I recently attended the ABA TECHSHOW in Chicago, IL (along with quite a few other law librarians, an impressive turnout!), primarily to stay current on recent e-discovery practices and platforms as my library’s resident e-discovery expert, per my prior life as a law firm associate. As an FCIL librarian, however, I was compelled to step out of former-litigator mode and attend what proved to be a fascinating session on the EU’s General Data Protection Regulation (GDPR) and data privacy laws. The speakers, Steven M. Puiszis and Judy Shelby, described the ways in which the practices of U.S. law firms and their clients regarding personal information may run afoul of the law, and how U.S. entities should analyze their risk and approach compliance.
Puiszis and Shelby discussed the GDPR’s expansive reach, noting that even minimal activity in an EU state may render a foreign entity “established” in the EU for purposes of the regulation, and that even data that is not “processed” in the EU is covered by the regulation. They emphasized that “personal information” is defined in a manner far broader than U.S. lawyers would expect, that there is no small business exception to the regulation, and that this information may reside in many repositories maintained by the typical U.S. firm or business, such as human resource databases, marketing databases, client databases, and, of course, email correspondence. They discussed lawful bases to process personal information, noting that a law firm conflict check should qualify as information necessary for the defense of legal claims, and discussed anonymizing data as one means of ensuring compliance with GDPR. Though there is uncertainty as to how GDPR will impact requests for documents in U.S. litigation, Shelby noted that federal courts are generally not receptive to enforcing foreign blocking statutes, and that the typical U.S. approach to discovery runs counter to GDPR’s goals of minimum storage. Cautious U.S. litigants should nevertheless consider narrowly targeting requests for data that may be subject to GDPR, and consider whether anonymized data would suit their purposes.
Their discussion raised a few issues that brought to mind research questions well suited to a course on FCIL research:
- National law: Though as a regulation, rather than a directive, GDPR is directly applicable to member states and does not require domestic implementing measures, Puiszis emphasized that EU states maintain their own privacy laws and policies that U.S. entities must consider in addition to GDPR. Furthermore, I found that European Commission guidance issued in May 2018 specifically notes that the regulation empowers member states to impose conditions and limitations beyond those imposed by GDPR, and contemplates individual member state determinations as to the applicability of the rules in certain sectors. The EC also states that interpretation of the regulation will be left to European national courts. In constructing an EU research question concerning GDPR, instructors could well introduce foreign law questions into their hypothetical research problem–questions for which researchers would not enjoy the benefit of the national transposition measures list provided only for directives in EUR-Lex.
- Cyber-insurance: Shelby discussed the possibility of obtaining cyber insurance to cover fines associated with GDPR violations, but noted that these fines may not be insurable under the domestic law of some states, raising another potential foreign law companion question.
- Recognition of foreign judgments: Though due to time constraints they could not discuss enforcement issues in depth, the speakers mentioned difficulties surrounding the imposition of fines when an entity lacks assets in the EU, and that international treaties or domestic laws such as the U.S. Uniform Foreign Money Judgements Recognition Act may provide mechanisms for cross-border enforcement. As enforcement proceedings inevitably proceed, they should raise interesting examples involving a mix of foreign and international law.
- Data Protection/Processing Agreements (DPAs): Puiszis discussed the importance of entering into, and modifying per GDPR, agreements with vendors and third parties with whom firms, and their clients, may share personal information. Asking students to locate sample agreements would be an excellent way to reinforce research instruction from 1L and Advanced Legal Research courses regarding publications containing forms and sample contracts.