There are many people who know a little bit about the General Data Protection Regulation, in some cases, just enough to be dangerous. Jonathan Armstrong of Cordery in London is an acknowledged expert on the subject of the GDPR and a range of other compliance subjects such as modern slavery.
I caught up with him in New York at Legaltech, where he had been taking part in a panel on the overlap, often amounting to conflict, between the requirements of the GDPR and US eDiscovery obligations, and I thought it would be interesting to capture some of his views on this.
The problem is a magnification of one which is familiar to anyone who has tried to reconcile the often broad demands of US eDiscovery with the ever-tighter restrictions on the use of personal data in jurisdictions outside the US. The EU has always been the leader in setting standards for the protection of personal data, and the GDPR takes this to a much deeper level.
Jonathan Armstrong said that it is often very hard to reconcile these conflicting objectives. Realistically, the assessment has to be made on a case-by-case basis.
Part of the problem, he said, is a fundamental lack of understanding of some basic definitions. Personal data is a much wider concept than personally identifiable information, but US lawyers have a habit of treating them as meaning the same thing. Personal data brings in a much wider range of data, such as a device’s MAC address, geolocation information and the like. If a collector’s starting point is that they don’t even know what personal data is, then problems will ensue.
Another recurring issue, Jonathan Armstrong says, is the difference between anonymisation and pseudonymisation. Pseudonymised data, where identifiers are replaced but the original identities can be restored with a key or other additional information, remains personal data under the GDPR; only data that has genuinely been anonymised falls outside it. For practical purposes, anonymised data is generally useless for eDiscovery purposes.
I asked Jonathan Armstrong if understanding of the issues was growing in the US. He said that perhaps 25% of those affected are engaged and understand the issues. The majority are not aware, for example, of the extraterritorial reach of the GDPR, retaining the view that it is an EU matter and nothing to do with them. It should be clear to all, for example, that an order from a US court does not grant immunity from EU penalties.
I asked Jonathan Armstrong what he saw as the worst downside arising from this conflict between the GDPR and eDiscovery. Although one cannot rule out the possibility of personal financial sanctions (perhaps based on the revenue of the client), the most likely area of conflict lies in individuals exercising their own privacy rights rather than in intervention by a regulator.
This has some potentially interesting side-effects. Anecdotes tell of employees and others who agree to give formal consent to the use of information but ask first what it is worth to the organisation to have that consent. In other cases, one hears of people asking for immunity from any consequences arising from the use of data; as Jonathan Armstrong points out, it is very unlikely that any corporation, especially a publicly-listed one, can properly offer such immunity.
On the subject of fines, it seems unlikely that the highest level of fines (the much-mentioned 4% of worldwide annual turnover, or €20 million if that is higher) will be imposed for GDPR breaches arising from eDiscovery. Those higher fines are likely to be reserved for organisations suffering significant data breaches, probably after regulatory warnings, or for those who resell data.
In addition to the private rights of action referred to earlier, regulators have powers beyond the mere levying of fines. Jonathan Armstrong refers particularly to the regulator’s ability to stop processing altogether or to stop the transfer of data to the US. This is bad enough if it arises as an objection to litigation discovery; it is perhaps worse if it extends to a prohibition on reporting to a US stock exchange.