A Corporate Lawyer's Guide To Data Privacy & Data Protection

Privacy laws bring substantial compliance challenges for every organization that collects, processes, stores, and transfers personal data anywhere in the world. For legal departments, compliance professionals and internal investigators these privacy laws create a whole set of new obligations.

With eDiscovery platforms, organizations are empowered to remain compliant with the increasingly stricter privacy regulations. Smart eDiscovery functionalities lead to better, faster, more efficient and less disruptive handling of GDPR or CCPA access requests.

An introduction to data privacy and data protection regulations

The General Data Protection Regulation (GDPR) took effect on May 25, 2018 and replaced the previous Data Protection Directive as the primary law regulating how companies protect EU citizen’s personal data. On June 28, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act (CCPA) of 2018. The CCPA becomes effective January 1, 2020.

The GDPR is one of the most comprehensive data protection laws in the world and extends far beyond the European borders. Since the economy of California is the fifth largest global economy in the world, the impact of the CCPA is expected to be global too.

Given their comprehensiveness and broad reaches, modern privacy laws have significant impact on how companies and government organizations manage digital information when dealing with information from citizens and consumers.

As data is the lifeblood of most organizations, it is no exaggeration to state that these and future privacy laws require fundamental changes in organizational behavior.

Industry analyst Gartner predicts that by 2021, organizations that violate privacy laws will pay substantially more in compliance costs than companies that adhere to best practices. No company can ignore these privacy regulations and data security requirements.

What is GDPR (General Data Protection Regulation)?

Since May 25 2018, the General Data Protection Regulation regulates all activities involving the personal data of EU citizens.

The GDPR covers multiple aspects of data protection, privacy, cybersecurity and information rights. There is the right to question an organization about the possession of one’s personal information. Everyone has and can exercise “the right to be forgotten.” There are strict cyber-security requirements (mandatory data encryption, data security measures, report of breaches, informing subjects of data breaches, etc.), data processing rules, the need to redact or pseudonymize sensitive information when there is no explicit need to store such information and the need to ask for and save prior consent before certain personal information is collected and stored.

What does the Right of Access mean?

EU GDPR Article 15 states the "Right of access by the data subject"

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
What are the GDPR fines?

Administrative fines can reach 20 million Euro or 4% of annual global revenue, whichever is highest.

What is a Data Subject Access Request (DSAR)?

An individual can submit a Data Subject Access Request (DSAR) - which can be up to 80 pages long to specify the information sought - to any organization. The organization has to comply within 30 days. DSARs are often followed by a “Right to be Forgotten Request” on reported information.

A typical DSAR consists of the name of the person (including various spelling variations and nicknames) and all related information the requester is interested in (such as data related to a job or credit application). Or if the requester is a former employer, all the projects he or she participated in, and all communications about the requester with other employees and even people from other organizations. A simple request can already involve a lot of data.

It gets more complicated when a former employee asks to access his PII. In this case, relevant data typically includes employment history, education, skills and qualifications, health information, performance data, pay history, disciplinary actions, bank details, next of kin details, etc. Some of this information will be stored in personnel files and payroll records, but even more will be stored as unstructured email data spanning possibly hundreds of mailboxes scattered all over the organizations.

Typical motives for a DSAR
  • Transfer to another provider/supplier/dealer/employer;
  • Privacy concerns;
  • Employment related conflicts;
  • Other legal matters.

Sometimes the reason for a DSAR is simple. A customer is switching to a different provider/supplier/dealer/employer. They, therefore, requests to retrieve and delete all of their personal data related to their purchase and shipping history with the company of which they are no longer a customer or employee.

Sometimes, a request is made out of privacy concerns. Individuals are now more aware of their rights and more concerned about data privacy. The number of organizations that are involved in data privacy issues and scandals is increasing exponentially. Concerned individuals submit DSARs to see what data of theirs is being collected, potentially at risk and whether they should follow the right to access with the right to be forgotten.

There is also an increasing number of DSARs being used as tactics by aggrieved ex-employees to cause maximum disruption to their former employers.

Global law firm Squire Patton Boggs reported in a recent survey, a particular increase in DSARs being used where an individual is facing a disciplinary or performance issue and wants to cause problems for the business or to get advance disclosure prior to raising a claim.

The survey states that a little less than a quarter (24.4%) of all respondents noted that DSARs involved employees seemingly just wanting to know what the organization has on record about them. However, 65.5% of the companies also report they had dealt with DSARs that were connected to a workplace issue (for example, grievance, redundancy, performance management, etc.), while specifically among the 64 companies identifying an increase in DSARs since the GDPR, 92% confirmed they had dealt with DSARs connected to a workplace problem.

Sometimes actual and potential litigants use DSARs or as a “fishing expedition” to obtain either pre-action disclosure or disclosure whilst proceedings are on-going.

What is a Right to be Forgotten Request?

Either subsequently or additionally, a data subject can request erasure of the data from a data controller, provided the data meets any of the following conditions:

  • The data is no longer needed;
  • The subject withdraws previously granted information to process their personal data;
  • The subject exercises their right to object to the processing of their data;
  • The data is unlawfully used by the data controllers and/or processors;
  • Data has a legal requirement for retention;
  • The data was collected when the data subject was a child.

There are some exceptions such as compliance, legal requirements to hold data or matters of national security or public interest, but one should not seek to use such exceptions lightly.

Data controllers are typically obligated to erase personal data “without undue delay” which means within a month.

What does Notification of Data Breaches mean?

Organizations must notify authorities of data breaches within 72 hours of discovery and keep records of all breaches. Data subjects must be notified of any breaches affecting their unencrypted personal data.

What is the California Consumer Privacy Act? 

The CCPA enhances the privacy rights and consumer protection for residents of California. The California State Legislature passed the bill on June 28, 2018 and was signed into law by Jerry Brown, Governor of California.

In spite of the fact that the California Department of Justice is continuing its rulemaking process for the CCPA and the California legislature is considering further amendments, businesses must comply with the CCPA on January 1, 2020.

The CCPA is the first of its kind and 17 additional states so far are following its lead.

The CCPA is designed to give California consumers ownership and control of their personal information, and the right to hold businesses accountable for such information which they collect and handle as part of their business operations.

What are California resident’s rights?

The act provides new individual rights to data access, erasure and to opt-out of data selling. Under the CCPA, California residents have the right to:

  • Right to know what personal data is being collected. If asked by a consumer, a business must disclose what Personal Information (PI) and categories of PI the business collects about the consumer, the categories of sources that the business acquired PI from, and the categories of any third parties the business sells or otherwise gives the PI to.
  • Right to access: a consumer can obtain the PI the business holds for them.
  • Right to Opt Out: a consumer can ask the business to stop selling or giving PI to third parties. The CCPA’s definition of “sale” includes any communication or transfer of a consumer’s personal information to another business or third party. This includes, for example, mutual access to each business’ marketing list, access to information or insights about consumers, or the ability to target advertising to specific consumers. The Act requires businesses to provide notice about the consumer’s opt-out right by adding a conspicuous, separate and dedicated “Do Not Sell My Personal Information” link on their home page where consumers can exercise this right.
  • Right against Discrimination: a consumer cannot be discriminated against for exercising his or her privacy rights.
  • Request a business to delete any personal information about a consumer collected from that consumer.
Who needs to comply with CCPA?

All business of one or more of the following types:

  • For-profit legal entity
  • Collects personal information (PI) or has it collected by others
  • Determines (solely or jointly) purposes of processing PI
  • Does business in California
  • Any legal entity that controls such a business and shares common branding

Or businesses that:

  • Have annual gross revenues in excess of $25 million;
  • Possess the personal information of 50,000 or more consumers, households, or devices; or
  • Earn more than half of its annual revenue from selling consumers' personal information.
What is the definition of personal data?

The CCPA defines personal information as information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

The CCPA differs in definition of personal information from GDPR as it extends that to household in comparison of GDPR that classifies consumer information as personal only. It does not consider Publicly Available Information as personal.

What are the CCPA penalties?

The Limited Private Right of Action for Unauthorized Disclosure of Data allows consumers to bring a private right of action against Covered Businesses in connection with “certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information” if the Covered Business has failed to implement and maintain reasonable security measures to protect such information.

In the event of a data breach, a business may have to compensate consumers from $100 to $750 per consumer and per incident.

Any reputational damage must also be counted and litigation (e.g., class actions) is possible.

CCPA vs GDPR: How do they compare?

The CCPA is not just an American version of the GDPR. Companies that are already prepared for GDPR will have an advantage in addressing CCPA, but this will not be enough.

Scope

In some respect, the scope of the CCPA is more limited than that of the GDPR. The CCPA for example does not restrict the transfer of personal information outside the US. It also does not require that businesses appoint a data protection officer and conduct impact assessments. The CCPA does not require businesses to have a "legal basis" for collection and use of personal information and the California residents' right to access personal information is limited to data collected in the past 12 months.

On the other hand, the scope of the CCPA is wider. The CCPA's definition of personal information specifically includes household information. The CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a "Do Not Sell My Personal Information" link on websites and mobile apps.

Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements might not meet CCPA requirements.

The GDPR applies to all businesses that process data of EU citizens, irrespective of their location or size. The CCPA is slightly narrower in its scope: it only applies to California-based businesses with a revenue above USD $25 million or those whose primary business is the sale of personal information.

Fines

The GDPR mandates penalties for non-compliance and/or data breach, which can reach up to 4% of the company’s annual global turnover or 20 million Euros, whichever amount is greater.

Although the CCPA is presented as a “privacy” bill, the law includes a private right of action against companies that fail to adopt reasonable data breach security practices.

CCPA fines are applied per violation, are uncapped and there are apparently no sanctions for non-compliance. The violation is considered at the point of breach, contrary to the GDPR that can apply a sanction where a company is deemed to be at risk of a breach or not behaving responsibly. In addition, CCPA allows for the consumer to sue the business for violation.

Rights

Both regulations endow the consumer with specific rights such as the right to access information and have information deleted or accessed. The GDPR is specifically focused on all data related to the EU consumer/citizen whereas the CCPA considers both the consumer and household as identifiable entities and, in some cases, only considers data provided by the consumer as opposed to data sourced or purchased from third parties. It is important that businesses test their processes to ensure they can accommodate these rights.

Handling Data Subject Access Requests (DSAR) and Data Breaches  

In both privacy regulations, the “Right of Access” (GDPR) or “Right to Know”  (CCPA)  and the “Right to be forgotten” (GDPR) and “Right to Delete” (CCPA) will bring an extra need for eDiscovery technology.

A typical request consists of the name of the person (including various spelling variations and nick-names) and all kinds of information they are interested in. This could be data related to a job application, credit application, or project they participated in. In Europe, a DSAR can grow to be an 80 page document, specifying the information sought.

Where Article 15 of the GDPR was designed to help concerned citizens to get more access to their personal data, it is now also (ab)used by upset employees or dissatisfied customers in legal disputes. As the cost of such request can be enormous to a company, it is considered an effective tool to force the other party into a higher settlement in legal disputes. As a result, we have seen a steep increase in the number of such requests all over Europe.

Handling DSARs is expensive for those who are unprepared. All requested data needs to be collected, processed, reviewed and produced in a common format (often PDF) and disclosed to the requestor. During the review, a lot of time is spent protecting confidential information belonging to the company and personal data belonging to other data subjects.

How to handling a data breach?

The CCPA includes individual cause of action or a class action against companies that fail to adopt reasonable data breach security practice.

When a breach of privacy occurs under the GDPR, data controllers should notify supervising authorities not later than 72 hours after becoming aware of it. They must also notify the data subject “without undue delay.”

When data has been leaked or a hacker has accessed mailboxes, file shares, or a Content Management System, etc., eDiscovery is essential to determine as quickly as possible, whether personal information was comprised, which details were compromised, and which individuals were affected. Technology also generates the required reports, so parties are notified quickly, which lessens the potential for fines and excessive damage claims.

Using eDiscovery technology to safeguard privacy & data protection

A subject access request means a lot of work for your organization. If you are not prepared or do not use technology, it can be very disruptive, and if you do not meet the deadlines or requirements can get very expensive.

Still DSARs are a fundamental data protection right and it’s your organizations responsibility to respond to them in the ways dictated by the GDPR, CCPA or other privacy laws. 

While it will never be anyone’s favorite, using technology makes responding to access requests significantly more manageable. eDiscovery technology helps you to:

  • Locate relevant data and redact all personal information related to other individuals mentioned in the same content;
  • Collect information directly from the relevant sources (Microsoft Office 365, email boxes, file shares, projects in SharePoint);
  • De-duplicate the information: up to 80% of all documents are duplicates, eliminating those automatically saves a huge amount of work;
  • Automatically unpack containers of files (ZIP, PST, NSF) and make every individual component searchable;
  • Enrich non-searchable data such as images, scans, non-searchable PDFs or media files so every component can truly be searched;
  • Analyze, classify and organize information for fast review;
  • Use auto-redaction to anonymize or pseudonymize personal and confidential information;
  • Automatically convert all electronic file formats to one common format and burn in redactions.

In short, using smarter technology leads to better, faster, more efficient and less disruptive handling of GDPR or CCPA access requests.

DSARs are often followed by a Right to be Forgotten Request on reported information. Data controllers are typically obligated to erase personal data “without undue delay”. Detailed tracking and reporting features in eDiscovery platforms ensure a complete audit trail to prove erasure.

 
Safeguarding privacy & data protection

Privacy laws bring substantial compliance challenges for every organization that collects, processes, stores, and transfers personal data anywhere in the world. For legal departments, compliance professionals and internal investigators these privacy laws create a whole set of new obligations.

With eDiscovery platforms, organizations are empowered to remain compliant with the increasingly stricter privacy regulations. Smart eDiscovery functionalities lead to better, faster, more efficient and less disruptive handling of GDPR or CCPA access requests.

Placeholder

Ready to talk to a specialist?

Our experts are standing by to help you overcome your Legal Discovery challenges.