K&L Gates participated in this week’s 2023 Legalweek in New York City. As members of our firm’s e-Discovery Analysis & Technology (“e-DAT”) Group attended panel discussions regarding emerging legal issues and met with vendors regarding evolving legal technologies, they noted three trends that were being discussed by everyone at the conference.
Employees ten years ago could not have anticipated how quickly and completely our workplaces have evolved over the past decade. In the aftermath of the global pandemic, significant numbers of employees have transitioned to telecommuting for some or all of their workweeks. The enterprise collaboration platforms adopted by many workplaces to facilitate this transition include a variety of electronic communication tools through which employees may communicate in a less mindful style than they would use in e-mails or printed correspondence, which, in turn, has created additional risks related to communications created, sent, and stored through these tools.
As discussed in a prior post on this blog, electronic discovery that requires the processing and use of records and information that includes the personal data of individuals residing in the and the European Economic Area (“EEA”) must often incorporate measures to allow for compliance with the European Union’s General Data Protection Regulation (“GDPR”), which contains a number of requirements and limitations regarding the processing of such personal data and its transfer to countries outside the EEA.
Within each United States jurisdiction in which attorneys are licensed to practice law, the relevant rules of professional responsibility require attorneys to meet a duty of competence. Such competence is not limited to legal judgment and skill. Instead, this legal ethical duty has been interpreted by most of these jurisdictions to include a duty of technological competence. Technological competence is particularly important when attorneys advise clients regarding electronic discovery, information governance, and other legal issues involving electronic data and information systems.
By addressing how e-discovery issues will be handled in a particular case, ESI protocols can serve a valuable role in escalating such issues for early resolution and reducing later disputes on these topics. Below are five simple reminders for the next time you draft and negotiate an ESI protocol.
Electronic discovery for legal matters within the United States often involves preserving, collecting, processing, reviewing, and producing data that concern individuals living outside the United States. In some of these situations, the data privacy laws of jurisdictions outside the United States can complicate electronic discovery to be performed in the United States. Perhaps the most well-known data privacy law is the European Union’s General Data Protection Regulation (“GDPR”), which outlines requirements related to the processing of the personal data of individuals residing in the and the European Economic Area (“EEA”) and addresses the transfer of data outside the EEA.
Article 45 of GDPR forbids the transfer of the personal data of EEA residents (described as “data subjects”) to any country outside of the EEA unless (i) the EU determines that the country’s legal privacy frameworks and practices ensure an adequate level of protection for data subjects’ personal data (termed an “adequacy decision”), or (ii) one or more safeguards deemed appropriate by the EU are imposed on the cross-border data transfer. Accordingly, transfers of personal data of EEA residents to a country outside the EEA that lacks an adequacy decision must rely on such safeguards (or, alternatively, a derogation defined by Article 49 of GDPR). These safeguards can include use of data processing agreements that contain standard contractual clauses, binding corporate rules that address data privacy and protection concerns, and/or binding and enforceable commitments by the data controller or processor located in the country to which the data are being transferred.
Some legal matters requiring cross-border data transfer to the United States may not clearly fit within one of Article 49’s derogations, which may prompt the need to employ such a safeguard to accommodate the data transfer because the United States does not currently have an adequacy decision from the EU. However, such an adequacy decision may soon exist. On December 13, 2022, the European Commission published a draft adequacy decision for the United States, based largely on a new United States executive order that commits to changes to its foreign intelligence agencies’ access to personal data and the creation of a new system through which EU data subjects can seek redress for the infringement of their data privacy rights in the United States. This draft adequacy decision will now receive review and feedback from the European Data Protection Board, the Council of the European Union, and the European Parliament before its possible implementation.
With a GDPR adequacy decision possible for the United States by the summer of 2023, legal practitioners in the United States can consider how data transfer and review workflows in some circumstances could be streamlined in the wake of such an adequacy decision. The European Commission’s draft adequacy decision is available at https://commission.europa.eu/document/download/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en?filename=Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf.
The K&L Gates e-DAT Group sends its best wishes to all for an amazing New Year!
Focusing on procedural rules and case law particular to Washington, Julie Anne Halter (Partner and e-DAT Practice Group Co-Chair) and Bree Kelly (e-DAT Senior Staff Lawyer) provide practical guidance for the state’s legal practitioners on each step of the e-discovery process in their recent LexisNexis Practice Note.
Reflecting on the new enterprise collaboration and remote work technologies adopted by many employers, Julie Anne Halter (Partner and e-DAT Practice Group Co-Chair) outlines a number of related legal considerations and risks associated with these technologies in a 425 Business article published this week.
A number of recent state regulations address privacy rights for consumers of all ages, but there is no equivalent federal law protecting all consumers’ privacy rights. That being said, the Children’s Online Privacy Protection Act of 1998 (“COPPA,” at 15 U.S. Code §6501 et seq.) provides some federal protection for data subjects under 13 years of age. This act requires the operator of a “website or online service directed to children” to provide notice on the website regarding the collection, use, and disclosure of a child’s personal information and to obtain “verifiable parental consent” for the noticed collection, use, and disclosure, with some exemptions. Parents have the right to request a description of the types of personal information collected, to revoke consent (including the operators’ use and maintenance of already collected data in addition to termination of future collection), and to obtain the personal information collected from their child(ren). By the same token, a website operator may terminate provision of services to a child when the parent has revoked consent for the use, maintenance, and/or further collection of personal information from the child. Additionally, website operators are prohibited from offering a prize for, or requiring a child to provide, additional personal information in order to participate in a game or activity. Under 15 U.S. Code §6504, the Attorney General of any US state may bring a civil action for violations of 15 U.S. Code §6502(b) as parens patriae on behalf of the residents of that state.