eDiscovery and the GDPR: Ready or Not, Here it Comes: eDiscovery Best Practices

by CloudNine

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Here’s the first part.

Part One: What is the GDPR? A Primer for Understanding

Europe’s General Data Protection Regulation (GDPR) is set to take effect in less than 200 days.  It is important to understand the changes this new set of regulations will impose, but it is also important to understand that even if you don’t have a physical business presence in Europe, the GDPR may apply to you. Any organization that retains personal information of any EU individuals must act to comply with the GDPR.


To put the provisions of the GDPR in context, we should first point out the differing concepts of privacy between the United States and Europe.  The US tends to place a high emphasis on the concept of free speech more so than privacy and this emphasis is carried over into the litigation arena.

In the US, we view privacy rights as constitutional in nature, but there is actually no right to privacy enumerated in either the body of the Constitution itself or the Bill of Rights. In fact, it wasn’t until 1965 that the US Supreme Court set out an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.

In Europe however, privacy is considered a fundamental right. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). And Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence,” subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.”

The seven principles governing the OECD’s recommendations for protection of personal data were:

  1. Notice: data subjects should be given notice when their data is being collected;
  2. Purpose: data should only be used for the purpose stated and not for any other purposes;
  3. Consent: data should not be disclosed without the data subject’s consent;
  4. Security: collected data should be kept secure from any potential abuses;
  5. Disclosure: data subjects should be informed as to who is collecting their data;
  6. Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  7. Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe.  In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

But the European Commission realized that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and since privacy rights were declared in article 8 of the EU Charter of Fundamental Rights, acted to propose a Data Protection Directive. All seven of the OECD principles were incorporated into the EU Data Protection Directive (officially the European Union Directive 95/46/EC on the protection of individuals regarding the processing of personal data and on the free movement of such data) which was adopted in 1995.

However, European directives are guidelines which propose certain results but leave each Member State free to decide how to transpose them into national laws The EU currently has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). Over the years, they have made different laws that sometimes contradict each other.

A regulation, on the other hand, is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Since the 1995 Directive was only able to provide overall guidance in this area, the GDPR is designed to effectively harmonize European data protection laws. It was adopted in April 2016, and will officially supersede the Data Protection Directive and be enforceable starting on May 25, 2018.

The United States, however, while endorsing the OECD’s recommendations, did nothing to implement them within the United States. Part of the issues is the diversity of laws in our federalist structure of government. With 50 states, 94 federal judicial districts, including at least one district in each state, the District of Columbia and Puerto Rico and additional territorial courts and courts of special jurisdiction such as bankruptcy, having a unified privacy directive similar to the GDPR is problematic here.


First, we should note that the GDPR affects more than merely the EU. The regulation applies not just to the 28 member states of the EU but is also being integrated into the 1992 EEA Agreement and thus applies to the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein.

Second, as noted above, you do not have to have a physical presence in Europe to be covered by the GDPR. It applies to not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals, regardless of the organization’s location.


Activities to deal with the upcoming implementation of the GDPR have been slowly building momentum. Groups such as The Sedona Conference and the EDRM have been studying best practice principles for US attorneys but numerous questions remain on how to proceed.

The important point is to be prepared.  The GDPR demands, not requests, data privacy compliance and places strong emphasis on organizations to act more responsibly in their data governance practices. More than ever, you need to identify what privacy-related content you possess, why it’s there, and who has access to it.

Failure to adequately prepare for the changes can have severe ramifications, including much higher fines than under the current regulatory environment. These include penalties of up to 4% of the organization’s global gross revenue for non-compliance, a point we will discuss in more detail in following parts of this overview.

For the remainder of the overview, we will highlight key elements, evaluations, and events in the planned implementation of the GDPR. Key elements to be covered will include:

  • Discuss definitions for common terms used in the GDPR
  • Discuss changes in practice to be made under the GDPR
  • Set out distinctions to be made between obligations for a specific company as opposed to service providers
  • Discuss steps to take to insure compliance with the GDPR

So, what do you think?  Are you ready for the GDPR? Read more about this important event in the following parts of our GDPR series and see how it may impact you and your organization.

[View source.]

Written by:


CloudNine on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.