August 6, 2020

Volume X, Number 219

August 05, 2020

Subscribe to Latest Legal News and Analysis

August 04, 2020

Subscribe to Latest Legal News and Analysis

August 03, 2020

Subscribe to Latest Legal News and Analysis

GDPR & Electronic Discovery: What to Do Before, During and After Litigation

The European Union’s widely anticipated General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Designed to provide EU citizens with better control over their personal data, this comprehensive reform of data protection in the EU has far-reaching implications. But how and to what extent will this new regulation affect electronic discovery in U.S.-based civil litigation? Organizations subject to the GDPR should think critically about what specific steps to take when handling personal data before, during and after litigation.

Before Litigation: Focus on Information and Organizational Governance

Before litigation ensues, you should understand everything you can about your organization’s data. Conducting data inventories and mapping allows you to identify potential information governance issues, such as what types of data your organization handles, where that data exists within your systems, and how information generally flows within your organization.

It is also imperative to assess your organization. Do you have a Data Protection Officer? Are you currently subject to the U.S.-EU Privacy Shield? Does your organization have binding corporate rules (BCRs), model contractual clauses or other adequate transfer safeguards in place? The GDPR changes the existing data transfer mechanisms available to organizations subject to it, and the applicability of these mechanisms may depend on the answers to these questions.

For an in-depth analysis of preparing for GDPR compliance, see our previous client alert on connecting information governance and the GDPR.

During Litigation: Identify and Manage Risk

Does the GDPR apply?

Once you are facing litigation – or the threat of litigation – you should first determine whether the GDPR applies. It is important to highlight that an organization cannot avoid application of the GDPR because it operates outside the EU. Territorially, the GDPR applies to the processing of EU citizens’ personal data when that processing relates to (1) the offering of goods or services to EU citizens or (2) the monitoring of EU citizens’ behavior within the EU. The GDPR defines “processing” broadly as any operation that is performed on personal data and specifically includes activities such as the collection, use, disclosure by transmission, and dissemination of or otherwise making available personal data. Thus, the activities undertaken to preserve, collect, process, analyze and produce personal data during litigation all constitute “processing” under the GDPR.

You should also determine whether the litigation implicates “personal data” under the GDPR, defined as “any information relating to an identified or identifiable natural person (‘data subject’).” This includes examples such as name, identification number, location data, online identifiers, or factors that are specific to a data subject’s physical, physiological, genetic, mental, economic, cultural or social identity.

The GDPR also governs the movement of data across borders pursuant to U.S. discovery obligations. The GDPR applies to “[a]ny transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization.”

Handling Personal Data

Once you have determined applicability of the GDPR, your immediate goal should be to identify and minimize the scope of relevant personal data preserved under a legal hold. In parallel, you should also investigate whether you are able to secure relevant evidence through alternative means, such as interrogatories and/or deposition testimony.

It is also prudent to include explicit requirements regarding the handling and protection of personal data within a joint ESI protocol. The protocol should state that personal data preserved, collected, produced or otherwise processed should be the minimum necessary for the purposes of the litigation. Furthermore, any personal data should be processed lawfully, fairly and in a transparent manner; collected and used only for the specified, explicit and legitimate purposes of the litigation; handled in a manner that ensures appropriate technical and organizational security of the personal data; and deleted if and as soon as determined to be unnecessary for the litigation.

Beware of Custodial Consent

Practitioners should beware of issues pertaining to custodial consent. It will be much harder to obtain valid consent from data subjects under the GDPR, which requires that consent be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” (Recital 32). In other words, data subjects must be given an informed and meaningful opportunity to consent and also to withdraw that consent at any time. As such, practitioners should not pursue consent-by-default or mass opt-out consent strategies for multiple data subjects in litigation. Caution should also be afforded in circumstances involving power imbalances, such as when an employer is seeking to obtain consent from employees, because it is questionable whether any consent in those circumstances can be freely given.

Moreover, when discovery obligations under U.S. law and the protection of personal data under the GDPR conflict, a custodian may refuse to comply with U.S. law and not give consent. It might be possible in this scenario to redact the personal data from this custodian’s documents, but this approach is often not feasible when, for example, the redactions needed would be too numerous or unduly burdensome to complete, or the data subject is an important custodian in the litigation. It is not yet clear how and to what extent U.S. courts will handle this tension, but you should be aware that it exists. There might be room to argue that a custodian’s refusal to consent to the processing of their personal data for U.S. litigation purposes and the monetary threat of violations under the GDPR are factors that should be considered when weighing proportionality under amended FRCP 26(b), specifically “whether the burden or expense of the proposed discovery outweighs its likely benefit.”

Anticipate Data Subjects’ Rights

The GDPR affords several new and/or expanded rights to data subjects regarding their personal data, including with respect to ongoing litigation. Data subjects can exercise any (and as many) of the following rights at any point during the identification, preservation, collection, analysis or production efforts during litigation.

  • Request: The right to request confirmation as to whether personal data is being processed, the categories of personal data being processed, where the personal data is located, the purposes of processing, and the recipients or categories of recipients to whom the personal data has been or will be disclosed.

  • Reach: The right to obtain access to the personal data held about the data subject.

  • Receive: The right to receive personal data about the data subject in a machine-readable format (also known as “data portability”).

  • Rectify: The right to request that incorrect, inaccurate or incomplete personal data be corrected.

  • Restrict: The right to request the restriction of the processing of personal data.

  • Remove: The right to request that personal data be erased when no longer needed or if processing is unlawful (also known as the “right to be forgotten”).

It is important for organizations to anticipate these rights and to know the location of personal data within the document universe subject to litigation. Counsel must be able to swiftly isolate and carefully handle this data as needed to comply with any and all of the data subjects’ rights under the GDPR.

After Litigation: Follow-Through Is Critical

Litigants have an affirmative obligation to continue to take appropriate measures for the handling of personal data even upon the conclusion of litigation. You must determine how soon after litigation is over or a settlement has been reached to take further action on personal data being preserved subject to a legal hold. This should be done on a case-by-case basis, but as soon as defensibly possible. Once the data is release from being on hold, you should identify whether there are any regulatory and/or business reasons for continuing to preserve the personal data and, if not, take all necessary steps to either return or destroy the data quickly, fully and securely, in compliance with the GDPR.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume VIII, Number 263


About this Author

Bennett B. Borden, Drinker Biddle, Commercial Litigation Attorney

Bennett B. Borden is the firm’s chief data scientist and responsible for the firm’s data analytics strategy. Harnessing the power of data is essential for helping clients drive value in their business operations and telling their side of the story in litigation. Bennett is one of the world’s first lawyer/data scientists and has recently been appointed to the National Conference of Lawyers and Scientists (NCLS) of the American Academy for the Advancement of Science.

Bennett advises the firm and its clients on the development and...

Jay Brudz, Litigation Attorney, Drinker Biddle

Jay Brudz builds and manages world class e-discovery operations, internal compliance and FCPA investigations and develops enterprise-level information governance best practices. He is co-chair of the Information Governance and eDiscovery Group. In that capacity he acts as e-discovery counsel on major complex litigation matters. Using his technical experience in digital forensics and network security, Jay assists clients with information security counselling, including breach response, policy development and cyber risk evaluations. He also serves as executive managing director of the firm’s e-discovery subsidiary, Tritura Information Governance LLC, which provides state of the art e-discovery technology and services to the firm's clients.

Jay previously served in several roles focusing on the intersection of applied technology and law, including as senior counsel for legal technology at General Electric where he created and led their corporate e-discovery center supporting more than 1,200 attorneys. In this role he was also responsible for all corporate technology initiatives within GE’s legal operation, including the successful implementation of legal hold, e-billing, insider trading compliance, intranet, and patent docketing systems.

Jason Baron, Drinker Biddle Law Firm, Washington DC, Litigation Attorney
Of Counsel

Jason R. Baron is an internationally recognized speaker and author on the preservation of electronic documents. Jason previously served as Director of Litigation for the U.S. National Archives and Records Administration (NARA) and as trial lawyer and senior counsel at the DOJ. 

As NARA’s Director of Litigation, Jason led the administration’s efforts to provide responsive White House email and other records in the massive U.S. v. Philip Morris RICO lawsuit, and assisted in the defense of lawsuits filed against the Archivist of the United States under the Freedom of...

Yodi Hailemariam, Drinker Biddle Law Firm, Washington DC, Cybersecurity Law Attorney

Yodi S. Hailemariam focuses her practice on U.S. and cross-border information governance, data privacy, cybersecurity, electronic discovery, legal analytics and the Internet of Things. Yodi has experience in a wide range of industries, including health care, pharmaceuticals and life sciences, intellectual property, insurance and financial services.

A frequent author, speaker and panelist on “all things data,” Yodi advises companies regarding electronic discovery in complex civil litigations, white collar defense, and corporate...