This post was also written by Rosanne Kay.
Reed Smith hosted a seminar in its London office to discuss issues companies face arising from poor Records Management, Data Protection, E-Disclosure and the Proposed EU General Data Protection Regulation. Speakers included the UK Information Commissioner’s Office Head of Strategic Liaison, Jonathan Bamford, and Reed Smith London Partners Cynthia O’Donoghue and Rosanne Kay, and Pittsburgh Partner David Cohen.
In the first session, Cynthia and David addressed the issue of poor records management and how companies can take steps to improve their approach to record keeping in the Electronic Age. They commented that the volume of documentation being stored by companies is becoming increasingly difficult to manage because of emails and documents being kept for too long a period. Companies face conflicting duties of requiring a good retention policy and being prepared for litigation, at the same time as complying with data privacy principles which state that information should not be kept for longer than necessary. Companies are often saving records beyond the point where they have any useful purpose, such as emails that tend to have a lifespan of only six months, and companies can suffer from poor employee productivity when employees spend inordinate amounts of time looking for documents. The speakers advised clients to adopt a ‘six-step action plan’ to address these issues and strike a balance between the different business needs, legal considerations, and data privacy concerns, to create a workable, appropriate retention policy.
Jonathan Bamford gave a presentation on the ICO’s perspective on the EU Data Protection Regulation and Directive. The ICO is seeking a clear, easy-to-understand set of rules containing effective requirements that are both simple to exercise and low cost. The ICO wants accountability and responsibility throughout the information life cycle, and a provision which allows organisations that are compliant with the regulations to “get ahead”. He stated that the ICO welcomed certain aspects of the regulations, including:
- Improved rights for individuals
- A higher standard of consent – in the new draft regulations, consent must be explicit and can be withdrawn
- Incorporation of new concepts such as Privacy by Design
- Stronger supervisory authorities
- More consistency across the EU – one set of regulations across all 27 member states and “one-stop-shop” complaints’ procedures
Jonathan explained that some changes in the proposed framework were less welcome by the ICO, including:
- Having a separate Regulation and Directive as the two instruments could cause confusion, because the Directive seems to have a lower standard of protection
- The overly prescriptive nature of the proposed Regulation
- The lack of focus on privacy risk – the UK’s current Data Protection Act and associated measures put privacy risk at the forefront
- An outdated approach to international data transfers
- A “one size fits all” approach towards sensitive data without considering the context and risk
He also expressed doubts regarding some concepts raised in the proposals, stating that the Right to be Forgotten will be very difficult to enforce, and that the potential workload that will be placed on supervisory authorities is almost unworkable. He echoed the view expressed in the ICO’s initial opinion stating that the published opinion will not be the ICO’s last word on the draft EU Regulations.
The last session of the seminar covered E-Disclosure and Cross-Border issues. David Cohen and Rosanne Kay discussed the various issues that arise with e-disclosure/ discovery in litigation in both the UK and the US. Electronic documents have taken on a large significance in litigation in recent years because of the fact that they contain a lot of information, are easy to search using keyword terms and are difficult to destroy, and can be difficult to locate and preserve. New technologies, such as ‘concept searching’ and ‘e-mail threading’, are emerging to aid document reviews. David highlighted an emerging trend in the United States, where sanctions have been imposed on parties for e-discovery mistakes.
Cynthia then discussed conflicting laws between the EU and US on cross-border discovery stemming from the international data transfer bar contained in the EU Data Protection Directive, and some European countries’ blocking statutes. Because of the broad definitions of ‘personal data’ and ‘processing’, any US discovery seeking documents from organizations located in Europe will be caught by national data protection laws so that a transfer of data to the United States has the potential to violate national data protection laws. Cynthia discussed recent trends such as the Sedona Conference Working Group 6 principles on transfers and the new American Bar Association’s decision urging US courts to give ‘due respect’ to foreign data protection and privacy, and the International Chamber of Commerce policy statement on “Cross-border law enforcement access to company data – current issues under data protection and privacy law”. The statement makes recommendations that can help to ensure respect for both law enforcement interests, and data protection and privacy laws.