Check out our latest GDPR update: The far-reaching July 16, 2020 Schrems II ruling invalidates the EU-US Privacy Shield and confirms validity of Standard Contractual Clauses—as long as they’re properly monitored. Read more about it here.
Just before the Schrems II decision, Chris O’Connor, Director of eDiscovery at CDS, had the pleasure of interviewing Jonathan Armstrong, a partner at Cordery in the UK who has advised multinational companies across Europe on technology, risk and governance for more than 20 years.
Below is part of their webinar discussion, “Protecting Data Privacy in a Pandemic: New Considerations Under GDPR.” You can access the recorded webinar here.
So, let’s talk a little bit about what’s happening in Asia. What is privacy law up to?
My perspective is that, again, there’s no real uniformity across Asia. There are countries like Singapore that have been very quick out of the blocks in terms of track and trace and things like that. But I think that’s against the climate of a country that has been somewhat more paternalistic in the past.
So, again, oftentimes we’re trying to fit things into cultural norms. Countries like Australia for example, followed a similar process to UK guidance, so they’ve had, like the UK’s had, Data Protection Impact Assessments as guidance or as recommended actions for about 10 years now. Australia was one of the first countries to follow that UK approach with PIAs and they’re encouraging people to do a PIA before they do work from home, before they do new processes.
But then we’ve seen other countries that I think are – I wouldn’t say ‘let’s sort out the pandemic and then worry about privacy’; that would be an oversimplification – but obviously in places like China, then employers do seem to have more leeway to implement measures which might be seen to be restricting personal freedom. So, things like technology that is very new technology, some would say untested technology, to test things like temperature, et cetera, which might be permitted in China and, indeed, is in use in some places in China, but wouldn’t fly as well in parts of Germany.
So, I think the challenge for a multinational corporation or even a multinational law firm is you’re going to have to think global but act local. And you might need to alter your processes and procedures to suit local laws in different jurisdictions.
Right. So, again, the locality is dictating a lot of the rules. And whether or not they’re following any accepted standards, whatever they may be, that exist across other countries, may not be the way it ends up being.
And some of it’s really minor. For example, in Germany, 1.5 meters between desks of co-workers. In the UK, two meters. Some of it is micro-detail but other stuff, particularly relating to things like temperature checks, there’s going to be blanket bans versus encouraged. So, you are going to have to think through those nuanced differences.
What, in your opinion, is going to be the impact of a ‘pro-Schrems decision’, we’ll call it, on things like cloud? As opposed to civil, but for a criminal inquest. Do you think that that gets dented or, because it’s criminality they’re mostly seeking, that the European court will stay away from that?
My sense is we’re going to see, I would anticipate, I hope I’m not wrong, a distinction between different types of data potentially. So, data relating to things like law enforcement, I think there is a resistance for that data to be borderless. But my sense is, certainly speaking to a lot of our clients, that actually the pandemic has hastened the rise of the cloud. It’s hastened the rise of things like flexible working.
For the very reasons we discussed at the start, Chris, you need technology like the Relativity platform you deploy to run a lot of things. And cloud has its attractions in a pandemic. Not only for reasons like flexible working but also through things like lockdown. If you looked post-9/11 at those, a lot of data was hosted in Herndon, Virginia and that type of area around the Pentagon. And people rightly became concerned about over dependence on specific geographical locations. And in some respects, we haven’t had the same issues in the pandemic, so whilst country A, country B, country C might have entered into lockdown, then data was still able to, if you like, move to match those locations if people were bringing back-up centers, et cetera, et cetera.
And we’ve used cloud to empower people to get them working and to enable calls like this to go on. So, I think that it’s always been a bit too binary to say, “cloud bad, privacy good.” And we’ve had all sorts of nuanced positions haven’t we, from Sedona Conference – even from something that I was personally involved with, some guidance that the UK Information Commissioner issued, seven years ago maybe – on things to look for in cloud providers, which have added at least gray scale, if not color, to that binary position. And my hope would be that the ECJ will recognize that and will say that there are valid reasons for data to be mobile, or at least for some data to be mobile.
The other trend that we’ve seen around the whole data transfer piece particularly is transparency. If you analyze the cases in the first two years of GDPR, and I won’t pretend to have read every single one, but I’ve read a high number, I would say security is perhaps feature number one, transparency feature number two. And often they’ll link together. Often, they’re saying you lost that data in the cloud and you never told us that data was in the cloud. So, here are two failings. One for putting it there in the first place without adequate procedures, two for not telling people.
Whatever the court decides in the Schrems case, transparency is going to be fundamentally at the heart of what you do going forward. Find out where your data is. Be prepared to be honest with people about where it lives. And resistance to the cloud, my sense is that’s diminishing by the day as people attend more Zoom cocktail parties.
300 million Zoom calls last month. But these types of things I think do highlight an important ‘responsibility/not responsibility’ distinction. It’s your responsibility as you move your business anywhere. Move stores, for example. But migrating to the cloud without any thought and then saying, “Oh, we didn’t know we were supposed to do this?” And “Oops, we lost the data” or somebody accessed it? That’s where we get into the problem that we’re seeing now, which is, “I just did it because it made business sense but I didn’t think about your privacy impact and the way I behave doesn’t tell you that I care that much about it.” Whether or not that’s true, that’s for a regulator to figure out.
I think that’s right. And when even a relatively small law firm has a theoretical exposure of 20 million Euros if they get the GDPR considerations wrong, then sometimes it makes saving a cent a terabyte not look like a really good bargain. So, I think organizations do have to look at who they are trusting with data and, as you say, it can’t just be a price decision. And do you know what, if you go through that due diligence, first of all you’re likely to find a provider that you can trust, but secondly, you’ve hopefully got a paper trail in place if there is an episode. And every organization, good, bad or indifferent, is going to have a data breach; that’s a given. But when that data breach happens, if you’ve got some documentation to show that you did proper due diligence, you asked them about where data was going to be stored, you asked them about access, you asked them about two factor authentication, all of those good things, then you’re much less likely to have an adverse regulatory finding, I think.
So, knowing what we know now, how slow do you predict change will come? Will we get to a better understanding globally towards data privacy or is this going to stay regional, and for a long time, as there are so many cultural norms built into the way in which the legislation is conducted?
Yeah, I think that’s a great question, Chris. I think what history has told us is that there is some coming together. And partly the driver for that has been public opinion.
But part of the driver for that has been chasing adequacy decisions. If you look at why Japan has altered its law. If you look at why South Korea has altered its law. Yes, in part it’s because there’s a public will for that to change there, but in part it’s because they want to be seen as safe nations for the transfer of data between the EU and Japan or South Korea. There’s even talk of California seeking an adequacy decision where it would be treated differently from the rest of the US which would be a really interesting development were that true.
But I think, as we said, that also the tide is turning in terms of public awareness. Litigation is definitely on the increase. As I’ve said, I think almost the first act of any employee who doesn’t return from furlough will be to look at their data privacy rights. And they will be looking at things like, if there’s O-365 telemetry on their productivity, they’ll be asking for that. They’ll be questioning whether the organization could hold that data lawfully.
And there are going to be some really challenging cases there. We’ve already seen, for example, the Dutch regulator, just last month, do a case on fingerprints and biometrics to say, “Okay, might be justified for security, but you can’t use it for other reasons.”
I know of a case in the UK, where people used swipe card productivity data when employees had been told the swipe card system was for security, not security plus productivity. So, people are getting aggressive with their data privacy rights. Obviously GDPR has helped that because it’s increased the fines and it’s reduced the opportunity for data controllers to charge for access. Even though those fees were only small amounts, they were a deterrent to many. 50 percent-ish, from my experience, didn’t come back with a request once they were asked for money. All of that has changed under GDPR.
So, we’ve got, in most countries, regulators becoming tougher. If you look at the volume of cases that Spain and Romania have progressed, Poland, Belgium getting on board. Some regulators are becoming much more aggressive. That is bound to increase. Those countries who are doing less are being criticized more. Employee activism, employee pressure groups. Schrems, in some respects, was a lone voice when he started his campaign. You know how things like Digital Rights Ireland are very active, La Quadrature du Net in France; many more resourced pressure groups are getting involved and issuing super complaints.
And then, as I said, the rise in litigation and the ability to fund some of that litigation by using litigation funding, sweating data, making subject access requests. And using those same techniques we’ve had in e-discovery for years to find a case in all that pool of data that you’ve got.
So, I think the climate definitely changes for data protection. I do not think that GDPR is the sole reason for that. I think GDPR is just another factor in a climatic change. Almost global warming for privacy. It’s just one more factor added to that climatic change we were going through anyway.
So, the pandemic may have increased the speed at which we arrive at privacy, but it was already coming.
Yeah, exactly that.