Fifty years ago, on July 16, 1969, the Apollo 11 lunar mission sent the first astronauts to the surface of the moon. The computing technology used on that Apollo mission was revolutionary. The astronauts could control the spacecraft through a command module computer, and critical safety and propulsion mechanisms were controlled by software for the first time. Today the computing technology of the average cell phone far exceeds the computing power of the spacecraft that got humans to the moon and home safely. A single iPhone could guide 120 million Apollo era spacecraft to the moon, all at the same time!
With that kind of computing power in our pockets, it is no wonder so many of us take advantage of numerous mobile applications, social media, messaging, and collaboration workstream tools as often as we do. On average, each of us spends 4 hours a day staring down at our phone, often blurring the lines between business and private communications.
The universe of discoverable ESI (electronically stored information) is evolving rapidly. For many organizations, within three years of adopting an enterprise-level workstream collaboration platform, the volume of new data generated from that platform will eclipse the amount of data generated by email. Notably, Microsoft Teams is quickly becoming Office 365’s main collaboration tool and is on pace to become as prominent as Outlook. Messaging data and social media communications are routinely implicated in discovery requests and, with increasing regularity, submitted as critical evidence in legal proceedings. Data collections and discovery requests involving mobile, messaging, and collaboration applications often involve personal data and PII (personally identifiable information). Sensitive personal information might be there unintentionally, due to the nature of the applications for keeping people connected and perhaps a business culture that comingles business and personal lives. Other reasons may include the frequency at which many of us increasingly use these applications outside the traditional 9-to-5 workday and a lack of corporate guidance or use policies for new and emerging technologies.
There is no doubt that redefining our eDiscovery processes, methods, and approaches is necessary for new technologies and the ESI they generate. Potentially responsive information likely exists in the candid communications common to messaging or collaboration applications, such as in chats, on virtual “white boards,” and in edited and re-edited versions of documents. But getting to this information, and along the way mitigating risks for personal data protection, is easier said than done. Emerging technologies are dynamic, context sensitive, and multi-dimensional. Every new content source requires its own method of collection, and they all behave just a little differently. It is likely that organizations will increasingly select discovery tools that can collect and process data across multiple cloud technologies or applications. This will ensure a reliable, defensible method of collection and processing compatible with conventional eDiscovery workflows already in place.
The implications for privacy and data protection, though, are considerable. Myriad multi-jurisdictional regulations require a balancing act to protect the data privacy of individuals while simultaneously meeting obligations for discovery. These regulations, such as the EU’s General Data Protection Regulation (GDPR), the Health Information Portability and Accountability Act (HIPAA), and the now imminent California Consumer Privacy Act (CCPA), cannot be ignored. A raised consciousness and awareness of privacy protections in discovery is required, in parallel with efforts to preserve and produce relevant, discoverable ESI with efficiency and precision. A serious regulatory risk exists for unintended personal data – particularly health or other similarly sensitive information – which may somehow find its way into collection and discovery. The risk is heightened when the appropriate data minimization controls have not been implemented or even considered, resulting in personal data being swept up in overly broad collection exercises.
The challenge of protecting personal data is increasingly being addressed by eDiscovery workflows designed specifically for mobile data and ESI from collaboration applications. Although these solutions are at a relatively early stage of development, well-defined guidance is available for how to embed data protection across workflows without sacrificing existing road-tested best practices, i.e. Privacy by Design.
The Privacy by Design concept has been around for quite a while, with inception as a Canadian thought experiment in how to ensure data protection across emerging technologies. But it has now been codified in Article 25 of the GDPR. Privacy by Design provides a solid roadmap for how to build data protection compliance into a product or workflow from the ground-up, as opposed to shoe-horning requirements into a process after it has already been developed. Privacy by Design-based approaches for discovery seek to integrate personal information protection over the lifecycle of all data handling processes. Importantly, the focus is on adaptation and evolution, not a zero-sum game that trades capability for over-restrictive data protection measures. Key attention is accordingly placed on relevance and materiality, from data collection through production, across the entire EDRM (electronic discovery reference model).
In practice, Privacy by Design throughout discovery could be as follows (see illustration):
Our shifting global regulatory landscape for data protection, together with exponential growth in the use of mobile applications and collaboration workflow tools, is changing the way data collection is approached, how data is handled, and how organizations will be held accountable for the treatment of personal and sensitive data in the discovery process. Solutions will require a re-consideration of conventional approaches to forensics, data collection, and eDiscovery workflows.
Privacy by Design offers a useful model for embedding privacy protections into the discovery process. It enables organizations to chart a course in the new universe of data, including development of well-crafted information governance processes for new and emerging technologies, focusing on privacy risk mitigation throughout the EDRM, and ensuring an emphasis on data security each step of the way.
Technology doesn’t wait for anyone. While only 50 years separate the computers of the Apollo mission from today’s iPhones, the pace of technology advancement is exponential. eDiscovery processes must keep up.