
Introduction to Data Privacy & eDiscovery; Intersection of Data Privacy & eDiscovery


Academic year: 2021


Today’s Topics

Introduction to Data Privacy & eDiscovery

– General Overview

– Data Privacy in the United States

– Data Privacy in Foreign Countries

Intersection of Data Privacy & eDiscovery

– Preservation of Data

– Collection of Data

– Transfer of Data to Law Firm or Vendor

– Hosting of Data by Law Firm or Vendor

– Production of Data to Requesting Party


2 |Data Privacy & eDiscovery

Introduction to Data Privacy & eDiscovery

Understanding What Data Privacy Means is Critical to Ensuring the eDiscovery Process Properly Protects Personal Information

– Data privacy refers to the appropriate use of personal information under the circumstances.

– What is personal information?

• Sensitive information

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)


Introduction to Data Privacy & eDiscovery

Personal Information May Include a Wide Variety of Categories

– Name, gender, age and date of birth

– Marital status, citizenship, nationality, race, political opinion, religious beliefs

– Health information

– Veteran status, disabled status

– Personal address, phone number, email address, social media

– Business address, phone number, email address, social media

– Internal identification numbers

– Government-issued identification numbers


Introduction to Data Privacy & eDiscovery

Organizations are Required by Law to Protect Personal Information, but Privacy Laws Differ Among Jurisdictions

– In the United States, privacy laws focus on consumer protection

• Health, human resources, financial, education, government identifiers, online and eCommunications

• Presumption that the organization can use personal information unless that use is harmful or prohibited by sector-based law

– In many foreign countries, in particular in the European Union, data privacy is a human right

• Scope of what is considered personal information may be much broader than in the United States

• Presumption is that use of personal information is prohibited unless certain conditions are met


Introduction to Data Privacy & eDiscovery

In the United States, There are a Variety of Federal and State Laws and a Variety of Government or Self-Regulatory Agencies Relevant to Data Privacy

Examples of Federal & State Laws

• Gramm-Leach-Bliley Act (GLB Act)

• Right to Financial Privacy Act (RFPA)

• Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic & Clinical Health (HITECH) Act

• Children’s Online Protection Act (COPA)

• Electronic Communications Privacy Act

• State Privacy and Security Breach Laws

• State Data Transfer Laws

Examples of Relevant Regulators / Self-Regulatory Regimes

• Federal Trade Commission (FTC)

• Federal Communications Commission (FCC)

• Department of Commerce

• Consumer Financial Protection Bureau (CFPB)

• Department of Transportation (DOT)

• Securities and Exchange Commission (SEC)

• Office of the Comptroller of the Currency (OCC)

• Federal Reserve

• Federal & State Attorneys General

• Payment Card Industry Data Security


Introduction to Data Privacy & eDiscovery

United States Discovery Rules Assume that Relevant Personal or Private Information Must be Produced in Response to Document Requests

– Federal Rule of Civil Procedure 26 & State analogs recognize that protections may be necessary for certain types of data, including personal information or business sensitive information

– Consideration must be given to whether personal information is “relevant” to the litigation/investigation

– Protective orders are often used to ensure the protection of personal or private information in discovery

– U.S. courts have not been willing to excuse production based on foreign data protection laws or blocking statutes


Introduction to Data Privacy & eDiscovery

In Foreign Jurisdictions, There are Different Types of Laws that Relate to Data Privacy and May Impact eDiscovery

Data Protection Laws: Laws designed to protect privacy – in some jurisdictions they cover broader categories of data than U.S. privacy laws

Blocking Statutes: Laws designed to protect sovereignty, and shield foreign nationals from intrusive U.S.-style litigation


Introduction to Data Privacy & eDiscovery

In the European Union, Each Country’s Data Protection Laws Must Comply with the 1995 Data Protection Directive (Currently Under Review)

– “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data”

– Directive restricts the processing and transfer of personal data

– These terms are broadly defined

– Provides for notice to affected employees, including target of an investigation

– The EU Data Protection Directive binds member-states, and each EU member state implements its own data protection laws


Introduction to Data Privacy & eDiscovery

Data Protection Laws or Blocking Statutes May Severely Restrict Whether and How Data May be Transferred to the United States in Response to Requests for Production

– Possible steps to permit transfer of data

• Elimination of “personal data” from set transferred

• Use of “safe harbor” vendors

• Model contracts/strict protective orders

• Hague Evidence Convention

– Blocking statutes may prohibit the transfer of data to the United States in response to litigation requests and may require appeal to foreign courts


Introduction to Data Privacy & eDiscovery

Many Countries Outside the United States and the European Union Have Implemented Their Own Data Protection Laws

– Outside the EU, data protection law is rapidly evolving, and the EU Directive is a leading model

– For example, there are data protection laws in Asia (e.g., South Korea, Hong Kong and Taiwan) and South America (e.g., Peru, Argentina)

– There are also other foreign laws that may be obstacles to discovery. For example:

• People’s Republic of China State Secrets Protection

• Banking Secrecy Laws in Singapore and Switzerland


Intersection of Data Privacy & eDiscovery

Protecting Personal Information Retained by an Organization Requires Understanding how Data Privacy and eDiscovery Intersect

– Data privacy concerns are often overlooked in litigations/investigations

– At each stage of the litigation/investigation life cycle, there may be an impact on:

• Data privacy

• Data security

• Protection of business sensitive information (BSI), e.g., intellectual property, non-disclosure agreements, commercially important information

– Effective management of information during the litigation/investigation life cycle is critical to maintaining compliance with data privacy obligations, protecting an organization’s valuable information, and safeguarding an organization’s reputation


Intersection of Data Privacy & eDiscovery

Preservation of Data

– Retaining data longer than record retention policies require may implicate data privacy obligations

– Can be considered “processing” under Data Protection Laws

– Preserve-in-place v. segregation of data for preservation may impact data security

– Legal holds to U.S. employees may be different than legal holds sent to non-U.S. employees


Intersection of Data Privacy & eDiscovery

Collection of Data

– Understanding of where personal or private information may reside within the organization before collection

– Coordination between Legal and Data Privacy professionals

– Collection By Organization vs. By Outside Vendor

– Collection Manually vs. Use of Technology

– By Data Source vs. By Relevance

– How is data transferred within the organization?


Intersection of Data Privacy & eDiscovery

Transferring Data to Law Firm or Vendor

– Communicating data privacy issues to Law Firm and Vendor

– Maintaining an audit trail and chain-of-custody

– Ensuring adequate protections are in place, e.g., encryption or mode of transfer (UPS, hand delivery, etc.)

– Consider taking additional protective measures prior to transferring any data located overseas to the United States

• Early filtering to minimize quantity of personal data involved

• Redaction/anonymization

• On-site/in-country review

– Notice and consent?


Intersection of Data Privacy & eDiscovery

Hosting of Data by Law Firm or Vendor

– Traditionally, eDiscovery vendor selection and contracting not subject to scrutiny

– Remember: if eDiscovery vendor discloses data, the organization may be liable

– Treat eDiscovery services as important to the organization and plan accordingly

– Terms of Engagement

• Adequate security

• Audit rights

• Indemnifications

• Limits of Liability

• Special requirements for certain data


Intersection of Data Privacy & eDiscovery

Production of Data to Requesting Party

– To Government Agency

• Request for confidentiality (e.g., FOIA)

• Special requests for private data

• Consider coordination with foreign governments, where applicable

• Redaction if not legally required to produce?

– To Plaintiff’s/Requestor’s Law Firm

• Communicate data privacy issues and risks associated with production

• Protective Orders

– Attorneys Eyes Only

– Special Storage Requirements

• Redaction if not legally required to produce?

– Notice and consent?


Intersection of Data Privacy & eDiscovery

Return or Destruction of Data

– By Law Firm or Vendor

• Include in engagement letters or contracts

• Legal obligation and practical ability

• Ability to audit compliance

– By Requesting Party

• Include in protective orders

• Legal obligation and practical ability

• Ability to audit compliance
