Forbid data access based on country origin – A challenge for document review companies
Despite the passage of a decade of analytics and technology-driven workflows, document review service remains to be the largest chunk of cost in the discovery process. Lawyers reading documents squanders time, and paying for that time can glaringly increase costs in an already tight budget. Firms and corporations, do not wish to loosen their budget for this, making way for the work to get outsourced and document review companies to come into picture.
When spoken of eDiscovery, document review service stands as one of the most arduous tasks. The document review process involves the review and analysis of collected documents to determine relevancy, privilege and other protected information to the case. In the present menacing environment, amidst the numerous high-profile data breaches, the obligation of IT in securing data is more important than ever, especially confidential legal information and more so when data in such voluminous in document review companies.
New mandates have been put into place for data privacy regulations for organizations to manage the personal information of their customers and employees. Document review companies must implement comprehensive changes in how they collect, manage, protect and process data that contributes to defining the identity of these individuals. The base ground for bringing in such laws is to protect the personal data, commercial data, and governmental information from unauthorized access, use, and corruption. Due to the nature of litigation, cross-border eDiscovery can leave document review companies at risk of violating foreign laws. The way that different jurisdictions approach data protection can be a minefield and can cause a vexation for even the most seasoned legal adviser.
Global Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are the global prototype for how privacy rights are defined and executed. These rights are conferred as overarching natural rights that are further entrenched as specific executable rights that can be exercised. Data privacy regulations seek to balance individual rights against the organization’s legitimate interests and legal requirements through specific exemptions to executable rights.
Document review service providers need to focus on the programmatic aspects and the application of eDiscovery technology to the core of Data Subject Access Requests (DSAR) / European Union and Subject Rights Requests (EUSRR) workflows to collect, cull, review, de-risk, and produce reports in response to legitimate requests, understanding what the exemptions are and applying them is an important component of a holistic DSAR/SRR workflow. Two synchronous facets of DSAR/SRR workflows are the policy-related aspects including rejecting requests that meet an exemption, and the core programmatic aspects of completing the majority of requests that require fulfillment.
Organizations who are required to comply with DSAR’s find it consistently challenging. Since the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 went into effect these requests have now become more burdensome, providing shorter time frames and greater fines. The consequences of noncompliance are significant resulting in fines of up to 4% of a corporation’s annual global turnover or €20,000,000.
Only if document review service pre-requisites were less of a herculean task, the blocking statutes which affect the preservation and production of data step in for more. In other words, a blocking statute is a law enacted in a jurisdiction that prohibits documents located there from being used in foreign location. Every country has separate laws regarding the cross-border transfer of documents; and some countries have enacted such statutes to restrict any transfer of discovery abroad. Laws like these restrict the fabrication and disclosure of any commercial information about domestic companies without prior consent from the local judiciary. Such consent is rarely given and these laws criminalize the very act of exporting any cross-border dispute-related information.
Several countries have become parties to ‘The Hague Evidence Convention’; a convention that provides procedures for a limited response to discovery requests. This process allows for evidence to be transmitted abroad via ‘letters of request’.
Considering the lifecycle of the relevant data and the various aspects of the eDiscovery process, it shall be an excellent starting point for identifying the technical, administrative, security, and privacy controls that apply to foreign data production and challenges. Using advanced data analytics during the early case assessment phase, can massively prevent costs of cross-border eDiscovery from escalating. Also, parallelly prioritizing early legal intelligence and narrowing down the scope of electronically stored information (ESI) and any personal data involved can help deal with a lot of foreign data procurement and to overcome the challenges.