Here’s Part 2 of the recap of the discussion had during our recent webinar, Life After Privacy Shield: The Present and Future of Cross-Border Data Transfer. Chris O’Connor, Director of eDiscovery Strategy at CDS, interviewed Jonathan Armstrong, Partner at Cordery. They outlined some concrete steps you can take immediately to comply with the EU’s revamped data privacy regulations. 

Enforcement, in the early days, will focus on people who don’t have a plan.

Chris O’Connor:

Having a plan and how detailed that plan is will depend on the entities involved, and their experience. But the more detailed the plan, that’s going to benefit the transfer and the security of the data as it gets moved.

Jonathan Armstrong:

I think that’s dead right. We had a briefing last week from somebody at the Commission. And the way he put it was, “Enforcement is most likely on those who are ignorant.” So, enforcement activity, I think, certainly, in the early days is going to focus on people who don’t have a plan. And be aware of the fact that this is already a hot area in eDiscovery. But I know that there’s some litigation in the UK at the moment involving Royal Mail, involving investigations, e-discovery, and alleged negligence in doing reductions of that data.

We know that there’s a potential class action against Amazon, in Munich, over Privacy Shield and the fact that they haven’t updated their privacy statement on its website since Privacy Shield collapsed. So, people are calling for these plans. If you employ people in Europe, it’s likely that the works councils are asking for a plan as well. So, you’ll need a plan. It doesn’t need to be super comprehensive, but it needs to be something. And you need to show that you’ve started.

Look hard at data transfer. Make sure it’s required for the issue. And yes, it will slow things down.

Chris O’Connor:

Make sure that data actually needs to be moved, or the data that you are moving is required for the issue you’re attempting to resolve in the US. I think making that decision upfront, as opposed to saying, “Just give us all the data. We’ll figure it out. And whatever we don’t need, we’ll just delete.”

That evaluation is a challenge. And it definitely slows things down. The U.S. litigation market is quite active. We like to move quickly. But this is going to be a pause moment. Once we get past the plan, okay, we need to move this data. What are we going to do? And how much of this data is actually important for what we need to accomplish?

Produce a standardized FAQ, providing public information. Make sure your suppliers and vendors have similar policies.  

Chris O’Connor:  

What should we be telling customers? What should businesses tell customers about their plans? 

Jonathan Armstrong:

You need simple and straightforward FAQs. As I’ve said, if you have works councils, and you have facilities in Europe, you’re probably being asked for them. Now, it’s important to have standardized FAQs. Because we’ve had issues before with clients where they let, for example, the HR team do a briefing locally. And then, we had a case where the HR team had briefed the German Works Council, briefed the French Works Council and then both councils swapped slide decks. And effectively, they had the difficult conversation where the works councils said, “Were you not telling the truth in Germany or in France? Because these slide decks don’t match.”

Jonathan Armstrong:

So, you need to have a consolidated approach, and FAQs are the best way of doing that. If you use a third-party to process payroll, or look at metrics on your website, or as part of a contact center, or as part of the investor relations section on your website, or if you rely on an eDiscovery provider, or a law firm, it’s important to look at their statements too. Because if Privacy Shield doesn’t work for your supply chain, then that also causes an issue. So, I think the FAQs need to look holistically not only at what you’re doing, but what other people you work with are doing with that data as well.

There will be an Increase in Data Subject Access Requests (DSAR) in a Downward Economy.

You should take a hard look at the data that you collect on your employees. 

Chris O’Connor:

People are going to have questions, which has led us to an increase in Data Subject Access Requests. What do we anticipate in a downward global economy? Are employees worried about being monitored while they’re working from home? How do these things play into a DSAR? What should businesses be considering as part of their protocol with employees? 

Jonathan Armstrong:

I think you’re definitely right that we’re in almost a perfect storm, really, of the pandemic, people working from home, more people feeling less loyal to their employer, increase in data privacy rights, and a reduction in job security. One of our clients moved 15,000 people from office working to home working in 48 hours. Now, they’ve done the right thing, and backfilled some of that compliance. They took that decision to use Zoom then because they had to. And that’s all they could do in 48 hours. Now, they must do something different, use secure Zoom, or whatever. And the difficulty of using software like Zoom, like Office 365, is a lot of it has monitoring built in.

So in Office 365, for example, the Dutch authorities have been looking at what they call telemetry in 365. So, maybe there are 1,000 different reports from Office 365 that are going to somebody. And in some cases, that’s to Microsoft, in some cases to the employer. And we’re seeing workers, representatives be more engaged about that type of data. We’re seeing privacy organizations be more engaged. So, there’s an ongoing investigation into Barclays Bank, for example, into the UK, because of the way in which productivity data was captured from employees, and because of the way that it was used.

And the difficulty we have, of course, when we’re selecting people for redundancy in the EU, because people aren’t employed at will, normally, you have to do some scoring mechanism. So, you’ll say, “Unfortunately, Chris, I’m going to have to let you go because your coworker Anne was online for eight hours a day on average. And for you, Chris, I’m afraid it was only six and a half.” But you might say, “Well, first of all, I wasn’t told of that. Secondly, I didn’t know it was a competition.” Thirdly, you might say, “Well, actually, I’ve not told you this, but I have an eye issue. And it means I have to reduce my screen time.”

So, we’re going to get all sorts of issues like that. And I think when employees are leaving an organization, we’re already seeing them make those requests. They’re looking not only for productivity data, but they’re also looking for more standard things like emails saying, “Exit Chris from the organization because I really don’t like blue shirts.” So, they’re looking at information that will enable them either to keep the job, which is unlikely, get a bigger payment when they go, or at least delay the whole process, and collect salary in the meantime.

And we always see that in a declining economy. But I think a declining economy plus the pandemic, plus the perception that it’s harder to get a new job when you’re interviewing via Zoom, et cetera, is going to increase the number of requests, and actually increase the volume of litigation as well. And in some respects, of course, that’s good news for some people on this call. And in some respects, it’s good news for platforms that can manage subject access requests. But a lot of time, money, effort, and energy is going to be spent on them.

So, of course, a real watch phrase for organizations is be careful of the data that you collect. We’ve said to people almost since the time of email, if there’s a conversation that is better to have face-to-face or by phone, have it that way. Think about what you’re reducing in writing. And we’ve got to add to that, think about the performance data that you’re collecting, and think about things like Zoom calls. Some organizations are routinely recording every Zoom call. Well, that’s going to store up a lot of data. And that’s going to be a real challenge to investigate when you have a subject access request. 

Produce a Data Protection Impact Assessment

Jonathan Armstrong:

So, the best test, whenever you’re looking at data, is to do a Data Protection Impact Assessment. Obviously, that’s not just an EU thing. New Zealand and Australia have privacy impact assessments that are almost identical. So, go through some process of working out which data you need vs. data that you want.

And sometimes we collect data just as I collect stuff in my attic. I’ve got a pair of soccer boots, Chris, that I haven’t worn for 25 years. And I keep them in case one of my neighbors knocks on the door, and says, “Jonathan, come and play soccer. We’re a man short for the village team.” Now, look at the size of me. The chances of that happening are not great, but I still retain the soccer boots in the attic, just in case.

Chris O’Connor:

I could see how relying upon initial markers, telemetry data, would be of value to the enterprise during a pandemic. But now, we’re eight months in. If those evaluations have not yet started, get on that. Perhaps then it’s time to cut off this kind of data collection and create new markers for productivity that you can rely on. So, your business functions properly, but without any threats from a data security or privacy issue.

Jonathan Armstrong:

I think that’s dead right. And often, businesses collect this data without realizing it. Organizations and software vendors have done better in the last few years, by looking at default settings, and privacy by design, etc. But better doesn’t mean good. So, sometimes you’ve got to go and look into those default settings, challenge them, and make sure that you’re configuring stuff properly.

What’s the 2021 forecast for data privacy enforcement and regulation?

Chris O’Connor:

Do we see 2021 being a breakout year or a regulatory year? Do we think we’ll be looking at more privacy laws coming into play, or do you see this as a, we’re going to start seeing enforcement really kick in? Whether because of the death of Privacy Shield, because of an ever-engaged European Union as a result of Brexit being much more mindful than they have previously been and the increase in DSARs. How do you see 2021 balancing out, at least to start the year? I suppose, some of this is hard to call as it relies on knowledge as to how Brexit will actually happens.

Jonathan Armstrong:

I think we’re going to see more and more politics around data privacy enforcement. So, just to give you one example. In some jurisdictions in the EU, the regulator has to finance himself. So, we’re obviously going to see more and more pressure on public spending as we go from pandemic to recession in some countries, and out again. Tax revenue clearly is going to drop, and public spending has increased with greater healthcare expenditure in the EU, etc. I once spoke to a data privacy regulator in Europe and he told me that he’d had a discussion with his equivalent of treasury. And he’d said, “I haven’t got enough people to bring the cases I want to bring.” And the treasury official said, “What resources do you think you need?”

And he said, “I need extra headcounts of four. And there’s been a commission report that says that I’m under strength.” So, this treasury official said, “Yep. Four. And then, anything else you need?” And he said that he foolishly didn’t know the way this conversation was headed. And he said, “Do you know what actually? Our office furniture was inherited from a prior department and we could use some new desks.”

And then, he came back to him, apparently, a few weeks later, and said, “Okay, that headcount you wanted that costs X. That means you’ve got to levy fines of Y.” And he had even broken it down for the new desks: “You know that desk you saw in the catalog that you liked? Four fines.” And to our eyes, that’s an incredible discussion. Well, I kid you not, I heard it from the regulator himself. And in some of the smaller jurisdictions like Malta, which I think is one, the legislation actually says, “You, the data privacy regulator, must raise your resources from fines.”

So, we may see more fines as privacy regulators are told to go out and kill your own food. But equally, we may see less activity in some jurisdictions like Ireland that have already been under pressure for resources. Of course, they’re about to pick up the bill for Schrems, which is going to be a significant part of their 2021 budget, it seems. So, it’s hard to predict where the enforcement landscape is going to go in terms of centralized enforcement from governments. We look at Schrems, for example, 101 compliance post Privacy Shield ruling, to regulators across the EU, those complaints aren’t going to diminish. And many of those complaints to regulatory authorities are going to turn into civil litigation through the courts as well.