
The General Data Protection Regulation has been discussed here before, but keep in mind that Chapter II of the GDPR specifies 6 key principles for processing personal data and 7 general principles overall.

1. ARTICLE 5 - Processing of Personal Data

1. Must be lawful and transparent.

2. The processing must be limited to a specified purpose.

3. Only the minimum data needed should be processed.

4. Inaccurate data must be immediately erased or corrected.

5. Personal data must be stored in a manner permitting personal identification for no longer than is necessary.

6. Data Security must be maintained.

THINK: MC PSST - MINIMIZE; CORRECT; PURPOSE; STORE; SECURITY; TRANSPARENT

2. ARTICLE 6 - Lawfulness of Processing

Data can only be processed if there is consent; a contractual obligation; a legal obligation; a need to protect a vital interest of a person; a public interest; or legitimate interests of a third party that don't override the rights of the data subject.

3. ARTICLE 7 - Conditions for Consent

Specific consent must be given for specific matters and consent can be withdrawn at any time.

4. ARTICLE 8 - Child's Consent

Parental consent is needed for the use of data pertaining to children younger than 16 years old.

5. ARTICLE 9 - Special Categories of Personal Data

Data revealing a person's racial or ethnic origin, political opinions, sexual orientation, religious or philosophical beliefs, or trade union membership cannot be processed, and the processing of genetic data or biometric data to identify a person is prohibited absent consent or another legitimate purpose.

6. ARTICLE 10 - Criminal Convictions

Only official authorities can keep a comprehensive register of criminal activity.

7. ARTICLE 11 - Processing That Does Not Require Identification

If the purpose for which data is processed does not require identification of a data subject, the controller does not have to process additional information to identify the data subject for the purpose of complying with the GDPR.

This is a silly mnemonic, but think: LID CCCC



On Friday, Magistrate Judge P. Bradley Murray issued a decision, D'Amico Dry D.A.C. v. Nikka Fin. Corp., No. 18-0284-KD-MU, 2018 U.S. Dist. LEXIS 179858 (S.D. Ala. Oct. 19, 2018), denying a motion for a protective order. This is an admiralty action in which d'Amico seeks to collect a $1.7 million foreign judgment against Nikka under the alter ego theory. The motion for a protective order sought to shield Nikka's 30(b)(6) representative and records custodian from a deposition that would be videotaped. The Defendant argued that it did not receive notice that the deposition would be videotaped; that the purpose of the videotaping was to embarrass, intimidate, and harass the witness; and that the videotaping would violate his privacy rights under the Data Protection Act, the General Data Protection Regulation, the European Convention on Human Rights, and the Human Rights Act. Nikka argued that the video of the deposition would be protected personal data.

Judge Murray declined to issue a protective order on the basis of lack of notice because the October 5, 2018 motion for a protective order itself was filed well in advance of the deposition scheduled for October 24, 2018. He also denied the motion on the basis that the deposition was being used to harass the witness, because Nikka failed to establish the actual harm that would be suffered and because the witness had been able to endure testifying in the trial of a related action in New York.

Judge Murray also rejected the privacy concerns of the witness, stating that the GDPR and other privacy regulations were not a basis to reject the use of video of an individual in a deposition. "[T]hose Acts are directed to the use of videotaped images of persons unaware (at least, initially) of being videotaped. Here, of course, Mr. Coronis is well aware his deposition is to be videotaped and, therefore, having in hand no authority to the contrary supplied by Nikka, the undersigned DECLINES to find that the Acts to which Nikka cites are applicable to Mr. Coronis' duly-noticed videotaped deposition, which is to be utilized in civil litigation in the United States." Id. at *11-12. However, to "ease his privacy concerns" Judge Murray did order that the video of the deposition not be publicly disclosed or used in any other case or investigation.



Today I attended The Master's Conference in Manhattan at the Benjamin N. Cardozo School of Law of Yeshiva University. One of the events at the conference was a discussion entitled, Achieving GDPR Compliance: A Finish Line or a Starting Line? The panel consisted of Kenneth Rashbaum, a partner with Barton LLP and an adjunct professor at Fordham University's School of Law; Rachel Sims, an associate with Blank Rome LLP, who helps clients manage data privacy risks; Debbie Reynolds, a Data Privacy Officer for Eimer Stahl LLP and an adjunct professor of the eDiscovery Certificate Program at the Cleveland-Marshall College of Law; and Jonathan Wright, QPharma's Chief Legal Officer. The moderator was Tom Matzen of The Matzen Consulting Group.

The group used common acronyms related to the GDPR as a jumping-off point for a wider discussion on the implications of the GDPR.

DPIA - Data Protection Impact Assessment

DSAR - Data Subject Access Request

SA - Supervisory Authority

DPO - Data Protection Officer

BCRs - Binding Corporate Rules

PS - Privacy Shield

Rashbaum began the discussion by emphasizing that any company doing business in Europe will be covered by the GDPR. Rashbaum used to specialize in HIPAA regulations, and he noted that it was based on European data privacy regulations.

Sims noted that in her experience many companies have difficulty understanding that under the GDPR in the European Union individuals, not businesses, have control of their own data. She noted that the definition of personally identifiable information includes IP addresses; email addresses; and web tracking data, such as cookies. Matzen noted that in France information about one's union membership could qualify as PII as well.

Rashbaum emphasized that stricter national legislation passed under the prior European data privacy regulations (which only specified a minimum standard) would remain in effect under the GDPR. In his view, the GDPR is not a cost center but a business opportunity: European clients will insist that GDPR standards be met or take their business elsewhere.

Reynolds pointed out that becoming GDPR compliant was not simply a matter of checking off clear requirements on a list. Some people she works with make the mistake of thinking that a country's position on a whitelist of jurisdictions deemed adequate for overseas data transfers means that GDPR compliance has been achieved.

Matzen talked about how a DPIA should consist of more than just a data map, but that such a map might be essential to the assessment. Rashbaum recommends that clients perform a gap analysis (differences in performance between information systems to determine whether business requirements are being met). He said that many of his clients find that 'off the grid' apps are a problem. Individual departments purchase software applications that collect data without the rest of the organization being aware of it.

Matzen stressed that companies have to get rid of data they are not legally required to keep or have no ongoing business use for. Retaining data for possible future analysis is not acceptable.

Reynolds finds that some IT people are not candid with her about the existence of back-up tapes, because they are concerned they will get into trouble for not complying with information governance regulations.

Wright discussed the incident involving WhatsApp in which it was found to lack an Article 27 representative. An Article 27 representative acts as the point of contact for both the EU authorities and customers. The panel discussed the potential liability of Facebook, which owns WhatsApp.

Matzen noted that the high fines a company can be required to pay under the GDPR have already been the motivation for ransomware attacks.

Reynolds observed that there are six lawful purposes for processing data under the GDPR (these are consent; contract; legal obligation; vital interests of the data subject; tasks carried out in the public interest; and other legitimate interests that are not overridden by individual rights), which may come into conflict with the needs of electronic discovery. She worked on a case collecting data in France where she was restricted to email messages sent in a one-year period, and only those which were marked as having been read. She hoped that the proposed CLOUD Act would resolve such problems for American courts.

Rashbaum's experience as a lecturer for the Federal Judicial Center taught him that there is a lack of knowledge about cross-border discovery among legal authorities, and that judges are very impatient with the limitations of such discovery. Rashbaum stressed the importance of bringing up cross-border discovery issues in the Rule 26(f) conference. Blocking statutes are not specifically mentioned in the GDPR, but blocking statutes in France and Switzerland prevent their citizens from complying with discovery orders. Companies should be worried about actions taken directly by the Irish Data Protection Commission, France's Commission Nationale de l'Informatique et des Libertés (CNIL), or Italy's Data Protection Authority (Garante per la protezione dei dati personali). Recently Rashbaum has found that Britain's Information Commissioner's Office has been more aggressive about enforcing privacy regulations than CNIL.

Reynolds anticipates that the 72-hour data breach notice requirement of the GDPR will be adopted more widely, and Rashbaum said it was already in effect in New York State and Colorado, and that New Jersey was already considering such legislation.

There was also some discussion about the status of attorney-client communications that may be subject to cross-border discovery. Rashbaum noted that in France attorneys are no longer considered practicing members of the bar when they become in-house counsel. He referred to Magistrate Judge James Francis' decision, In re Rivastigmine Patent Litig., 237 F.R.D. 69 (S.D.N.Y. 2006), which discusses privilege laws in 37 different countries.

Reynolds concluded with an observation that the other members of the panel agreed with: companies such as Facebook and Google will get fined under the GDPR not because they receive poor legal advice but because they have trouble executing the data protection measures they know they need.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

© 2015 by Sean O'Shea.
