Today's General Counsel, Fall 2018


E-Discovery

Litigation Holds and the GDPR

By Aloke Chakravarty and Zaven Sargsian

The European Union’s General Data Protection Regulation (GDPR) has complicated the process of complying with litigation holds. Because of GDPR’s extraterritorial reach, companies that hold personal data of European Union data subjects, regardless of their location, must now consider the implications of GDPR when preparing for litigation. GDPR violations carry potential fines of 20 million euros or four percent of global annual revenue, whichever is greater.

Corporate litigation holds are common in the United States to preserve records relevant to reasonably foreseeable litigation. United States courts have not only come to expect corporate litigants to properly preserve such records, they have also issued severe sanctions, such as fee-shifting and adverse evidentiary rulings, in cases where records have not been properly preserved. Unsurprisingly, the practice in most European Union countries is quite different. In the European Union, the breadth and depth of civil discovery is generally more limited, and litigation holds are much less common. Considering the European Union’s general disdain for United States privacy protections, when a United States company relies on its national law to avoid compliance with the European Union’s privacy requirements, it shouldn’t be a surprise if the European Union Data Protection Authority (DPA) takes notice. Companies must now tread carefully down a path of unsettled data protection law at the risk of being made an example in a transatlantic tug-of-war.

Assuming that a company is subject to GDPR, litigation holds present several challenges. Although every United States company that possesses information about European Union citizens is not automatically subject to GDPR, a company that is specifically targeting European Union citizens or actively tracking their behavior is likely to fall within its ambit. Many United States companies have already engaged in an analysis in order to comply with GDPR for business processes and general information security; but may not have fully appreciated how the compliance issue may affect litigation.

PERSONAL DATA DEFINED BROADLY

GDPR becomes an issue for corporate counsel seeking to marshal discoverable information in the United States about European Union citizens, and to obtain explicit consent from a European Union citizen authorizing the processing of their data for discovery or other litigation obligations. Litigation holds and discovery involving European Union data subjects may be considered data processes separate from the business processes for which they were obtained. The GDPR defines “personal data” more broadly than most United States laws as “any information relating to an identified or identifiable natural person.” Some identifiers are obviously personal data, such as name, address and ID numbers; but personal data under the GDPR also includes IP addresses, cookie IDs or other unique identifiers. If the hold relates to any such data, then a company must determine whether its preservation of the data for a litigation hold is a separate data process, and whether it has a lawful basis to do so. A separate data process is also defined broadly in the GDPR, referring to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means;” and it includes operations such as collection, organization, storage, retrieval and destruction of data. Consequently, preserving and producing this data for discovery purposes are likely to be considered additional data processes under the GDPR, as they were under the data protection standards that the GDPR replaced. The European Union Data Protection Board (EDPB) has yet to opine on this issue. Companies should narrowly tailor their hold, closely monitor compliance and seek initial informed consent in order to comply with a hold.

Counsel must determine whether the preservation process would fall within one of the lawful bases to process data under the GDPR. Consent of the data subject is a common lawful basis relied upon by United States companies that collect or process European Union citizens’ information. However, obtaining consent pre-litigation could be difficult or impossible. The most applicable alternative lawful basis to preserve records under the GDPR is that processing is considered lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except

