It all comes down to consent.
Interestingly, the primary focus for eDiscovery and the complexities of the GDPR can be reduced to one key aspect, that of CONSENT – consent by the “owner” of the documents and data that are identified as needing to be collected, reviewed and produced in a legal matter whether it be litigation, response to a governmental subpoena, third party request or other reason. We all know the owner for GDPR, for eDiscovery purposes is the custodian, the individual who has possession and “control” over what it is that needs to be gathered for a matter. And, one more point: In almost all matters, the individual is employed by a company or organization. Our focus here is on those individuals located in the European Union and what U.S. companies must do to obtain and track their consent for the documents and data to be collected and used for litigation purposes.
In the U.S. we expect full cooperation from employees in litigation matters, and it is a given, as of now, that work done on or on behalf of an employer belongs to the employer and can be used as needed to support or defend a legal event. Most U.S. companies have policies in place that clearly state the use of electronic assets and the work associated therewith is company property and employees acknowledge or concede that point through their employment relationship. Hence, there are few restrictions on the collection and use of any data. Consent is either implied or explicit.
Not so in the EU. The individual is the gatekeeper for data access. This has been so since at least 1995 with the Data Protection Directive, followed by the Safe Harbor Privacy Principles in the early 2000s, found invalid in 2015 and replaced by the Privacy Shield framework in 2016. These were not laws but guidelines that were adopted by various EU member states, and not in a uniform manner. The GDPR, on the other hand, is a law with enforcement teeth including severe financial penalties for violators. This is not the focus here, but the penalty aspect must be noted, as the consequences for non-compliance can be painful.
GDPR and eDiscovery intertwined with the consent requirement.
We will now focus on consent, that is, how to obtain it, maintain it and respond if it is withdrawn. “The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.” (https://www.eugdpr.org/the-regulation.html)
From this we can deduce the following points related to GDPR and eDiscovery to establish clear consent in the communication with the custodian:
- Explain the reason for the document and data collection (e.g., litigation, investigation…).
- Specifically state what documents and data are being collected (e.g., email, documents related to the XYZ project…).
- Explain how the data is going to be used (e.g. for review to determine relevance to production requests; production to the opposing party).
- Obtain a clear indication of the custodian’s consent for the purposes enumerated above.
- Inform the custodian of his/her ability to withdraw consent. Much is written on this point, and we will address it in a future blog entry.
There is the notion of “legitimate interest” that may obviate the need to obtain consent from employees to collect their data. But, as has been recently written, clarifying and understanding what is a legitimate interest is anything but clear. Hence, it seems prudent to obtain appropriate consent, as outlined above, until some clarity is reached on this key point.
Additionally, Article 49(1)(e) may permit data transfers in the defense of legal claims, with a focus on the word “may.” At this point, as above, prudence still dictates – obtain consent.
So with respect to GDPR and eDiscovery, obtaining express consent eliminates any doubt or questions about the appropriateness of any data collection for the purposes stated therein, and eliminates one non-compliance risk under the GDPR. It is a straightforward process that should be easily included in your eDiscovery protocol.
Thanks to Barry Schwartz, Esq for contributing to this post. Barry heads the BIA Expert Services group which consults and advises clients on a variety of topics and helps them be more successful across eDiscovery, privacy and information governance.