This subject is especially relevant with regard to the recent, far-reaching Schrems II ruling of July 16, 2020, which invalidates the EU-US Privacy Shield and confirms the validity of Standard Contractual Clauses, as long as they are properly monitored.
Prior to the Schrems II decision, Chris O’Connor, Director of eDiscovery at CDS, had the pleasure of interviewing Jonathan Armstrong, a partner at Cordery in the UK who has advised multinational companies across Europe on technology, risk and governance for more than 20 years.
Here is part of their discussion from the recent CDS webinar on GDPR and Data Privacy in a Pandemic.
In a nutshell: There’s not as much consistency. Some regulators will act on just one complainant. And now there’s a global pandemic. That changes your risk profile.
You mentioned Italy had come out with some guides early, especially when it came to being able to control their own employees’ health. Has the Union, or have individual countries, come out with different advisories or different recommendations for how data that is rife with privacy concerns gets protected prior to full export or during the analysis process?
Yeah, that’s a really interesting question, Chris. I think, obviously, whilst we’ve been in lockdown, we’ve also had the second anniversary of GDPR enforcement. One of the real hopes for GDPR was that we could have consistency in data privacy laws across Europe. So, when I wrote my first article about GDPR, whenever that was, I think eight years and four months ago, that was one of the big hopes: that there would be more convergence and the law would be the same across the EU. You wouldn’t have to worry about different regulators doing different things and different local legislatures doing different things. People can read it online and fact-check if they like.
But one of the concerns I have is I wasn’t convinced that was achievable under the current EU situation. Because different people in Europe care about different things. If I’m in Austria and Hungary, I care more about things like dental records. Why? Because in the late 1930s and early ’40s, people used dental records to do people harm. And so that’s still within a couple of generations. People there still worry about that. Whereas in the UK, I don’t worry about stuff that much. I did an event for the Commission when Bulgaria and Romania joined and the Latvian delegate said you will never understand this, being from the UK, until your neighbor is taken away and shot because of the data that the state has on them. And that isn’t in my cultural understanding.
But what that means in a crisis is the different regulators react differently. As a general rule, those that have suffered under repressive regimes in places like Spain and Italy and out into Eastern Europe, tend to resist encroachment by the state more. They’re worried about returning to the bad old days. Whereas countries like the UK and Ireland, where we haven’t had that, at least since 1066 – we don’t have that same fear, if you like, of what the state’s doing. Doesn’t mean to say that we’re super tolerant, but we’re not as concerned as other countries can be.
And so, what that’s meant is we’ve had this whole scattergun approach really throughout Europe as different regulators have responded to different concerns. And we have had some effort from the European Data Protection Board to try and unify, to at least have a common theme, but there is not a lot of consistency, and we’re going to see, Poland for example, is already investigating some COVID-19 related alleged breaches of GDPR. Some regulators have been very quick out of the blocks, not only in guidance but also in terms of enforcement activity as well.
From the enforcement standpoint, you mentioned earlier that, to your understanding at least, if you keep within that 72-hour timeline and you make your notice, they could be more understanding as part of that investigation, but pretty much you sign a warrant that they won’t be so understanding should you fail to give that notice of a potential or an actual notifiable breach.
How do attorneys, and also corporations, prepare and respond, not just against the attack or even the declaration, but just get through the process? I know Europe has a wildly different understanding of punitive functions than we do in the United States, where that’s a money maker for the state.
Companies are facing an economic downturn as a result of people being locked inside and out of work, at least in jobs they can’t do remotely. What is it that the company should be thinking about as they get approached by investigators?
The first thing is what not to do. And we’ve seen a number of cases recently where people have tried to take regulators on, telling them that they should be focusing on better things, they should be addressing the concerns of X, Y, Z corporation instead. That’s usually not a good idea. There are a couple of cases recently, Cambridge Analytica and Doorstep Dispensaree, where people have said, ooh, the regulator’s acting outside its powers or, in one, said it was a subject access request by a US individual and they replied and said US residents have the same data protection rights as the Taliban, i.e. nil. So that’s not a great response to give.
But some regulators will act on just one complainant. And we know that there are quite a few cases that are now public where only one person complained. And of course, your whole risk tolerance changes in the pandemic. Your risk profile changes. Why? Because particularly if I employ a lot of people, I might have some of those on furlough and some of those might never return to work, maybe because I’m going to go through some downsizing with the economy afterwards. Almost certainly, those people are going to issue subject access requests and/or litigate.
And in some respects, why wouldn’t they? If I’m sitting at home without a job and if I believe that I’ve been disadvantaged because of the way in which my data is handled, why wouldn’t I spin the dice? It’s almost a risk-free piece of litigation and I might well win some damages. I might win an extra notice period. Coupled with that, we’ve also got some workers’ representatives, and as you know, we tend to be more unionized in parts of Europe; we have works councils who have statutory powers. Some of them are putting down markers as well to say, in Germany, you cannot temperature check people. You can’t use the telemetry functions of Office 365 to monitor people’s productivity.
And some of these bodies have a really intimate understanding of the functionality of common software applications. Some of them understand Office 365, for example, better than some corporations. So, the litigation risk is definitely there. If we do bad things now, we can expect that to be visited upon us in the future. And the other danger with that is that memories tend to be quite short. So, whilst we think we’ll give people some leniency, we might think that we’re in the biggest crisis our corporation has faced, or our law firm has faced. And we might genuinely believe that, and we might think that’s true. But, as you say, these cases have a long tail. So, with some of this litigation, we’re going to view what companies have done now, maybe in six years’ time, maybe in eight years’ time. The world, let’s hope, will look very different. We’ve got to make sure that we document the decisions that we take now. We’ve got to make sure that they stand up to future scrutiny.
So, with all the member states essentially doing different things, and I realize not all of them have, but for those that have kept the same advisory to data as they had prior to the pandemic, what does the volume of investigations or data being analyzed look like? Does this lead to more investigations? You’re sitting at home, you have the time, so you spend every day working. And maybe, you even become more efficient at home. I’ve seen the numbers indicating that they see a spike in efficiencies with remote workers, at least over the first three months.
Yeah, I think that’s definitely true. I think that for a lot of people, I look at Cordery for example, I don’t think our productivity is down. I hear the same from a number of clients. I think that some regulators did slow down somewhat. They weren’t perhaps as geared up to working from home as some corporations were. I know, for example, that the Information Commissioner’s Office, the data privacy regulator in the UK, has suspended cases on the basis that they weren’t able to do bundles and PDFs and get the documents in electronic form ready for remote hearings. Which is something of a surprise.
There have been some delays in some investigations, but equally I know that in the bribery space, for example, the Serious Fraud Office had a pause in a trial, but it came back relatively quickly and there are investigations in train. I think they got a bit of leniency in one case recently on some documentation-related deadlines. But my sense is that there isn’t a huge impact in terms of investigations, volume of data being processed, et cetera, et cetera. My sense is that people have been able to adapt pretty quickly and find ways of working.
We talked a little bit about how some member states have chosen to make alternative arrangements under the same understanding for document analysis. How have the relationships between the United Kingdom and the EU been impacted by privacy? To my understanding, they’re still on pause. They were hoping to get back to work on this this summer. Who knows if that’s possible? Does the UK start wandering away and becoming one of these states with a greater deal of privacy, or is there going to be a different attitude?
Yeah, I think that’s really interesting. I think we’ve had mixed messages from the UK government particularly, as to its negotiating position around data privacy. My reading is that the law will not change that much in the UK post-Brexit. For those who aren’t aware, effectively what happens is there is an existing piece of legislation in the UK, the Data Protection Act 2018, that says when Brexit is live, it doesn’t say it in these words, but effectively, we cut the whole of GDPR and we paste it into DPA 2018 so it becomes UK domestic law.
And incidentally, the DPA 2018 is in. It has other provisions that are also relevant to discovery professionals. Particularly things like: if I re-identify anonymized data, I commit a criminal offense. Things like: if I hold onto data against the data controller’s wishes, even if the data controller gave me that data, and I refuse to give a dataset back, for example, in litigation, I also commit a criminal offense there.
So, the Data Protection Act is there. It has identical provisions more or less to GDPR, plus added goodies like those criminal offenses.
And I could see the criminal offense you just raised there being an issue during a lockdown, during a pandemic. An employee gets furloughed or terminated during this process, which is unfortunate, but economic circumstance dictates, and they don’t return data. Or the machine it sits on.
It’s very, very likely. And we’re seeing that there is quite a lot of litigation around employees, as you say, because of the climate, there’s some recent litigation in the UK for example, over the travel industry, which is obviously in a state of turmoil. And employees leaving Group A to join Group B and taking passport details with them for customers going on trips, et cetera, et cetera. So, you’re absolutely right. Downturn leads to a rise in data theft. It’s individuals trying to hold their employer to ransom, trying not to be selected for redundancy because of the stuff they know or possess, but also those that are mobile, trying to move with contact books, with details, with data.
So, yes, we’re likely to see, I think, an increase in consequence there. And back to the Brexit point, briefly, regarding the Johnson government: June is most likely the real decision month as to whether they ask for an extension or not. If the UK leaves on a no-deal Brexit, without an agreement with the EU, then data transfer does get more tricky, I think. There are all sorts of different scenarios. I think the UK/US issue isn’t so problematic, particularly for those organizations that are in the Privacy Shield.
The EU to UK transfer isn’t so problematic because I think initially the UK proposes to issue guidance which will give some leeway on those data transfers. But bear in mind the fact that we’ve just had some UK litigation over data transfer as well, over some data related to death penalty sentences, which suggests that there’s not as much leeway in regulators or governments issuing guidance as some people have previously thought. So that’s not a given.
The really difficult situation, I think, potentially is from the UK to the EU. And there are a couple of political reasons behind that, one of which is the belief amongst some that the UK security services were involved in the type of allegations that Edward Snowden made against the NSA. And there are some in the EU Parliament that would not want to regard the UK as adequate in data protection terms as a result. Some people connected to Boris Johnson are also saying really quite dumb things around the potential weakening of data privacy law, which doesn’t help an already difficult situation.
So, I think circumstantially, the Brexit ship could hit the rocks as far as data transfer is concerned. Unfortunately, that means organizations, in addition to everything else they’re thinking about, are going to have to think about data transfer this month as well, to guard against that potential no-deal scenario, because once the train leaves the station, there’s no stopping it, really. So, people are going to have to be mindful of that as well.
And then finally, on the 16th of July, the Schrems decision comes back again, which could invalidate Privacy Shield and standard contractual clauses. My gut feel is we won’t see a full-on assault on them, but obviously we’ll talk about that on a future webinar.