FTI Consulting is a global company advising businesses on investigations, litigation, mergers and acquisitions, regulatory issues and the like. They are perhaps best known in the UK litigation market as suppliers of Ringtail Legal, the well-established litigation document management platform.
They do much more than that, however, including volume document processing. FTI have today announced that they have met the adequacy standard for compliance with the Safe Harbor framework which governs the handling of European Union personal data.
If you have a day or two to spare, and a plentiful supply of cold towels, you might like to settle down and read Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, known familiarly as the European Directive on Data Protection.
It has 72 recitals beginning “Whereas”, before you get to the meat. That, in the context which matters here, is that personal data – “any information relating to an identified or identifiable natural person” is given protection by (I summarise here) ensuring that it is not sent anywhere where it loses that protection. An identifiable person is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
The days are gone when one can lovingly peruse every document for traces of personal data defined this broadly. The risk of an inadvertent breach of the Directive is extremely high.
Many of the US forensic and data / document processing companies whom I met in New York in January had been looking forward to moving into Europe and carrying cart-loads of documents back to the US to feed their enormous document-processing facilities. The European Directive on Data Protection was not helpful to them. The US has a much more relaxed attitude to the use of personal data than we had even before the European Directive. The issue was not distrust of the US processors’ systems (many of which were as secure as anyone could ask for) but the need for formal compliance with the Directive.
The Directive envisaged that a “third country” (that is, a country which was not a member state) might ensure “an adequate level of protection … by reason of its domestic law or of the international commitments it has entered into … for the protection of the private lives and basic freedoms and rights of individuals”. The safe harbor framework was worked up between the US Department of Commerce and the European Commission to provide a system of certification. It was approved by the EU in 2000.
Organisations which choose to may apply to be certified and must re-certify annually. It is this standard which FTI Consulting has now met.
Craig Earnshaw, managing director in the European technology practice at FTI Consulting said. “With this certification and where appropriate to a matter, FTI will be able to transfer data from the EU to our US offices to take advantage of the additional data processing capacity without undue delay. Likewise, our US team will be able to access EU-hosted data to aid in client support more quickly.”
Earnshaw’s caveat “where appropriate to a matter”, flags the fact that certification by itself is not the only factor to take into account. Safe harbor certified or not, the data becomes subject to US rules on privilege and production which may be different from those which apply in the EU. Nevertheless, certification removes one stumbling-block, leaving the lawyers to focus on factors whch have always played a part in jurisdictional decisions.
Read the full press release here.