The European Data Protection Board (EDPB) recently issued a report after their November 16, 2018 plenary session.  The statement covered a range of topics being discussed by the Board, but no substantive publications.  The EDPB is charged with ensuring that GDPR is applied consistently across the EU and that there is consistent enforcement by DPAs across the Union.  The Board is also tasked with issuing guidelines on the interpretation of the GDPR (formerly the charge of the Article 29 Working Party), and making binding decisions about cross-border disputes.  The Board is made up of the head DPA or representatives from each member country.

An EU-Japan adequacy finding appears to be extremely close, and the Board announced they are at work on guidelines about the intersection between Clinical Trials Regulation and the GDPR for medical device and pharmaceutical companies.  There have now been four “plenary meetings” of the EDPB.  Some may consider no action on the part of the Board a good thing, but there are some significant concepts which eventually need clarification, including a formal process and procedure on appeals of DPA enforcement and fines, and modernization of the outdated Model Contractual Clauses, among other things.  The essential message from the EDPB continues to be “stay tuned,” and it seems likely that no real substantive publications will come through until early 2019.

The complete press release from the EDPB can be found here.

Seyfarth eDiscovery Partners Scott Carlson and Jay Carle were recently interviewed by Mary Rechtoris of Relativity regarding “Doing Discovery Right: How Seyfarth Shaw Tackles eDiscovery.”  They discuss the Group’s formation, along with the growing importance of eDiscovery attorneys as technology changes both for clients, and in the eDiscovery space.

View the full post on Relativity’s Blog here!

This morning, the European Commission released a Proposal for a Regulation addressing the EU’s cybersecurity industry as part of its next step towards a Digital Single Market, which is the EU’s strategy to ensure fair competition, consumer and data protection, and removal of copyright and geo-blocking issues for individuals participating in online activities and accessing online content.  The Regulation would establish the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres in order to “equip Europe with the right tools to deal with an ever-changing cyber threat.”  See their Fact Sheet here.  The EU has various initiatives in place to address today’s current cyber threats, as well as the deterrence of future attacks.  Specifically, it is working with member states to improve cybersecurity initiatives, EU-level cooperation, and risk prevention, and plans to establish an EU-wide certification framework to ensure products and services are cyber-secure.  Today’s proposal carries these initiatives further by suggesting the creation of a Network of Competence Centres and a European Cybersecurity Industrial, Technology and Research Competence Centre “to develop and roll out the tools and technology needed to keep up with an ever-changing threat.”  See Fact Sheet.  The Commission is hoping that the creation of this Network will allow the many existing cybersecurity competence centres in the EU to pool and share information and expertise, help deploy EU cybersecurity products and solutions, and facilitate cooperation between industries and communities.  The Network will unite existing member state centres and allow them to co-invest to drive research and innovation, and allow for additional investment and funding to improve the EU’s digital economy, and the Centre will aid in facilitating the work of the Network.

Under this framework, each EU member state will be responsible for nominating one national coordination centre which will essentially be that country’s leader and representative to the community; these local centres will carry out actions under the Regulation, as well as determine the distribution of funds on a local level.  The Commission expects that creation of one, centralized framework will allow for increased coordination and exchange of expertise and knowledge, cost savings through co-investment, and opportunity for the EU to become a global leader in cybersecurity.

Seyfarth Shaw Partner Jordan Vick is on the panel for the “Playing by the Rules: Rule Changes Essential to Your Practice” session on Friday, November 16, at Georgetown Law’s 15th annual Advanced eDiscovery Institute in Washington, D.C.

Session topics include:

  • The 2015 Amendments to the FRCP and their actual impacts on practitioners, including unintended consequences
  • How the changes to Federal Rule of Evidence 902 will change how parties and the court can streamline authentication of ESI and potentially eliminate the need to call a witness at trial
  • What other changes the Rules Committee is discussing that may impact eDiscovery professionals
  • Pilot accelerated disclosures and their impacts in Illinois and Arizona, including the Mandatory Initial Discovery Pilot Program (“MIDP”) in the Northern District of Illinois

For more information, to see the full schedule, or to register, click here.

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors.  Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar.  For example:

  • Consumers can request a copy of all the Personal Information a business has collected;
  • Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
  • Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.


Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.

With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document provides organizations with a much needed insight into how the ICO plans to proceed in the age of new data protection compliance realities. In addition to the GDPR, the ICO will be enforcing the upcoming update to UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament, but should be in place by May 25, 2018, as well as other established data protection legislation.

The “Regulatory Action Policy” explains that ICO will have the power to issue “urgent” information notices that will require a response within 24 hours, take notice recipients who fail to comply to court on contempt charges, inspect and assess compliance without notice, administer fines by way of penalty notices, and prosecute criminal offences in court. The ICO’s powers to prosecute failures to provide information and its ability to go to court to request a warrant to search premises will come from the DPA, not GDPR.

The DPA also will permit the ICO to issue “assessment notices” to data controllers and processors to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. The notice may require the organization to give the ICO access to premises and specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect will allow the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may petition the court to overturn the urgency of that notice. Under the DPA, destruction or falsification of information the ICO is pursuing in its notice constitutes a criminal offence. However, similarly to the U.S. evidence spoliation principles, it appears that loss of information through routine operation of automated processes may be a defense to criminal charges.


By now, most litigators should know that they have an affirmative duty to advise their clients about the duty to preserve potentially relevant documents.  Despite this, the United States District Court for the Southern District of New York recently denied an attorney defendant’s motion for summary judgment in part because the record was not clear as to whether the attorney defendant fulfilled its obligations with respect to the duty to preserve.

Industrial Quick Search, Inc., Michael Meiresonne, and Meiresonne & Associates (collectively “Plaintiffs”) sued their law firm Miller, Rosado & Alogis, LLP (“Defendants”) for malpractice.  Neil Miller and Chris Rosado, named partners of the firm, were also individually named as Defendants.  Defendants represented Plaintiffs in an underlying copyright infringement lawsuit in which default judgement was entered against Plaintiffs for misappropriating confidential information, plagiarizing copyrighted material, and for deliberately destroying potentially relevant documents.

Eleven years into the court order levied on the NSA to preserve backup tapes containing data about the NSA surveillance efforts, it’s come to light that the NSA failed to take adequate steps to ensure the data was not deleted.  Tapes containing data between 2001-2007 were deleted in 2009, 2011, and 2016, showing a systemic problem with proper data preservation.  For an agency that arguably “saves everything,” this news is rather comical.   The NSA’s deputy director of capabilities apologized for the failure in an October declaration, while another NSA official claimed the tapes were deleted during “housecleaning efforts aimed at making space for incoming information.”  Oddly enough, there was no explanation as to why live incoming information would have been put on backup tapes, adding to the mystery of the real cause of the tape destruction.  Thus far, there have been no discussions of sanctions and no requests to U.S. District Court Judge Jeffrey White to impose them, at least not yet.  The NSA isn’t in a great position, however, since in May 2014, an NSA official assured the court that the data on the tapes was safe.  The NSA now claims they are using “extraordinary” effort to try and recover the lost data.  However, anyone familiar with how tape rotation works should understand it’s quite likely that the tapes were overwritten with new data, effectively making the old data permanently unreadable.  The facts seem to point to a clear case of spoliation, and this time, it’s by one of the U.S. Government agencies that possessed data storage capabilities unsurpassed by any in the world.

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

To request the Data Privacy & Protection in the EU-U.S. Desktop Guide as a pdf or hard copy, please click the button below:

GDPR Webinar Series

Throughout August and October of 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on GDPR, we invite you to click here to subscribe to Seyfarth’s Carpe Datum Law Blog and here to subscribe to Seyfarth’s The Global Privacy Watch Blog.

A trial court opinion involving allegations of spoliation of text messages on a mobile phone in the Southern District of New York has gotten attention because of the application of legal preservation standards.  Ronnie Van Zant, Inc. v. Pyle (2017 BL 3018, S.D.N.Y. 17 Civ. 3360 (RWS), 8/23/17) is an interesting read, not just because it involves odd characters, intrigue and drama surrounding one of the greatest Southern Rock bands of all time.  It also includes some instructive information about the application of the “practical ability” test for preservation, and the uphill battle for witnesses who lose credibility in testimony about what they did and did not do in a preservation effort.

Not long after the tragic plane crash that resulted in the deaths of Lynyrd Skynyrd lead singer Ronnie Van Zant and his co-founding band member Steven Gaines, Artimus Pyle, the former drummer, entered an agreement with the surviving heirs and other members of the band.  The agreement involved promises to never perform as “Lynyrd Skynyrd,” or to generally profit from the name of the band or the tragic deaths of Van Zant or Gaines without approval of the original parties to the agreement.  Their dramatically named “blood oath” agreement was more concretely memorialized in a Consent Order in 1988, following other litigation, which Pyle signed.

Over 20 years after the 1988 Consent Order, the drama that spawned the litigation began in a story that sounds like it came from a Netflix mini-series.  A film director named Jared Cohn, who worked under contract for an independent record label-turned movie producer, Cleopatra Records, Inc. (“Cleopatra”) reached out to Pyle about making a movie centered around the band and Pyle’s life in it.  Cohn was hired by the founder and co-owner of Cleopatra Records, Brian Perera, who is another interesting character in his own right. Pyle met and consulted with Perera on multiple occasions about ideas for a film generally depicting his life and the plane crash, which Pyle survived.  In their first conversations, Pyle did not mention the 1988 Consent Order, but the Order eventually was delivered to Cleopatra.  The copy of the Order was also eventually followed by a “cease and desist” letter and other correspondence from the Plaintiffs’ counsel.  All the while, Cleopatra’s movie production work continued.