Few areas of law have changed as significantly or rapidly in recent years as data privacy. Beginning with the passage of the GDPR in the EU in May 2018 and continuing through the CCPA going into effect on January 1 of this year, many companies have been scrambling to keep up with the requirements of a shifting regulatory landscape. While regulatory requirements are increasing, technology is evolving and companies have more data than ever stored around the world, creating an increased risk of noncompliance.

The cross-border reach of today's data privacy regulations is causing significant challenges for companies engaged in e-discovery. Companies need to be dedicated to understanding the ever-changing privacy landscape and working with experts to plan and budget for ongoing compliance.

The Current Enforcement Landscape

With the CCPA only three months old, litigation under the regulation is still in its infancy. The first class action filed under the new law was Barnes v. Hanna Andersson, LLC, which alleged violations of the CCPA for failure to adequately protect personal information and to notify subjects of a data breach in a timely manner. The court hasn't yet ruled, but this case is one to watch, as any ruling will significantly impact future litigation and enforcement. Specifically, a plaintiffs' verdict would inspire many more CCPA cases in the future.

In terms of how cross-border discovery is governed from a U.S. perspective, the current standard is 28 U.S.C. § 1782(a), and more specifically the Supreme Court case that interpreted it, Intel Corp. v. Advanced Micro Devices, Inc. The decision laid out four factors for district courts to consider when ordering discovery in a particular foreign proceeding: 1) whether the producing party is a participant in that proceeding, 2) the nature of the foreign tribunal and proceeding, 3) whether the discovery request is intended to circumvent foreign or U.S. law and 4) whether the request is unduly burdensome.

Under Intel Corp., parties will likely be permitted cross-border discovery if they can show that requests are relevant and not overly burdensome. The important thing to keep in mind, however, is that you still need to be cognizant of the laws where the data resides. Too many companies have focused on complying with U.S. law while giving short shrift to international laws. With regulations like the GDPR, the CCPA and other international privacy laws now in play, that shortsightedness can have severe consequences.

In the era of new data privacy regulation, companies must change how they monitor the law. It is no longer sufficient to focus solely on the laws of your jurisdiction. You need to know exactly where you do business—and with today's global online economy, the answer can easily be almost everywhere. The laws of all those places are now relevant when you're conducting e-discovery.

Preparing for Compliance

Staying abreast of the data privacy legal landscape is a collaborative effort that must involve your corporate legal department, your IT department and trusted outside vendors. While legal must understand what is required and IT must ensure you're capable of complying, expert vendors fill the crucial role of offering the international presence and expertise in foreign laws. All these functions must be capable of working together, and management must approve sufficient hiring and budgets to make it all possible.

According to a recent survey, nearly 60% of companies lack the resources to fully comply with today's data privacy regulations. In reality, companies should expect budgets to expand by six to seven figures—thinking privacy compliance will require a small or temporary budget increase is a mistake. While those numbers may sound high, the penalties for noncompliance are even higher, with fines for violations soaring into the hundreds of thousands or millions of dollars.

Being proactive is key. Legal departments should be consulting with and leaning on the expertise of outside counsel and external e-discovery vendors to ensure they are meeting compliance requirements. If you're based in California but do business in the UK and New York, you must be ready to comply with regulations that govern each of those jurisdictions before issues arise or requests are made.

Working with expert vendors that can leverage their specialized knowledge to make the best and most efficient use of limited resources is critical to budgeting. When choosing a vendor, you want a true partner—someone with experience, project management and consulting teams, and vertical integration, not just a reseller pushing someone else's products. Vetting vendors means uncovering their experience with data privacy compliance. Do they have a presence in the U.S. and in Europe? Do they have a deep knowledge of current data privacy law? Are they staying abreast of legal changes and posting relevant information on these topics?

Too many companies focus solely on the bottom line. While cost always matters, there are benefits to paying more for a vendor that can provide the support and expertise you need. Your e-discovery vendor must be able to effectively collect data in other countries and export only the necessary minimum to stay in compliance with foreign laws.

The time to assemble the best possible team of expert vendors, outside counsel and internal resources is now so that you are prepared as the privacy landscape continues to change.

Looking Ahead

While no one can predict with certainty the future of privacy law and enforcement, one thing seems clear: There will only be more regulation in the months and years to come. The framework for e-discovery has permanently changed, and companies must be prepared to comply.

Like the New York SHIELD Act, more state regulations will continue to pass, and we will soon see them in nearly every state. While the terms will vary slightly, they'll likely be similar enough that a broad compliance policy can be tailored to fit them all. We will also see a continued push for a federal privacy law in the U.S. In short, data privacy protection is here to stay.

Failing to plan for compliance and make significant changes in data policies will cripple small and midsize businesses. If you're not seriously looking at data compliance, now is the time to enlist experts to keep your company afloat as the privacy waters continue to shift.

 

Matthew Miller is an attorney with Reveal. A former litigator, he now consults with Reveal's law firm and in-house counsel clients on e-discovery projects. He can be reached at [email protected].