DSIR Deeper Dive: How International and Domestic Regulatory Enforcement Spotlights the Information Governance Tensions Between ‘There’ and ‘Here’ and Between ‘Keep’ and ‘Delete’

BakerHostetler

As we noted in our 2023 DSIR, there has been a flurry of activity within the information governance space, at home and abroad. This activity deserves further analysis, because while it seems from a distance that there are potential inconsistencies in approach, a closer look confirms that front-end program implementation can help address the full spectrum of what has been happening around the world.

We begin in Europe, where the General Data Protection Regulation (GDPR) incorporates what is colloquially known as the “Storage Limitation Principle” in Article 5(1)(e), which dictates that personal data should be retained only as long as is needed to satisfy the purpose for which that data was collected. Further, the GDPR’s Recital 39 requires that data storage be “limited to a strict minimum” and notes that “time limits should be established by the controller for erasure or for a periodic review.”

Domestically, this is mirrored somewhat in the text of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act, which provides, under § 1798.100 of its regulations, that subject organizations must disclose how long the organization “intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period... .” The CCPA regulations also address record retention limitations, beginning with § 7001(o), where “Information Practices” include the retention of personal information, and § 7002(a) and § 7002(d) both require that such retention “shall be reasonably necessary and proportionate.”

Why does it matter that the CCPA seems to adopt GDPR sensibilities? There is a growing expectation that the enforcement body for the CCPA – the aptly named California Privacy Protection Agency (CPPA) – will evaluate these requirements according to how the GDPR’s similar requirements were enforced. Recent 2022 European fines and enforcement tell a compelling tale and should be a warning to U.S. organizations accordingly. Among those actions were the following, related to information governance and retention:

  • The Hungarian Supervisory Authority imposed a fine of approximately €248,000 on internet and broadcasting service providers for creating a test database and failing to delete it promptly.
  • The French Commission Nationale Informatique & Libertés (CNIL) imposed a €600,000 fine against an electric utility in France for, among other issues, retention compliance problems.
  • The French CNIL imposed an €800,000 fine against a French VoIP company for retention compliance problems.
  • The Italian Supervisory Authority imposed a €2 million fine on a social media network in part for retention compliance issues.
  • The UK Supervisory Authority’s Information Commissioner’s Office (ICO) imposed a fine of over £7.5 million on a facial recognition company for, among other issues, lack of clear data retention policy documentation.
  • The French CNIL fined the Trade and Companies Register €250,000 for issues relating in part to retention of data longer than applicable retention periods.
  • The French CNIL fined a short-term vehicle rental company €175,000, in part for the company’s lack of implemented, proportionate data retention periods that would have deleted data.


Moreover, in addition to the CCPA and other state data privacy laws that have codified the Storage Limitation Principle, the Federal Trade Commission (FTC) codified a similar principle in its Safeguards Rule, which governs the handling of customer information subject to the Gramm-Leach-Bliley Act. To the extent an organization is subject to the Safeguards Rule, as part of its effort toward achieving data security, it must dispose of customer information “no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates.” 16 CFR § 314.4(c)(6)(i). However, using language similar to that in the CCPA, the Safeguards Rule permits longer retention for “legitimate business purposes,” among other reasons. Id.

These constraints might be logical if they were entirely consistent between the U.S. and Europe; however, as we noted in a Business Crimes Bulletin earlier this year, U.S. federal regulators are scrutinizing employee use of personal devices and third-party messaging applications, “in particular, but not only, ephemeral apps where messages automatically disappear – as employees continue to conduct business on multiple platforms and concurrent channels of communication.” That is, the U.S. Department of Justice (DOJ) issued guidance setting out the expectation that companies preserve all business communications conducted on personal devices and messaging apps, and the U.S. Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have aggressively enforced their recordkeeping rules against regulated entities that struggled to preserve electronic business communications. As we also noted, “while the SEC and CFTC have been focused on regulated entities, the DOJ’s guidance applies to all businesses.”

This tension is not new, but it does seem to be rising. As we noted in an earlier client alert, organizations are now encountering additional requirements to “maintain more controlled data environments,” whether to improve cyberattack response capabilities or to mature data privacy postures that align with the GDPR and with the CCPA’s regulations. This pushes organizations toward disciplined data deletion practices, aiming to preserve no more than is necessary to operate their businesses, while also being prepared to accommodate legal holds in the reasonable anticipation of litigation. Haphazard information remediation projects can run afoul of existing recordkeeping regulations and jeopardize an organization’s ability to comply effectively with legal holds.

The GDPR and CCPA do not require organizations to collect sensitive personal information, but if organizations do, they are limited in their use of such information and may be required to search for it, disclose it and ultimately delete it upon request. Likewise, the DOJ, SEC and CFTC do not require organizations to use specific types or channels of communication – but if they do, the requirements apply regardless of how difficult they are to meet on those channels. By contrast, under the Safeguards Rule, the FTC ostensibly permits longer retention of customer information “where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.” 16 CFR § 314.4(c)(6)(i).

As with most potential failures of back-end processes, the best solution starts at the beginning. It is simply the diet and exercise of good information governance habits – that is, considering the management of information in the context of assets and behaviors, and articulating a records and information management (RIM) policy that sets forth information management practices, clearly defines roles and responsibilities, and references or incorporates a records retention schedule that “enumerates the organization’s records and makes critical distinctions regarding categories of information but does not encumber practical implementation.”


© BakerHostetler | Attorney Advertising
