The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/624538
WWW.ILTANET.ORG 53 • Is it possible to get an order from the English court or to have the request come from a local regulator? Those are the types of things you need to look at rather than providing an immediate response to the requesting authority. Treat a disclosure request with a degree of skepticism to protect the data before replying. Gayle: It's also worth bearing in mind that one of the main catalysts of this action has been the revelation that law enforcement agencies have access to too much information, and they were able to get it too easily. Make sure the data are protected. You don't want to be the next law firm in the headlines. Enforcement happens soon. What should organizations do right now to prepare? Gayle: I think we have a little bit of grace period. It's not compulsory, but these protection authorities could start enforcing tomorrow if they wanted to. However, there seems to be an agreement that nothing will happen before the 31st of January. But the 31st isn't very far away. Show that you're taking some action now even if you're not able to get everything done in time. If you're doing internal transfers, put model contracts into place. See what Binding Corporate Rules are going to be an option in the future, though you're probably not going to get those in place by the end of January. It can take up to a year to get those in place. And look at where your data are going: If data are coming to/from the U.S. from another country using Safe Harbor, it's time for a change. Jason: The Commission has been responding to this and taking advice from a body called the Article 29 Working Party. The Commission is doing its best to say that it is pushing forward with negotiations with the U.S., which is how this will be sold from a political perspective. As you can imagine, that takes time and is quite a big undertaking for the U.S. At the same time, the Commission and Article 29 Working Party have emphasized, as Gayle said, that it's still open to an individual to complain on an individual basis, and the relevant data protection authority is therefore obliged to look at that. The idea that you will be protected from those kinds of suits has whittled away, and certain data protection authorities have indicated they will be more proactive with that than others. Jason Rix Jason Rix is a Senior Professional Support Lawyer at Allen & Overy LLP. He has acted on contentious and noncontentious intellectual property and IT matters that have been heard before the High Court and the Court of Justice. Jason has a particular interest in EU and international comparative law and English contract law. Jason has worked in-house on secondment at BT Group, and he was included on the London Super Lawyers list in 2013. Contact Jason at jason.rix@allenovery.com. Gayle McFarlane Gayle McFarlane, a Partner at Cordery, is an experienced commercial lawyer with over a decade of experience working and building relationships with corporate counsel, procurement and compliance teams. Gayle has a particular interest in all things data. She has conducted data protection audits, overseen the development of compliant CRM solutions, advised businesses on how to integrate their data and counseled the public sector on when they are able to exploit data. Contact her at gayle.mcfarlane@corderycompliance.com. Binding Corporate Rules apply when you're transferring data within a group and you agree to a series of measures to protect the data. That's another immediate step companies can take. How will this affect law firms' advising their clients? How are you looking at this within your own businesses? Gayle: Law firms have the same problems as any other multinational organization with offices in the U.S. It all comes down to personal data being shared. That includes the sharing of employee information, any kind of detail that relates to individuals or any employee matter, and corporate transactions where you have employee lists. Even if you're not an international firm, the Schrems decision affects you because a lot of law firms outsource work and/or provide service outside their country. More important, most law firms use client relationship management or enterprise resource planning systems that are based overseas or in the cloud. If that's the case, you're still transferring data overseas — even though you might not feel it's going outside of your organization. If the transferred data are being protected on the basis of Safe Harbor, you need to take some action. Some vendors and suppliers have already taken proactive action to address the problem, but don't take their solutions at face value. Make sure you check them out. You mentioned disclosure. How is that affected? Jason: Typical advice is to think very carefully about what the disclosure request is and what the legal basis for the request is, and to look at the ways in which you can negotiate the extent of the request: • Can you limit the amount of data transferred and still comply with the request?