At Lighthouse our teams have the benefit of working across numerous clients, cases, and jurisdictions. As a result, we are building deep institutional knowledge across many aspects of eDiscovery that may be more difficult for individuals or teams to amass organically. To benefit our clients, we regularly share these insights in an ongoing series of best practices articles.
This article provides updated guidance on cross-border eDiscovery in the wake of a recent adequacy determination by the European Commission for EU-US data transfers.
Best Practices to Support Cross-Border Data Transfers in eDiscovery
In any matter that potentially involves the processing and transfer of personal data across country borders, case teams should consider the following factors before deciding on a strategy:
- The underlying company’s own policy governing the processing of personal data (including transfer mechanisms, such as consent and/or binding corporate rules)
- The specific countries at issue (some countries have additional requirements for data residency, heightened consent requirements, etc.)
- The nature of the data (including special categories of protected data, i.e., high-risk data), as well as the importance of the custodian and the uniqueness/criticality of the data
- The options and feasibility of obtaining custodian consent for the transfer of their data (e.g., time to obtain consent, employment status of the custodian, the impact of obtaining consent on an investigation)
When evaluating options for where the data should be processed, case teams should also consider:
- The country where most custodians are located (i.e., where the largest volume of data will be located)
- Data center options (if no data center is available, consider other cloud-based or remote kit options and their impact on downstream search/review)
- The pros and cons of processing data in a single data repository
- Minimization at the point of collection as opposed to once data is processed into a review tool
Note that most clients follow a “hub-centric” approach and process data in accordance with specific regions, e.g., data stored in the US is processed in the US; data stored in Europe is processed in a European data center; data stored in APAC is processed either in APAC, depending on the country-specific laws, or in Europe, and so forth.
Whenever non-U.S. data is present in a matter, case teams should consider the following best practices for cross-border data transfers:
- Establish lawful grounds for processing personal data (e.g., custodian consent, adequacy decision, or a legal exception defined by applicable data privacy regulations, such as the GDPR’s legitimate business interest exception). Note that many case teams choose not to rely solely on custodial consent for larger matters, unless the data originates from a highly restrictive jurisdiction (e.g., Switzerland, France, Germany, Luxembourg, etc.) or the matter involves specially protected data.
- Ensure there are adequate safeguards in place to support exceptions, such as the legitimate business interest exception. At a minimum, this includes efforts to “minimize” what is being processed (i.e., collecting only data that is necessary for the activity at hand). Case teams can minimize the volume of data being processed by using keywords or other filters to reduce what is collected, culling data at the processing stage, conducting a search for certain categories of personal data, redacting personal data, and permitting a custodian to review data prior to transfer.
Case teams should also follow specific best practices when encountering any of the below scenarios during eDiscovery:
- Matters involving U.S. litigation and eDiscovery: Consider adding supplemental data privacy safeguards, including putting a protective order in place that specifically addresses the handling of personal data subject to applicable law (e.g., GDPR and other applicable country-specific regulations). This includes provisions to designate certain data as subject to the protective order and specific provisions that require the deletion of data (and confirmation of deletion) once the litigation concludes.
- Matters involving cross-border transfers from other (non-U.S.) countries: Ensure an appropriate cross-border transfer mechanism is in place for all data transfers. Common examples of appropriate cross-border transfer mechanisms include model contract clauses, intra-company agreements, and adequacy decisions rendered by the European Commission (including the adequacy decision for the new EU-U.S. Data Privacy Framework).
- Matters involving data originating in China (PRC): Take into consideration all data security implications and PRC laws before transferring any data out of the country (including the requirement to conduct a state-secrets review in-country before any data can be transferred outside the country).
- Matters involving data originating in countries with heightened privacy restrictions and/or sector-specific requirements (e.g., bank secrecy): Consider processing (and potentially reviewing) data in-country.
- Document the protocol adhered to for each matter.
While transferring personal data across borders may feel like an increasingly complicated task for legal and eDiscovery teams, it is also a task that will be increasingly necessary as corporate data volumes grow and spread. The good news is that case teams do not have to navigate those complexities alone. An experienced eDiscovery partner with a global footprint and information governance/legal experts on staff can work closely with both outside and in-house counsel to develop a solution for cross-border data transfers that meets the legal requirements and needs of each matter.