The European Commission is faced with significant challenges in its attempts to balance protecting the rights of the individual in respect of personal data, whilst at the same time encouraging businesses to offer their services in Europe. The purpose of the European Data Protection Directive 95/46/EC is to harmonise the regulation of personal data throughout the European Union. The Directive has been adopted into local law in the member states of the EU and sets out eight basic data protection principles which control how personal data is obtained, kept, processed and transferred. The definition of personal data is very broad and it is highly likely that every email and document now written contains personal data.
The basic principles require that personal data is handled fairly and lawfully, which in essence means that individuals must consent to the handling of their personal data or there must be a legal purpose for using the information. The Directive also prohibits the transfer of personal information outside of the European Economic Area, unless the country receiving the information provides an “adequate level of protection” for individuals in the processing of personal information.The Directive was introduced in the 1995 at a time when the Internet, whilst already in existence, was only used in a very limited way (less than one per cent of Europeans used it). It should also be noted that, whilst the Data Protection Directive, is the best known of the laws that impact the collecting, processing and transfer of data, there are also several others that also need to be considered including those relating to privacy, legal professional privilege and intellectual property. Throw into the mix blocking statutes and legislation that varies from country to country and you are indeed faced with a highly complex legal environment.
A Changing Landscape
We live in a time when not only does technology have a huge impact on the way we conduct our business and personal lives (with the lines between the two becoming increasingly blurred), but also technology continues to evolve, at an exponential rate. Whereas, even a few years ago, businesses involved in legal disputes only needed to concern themselves with electronic evidence stored in emails, their attachments and documents stored in a few specific well structured and well marshaled directories, the technological landscape has advanced to the current position where social networks and cloud computing need to be considered.
The European Commission is fully aware of this evolution and has set up the Digital Agenda in order to further promote the use of technology in order to foster innovation, economic growth and progress and an integrated market by 2015. Neelie Kroes, the Vice-President of the European Commission responsible for the Digital Agenda, recently spoke about the need for “Safeguarding Europeans' rights – without putting the development of valuable new products and services "off limits". In addition, the Commission recognises that the Data Protection Directive that was introduced 17 years ago needs to be significantly changed if it is to be relevant in today’s world.
To that end, in January 2012, it proposed a comprehensive reform of data protection rules in order to increase users’ control of their data and cut costs for business.This proposed legal framework is designed to “unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation”. Key changes in the reform are the introduction of a single set of rules on data protection valid across the EU; a requirement to report data breaches as soon as possible; stronger enforcement powers and fines of up to one million euros or up to two per cent of global annual turnover of a company; and the application of the EU rules if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
How multinationals move personal data around
Binding Corporate Rules (BCRs) were introduced by the European Union Article 29 Working Party to allow multinational companies to transfer personal data from the European Economic Area to their affiliates located outside of the EEA. The BCRs were developed as an alternative to the USA/EU Safe Harbor (which is for USA organisations only) and the EU Model Contract Clauses. BCRs currently apply to data controllers only and are not currently available for data processors, although the recent draft reforms seek to change this. In addition, they are difficult to gain approval for and it is thought that a realistic timescale to complete the approval process is 12 months. According to the latest figures available on the European Commission’s website, there are only 15 organisations that have gained BCR approval.
Can technology help?
So, against this backdrop of a complex set of laws, diversity in these laws from country to country and increasing penalties for not complying with them, how can companies go about transferring data when carrying out investigations and responding to discovery and regulatory requests for information in a legally compliant manner? A variety of approaches are taken by organisations and their appointed legal advisors not just within Europe but also within specific countries. There are two main reasons for this -variances in the interpretation of the laws themselves and the organisations’ appetite for risk.
Different uses of technology can be employed. At one extreme, hardware and software is deployed within an organisation. This IT infrastructure is used to process documents, filter them and make them available for review to a legal team also situated within the organisation. In this way all possible data transfers are prohibited as it is possible to disable all access to the data via the internet. This approach tends to be more costly than others but is used to minimise any contraventions of data transfer related laws and where the data is of a particularly sensitive nature.
Another variation on this theme is one in which the entire infrastructure is located in the same country in which the data was originally collected (as opposed to an “on-premise” solution as described above). Organisations sometimes insist that those with the ability to access and review the documents are located in the same country as the data or are at least within the EU. Others allow the review team to be situated outside of the EU including in the US. This highlights the different interpretations of what constitutes a data transfer and of their attitudes to risk. When keyword searching is applied to the data prior to a data transfer taking place, it can be done on an “inclusive” basis, i.e., including documents that contain one or more words from a list and on an “exclusive” basis, i.e., excluding documents that contain one or more specific words. Whilst this approach is not foolproof and it is possible, indeed likely, that personal data will pass through these filters, the process at least demonstrates to the relevant authorities that rigorous attempts have been made to exclude personal data and to identify the data strictly relevant to the issues at stake, as required by the Article 29 Working Party in its opinions on pre-trial discovery for cross-border civil litigation.
Self selection of data is also employed, either in isolation or in conjunction with other options in order to remove personal data. In its most straightforward form this entails asking individuals to either identify documents which are responsive to a specific discovery or regulatory request or to identify private documents and emails. This can be done either within the source application (e.g. within Microsoft Outlook) or within a “first pass” review platform. By involving the employee in this process it is likely that personal documents are excluded from the subsequent data transfer. However, relying on the employee to select responsive documents or to have any input into the document identification is clearly not without its dangers as in certain situations this could be used as an opportunity to remove key documents. The neutrality of technological filtering approach is therefore lost.
Organisations have also been known to set up internal procedures in which employees are instructed to mark any private emails as such by using certain keywords in the subject line. Automated searches are then used to exclude these documents from data transfers. In this way, the onus is put on the employee to identify personal documents.
Transferring data from the US to Europe
Commonly, where data needs to be ultimately transferred to the US (from an organisation in continental Europe), it is first transferred to another country in Europe, for example the UK, where it is processed, filtered and hosted. A legal team will then carry out a “first pass” document review in which it identifies documents that are likely to be relevant and excludes personal data by using a combination of keyword searching and manual review. Redactions can also be used in order to hide personal information where necessary. The resultant “anonymised” data set is then exported to another database in which a full and more comprehensive document review related to the issues in the case is carried out. This database can be hosted in the UK or in the US as required.
The way forward
As can be seen, there is no silver bullet available that will cut through the labyrinth of complex laws that must be navigated in order to devise an effective and pragmatic approach to cross-border data transfers in international investigations and litigation. It is vital that organisations not only have a strong knowledge of the current legal landscape and technological options available but also keep a close eye on the way both of these constantly evolve. It is only in this way that businesses can ensure that they adopt appropriate procedures for data transfers.
Andrew Szczech is the manager of business development for continental Europe at London-based data managment company Kroll Ontrack