Data transfer: Tips for international data protection compliance
Deborah Blaxell and Hazel Grant explore the common pitfalls encountered in international data protection programmes
Law firms are developing global identities and conducting transactions internationally, so data stored in one jurisdiction can often be relevant to other offices abroad. Additionally, advances in technology have enabled data to be moved rapidly and stored indefinitely. As data is moved between data centres and across borders, security breaches are becoming a tangible risk.
Firms are also increasingly at risk of violating national and international data transfer regulations and privacy laws. This risk is rising as more countries implement privacy and data protection laws. These laws typically forbid cross-border transfers unless certain conditions are met, or impose regulatory obligations upon the transferring organisations. This problem is amplified if data resides in a European Union country and the requirement for disclosure emanates from the US.
Firms conducting business globally, contracting with international vendors or hosting data with international data centre providers must develop effective strategies to meet their current and future obligations related to international data transfer and data security best practice.
EU & US regulations
Pursuant to Directive 95/46 on the protection of individuals with regard to the processing of personal data, those who handle personal data relating to European Union citizens are bound by strict rules to protect the privacy of individuals.
They must ensure that no data relating to citizens is transferred to non-EU countries that do not have adequate levels of protection, as prescribed by the EU.
In March 2014, the European Parliament signalled its endorsement of proposals to update this directive, seeking to replace the varying national laws with one pan-European law for data protection.
The changes aim to strengthen citizens’ rights to data protection, for example, by giving individuals the ‘right to be forgotten’ – ensuring that data is deleted when there are no legitimate grounds for its retention – and specifying that, where consent is used for data processing, that consent must be explicit.
Significantly, organisations based outside of Europe, but which are doing business within the EU, will be bound by these rules. Furthermore, businesses that do not comply will be susceptible to sanctions, with fines of up to five per cent of the company’s global turnover proposed. To become law, these proposals must be adopted by the Council of Ministers, which will discuss the reforms in June.
Beyond data protection and privacy laws, in European civil law jurisdictions, the concept of disclosing documents or information to opponents is not a recognised part of the litigation process, adding to EU states’ reluctance to comply with requests from foreign jurisdictions.
Some European states have gone further still by introducing blocking statutes which seek to prohibit compliance with discovery requests made by countries like the US. In an age where trade between the EU and the US is vital to the growth of global financial markets, this position is untenable.
The US system is noticeably different to the EU system in that it grants the litigant the right to discovery of all documents and electronically stored information (ESI) which may be relevant to the claim or action, regardless of whether the information is personal. Data protection tends to be much more limited and specific.
Practical application
Historically, the US courts have ordered discovery in cases with data in the EU without much regard for the EU restrictions on the party holding the information. In re Vivendi Universal SA Secs [Litig., No 02 Civ 5571 2006], the US court observed that the French blocking statute did not subject those complying with US requests to any realistic risk of prosecution.
However, such complacency is dangerous, as was seen in re Advocat Christopher X [Cour de Cassation, Chambre Criminelle, Paris, 12 Dec 2007], in which a French lawyer was prosecuted for cooperating with the collection of evidence for use in US judicial proceedings. The French Supreme Court upheld the lawyer’s conviction and the imposition of a fine of €10,000. It remains to be seen whether the US will change its stance if the proposed EU data reforms come into force.
Nevertheless, following a subsequent decision of the French courts on this subject in Bruno B v Giraud et Migot [Cour de Cassation, Chambre Sociale, Paris, 15 December 2009, No 07-44264, released 8 January 2010], we may see the European system take small but significant steps towards sensible recognition that not all data that has traditionally been treated as private should continue to be so treated.
In Bruno B, an employee was dismissed after his employer found files on his work computer containing information which he had sent to government departments alleging tax and related fraud. Bruno sued his employer for violation of his right to privacy, claiming that the documents were personal.
The court on appeal found his employer was entitled to examine documents which were not marked ‘private’ and which it had reasonably assumed were work related. The significance of the case is that there is now arguably no right to privacy to an employee’s files stored on a work computer unless the employee marks the document ‘private’.
Although the EU is taking steps to implement common rules, a true international set of standards has not yet been developed. Until then, meaningful protections for data – both domestic and international – will remain an issue for organisations of all kinds. This is a difficult position, but one whose effects might be minimised if businesses plan adequately for cross-border e-disclosure exercises.
Tips to reduce the risk of regulatory penalties
- Consider whether any of the data may be available from sources within the US or other countries that have less stringent data privacy requirements.
- Take advice from lawyers within the jurisdiction in which the data is held. It is not sufficient to be knowledgeable about European laws in general. The lawyers must be aware of the particular idiosyncrasies of local laws to ensure the business does not inadvertently fall foul of them.
- Process and analyse the data in the jurisdiction in which it is held. This is obviously preferable to sending vast amounts of data to foreign jurisdictions without first knowing how much of the data is relevant. Arguably, the less data you transfer, the less risk there is of breaching European law.
- Processing and analysing data is time consuming, so use technology. Employ smart technologies to accelerate and prioritise the review of data so that you are able to comply with the challenging timeframes that courts and regulatory authorities invariably impose in these situations.
- Once the data has been filtered and a relevant data set is produced, consider how to treat personal data to ensure compliance with European data protection laws and US discovery requirements (e.g. redaction).
- Monitor changes to the regulatory and security landscape.
- Ensure processes are in place to meet challenges in compliance or technical security controls, and that breaches of data that have cross-border or inter-jurisdictional ramifications can be managed.
A strategy for data
As well as taking advice from local lawyers and utilising the new and increasingly vital document review tools that are available to cull data and thereafter accelerate review, law firms and corporations should ensure they are doing their best to monitor their data at all points of its lifecycle (see box: Monitoring the full lifecycle of data).
As information technology and privacy legislation around the world change rapidly, law firms must remain informed about best practice, applicable laws and regulations, and security protocols to keep data safe within data centres, during transit between data centres and in connection with cross-border transfers.
Individuals, governments and businesses all have stakes in data security, whether they’re directly involved or not. Staying up-to-date on best practice, implementing an information governance programme, identifying effective mitigation techniques and continuous validation, combined with strong incident response, will enable organisations to meet the challenges presented by cross-border data transfers and security.
Monitoring the full lifecycle of data
- Creation/capture. The process of receiving or creating data, whether captured from a website, a file transfer or a physical acquisition, will affect handling. Each method of creation or capture will require a different form of protection to ensure the information is safeguarded.
- Classification. Once the data has been securely acquired, appropriate rules must be applied. The first step is to identify the type of data acquired. Is it personally identifiable information (PII)? Is it an image or a document? What kind of document is it? Carefully sifting and sorting the data into the correct ‘bucket types’ will greatly aid compliance with international data privacy regulations and also make the disclosure process more efficient.
- Storage/management. Where will the data be stored, and does that location provide adequate levels of protection? This will drive what protection controls are applied. If the data consists of PII or potential PII, then the firm may be legally required to store the data in a disk-based encryption format and encrypt backup copies of the data.
- Retrieval/publication. Once data has been securely transferred across a border, make it available for use while ensuring it is encrypted at each stage: when it is transferred, stored and displayed. It must also be made certain that the data cannot be decrypted in countries to which it must not be transferred, and that access to systems such as network paths which enable cross-border transfers is controlled.
- Processing. Ensure data is only used for authorised purposes and in compliance with applicable laws. Application controls and metadata tagging are helpful during this phase.
- Archive. When data is no longer needed, issues of long-term storage in compliance with applicable policies and legal requirements arise. Is the backup onsite or offsite? Do your backups cross international borders? Are the backups governed by other countries’ privacy and data protection laws? The answers to these questions will help ensure that all potential risk areas are mitigated.
- Destruction. At every stage, protected data that is no longer required must be rendered unusable, in accordance with applicable legislation. Ensure the destruction of archives, files, physical copies and any other copies. However, there could always be an exception to the rule, so processes need to be in place for data excluded from regularly scheduled destruction cycles. For example, data subject to legal holds and discovery requests, as well as data governed by cross-border privacy legislation, are commonly exempted.
Deborah Blaxell is legal consultant at Epiq Systems (www.epiqsystems.co.uk) and Hazel Grant is an IT partner at Bristows (www.bristows.com)