EDRM, the organization that devised the widely used Electronic Discovery Reference Model, has strived to keep e-discovery practitioners up to date on the ever-evolving digital landscape. Its guidance and standards, for instance, cover everything from proportionality in discovery to cybersecurity best practices when handling sensitive data. Now, EDRM is addressing the next big e-discovery challenge: adhering to the upcoming General Data Protection Regulation (GDPR) when performing data transfers from the U.S. to the EU.
The organization, which recently became a part of Duke Law School, announced an initiative in August 2017 to develop guidance for cross-border data transfers in advance of the GDPR’s spring 2018 implementation. Given the GDPR’s significant fines, vast scope, and complex directives, such guidance may prove pivotal for international teams and e-discovery practitioners, helping them navigate their U.S. obligations alongside the strict EU privacy rules.
Deena Coffman, managing director at BDO Consulting and an EDRM member who serves as project co-lead, said EDRM’s goal is to create “a practical set of guidelines that are focused solely on U.S.-Ireland data transfers within the context of litigation and outside of Privacy Shield.” She added that the guidance is expected to be released sometime around the latter half of 2018. While there are not any formal plans yet to expand the initiative’s scope in the future, Coffman noted that there may be “years of work needed” to continually update the guidance “as new [direction] is provided [from the EU] to address a full range of scenarios.” She also expects the guidance to expand to cover data transfers to other EU countries, and not just Ireland.
For the time being, EDRM does not expect its guidance to be approved as a Code of Conduct under GDPR Article 40, the formal industry guidance that the GDPR endorses if the issuing organization can meet certain enforceability and certification requirements. But Coffman added that the current EDRM initiative lays “the ground-floor foundation that can be matured into a full code of conduct in the future.”
Developing such cross-border guidance is sure to be a highly complex task given a number of factors. There is some uncertainty, for instance, over how some of the regulation’s provisions, such as the “right to be forgotten,” will be enforced in the market. Coffman noted, “The GDPR, much like other regulations, could not be written to address every possible scenario and technology.” She expects EU agencies such as the Article 29 Working Party “to continue issuing guidance over the years to better clarify or focus GDPR provisions.”
Further exacerbating the challenge in drafting guidance are the vastly different legal and e-discovery cultures in the EU and the U.S. Coffman noted that while in the U.S. there is the belief that it is “better to have all permissible evidence, even if extremely costly to provide, than to miss an important piece of information,” in the EU, “an individual’s right to privacy is a fundamental human right.”
Indeed, once the GDPR goes into effect in 2018, it will require parties to get permission from EU citizens before processing their data. For Coffman, there is perhaps no bigger challenge for U.S. e-discovery teams than this mandate. This requirement “may cause delays in legal proceedings which will be untenable,” she said. “Using consent will not be practical because it can be revoked at any time by the data subject, and we know it will be impossible to ‘unproduce’ information already produced.”