European Privacy and Data Protection Regulations: Effective Defense Tools in eDiscovery But Also a Compliance Risk!

Posted on December 5, 2011


Last week, nearly 300 privacy professionals gathered in Paris for the second International Association of Privacy Professionals (IAPP) European Data Protection Congress. Completely focused on the latest developments in privacy for the European data protection community, this conference was an extraordinarily high-quality event, one of the best I have ever attended. The organizers sought to produce an event that would trigger “thought-provoking discussion, engaging debates, game changing analysis and unparalleled education”, and as far as I am concerned, they succeeded! I really enjoyed being among top international privacy and data protection experts from business and government.

This year, IAPP had an impressive list of keynote speakers, among them the highest-ranking officials from the European Union, including Euro Commissioner Viviane Reding, who is responsible for justice, fundamental rights and citizenship, and Peter Hustinx, the European Data Protection Supervisor. I had the honor of participating on a panel with Wolter Wefers Bettink, a renowned IP, IT-law, e-business and privacy specialist and partner at the Dutch law firm of Houthoff Buruma.

The following observations stem from that session and the others I had an opportunity to attend.

1. European Privacy and Data Protection Regulations: Effective Defense Tools in eDiscovery

European companies are often at a disadvantage when they are up against a US company or regulator in a civil, regulatory or criminal investigation that involves large-scale eDiscovery. Failing to follow the US rules (the Federal Rules of Civil Procedure, FRCP) and best practices, as set by The Sedona Conference, EDRM and court opinions, will undoubtedly lead to sanctions, fines, penalties and sometimes even a default decision. US parties may leverage this as a strategy to force European companies into unfavorable settlements. As a result, European companies often engage US law firms to process all data, which often leads not only to violations of European privacy and data protection regulations but also to huge costs and future risks, because you never know where your data will end up in US courts and in the hands of a hostile opposing party. European privacy and data protection regulations, in combination with international treaties, can serve European companies as a strong defensive strategy, allowing them to:

a. Use technology to find, isolate and produce only documents that do not contain any data which violates privacy or data protection acts.
b. Process and review data in Europe to avoid cross border issues.
c. Use machine assisted review technology to reduce the amount of data that human eyes must review.
d. Use random sampling for legal defensibility of your machine-assisted, automated processes.
e. Maintain control over your data, and thus over cost and risk.
f. Implement true early case assessment in Europe: find what really matters and use this to negotiate a more favorable settlement on your terms. Understand the impact of search terms before agreeing to them.
g. Avoid penalties from European regulators for violation of European privacy and data protection acts.
h. Produce and disclose less information in the US.
i. As a result, have lower costs and less risk of court sanctions and penalties.

2. European Privacy and Data Protection Regulations: Also a Compliance Risk!

Many companies have terabytes of legacy information. In almost all cases, the privacy or data protection officer does not know all the details of what resides within this data. Every day, we read news stories pertaining to data leakage and other violations of privacy and data protection acts. Given the seriousness of this problem, regulators continue to increase fines and penalties. In addition, reputations and revenue streams can be negatively impacted. As a result, and even more than for other compliance officers, it is very important for privacy and data protection officers to understand what is in the legacy data and to handle compliance issues before something goes wrong. Automated technology can help to quickly identify information, understand what is there and find documents that contain sensitive information such as names, addresses, credit card numbers, social security numbers, bank accounts, medical information, etc. Pattern-based intelligent redaction, data transfer or data retention are then among the possible options.

It became clear during these wonderful sessions that if one should run into trouble in this area, it will be absolutely essential to engage a high-quality lawyer with extensive experience and knowledge in this area. The field is moving very rapidly and there are many different rules and regulations in Europe. This, in combination with new regulations and judgments, continues to increase the importance of engaging top-quality lawyers who understand the intricacies, especially when the opposing party is not as skilled and knowledgeable as your lawyer!

In summary, it was a great conference and I’ll definitely go back next year.