Person opening padlock

How to navigate eDiscovery technology without the Privacy Shield

Organizations that relied on the shield must institute an alternate approved transfer mechanism or risk running afoul of the GDPR.


In brief

  • Europe’s highest court invalidated the EU-US Privacy Shield in the Schrems II decision.
  • Without the Privacy Shield, companies may still transfer personal data from the EU to the US —with appropriate safeguards.
  • Companies should follow nine action items to drive compliance and position themselves for success, without risking significant penalties.

Consumer data is the engine for companies today, enabling their business strategies, stronger relationships and greater innovation. Yet, in an ever-evolving landscape of privacy regulations globally, noncompliance risks and penalties are a constant concern. Another twist occurred in July 2020, when the EU-US Privacy Shield was invalidated, complicating business as usual for companies that depend on standard contractual clauses (SCCs) to collect and process EU personal data.

Organizations that previously relied on the Privacy Shield must immediately institute an alternative approved transfer mechanism for EU data or risk running afoul of the General Data Protection Regulation (GDPR), with fines of up to 4% of their annual revenue or €20 million, whichever is higher.

Companies with a consumer footprint in the EU must revisit their data strategies: conduct a risk assessment, recognize that removing data has consequences, avoid overbroad collections, minimize eDiscovery, ensure proper notification and deploy strong security measures. Before exploring these action steps in more depth, it’s important to understand the implications behind decisions by the Court of Justice of the European Union (CJEU). An EY report  contains more background as well.

SCCs remain valid — with considerations

The Privacy Shield was designed to help companies comply with the GDPR when transferring personal data from the EU to the US. Max Schrems, an Austrian lawyer, successfully argued that the Safe Harbor — the predecessor of the Privacy Shield — did not sufficiently protect his data when transferred to the US. Then, in a decision by the CJEU that became known as Schrems II, the Privacy Shield was also found to be inadequate.

The CJEU upheld the validity of SCCs as an approved transfer mechanism. Yet it will require, prior to any transfer, stricter scrutiny and a case-by-case assessment by the exporting and importing parties, as to whether the laws of the importing country provide an adequate level of protection essentially equivalent to that guaranteed within the EU by the GDPR. If the parties determine that the SCC cannot be complied with due to the local laws, the CJEU instructs the data exporters to immediately cease all data transfers and/or to terminate the SCC.

eDiscovery practitioners can cautiously use SCCs but might have to implement supplementary measures to comply with the GDPR and other strategies. That may include using the derogations under the GDPR Article 49 based, for example, on consent of the data subject or on the performance of a contract to transfer personal data out of the EU to the US.

Schrems II emphasizes that the SCCs must also address guarantees that prevent access to the data by public authorities or surveillance services. It is particularly important for companies relying on SCCs for eDiscovery to revisit them following the CJEU’s decision and confirm GDPR compliance.

Key considerations for moving eDiscovery forward

To meet the new requirements:

  1. Start with a risk-oriented level of protection assessment. Assess the level of protection offered by the non-EU country and identify additional safeguards that may be necessary to transfer the information safely to the US, considering contractual clauses, the possibility of any access by the public authorities of the importer country, and the relevant aspects of its legal system. If the data includes personal data, you can remove it or identify additional procedural and technical safeguards.

  2. Remove data cautiously. When redacting personal information from documents, recognize that doing so alters its form, raises authentication issues and threatens its admissibility in court. It may be more productive to segregate documents with personal information from the data set, process them in the EU member state, and transfer the remaining data to the US.

  3. Avoid removal by safeguarding details. You can anonymize or deidentify the data in the EU to hide the EU data subjects’ individual details. Alternatively, use pseudonymization techniques to mask this information. Although it does not completely sanitize the material, it remains an appropriate method of safeguarding from unauthorized access.

  4. Reflect proportionality in policies. The CJEU reasoned in Schrems II that any interference with fundamental freedoms and rights protecting data privacy must satisfy the proportionality principle: i.e., that interference should be limited to what is strictly necessary. In the view of the Court, US surveillance programs are not aligned with this principle. Companies should therefore update their compliance policies and procedures governing discovery requests and data processing to reflect the proportionality principle.

  5. Avoid overbroad eDiscovery. Companies must outline clear and precise rules addressing the scope and application of eDiscovery and impose safeguards to protect personal data against the risk of abuse. Toward that end, companies should:
    • Oppose overly broad eDiscovery requests for data in the EU
    • Re-evaluate the need for cross-border discovery and determine whether the records at issue are accessible from US sources
    • Determine whether an EU service provider can process the data instead of one based in the US

  6. Minimize eDiscovery data collection and processing. It is essential for company policies and procedures to comply with the letter and principles of the GDPR, which means that eDiscovery data collection and processing must use data minimization as a pillar. Parties must limit data processing and storage to what is strictly necessary when collected then promptly erase unnecessary material without preserving or retaining it for possible future litigation.

  7. Inform data subjects. Companies must also inform data subjects of how and why their data is processed, justify doing so, and update the information provided to them when personal information is collected and transferred. GDPR Article 13 lists the information that the controller shall provide to the data subject at the time when his personal data are obtained. And companies must have an up-to-date record of their processing activities to confirm they are able to demonstrate compliance with the GDPR.

  8. Understand that security scrutiny may increase. The GDPR also requires companies to notify individuals of a data breach resulting in a high risk to their rights and freedoms. Following Schrems II, companies should have a defined process in place and develop notification systems for data exporters, data protection authorities in EU Member States and the European Data Protection Board when changes occur in data processing. This is also necessary when data becomes subject to civil processes, government authorities or surveillance measures.

  9. Upgrade your eDiscovery IT. Companies should use technology to confirm the availability, confidentiality, integrity and resilience of processing systems and services. Controllers and processors must restore personal data after a physical or technical event, so there should be a process to test and assess the systems regularly, as well as to evaluate the effectiveness of measures for processing security.

Taking these measures offers benefits beyond the present day — they can also position organizations to potentially evolve more easily to address other regulatory issues developing elsewhere in the world.

Summary

In the aftermath of Schrems II, companies seeking eDiscovery in Europe should keep in mind that the validity of standard contractual clauses (SCCs) for transferring data from EU to the US depends on whether these SCCs include effective mechanisms that confirm compliance with the level of protection essentially equivalent to that guaranteed by the GDPR.

About this article

Related Articles

How to comply with data subject access requests

The pandemic and shift to a remote workforce make a clear compliance strategy and workflows for fulfilling DSARs more important than ever. Read more.