Panel discussions about international discovery, privacy, and data protection serve as a good way of encapsulating the issues of the moment in a short space. Having a range of speakers and a short time-frame forces a focus on those things which matter to those whose work brings them into daily contact with the issues raised by the subjects.
At Relativity Fest London, the panel was called Legal and Technical Perspectives on Data Privacy and Data Protection. Relativity’s David Horrigan assembled a broadly-based panel comprising Erica Albertson, Head of eDiscovery Solutions at Simmons & Simmons in London, Karyn Harty, litigation partner at McCann FitzGerald, Andrew Haslam, UK eDisclosure project manager at Squire Patton Boggs in London, and Peggy Anstett, Legal Counsel (NZ Qualified) at Relativity. David Horrigan brought to it his usual calm organisation as moderator.
The event coincided, more or less, with the third anniversary of the GDPR, which encouraged a “Where are we now?” approach. Karyn Harty said that the GDPR had been taken very seriously in Ireland, taking the opportunity as she did so to remind us that there had been similar obligations since long before the GDPR. Small and medium companies had struggled with it, she said, but the level of compliance was very high.
Andrew Haslam said that it had become easier to persuade US attorneys of the seriousness of the GDPR obligations, and that it was not just him being difficult about data transfers. I remember from years back conference rooms full of Americans being politely patronising when I talked of restrictions on the use of data. No one in Europe would dare raise that against a US judge, they implied (and actually said a few times). All I had to do was talk about it; people in Andrew Haslam’s position had actually to confront senior lawyers unwilling to consider (or even believe) the idea of constraints on the right to send data anywhere. We have come a long way.
Andrew talked also of DSARs – Data Subject Access Requests – which, he said, had become much more widely used since 2018 (although the right to demand data had existed long before the GDPR). 2019’s Relativity Fest session on DSARs (in which I participated) was packed to the doors, and Andrew Haslam’s experience since is that DSARs have been “weaponised” by litgation lawyers, especially for employment matters. The pandemic has brought many employment claims, and the more recent ones involve data in WhatsApp and Slack where older matters largely involved email.
Erica Albertson said that lawyers were taking the GDPR seriously and not seeing it as a big deal. It had provoked invention – “some really cool tech” – which helped to find the type of information which you should notice anyway. In other words, the more serious hurdles in the GDPR (such as the need to identify personal data) had provoked better technology which had application beyond that particular use case.
To Peggy Anstett, the most significant effect of the GDPR was the realisation that privacy needed to be built into the fabric of data management. Privacy by design and by default was becoming common.
Karyn Harty described the GDPR as “an international gold standard infecting the world”, whose main function was to give rights to individuals. David Horrigan recalled a talk I gave many years ago pointing to the Second World War as the beginning of the realisation that untrammelled use of private data had serious consequences, particularly in the hands of the state. It perhaps seems a long way from the misuse of lists – of race, religion, trade union membership or whatever in the middle of the last century – to the grim creepiness of Facebook rifling through our lives in search of private information to sell, but the line from one to the other is an obvious one.
Karyn Harty also covered the effect of Brexit on data transfers. It was a surprise to many that the UK was found by the EU to have adequate standards, but the UK will diverge over time from EU standards. Andrew Haslam observed that never before has the word “adequate” been treated as a gold-plated standard.
Erica Albertson did not think that the GDPR had adversely affected her work. Lawyers and data protection officers will usually find a way to get the job done within the rules, she said – there will be more process and procedure, but the technical people will be able to do their jobs.
Coming back to Ireland, Karyn Harty talked about data breaches in a country where privacy is a constitutional right, bolstering GDPR claims. Damages can be quite generous, and it can become expensive to get it wrong.
The overall conclusion of the panel members was that the GDPR and other developments in privacy and data protection had been good for individuals and had driven much technological improvement for those responsible for discovery / disclosure (redaction and the use of natural language processing were mentioned specifically in this context). The focus was very much on where data goes and where and how it should be stored and accessed. The growing right of individuals to know where their data was and that it is secure had encouraged better data management.
This was an interesting discussion with a positive message. I look forward to the next one, at Relativity Fest 2021 (notionally in Chicago, but in fact virtual) from 4-6 October 2021, when I will be the moderator.