Daniel Miller, a partner of the K&L Gates e-Discovery Analysis & Technology (“e-DAT”) Group and the firm’s Pittsburgh office, will attend this week’s ABA Cross-Border Institute in Paris. Daniel will also participate on a panel discussion at next week’s Master’s Conference in London.Read More
As discussed in a prior post on this blog, electronic discovery that requires the processing and use of records and information that includes the personal data of individuals residing in the and the European Economic Area (“EEA”) must often incorporate measures to allow for compliance with the European Union’s General Data Protection Regulation (“GDPR”), which contains a number of requirements and limitations regarding the processing of such personal data and its transfer to countries outside the EEA.Read More
Electronic discovery for legal matters within the United States often involves preserving, collecting, processing, reviewing, and producing data that concern individuals living outside the United States. In some of these situations, the data privacy laws of jurisdictions outside the United States can complicate electronic discovery to be performed in the United States. Perhaps the most well-known data privacy law is the European Union’s General Data Protection Regulation (“GDPR”), which outlines requirements related to the processing of the personal data of individuals residing in the and the European Economic Area (“EEA”) and addresses the transfer of data outside the EEA.
Article 45 of GDPR forbids the transfer of the personal data of EEA residents (described as “data subjects”) to any country outside of the EEA unless (i) the EU determines that the country’s legal privacy frameworks and practices ensure an adequate level of protection for data subjects’ personal data (termed an “adequacy decision”), or (ii) one or more safeguards deemed appropriate by the EU are imposed on the cross-border data transfer. Accordingly, transfers of personal data of EEA residents to a country outside the EEA that lacks an adequacy decision must rely on such safeguards (or, alternatively, a derogation defined by Article 49 of GDPR). These safeguards can include use of data processing agreements that contain standard contractual clauses, binding corporate rules that address data privacy and protection concerns, and/or binding and enforceable commitments by the data controller or processor located in the country to which the data are being transferred.
Some legal matters requiring cross-border data transfer to the United States may not clearly fit within one of Article 49’s derogations, which may prompt the need to employ such a safeguard to accommodate the data transfer because the United States does not currently have an adequacy decision from the EU. However, such an adequacy decision may soon exist. On December 13, 2022, the European Commission published a draft adequacy decision for the United States, based largely on a new United States executive order that commits to changes to its foreign intelligence agencies’ access to personal data and the creation of a new system through which EU data subjects can seek redress for the infringement of their data privacy rights in the United States. This draft adequacy decision will now receive review and feedback from the European Data Protection Board, the Council of the European Union, and the European Parliament before its possible implementation.
With a GDPR adequacy decision possible for the United States by the summer of 2023, legal practitioners in the United States can consider how data transfer and review workflows in some circumstances could be streamlined in the wake of such an adequacy decision. The European Commission’s draft adequacy decision is available at https://commission.europa.eu/document/download/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en?filename=Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf.
A number of recent state regulations address privacy rights for consumers of all ages, but there is no equivalent federal law protecting all consumer’s privacy rights. That being said, the Children’s Online Privacy Protection Act of 1998 (“COPPA,” at 15 U.S. Code §6501 et seq.) provides some federal protection for data subjects under 13 years of age. This act requires the operator of a “website or online service directed to children” to provide notice on the website regarding the collection, use, and disclosure of a child’s personal information and to obtain “verifiable parental consent” for the noticed collection, use, and disclosure, with some exemptions. Parents have the right to request a description of the types of personal information collected, to revoke consent (including the operators’ use and maintenance of already collected data in addition to termination of future collection), and to obtain the personal information collected from their child(ren). By the same token, a website operator may terminate provision of services to a child when the parent has revoked consent for the use, maintenance, and/or further collection of personal information from the child. Additionally, website operators are prohibited from offering a prize for, or requiring a child to provide, additional personal information in order to participate in a game or activity. Under 15 U.S. Code §6504, the Attorney General of any US state may bring civil action for violations of 15 U.S. Code §6502(b) as parens patriae on behalf of the residents of that state.Read More
Information governance and records management are important considerations for all organizations. New data and documents are generated at ever-increasing rates through the normal (and “new normal”) course of business, and these data and documents must be maintained for different periods of time to satisfy their business and legal compliance purposes. With regard to legally-mandated retention requirements, certain business sectors (such as banking institutions, aviation and maritime companies, and businesses operating within the scope of federal Department of Energy regulations) are subject to record retention and reporting obligations that extend beyond those applicable to other types of organizations. Also, there may be insurance, contractual, and other considerations applicable to certain types of records that impact the period of time they should be maintained in the ordinary course of business. Finally, the need to preserve records potentially relevant to known or reasonably anticipated legal proceedings can create additional record preservation burdens on an organization.Read More
Electronic discovery for US litigation and legal proceedings often implicates data outside the US. As data privacy and protection laws evolved around the globe, it’s critical to understand the limitations obstacles that may arise when collecting, processing, reviewing, and producing such data. China’s Data Security Law (“DSL”) and Personal Information Protection Law (“PIPL”), both enacted in 2021, have received heightened attention following China’s imposition of fines totaling roughly $1.2 billion in light of violations of these laws and its Cybersecurity Law (“CSL,” enacted in 2017) by Didi, China’s largest ride-sharing service provider. China’s DSL and PIPL are particularly noteworthy of their potential application to data processing and transfer actions that may occur both during the ordinary course of business and in response to litigation in other jurisdictions, such as the United States.Read More
K&L Gates recently hosted a series of webinars covering potential legal and regulatory implications businesses must consider as a result of the now common hybrid work setting. The cross-practice series focused on compliance issues from a Tax, Data Protection, Privacy, and Security, e-Discovery Analysis and Technology, and Labor, Employment, and Workplace Safety perspective.
Webinar recordings and associated materials are available on the K&L Gates HUB.Read More
Key Insight: The court granted reconsideration of plaintiffs’ motion to compel discovery of documents in the possession of a corporate defendant in France. In a prior order, the court found that the GDPR did not preclude the court from ordering defendants to produce evidence, but based the order on plaintiffs’ representation that much of the requested information was located in the U.S. and therefore in the possession of domestic defendants. Thus, the court bifurcated its analysis to exclude any documents in the possession of French defendants. On reconsideration, plaintiffs claimed the important and relevant documents were located in France. Applying the factors from Restatement (Third) of Foreign Relations Law § 442(1)(c), the court found they weighed in favor of disclosure, together with the entry of a protective order that would protect France’s interests under the GDPR.
Nature of Case: Breach of contract
Electronic Data Involved: ESI generally
Key Insight: Defendant claimed that information sought by Plaintiff was discoverable. Plaintiff objected on the basis of confidentiality, and the Court struck Defendant’s confidentiality designations. Specifically, the Court rejected Defendant’s claims that the emails sought contained trade secret and proprietary information, and had the potential to cause it competitive harm. The Court ordered Defendant to use the it’s ruling as an example for dealing with similarly designated documents.
Nature of Case: Diversity, Product Liability
Electronic Data Involved: Email