"Just go ahead and collect the data, send it over to us, and we'll look after it."
Heard this before?
Gone are the days when international legal advisors could prioritize the free movement of data around the globe to best fit their strategies and resources, ahead of the compliance regulations that now govern the very movement of that data. Unfortunately, even today, European enterprises continue to allow the unfiltered and unprocessed transfer of data in jurisdictional proceedings outside of the scope of GDPR, despite the existing penalties.
In addition to the protection of personal data that falls within the issues of export control, banking secrecy, intellectual property protection, and other GDPR-governed data, we as eDiscovery consultants are asked more than ever to advise our clients and their legal counsel on the meaningful, robust, and secure methodologies available today.
In this context, it is a question of leveraging the right approach, the right workflows, and the appropriate tools, each playing a very important role in tackling the data privacy challenge. Depending on the procedure and technology, communication challenges must also be considered. Who informs whom, by when, and what role do employees have?
In this article, we outline a sensible structure for an eDiscovery process within the context of international data privacy. We believe this process should reflect the following:
Stage 1: Data Mapping, Identification, and Scoping
By involving all stakeholders early on, it’s usually possible to quickly identify and locate the relevant data sources that need to be targeted. Some stakeholders to consider include:
- Data protection
- Data security
- Employee representatives
- The legal department
- Works Council (a shop-floor organization in many European countries that represents workers and functions as a local or firm-level complement to trade unions)
If available, a data map can be referenced, or interviews of stakeholders can be conducted. At minimum, a data map should include:
- Targeted data custodians
- Their geographies and jurisdictional requirements
- Their assigned devices or accounts
- Any information that needs to be discussed and treated in relation to the data collection itself
Backup systems and data from employees who have left the organization’s employment are usually critical but problematic, primarily due to the time it takes to restore the data. However, it is recommended that companies with a constantly updated and refreshed hardware setup automatically back up their devices from a certain hierarchy level onwards via imaging (for example, in the case of hardware leasing).
Thanks to the ever-increasing use of centralized cloud systems such as Microsoft 365, we find ourselves more and more in a position where data from the email server can be directly identified, backed up, and forensically extracted. In the U.S., this is referred to as Legal Hold, a principle of "freezing" the email data to preserve evidence. We also see clients “self-servicing,” especially for smaller investigations, due to the increasing functionality being offered via eDiscovery search tools in these cloud solutions.
At an early stage in the overall process, the Works Council should be involved technically, and in terms of content. It is common for the exploitation and use of data to require the oversight and approval of the Works Council.
The technologies used and engaged, especially with regard to IT and forensics, usually have very profound effects on data designated as private (like a network folder with pictures from last year’s Christmas party). Therefore, it’s imperative to be transparent and open about the planned strategy, the possibilities for mitigating the processed data, and its depth, as well as the methods of protecting data in the event of any transfer.
In all respects, the Works Council plays not only a communicative role toward the employees of the company who are deemed relevant to the investigation, but also a decisive role in achieving any success, as the Works Council can easily allow or deny the data processing and transfer workflows for several reasons.
Regarding internal investigations, especially in Germany and Europe, it is important to balance data protection, the use of the right forensic tools, priorities, and deadlines on the part of the courts. With the ill-advised approach of "Just go ahead and collect the data, send it over to us, and we'll look after it," the investigation is already compromised. If we add in Switzerland, with its banking secrecy and the blocking statutes, or France with its newest anti-bribery/AML requirements, things can get complex, fast!
Stage 2: Extraction, Processing, and Ingestion
After the data has been successfully scoped and the parameters for extraction are outlined, issues related to IT security need to be addressed, such as technical and organizational measures to protect the data and any related documentation or workflows.
IT security plays an increasingly important role for companies, addressing topics like where data is processed, how, and by whom. Standards such as ISO 27001 and others should always be in place and audited. It’s also advisable to conduct an initial audit of the forensic service provider regarding its own technical and organizational measures.
Various cloud offerings may be available in the forensics service provider environment. Since these are mostly based on systems such as Azure and AWS, the question of the data’s geographical location plays an important role. Providers with supporting resources outside of the jurisdiction of GDPR should be eyed critically.
Once everything has been clarified technically and legally, and the consent of the "data custodian" has been obtained, the data can be collected. In most cases, it is advisable to obtain a complete copy of the data to ensure defensibility and admissibility in court.
We as forensic consultants usually generate a full image by taking a full copy of a hard drive bit by bit, with the potential of being able to restore deleted data. Or we take a more targeted approach, which is sometimes the perfect response when it comes to data privacy concerns.
In 2021, the tools that are available to us are well capable of omitting specific data (for example, the "Pictures" folder). Furthermore, during a case assessment, specific file types and predefined areas (like data ranges or case-specific keywords) can be included or excluded during extraction.
We always work towards the goal of judicial usability, but according to the principle of data minimization, it is common for data to be anonymized or pseudonymized during extraction. Here again, the Works Council could be the ultimate holder of the anonymized or pseudonymized data custodian names and their sources.
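The targeted collection and pseudonymization described above can be sketched as follows. This is an added example, not Sandline's tooling or code from the original article; the folder and file-type settings, the inventory, the demo key, and all function names are assumptions constructed for illustration. The key and the alias-to-name mapping are meant to stay with a separate holder (the article suggests the Works Council), while only the manifest goes to the review side.

```python
import hashlib
import hmac
from pathlib import PurePosixPath

# Assumed scoping parameters, as they might be agreed during case assessment.
EXCLUDED_FOLDERS = {"pictures"}                  # private area left uncollected
INCLUDED_TYPES = {".docx", ".xlsx", ".pdf", ".msg"}
# Constructed inventory: (custodian account, file path on the source device).
INVENTORY = [
    ("a.mueller", "Users/a.mueller/Documents/offer_2021.docx"),
    ("a.mueller", "Users/a.mueller/Pictures/christmas_party.jpg"),
    ("a.mueller", "Users/a.mueller/Pictures/scan_contract.pdf"),
    ("b.schmidt", "Users/B.Schmidt/Desktop/pricing.xlsx"),
    ("b.schmidt", "Users/B.Schmidt/Desktop/setup.exe"),
]


def pseudonym(custodian: str, key: bytes) -> str:
    """Keyed alias: stable per custodian, not derivable without the key."""
    mac = hmac.new(key, custodian.lower().encode("utf-8"), hashlib.sha256)
    return "CUST-" + mac.hexdigest()[:12]


def in_scope(path: str) -> bool:
    """Apply folder exclusions first, then the file-type allow-list."""
    p = PurePosixPath(path)
    if any(part.lower() in EXCLUDED_FOLDERS for part in p.parts[:-1]):
        return False
    return p.suffix.lower() in INCLUDED_TYPES


def build_manifest(inventory, key: bytes):
    """Return (manifest for reviewers, alias-to-name mapping for the key holder)."""
    manifest, mapping = [], {}
    for custodian, path in inventory:
        if not in_scope(path):
            continue
        alias = pseudonym(custodian, key)
        mapping[alias] = custodian
        # The account name also appears inside the path, so replace it there too.
        parts = [alias if part.lower() == custodian.lower() else part
                 for part in PurePosixPath(path).parts]
        manifest.append({"custodian": alias, "path": "/".join(parts)})
    return manifest, mapping


if __name__ == "__main__":
    print(build_manifest(INVENTORY, b"constructed-demo-key")[0])
```

Note that the folder exclusion wins over the file-type allow-list, so a PDF stored under "Pictures" is still left out, and that the custodian's name is removed from the path as well as from the custodian field.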
In the following step, data is ingested for classical data processing, otherwise referred to as “indexing”. At this stage, we have the opportunity to identify relevant personally identifiable information (PII), including data such as religion, ethnicity, and gender.
As a service provider, the process of data culling is initially successful if we manage to greatly reduce the amount of data that later ends up in a document review platform. De-nesting, deduplication, email threading, and other targeted metadata culling can reduce data volumes by up to 90% based on our methods and experience.
However, the most important factor is the transfer of personal data within the 10% that remains. Within the remaining 10% there can be false positives. Always remember: it is not uncommon for the other side, in U.S. proceedings, to demand the release of the entire document review population (the data that was uploaded into the review data pool).
So, how do we simultaneously balance time constraints and data protection concerns?
Stage 3: Hosting, Review, and Preparation of the Data
At Sandline, we mostly rely on "in-country" processing and hosting along with pre-filtering, to definitively exclude a data privacy violating transfer to a third country. This is done either by means of our own server farms in Germany, Taiwan, and the U.S., or we resort to a mobile instance or a cloud node.
The objective is to keep the maximum amount of data in the country and still allow legal departments and lawyers outside the jurisdiction to analyze it. In doing so, our clients could always leverage technologies such as automated redaction and predefined machine learning models to detect review genuineness.
We also approach many cases with a balanced mix of technology and human review, where we leverage advanced technologies for the benefit of the case—including budget and human review—with data privacy safeguards in place to reduce false positives during the document review.
What does this ultimately mean to you and your eDiscovery landscape?
If you plan to partner with an eDiscovery consultant, it’s important to start working with them at the beginning of the case, when many decisions and requirements may shift, such as priorities, options, scope, and most importantly, the geography and content of the targeted data.
It also helps to have a partner who has worked closely with the Works Council for small, medium, or large-sized organizations. As we discussed, knowledge of the Works Council's inner workings is an important ingredient for success.
At Sandline, we provide the experience, solutions, and support to help legal teams confidently navigate the complicated world of global eDiscovery and to provide clarity that will ultimately take your cases further.