By David Horrigan – E-discovery Counsel and Legal Content Director, kCura
For decades, prevailing winds have blown towards globalisation and open borders for data and information. However, these winds seem to have run out of puff, leaving organisations around the world becalmed and in uncertain waters.
This may be the age of big data, but it’s also the era of Brexit and surging nationalism. What seemed to be a clear path towards goodwill and cooperation is now open to reevaluation.
In this brave new world, it is incumbent on boards of directors serving international organisations to understand the laws of many lands, the new jurisdictional challenges, and the strategies to address them. One of the clear battlegrounds will be in data, which remains one of the most potent and profound corporate and personal assets of the day.
Data affects everything, from how we eat to who we elect. Data helps hospitals refine treatments for diseases we’ve struggled to beat for years while helping corporations retain and serve customers. And data helps – and potentially hurts – litigation and compliance; growing digital data volumes have turned every case into a potential e-disclosure case.
Whether it’s in the United Kingdom, the United States, Russia, or China, nationalism affects British companies and the decisions that must be made in the ethical boardroom.
Brexit and the General Data Protection Regulation
Brexit is happening. When Article 50 was triggered on 29 March 2017, the world’s furtive discussions about the ‘if’ and ‘when’ were, in all likelihood, rendered academic. Tax lawyer Jolyon Maugham and others have filed litigation in Ireland in an attempt to halt the Brexit process, butin the United Kingdom, the people voted, Downing Street is following through, and Europe is preparing for the impacts, whatever they may be.
Of course, the process of leaving the European Union isn’t as capricious as it could be. With a minimum of two years of negotiations ahead, there will be a measure of time that can be used to untangle the millions of knots joining the UK and the European Union. This is all evident to anyone reading the news.
However, thoughts of a two-year distant decoupling or a longshot legal challenge by Mr Maugham must not distract corporate decision-makers from the very real jurisdictional challenges that will arise in the interim.
Take, for instance, the EU’s General Data Protection Regulation (GDPR), one of the strongest steps ever taken to protect individuals’ data privacy rights and increase the requirements for the protection of corporate data. The GDPR replaces Directive 95/46/ EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, known commonly as the 1995 EU Data Protection Directive, although it became effective in 1998.
The change from the Directive to the GDPR was, in large part, an attempt to harmonise data privacy and protection law throughout Europe – a goal that goes by the wayside with Brexit. Or does it?
Although adopted in 2016, the GDPR will not go in effect until May 2018. However, that will still be before Brexit is completed.
Thus, despite Brexit, the GDPR will take effect in the UK. In fact, although Prime Minister Teresa May has said famously, ‘Brexit means Brexit,’ she has acknowledged that EU laws in force before departure will become UK law. Thus, corporate boards must plan and govern themselves according to the provisions of the GDPR.
Among these provisions are data breach notification requirements, data subject consent requirements and the right to erasure (right to be forgotten), substantial administrative fines for violations by data controllers and processors, and more. Of course, complicating matters is that corporate boards must also consider the possibility that in the post-Brexit world of 2019 and beyond, these data privacy and protection provisions could change once again if the UK decides to alter things post-departure.
Thus, organisations that house data in the UK may be compelled to comply with three different data privacy and protection frameworks in the course of only a few years: the status quo, the GDPR, and whatever the post-Brexit world may bring. Another concern is that organisations with distributed data might seek to find another country in which to keep it before a changeover happens. Dublin has already seen an uptick in business inquiries since the Brexit vote. In any case, these jurisdictions may shift rapidly and the unprepared organisation has the most to lose.
There are other examples, but Brexit is the clarion call that the time is now to think about corporate data protection and personal data privacy. It’s not just about choosing between the UK and EU, but rather how to navigate transfers between the UK and the rest of the world.
To take the coming issues seriously, it would be smart business to bring a data protection and privacy wonk into the organisation as a trusted advisor and strategic decision-maker. One of the hot jobs in this new, shifting landscape will be chief privacy officer – boards should put their executive recruitment firms to work as a soon as possible to beat the rush.
Understanding international litigation strategy
When litigation hits the fan, the strategies used to resolve it vary from country to country. One of the brightest promises of the EU has been legal integration. The original goal of the original European Economic Community (EEC) was that countries would buy in to an international business system. Of course, as corporate boards know, business and legal systems go hand in hand, and with the Maastricht Treaty in 1992, the European Community dropped the ‘Economic,’ and became part of the European Union, signaling business, legal, and – to a certain extent – cultural integration.
Noble work towards that dream continues on the Continent, but nobody can pick up a legal system from a briefing book. For the curious mind, however, litigation rules are as good a place to start as any. And some of the most knowledgeable litigators can be found working in disclosure, a discipline that requires a handle on the system from even the hint of litigation through to the very final decision. As the disclosure expert on your team can tell you, EU laws currently allow organisations to file claims and begin litigation in one of several countries, depending on where the issue at hand occurred and where the damages occurred.
That means – depending on the facts of the case – an organisation can choose to litigate in disclosure-enabled countries, such as the UK, or opt for many of the civil law nations in the EU with less of a tradition of e-disclosure or e-discovery. Of course, some corporate boards may be glad that a post-Brexit Britain may limit such legal forum shopping.
On the other hand, since the formation of the EU, members have relied on these litigation options and sovereign laws. Contract composition and data norms have meshed together. Extracting a solution will be difficult if the trend away from globalising these systems continues.
Of course, organisations could take a page from the US playbook and look at alternative dispute resolutions; most cases in the States are settled between counsel and clients outside of the courtroom. Of course, this is not to say, litigation costs are less in the United States. They’re often substantially higher.
In any case, in the same sense that it’s time for organisations to understand their data, they must understand their litigation options. The experts at e-disclosure and other legal services firms are key resources in reaching understanding. Already prepared for cross-border legal issues, they could provide much-needed perspective during strategy shifts.
The privacy v. security debate
Governments have developed a taste for data. New demands for the opening of private data are happening all the time on domestic and international scales. And while data can provide measures of security, it is worth questioning how much we value that security against individual or corporate privacy.
With that question in mind, think on another as well: who ultimately makes the rules as far as privacy and security are concerned? Government intelligence agencies could well make an overbroad bulk collection of data and claim all that data was necessary to keep the people safe. It has happened around the world. As international privacy advocates note, mass surveillance will only continue to grow, and this surveillance should be a factor in corporate data decisions.
Organisations, of course, have very different concerns than do private individuals. And a core concern is – or should be – about privacy liability for where data is handled and stored.
These jurisdictional considerations and the privacy v. security debate aren’t solely issues of Brexit and the GDPR – yet they can still affect decisions in a British boardroom.
One case in the United States was a flashpoint in this discussion: the 2016 case of Microsoft Corp. v. United States, known commonly as the Microsoft Dublin warrant case. In Microsoft, government prosecutors sought user data located on Microsoft servers in Dublin, arguing that – under a US law, the Stored Communications Act, it mattered not where the data were stored, but who controlled the data – in this case, Microsoft, a US corporation subject to US law. On the other hand, Microsoft argued the US government lacked the legal right to seize the data in Ireland.
“The ethical boardroom owes a duty to its organisation to govern its data in compliance with applicable laws and regulations. Increasing global nationalism increases this challenge, but meeting these duties isn’t impossible”
The government prevailed at the trial court, but an appellate court reversed the decision, siding with Microsoft. However, the issue may not be resolved. In a 2017 decision, In research Warrant No. 16-960-M-01, a federal trial court in the US state of Pennsylvania ruled for prosecutors in a similar case involving a warrant to Google. What have been battles between tech companies and prosecutors may become a battle between US courts reaching different legal conclusions.
Although these cases originated in the US legal system, the question of when governments might compel companies to provide data is very much an international one. In a more globalised world, we might work towards a unified theory of data privacy. However, we’re not heading in that direction.
In fact, laws such as Russia’s 2015 data localisation law, restrict the movement of certain types of data outside the nation’s borders. In addition, China’s State Secrets Law and its upcoming Cybersecurity Law have the unfortunate combination of being very broad and very vague.
In addition to court decisions and new laws, global nationalism – and legitimate privacy concerns – threaten agreements, such as the Privacy Shield Framework.
Complicating these legal issues are technical issues, namely the nature of digital data itself. You can have your data centre in one country, but data lives everywhere all at once. With distributed networks and a mobile global population, information travels. If it was difficult in a globalising economy to get government and organisations to cooperate and agree on privacy standards in the face of such movement, it may only become more so going forward.
Going forward with nationalism and corporate data
As we’ve noted, Brexit is by no means the only example of nationalism affecting corporate data across the globe. Even before the nationalistic issues in last year’s US presidential election, US prosecutors believed they had the duty to fight crime by seizing data in overseas servers controlled by Americans. Whatever its motives may be, Russia feels the need to stop the flow of data from its borders, and China feels the same.
The ethical boardroom owes a duty to its organisation to govern its data in compliance with applicable laws and regulations. Increasing global nationalism increases this challenge, but meeting these duties isn’t impossible.
Whether it’s EU nations with data protection officers or other nations with chief privacy officers and data protection teams, internal controls will help. Of course, monitoring international laws is a given – especially when we may see rollbacks of international agreements, such as the Privacy Shield Framework
It also goes without saying that outside counsel can help meet these challenges. In addition, an old maxim applies here: for every problem technology creates, more technology can solve. The combination of learned counsel and new technologies has met challenges in the past, and it will in the future – even in an era of global nationalism.
About the Author:
David Horrigan is kCura’s e-discovery counsel and legal content director. An attorney, law school guest lecturer, e-discovery industry analyst, and award-winning journalist, David has served as counsel at the Entertainment Software Association, reporter and assistant editor at The National Law Journal, and analyst and counsel at 451 Research. He serves on the Editorial Advisory Board of Legaltech News and the Data Law Board of Advisors at the Yeshiva University Cardozo Law School. David holds a Juris Doctor from the University of Florida, and he studied international law at Universiteit Leiden in the Netherlands. He is licensed to practice law in the District of Columbia.