U.S. based component and ediscovery documents easily cross borders. However, sometimes legal teams are reluctant to transfer data to the United States for ediscovery processing, hosting and review because of the potential impact on other pending cases or the importance of privacy in the matter. Legal teams in Canada understand that ediscovery is available in the global marketplace and should the availability of technology, ability to deliver under tight time frames or need for a large pool of document reviewers demand resources outside of Canada, parties will consider transferring subsets of data to the United States or Europe.

How does language impact ediscovery in Canada?

Many cases contain documents in both English and French; accordingly, legal teams often require document review teams comprised of bilingual Canadian lawyers fluent in English and French. This sometimes drives up the costs associated with review, placing more importance on advanced search and analytics technologies that increase document review speeds and effectiveness.

Looking to stay up to speed on global ediscovery practices? Don’t miss this whitepaper, “A Practical Guide to Cross-Border Ediscovery.”

Australia Gets in the Predictive Coding Game

G’day, mate!

As we have said before, predictive coding (also known as Technology Assisted Review or TAR) is taking the globe by storm. First the United States, then Ireland and England, and now Australia. Ediscovery practitioners take heed: significant predictive coding developments are afoot in Australia.

(Special Note: If you are looking to stay informed on ediscovery around the world, don’t miss this whitepaper, “A Practical Guide to Cross-Border Ediscovery.”)

Predictive Coding: From New York City to the Australian Outback

Late last year, Australia joined the list of countries tackling predictive coding issues when Justice Vickery from the Supreme Court of the State of Victoria issued a key opinion in McConnell Dowell Constructors v. Santam.

In this case, the parties faced massive costs to review 1,400,000 documents, and they could not agree on a review method. Justice Vickery appointed a Special Referee to deliver a report to the court addressing the appropriate management of discovery in the proceeding. Relying on previous TAR decisions from the U.S. and Europe, as well as the Special Referee’s recommendation to use TAR, the court approved predictive coding as an effective method of document review when “the cost of traditional discovery processes in a case such as this dictates that [such processes] are not appropriate.”

Notably, the McConnell opinion made it clear that the courts, not the parties, would have the final determination in whether predictive coding will be employed in civil proceedings in Victoria state court. Specifically, Justice Vickery held that “the Court may order discovery by technology assisted review, whether or not it is consented to by the parties” in cases where the volume of ESI is substantial and “the costs of research may not be reasonable and proportionate.”

However, McConnell was not Victorian litigators’ first exposure to TAR in the courtroom. Three months before the McConnell decision, the Supreme Court of Victoria released a Standard Operating Procedure (TEC SOP 5 [TAR]) to provide litigants with interim measures for using TAR in construction and engineering cases. On January 30, 2017, the court replaced TEC SOP 5 with Technology in Civil Litigation Practice Note SC Gen 5, opening up TAR for general use in Victoria’s commercial courts.

Consent or No Consent: That is the Predictive Coding Question

While predictive coding is gaining traction as an effective tool to tackle massive document sets, there is no bright line on whether a party can be required to use TAR. Contrary to the holding in McConnell, U.S. courts have not compelled parties to leverage TAR. In 2016, two key opinions, Hyles v. New York City, 2016 U.S. Dist. LEXIS 100390 (S.D.N.Y. Aug. 1, 2016), and In re Viagra (Sildenafil Citrate) Prods. Liab. Litig., 2016 BL 347130 (N.D. Cal. Oct. 14, 2016), acknowledged the efficiencies associated with predictive coding, but refused to force a party to leverage the cutting-edge technology. That being said, U.S. attorneys need to be prepared that the days of insisting on manual review may one day soon be bygone. As noted by Judge Peck in Hyles, “[t]here may come a time when . . . it might be unreasonable for a party to refuse to use TAR . . . [but][w]e are not there yet.”

What’s Next for the Land Down Under?

Victoria is not the only state in Australia getting in on the ediscovery action. Courts in New South Wales abide by their state Supreme Court’s 2008 Practice Note No. SC Gen & for Use of Technology encouraging parties to consider technology to discover and inspect documents. While this practice note and other similar guidance in the Australian federal court system do not specifically reference TAR, savvy Australian practitioners know that this will likely change in the near future.

Looking to stay up to speed on global ediscovery practices? Don’t miss this whitepaper, “A Practical Guide to Cross-Border Ediscovery.”

January 2017 Ediscovery Case Summaries

Failure to Preserve Interactive Website Data Held Insufficient to Impose Sanctions Under Rule 37(e)
FTC v. Directv, Inc., 2016 U.S. Dist. LEXIS 176873 (N.D. Cal. Dec. 21, 2016)

Jury to Decide Issue of Intent for Spoliation
Cahill v. Dart, 2016 U.S. Dist. Lexis 166831 (N.D. Ill. Dec. 2, 2016)

Australian Court Takes Predictive Coding Down Under
McConnell Dowell Constructors (Aust) Pty Ltd v. Santam Ltd & Ors (No 1),
[2016] VSC 734 (Dec. 2, 2016)

Illinois State Court Leverages Proportionality Standards in FRCP 26(b)(1) to Determine if Forensic Imaging is too Intrusive
Carlson v. Jerousek, 2016 IL App (2d) 151248 (Ill. App. Ct. 2d Dist. 2016)

Kansas Court Rejects Proportionality Arguments and Boilerplate Objections
Duffy v. Lawrence Mem. Hosp., 2016 U.S. Dist. LEXIS 176848 (D. Kan. Dec. 21, 2016)

Crossing Borders: Where Discovery and Privacy Collide

international ediscovery

Litigation teams face new challenges when an ediscovery project crosses borders – from multilingual data and unique cultural norms to unfamiliar laws, regulations and data privacy practices. In addition, the international data protection landscape is changing and U.S. businesses with global operations need to be prepared. Companies need to think carefully about the risks of transferring data across borders.

To help practitioners navigate these challenges, Kroll Ontrack synthesized information on more than seventeen countries to create a succinct, new guidebook, A Practical Guide to Cross-Border Ediscovery: Insights for U.S. Lawyers.

This guide includes practical insights into how organizations all over the world are managing a wide range of business challenges using ediscovery technology, including:

  • Case studies on cross-border litigation and FCPA investigations;
  • An “At a Glance” visual map that shows the legal system, applicable rules and ediscovery practices for key countries in the Americas, EMEA and APAC regions;
  • Short summaries from experts on the ediscovery landscape in key countries; and
  • A timeline of EU Data Privacy and Protection milestones.

Litigation, compliance demands and investigations are part of the regular course of business for U.S. lawyers. With global considerations and cross-border implications, law firms and companies now rely on mobile ediscovery technologies, in-country data centers and local expertise to empower the processing and transferring of data in a compliant and cost-effective manner. This guide is just one way that Kroll Ontrack is here to help attorneys and their counsel thrive and adapt in a changing ediscovery world. Read the new cross-border guide today.

Brexit: Through the Eyes of a US Legal Team

Brexit

The headlines are nearly ubiquitous at this point: this summer, the people of the United Kingdom voted to leave the European Union. The reasons cited for leaving are varied and complicated, with many commentators still debating what caused a niche political movement be adopted by 52% of the electorate. However, most agree that the following broad factors led to the vote to leave (aka “Brexit”):

  • A belief that the EU wields too much power over UK legislation and a subsequent desire to restore sovereignty
  • Dissatisfaction over the costs of EU membership and a feeling that the UK paid too much and received too little in return in comparison to other countries
  • Concern over EU immigration policy and a desire to have full control over UK borders
  • Anger over the UK government’s austerity regime, particularly in areas that have suffered a decline in manufacturing and industrial jobs

Technically speaking, the controversial referendum was not an official notice to the EU that the UK will leave the EU. As soon as the formal notice is given to the EU, a ticking clock begins which is set for a two year exit phase to organize the finer points of Brexit. UK Prime Minister Theresa May said she understands the need for certainty but has indicated that she does not intend to give the formal notice this year. At the earliest, Brexit could become official in 2019.

But what does this referendum mean for US businesses with global operations? Specifically, what is the full impact of Brexit on data transfers in corporate litigation and investigations? How should US in-house counsel and their law firms be preparing for future data protection and privacy changes as a result of Brexit? What will be the impact on global ediscovery practices?

Data Protection: New Horizons or Business As Usual?

The UK currently operates under the Data Protection Act 1998 (DPA), which was enacted to bring British law in line with the EU Data Protection Directive (DPD). Since Britain voted to leave the EU, it is likely that the DPA will remain unchanged at least during the Brexit transition period.

The future state of the law is partly dependent on whether or not Britain becomes part of the European Economic Area (EEA) or the European Free Trade Association. If the UK becomes part of the EEA and the EU finds the UK’s data protection safeguards to be appropriate, this would make transferring data outside of the UK easier. However, it is likely that businesses will still have to comply with the new requirements to be implemented under the forthcoming General Data Protection Regulation, when transferring data across borders to comply with legal obligations in other countries.  If Britain does not become part of the EEA, the situation is more complicated, and it is likely that an arrangement similar to the EU-US Privacy Shield would need to be agreed to. This would likely provide a safe passage for the transfer of data between the UK and other countries in Europe.

Ediscovery: Knowledge and Technology are Power

The crux of the situation is that the international data protection landscape is changing regardless of the outcome of the Brexit referendum and US businesses with global operations need to be prepared for the differences. Until the UK finalizes its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across UK borders. But, business does not have to come to a standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European data centers to continue processing and transferring data in Europe in a compliant and cost-effective manner.

Kroll Ontrack is here to help you and your business thrive and adapt in a changing ediscovery world. Subscribe to our email newsletters, follow us on Twitter and connect with us on LinkedIn, and read up on ediscovery all around the world.

 
css.php