A Year of GDPR: What does this mean for
In the first year since its adoption, misinformation in the industry surrounding General Data Protection Regulation (GDPR) has resulted in many businesses and industries addressing data privacy with extreme levels of caution. This article explores the impact of the GDPR on the e-discovery industry and seeks to simplify some of the less-discussed provisions and exemptions.
When Does the GDPR Apply?
GDPR appears to have a broad reach: It applies to all processing of personal data where the data forms part of a filing system. As such, it may appear that the GDPR applies to all activities typically undertaken in an e-discovery project (“processing”) and to almost every circumstance where information about an individual exists (“personal data.”)
In reality, the GDPR is focused on protecting individuals and safeguarding data from data processing giants like Facebook and Google, not on restricting the flow of information or legitimate uses of data. This is evidenced by paragraph 15 of the preamble:
“Files or sets of files […] which are not structured according to specific criteria should not fall within the scope of this Regulation.”
This provision is important because it establishes a distinction between normal, everyday usage of data such as an individual’s mailbox and loose files (unstructured data) and carefully structured pools of information such as a customer database of contact details (structured data).
Structured vs. Unstructured Data
In the information age, we are constantly contributing to a subterranean mountain of structured data. As we know, a single Google search can forever alter the ad content curated across your social media channels. Somewhere in a climate-controlled catacomb of servers, a carefully-organised database stores a record with your name, age, sex, location, and search history, alongside billions of data points on other consumers.
This is structured data – precisely what the GDPR is designed to protect. Due to the prevalence of personal information and the ease of access, structured data presents a much higher risk of exposing personal information than unstructured data.
Unstructured data comprises the vast majority of electronic discovery. Understandably so, as electronic evidence more commonly resides in the form of a communication, contract, or meeting minutes than in a database of consumer purchase histories.
The Litigation Exemption
For data that does fall in-scope of the regulation, GDPR provides that Member States may provide exemptions for data that is being processed as part of legal proceedings, but they are not required to do so.
It is important to check the local law on this point to determine whether you fall within the scope of the GDPR, as Altlaw have had to do regarding some of our projects since the inception of GDPR.
By way of example, the French Data Protection Act allows processing of data without consent where it is required to comply with any legal obligation. It also allows for transfer of data out of the jurisdiction if it is required to meet legal obligations or to pursue or defend legal claims.
In England, there is an exemption where a data controller is required to disclose data by an enactment, rule of law, or an order of a court or tribunal. This provision is broad enough to capture discovery in connection with legal proceedings, including prospective legal proceedings and taking legal advice.
On that basis, e-discovery activities such as data collection and processing would be exempted from the GDPR, even when undertaken proactively at the start of a dispute but before legal proceedings have officially commenced.
It is important to note, however, that the litigation exemption only reduces the obligations relating to the processing of data, and provisions regarding data security will still apply.
When it comes to the privacy and security of personal information, a cautious approach is advised. However, it’s important to remember that the GDPR wasn’t designed to hamstring litigators, and, for e-discovery practitioners, often may not apply. If your practices pre-GDPR were robust and defensible, it may be that nothing needs to change. However, be aware of the types of data you deal with most and know your specific jurisdictional regulatory environment.
Written by Steve McCann
In-House Counsel / Altlaw