P2P

Spring22

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1463380

Contents of this Issue

Navigation

Page 42 of 72

43 I L T A N E T . O R G S ince the Schrems II ruling came down last year, invalidating the legacy Privacy Shield framework, lawyers have worried over the implications to their existing and future cross-border e-discovery matters. Indeed, transferring data from the EU to the U.S. has become far more complicated without Privacy Shield. But even before that ruling, the General Data Protection Regulation (GDPR) and other global privacy laws had made cross-border data transfer a risky business. Today, most legal teams will encounter some degree of multi-national e-discovery that requires the movement of data between jurisdictions—often from regions with strict data privacy laws (such as Europe, China, Japan and Australia) to the U.S., which is considered by many countries to lack sufficient protections for personal and sensitive information. One survey of legal professionals reported that nearly 60% have been required to balance discovery obligations in one region with data protection regulations in another. One of our team's current clients, a European-based pharmaceutical company, had relied upon Privacy Shield for years as its primary method for transferring data to the U.S. for litigation and regulatory investigations. The implications of Schrems II are significant for this company, and as a result it has has halted all flows of data to the U.S., until it has a new approach that will hold up against regulatory standards. With prolonged travel restrictions due to the COVID-19 pandemic and heightened concerns about an impending uptick in litigation across industries, counsel are under pressure to adjust and button up their approaches to multi-national e-discovery matters. With the aim of standardizing privacy best practices, our team has compiled a set of five steps counsel can take to build defensible data protection into their cross-border data transfers. Initially, counsel should exhaust other mechanisms to limit the cross-border need, including descoping the data in question to only what is potentially relevant, reviewing if the data can be captured in other jurisdictions, and/or following data minimization techniques. As these are exhausted and cross-border transfers are required, the following steps are recommended to proceed: 1. Before data is moved, perform and document a Data Protection Impact Assessment (DPIA). The DPIA serves as evidence that counsel has reviewed the data, evaluated the steps needed to protect it, and integrated those considerations with the creation of a broader risk and safety net. The DPIA documents all of these steps and accounts for anticipated risks and pitfalls that may impact the protection of sensitive or personal data. Investing the time up front in a DPIA reduces the risk of breaching data protection regulations and establishes a consistent "Counsel are under pressure to adjust and button up their approaches to multi-national e-discovery matters."

Articles in this issue

Archives of this issue

view archives of P2P - Spring22