California Consumer Privacy Act (CCPA)

European-Style Privacy Laws Come to the U.S.

Barnes & Thornburg partner Brian McGinnis and associate Adam Gajadharsingh discuss the legal implications of the various new data privacy laws that American companies now must contend with.

CCBJ: What impact do advancements in technology, and the data it creates, have on compliance processes, e-discovery and other data-related obligations?

Adam Gajadharsingh: Instant messaging, and even text messaging, presents some interesting issues – the first of which is the continued increase in data, because as communications become easier, they become more frequent. People are less careful about what they communicate and how often.

More and more data, and where it resides, presents issues regarding preservation and collection. If you have dozens of employees communicating about company business through instant messaging or text messaging on their phones, how do you protect, preserve and collect that information if it becomes potentially relevant in a litigation? To take it a step further, what rights does the employer have to the data? Who owns the phone? Is the phone also used for personal matters? In the event that you actually need to collect and preserve this data, who has possession, custody or control over it? You also have the use of instant-messaging platforms within businesses for everyday connection between employees. For example, many companies use Skype for Business for quick internal communications instead of email. You need to properly understand how that data is being used, where it is housed, and what sorts of policies are in place to help ensure security and to plan for potential preservation. For example, having a defensible destruction policy as to how long data is retained is critical in managing the increasing amounts of data being generated from emerging technologies.

There was a case recently where a company’s internal instant messages became the subject of discovery in litigation. The general counsel thought they had been saved on a cloud-based server for ten years, in the same manner the company’s emails were saved. In fact, user messages were only saved temporarily, and the length of retention varied based on several factors. The messages at issue in the litigation had been deleted because a proper litigation hold had not been put into place. The general counsel had failed to instruct anyone in the IT department to stop the auto-deletion of the instant messages. The judge found that the evidence had been spoliated and severely sanctioned the party.
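The failure described above is a retention job that kept running after a hold should have suspended it. The following is an added example, not code from the interview or from either firm, showing the control a message store needs: a time-based purge that first checks every message against the active legal holds and preserves, rather than deletes, anything a hold covers. The message records, custodian names, dates, 90-day retention window and the `LegalHold` / `MessageStore` classes are all constructed here for illustration and correspond to no real platform or case.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Message:
    """One chat or text message as stored by a (hypothetical) messaging platform."""
    msg_id: str
    sender: str
    sent_at: datetime
    body: str


@dataclass(frozen=True)
class LegalHold:
    """A litigation hold: preserve messages from these custodians on or after not_before."""
    hold_id: str
    custodians: frozenset
    not_before: Optional[datetime] = None  # None means the hold reaches back indefinitely

    def covers(self, msg: Message) -> bool:
        if msg.sender not in self.custodians:
            return False
        if self.not_before is not None and msg.sent_at < self.not_before:
            return False
        return True


@dataclass
class MessageStore:
    """Message archive with an auto-deletion window and hold-aware purging."""
    retention: timedelta
    messages: dict = field(default_factory=dict)   # msg_id -> Message
    holds: dict = field(default_factory=dict)      # hold_id -> LegalHold
    audit_log: list = field(default_factory=list)  # human-readable record of every decision

    def ingest(self, msg: Message) -> None:
        self.messages[msg.msg_id] = msg

    def place_hold(self, hold: LegalHold) -> list:
        """Register a hold and record which existing messages it covers at placement time."""
        self.holds[hold.hold_id] = hold
        covered = sorted(m.msg_id for m in self.messages.values() if hold.covers(m))
        self.audit_log.append(f"hold {hold.hold_id} placed; covers {covered}")
        return covered

    def holds_for(self, msg: Message) -> list:
        return sorted(hid for hid, h in self.holds.items() if h.covers(msg))

    def purge_expired(self, now: datetime) -> tuple:
        """Delete messages older than the retention window unless a hold covers them.

        Returns (purged_ids, retained_on_hold_ids), each sorted. The hold check runs
        before the delete, which is exactly the step that was missing in the case above.
        """
        cutoff = now - self.retention
        purged, retained = [], []
        for msg_id in sorted(self.messages):
            msg = self.messages[msg_id]
            if msg.sent_at >= cutoff:
                continue  # still inside the retention window
            active = self.holds_for(msg)
            if active:
                retained.append(msg_id)
                self.audit_log.append(f"{msg_id} expired but retained under holds {active}")
            else:
                purged.append(msg_id)
                self.audit_log.append(f"{msg_id} expired; deleted")
                del self.messages[msg_id]
        return purged, retained


def run_scenario(with_hold: bool) -> tuple:
    """Constructed scenario: 90-day retention, four messages, optional hold on alice and bob."""
    utc = timezone.utc
    store = MessageStore(retention=timedelta(days=90))
    for m in (
        Message("m1", "alice", datetime(2023, 1, 10, tzinfo=utc), "send the revised forecast"),
        Message("m2", "bob", datetime(2023, 1, 12, tzinfo=utc), "numbers look off, call me"),
        Message("m3", "carol", datetime(2023, 3, 1, tzinfo=utc), "lunch?"),
        Message("m4", "alice", datetime(2023, 3, 5, tzinfo=utc), "filed the report"),
    ):
        store.ingest(m)
    if with_hold:
        store.place_hold(LegalHold("H-2023-01", frozenset({"alice", "bob"}),
                                   not_before=datetime(2023, 1, 1, tzinfo=utc)))
    # The nightly purge runs on 15 April 2023, so anything sent before 15 January has expired.
    return store.purge_expired(datetime(2023, 4, 15, tzinfo=utc))


if __name__ == "__main__":
    print("no hold  ->", run_scenario(with_hold=False))   # m1 and m2 are gone: spoliation
    print("with hold->", run_scenario(with_hold=True))    # m1 and m2 are preserved
```

The point of the design is ordering: the purge consults the hold register on every candidate before deleting, so placing a hold is sufficient to stop auto-deletion for the covered custodians without anyone having to remember to reconfigure the retention job. In a real platform the hold would also need to be applied to every copy (server, backups, synced client caches), which is the same "where does the data reside" question raised earlier in the answer.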

How can new technology itself be used to help handle the increasing amount of data generated by these advancements in technology?

Gajadharsingh: The key things we want clients to consider are how they’re going to plan, protect and produce all of this electronic data. There’s a certain irony, and maybe even tension, in the fact that new technology is creating so much data, but that technology also can be used to help manage it.

To help plan for this on the front end, having a comprehensive data security and management plan in place within your company can go a long way toward anticipating potential issues, so that there are fewer problems on the back end. One small example, going back to the issue of employees using smartphones for text messaging, instant messaging, and things like that, is having a thoughtful bring-your-own-device (BYOD) policy. With that type of policy, you can use technology to help manage how those devices are used, and the type and extent of data that is collected on them.

For example, it’s important to ensure that there is complete synchronization between an employee’s smartphone, the company’s email system, and the company’s network servers. If and when that data becomes potentially relevant in litigation, and depending on the totality of the circumstances, you can plausibly say to the court and to the opposing party that there’s nothing unique on that person’s device, because everything was synced and is held in the company’s servers. You may even implement certain technologies that prevent an employee from downloading company data to their phone or to a cloud-based server. This furthers the defensible position that all of the relevant data responsive to a discovery request is held in easily accessible company sources. There’s no need for us to go and collect an employee’s device or worry about what might be on that device.

A key concept here is “proportionality,” and the Federal Rules of Civil Procedure afford some protections to parties responding to discovery. They provide the legal foundation to push back on aggressive discovery requests, which may seek data from troublesome sources like smartphones. Effective data policies strengthen proportionality defenses.

What new responsibilities are companies held to under laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) here in the U.S.?

McGinnis: In addition to the GDPR, CCPA, and a U.S. federal privacy and data protection law currently being discussed, there are also 14 states currently considering similar new laws. All of these laws are really trying to push companies more toward best practices when it comes to the protection, collection, use and sharing of people’s personal information.

These laws are all designed to provide consumers with more rights with respect to the control over their personal information than they have traditionally had under U.S. law. Those new rights are creating many new legal obligations and requirements – and compliance challenges – for businesses as they figure out how to comply with the laws.

One of the big requirements of the GDPR and CCPA is that companies have to get away from the “implied consent” strategy many have been able to employ up to this point, especially in the U.S. In the past, as long as you had a privacy policy up on your website somewhere that said you could collect a certain type of data or use it in a certain way, as long as the user continued to use the service, you could pretty much get away with claiming the individual provided their implied consent for those uses of data. One of the biggest changes stemming from these laws is really giving consumers the ability to make a true choice about whether or not they want to give information to a particular organization. And if so, demanding true transparency for individuals defining the organization’s responsibilities that come along with that data collection and use. As a result, companies currently have to figure out how they are going to address the requirements of these laws and incorporate data collection and processing best practices into their existing business structures.

What are some elements of a good action plan when it comes to ensuring this kind of compliance?

McGinnis: The first thing we do with clients is get more information about their business, what they do, and what types of folks they are collecting information about. This allows us to determine the applicable laws in their particular situation and develop a compliance strategy. You see many companies trying to make justifications about why they should not have to comply with the GDPR, even if they’re collecting some small amount of European data. Certainly there’s nothing in GDPR that would allow them to get away with that, but that’s part of the risk-based approach that many clients have chosen to take to right-size compliance efforts to their organization.

But many organizations that justified avoiding a full-sized GDPR project are now finding with the CCPA and other potential laws in the U.S., those justifications are becoming increasingly difficult. Companies are increasingly faced with a broader scope of laws that apply to them and their data collection, and they’re really having to get in line with these best practices. Many companies are now choosing a strategy where they end up adopting the highest-level standards and practices to all of their customers across the board, simply because it’s easier to treat everyone the same than it is to parse them out into different locations based on this spiderweb of laws we’re currently dealing with.

Data protection and compliance projects start first with a clear understanding of the data that exists within the organization. Most companies are still not great at this – even large companies have trouble pinpointing the exact data that they have about folks, where it came from, and what rights and restrictions on use are attached to those data sets. You hear people talk about data audits or data maps. Really having something along those lines that a company can confidently rely on – something that says we understand what data is coming into this organization, what types of data, the categories of data that we’re collecting about people, the different data-collection scenarios – is a critical first step in these projects. You’ve got marketing data flows, sales data flows, HR data flows, so it’s about understanding all of these different points where data comes into an organization. It can be really difficult to understand and keep track of it all, but it’s really a prerequisite to being able to meet the requirements of these laws.

What we know for sure now is that gone are the days when companies could collect every piece of data they wanted from wherever they could get their hands on it, and then keep it forever while giving the individual very little choice, notice, or transparency. These laws are really pushing organizations much more toward the best-practice standard, and organizations of all types and sizes need to be prioritizing improvements to the ways in which they process personal data.

Gajadharsingh: There are also compliance obligations in the context of litigation. Having these expanding definitions of what is personal or private information, especially for European countries in the GDPR, presents its own set of difficulties in terms of complying with discovery within a litigation. Again, this is where the proper use of technology can help. Imagine a scenario where you have a client that is based in France or has a large affiliate or division of its business in France. You have a litigation in the U.S., and you need to collect data from French citizens and use that in U.S. litigation. How do you go about that? You need to properly plan for it, carefully segregating that data and managing it before anything makes its way to the U.S., and then once it’s here, using technology to find an expanded definition of what is personal or private. There can be all sorts of things that fall within private or personal data under the GDPR, and being able to find that information effectively and quickly, and redact it or do other things to it before it’s produced in litigation, can be a challenge. But there are ways you can use technology and proper planning to address that. And that’s what we’re always trying to help companies do.